
List Malicious Network Traffic Detected From LAN To WAN By Fortinet

Description

This KQL query looks for outbound (LAN to WAN) sessions that a Fortinet firewall matched against a threat indicator but did not deny, close or block, as recorded in the CommonSecurityLog table in Microsoft Sentinel.

Risk

An internal host opened a session towards the internet that the Fortinet firewall tagged with a threat indicator (IndicatorThreatType) yet still let through: the action is not deny, close or blocked. A session like that suggests a possibly compromised host on the LAN talking to known-malicious infrastructure, and since the firewall has already flagged it, the detection surfaces those allowed sessions, together with the malware type taken from the vendor reference link, for triage.

Query

Microsoft Sentinel
Kusto
CommonSecurityLog
// Fortinet CEF events that carry a threat indicator
| where DeviceVendor == "Fortinet"
| where isnotempty(IndicatorThreatType)
// Destination is logged as an IP address, not a resolved host name
| where isempty(DestinationHostName)
// An outbound interface is set, i.e. the session left the LAN towards the WAN
| where isnotempty(DeviceOutboundInterface)
// Keep only sessions the firewall let through; denied, closed or blocked sessions were already stopped
| where isnotempty(DeviceAction) and DeviceAction !in ("deny", "close", "blocked")
// One row per threat type when the field holds several values
| mv-expand todynamic(IndicatorThreatType)
// Derive the malware type from the reference link, whose query string has the form ?tags=<type>&languageCode=<lang>
| where ReportReferenceLink has "?tags="
| extend ReportReferenceLink = split(ReportReferenceLink, "=", 1)
| mv-expand ReportReferenceLink to typeof(string)
| extend MalwareType = split(ReportReferenceLink, "&")
| mv-expand MalwareType to typeof(string)
| where MalwareType <> "languageCode"
// The CEF extension string is split on ";" and two application-related fields are picked by position
// (indices 21 and 23); positional indices break if the vendor changes the extension order
| extend identified_application = split(AdditionalExtensions, ";")
| project TimeGenerated, IndicatorThreatType, ApplicationProtocol, SourceIP, SourcePort, Message, identified_application[23], identified_application[21], DeviceOutboundInterface, ThreatConfidence, MalwareType, MaliciousIPCountry, DestinationIP, DestinationPort, DeviceAction, Activity
| order by TimeGenerated
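The detection logic above run over constructed CommonSecurityLog-shaped rows, as an added example that is not part of the original page. All field values are constructed, the reference-link host is a placeholder, and the AdditionalExtensions key names FortinetFortiGateapp and FortinetFortiGateappcat are an assumption about the FortiGate CEF layout (the original query picks those fields by position instead). The malware type is taken with a single regex capture of the tags parameter, which is equivalent to the split/mv-expand chain in the query.

```kql
// Added example, not from the original page. Sample rows (constructed):
//   row 1: allowed outbound session with a tagged reference link -> reported
//   row 2: same indicator, but the firewall denied the session   -> excluded
//   row 3: no outbound interface (inbound, WAN to LAN)           -> excluded
//   row 4: indicator present, but the link has no tags parameter -> excluded
let SampleLog = datatable(
    TimeGenerated:datetime, DeviceVendor:string, DeviceAction:string,
    DeviceOutboundInterface:string, DestinationHostName:string, IndicatorThreatType:string,
    ReportReferenceLink:string, AdditionalExtensions:string,
    SourceIP:string, DestinationIP:string, DestinationPort:int)
[
    datetime(2024-01-15 10:00:00), "Fortinet", "accept", "wan1", "", "Botnet.C&C",
        "https://threat-encyclopedia.example/?tags=Botnet&languageCode=en",
        "FortinetFortiGateapp=HTTPS;FortinetFortiGateappcat=Web.Client",
        "10.0.0.5", "203.0.113.10", 443,
    datetime(2024-01-15 10:01:00), "Fortinet", "deny", "wan1", "", "Botnet.C&C",
        "https://threat-encyclopedia.example/?tags=Botnet&languageCode=en",
        "FortinetFortiGateapp=HTTPS;FortinetFortiGateappcat=Web.Client",
        "10.0.0.6", "203.0.113.10", 443,
    datetime(2024-01-15 10:02:00), "Fortinet", "accept", "", "", "Malware",
        "https://threat-encyclopedia.example/?tags=Malware&languageCode=en",
        "FortinetFortiGateapp=SSH;FortinetFortiGateappcat=Network.Service",
        "198.51.100.7", "10.0.0.7", 22,
    datetime(2024-01-15 10:03:00), "Fortinet", "accept", "wan1", "", "Malware",
        "https://threat-encyclopedia.example/",
        "FortinetFortiGateapp=DNS;FortinetFortiGateappcat=Network.Service",
        "10.0.0.8", "203.0.113.11", 53,
];
SampleLog
| where DeviceVendor == "Fortinet"
| where isnotempty(IndicatorThreatType)
| where isempty(DestinationHostName)
// Outbound interface set: the session left the LAN towards the WAN
| where isnotempty(DeviceOutboundInterface)
// Only sessions the firewall actually allowed
| where isnotempty(DeviceAction) and DeviceAction !in ("deny", "close", "blocked")
// Value of the tags query parameter: everything after "tags=" up to the next "&"
| extend MalwareType = extract(@"[?&]tags=([^&]+)", 1, ReportReferenceLink)
| where isnotempty(MalwareType)
// Parse the named extension keys (assumed names) instead of positional indices
| extend identified_application = extract(@"FortinetFortiGateapp=([^;]+)", 1, AdditionalExtensions),
         application_category  = extract(@"FortinetFortiGateappcat=([^;]+)", 1, AdditionalExtensions)
| project TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction,
          IndicatorThreatType, MalwareType, identified_application, application_category
| order by TimeGenerated asc
```

Paste the block into a Sentinel Logs blade as-is to see which sample rows the filters keep; only the first row survives, with MalwareType Botnet and the application fields HTTPS and Web.Client. Replacing the positional `identified_application[21]`/`[23]` lookups with key-based extraction is the main design change worth carrying into the production query, because it stops silently returning the wrong field when the extension order shifts.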
