
List Unwanted Or Malicious Applications Detected By Fortinet

Description

This KQL query searches for unwanted or malicious applications detected by Fortinet.

Query

Microsoft Sentinel
// Fortinet CEF events for sessions the firewall allowed (DeviceAction == "accept")
CommonSecurityLog
| where DeviceVendor == "Fortinet"
| where DeviceAction == "accept"
// AdditionalExtensions is a ';'-separated list of key=value pairs; split it into an array.
// The index-based lookups below assume the pairs always arrive in the same order.
| extend additional_fields = split(AdditionalExtensions, ";")
// Keep only sessions whose Fortinet application risk rating is high or critical
| where tostring(additional_fields[22]) in ("ad.apprisk=high", "ad.apprisk=critical")
// Count sessions per application category and application name
| summarize sessions = count() by category = tostring(additional_fields[21]), application = tostring(additional_fields[20])
| sort by sessions desc
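The query above picks fields out of AdditionalExtensions by position, which silently breaks if the key order in the CEF record changes. The following added example (not part of the original post) reimplements the same filter and aggregation in Python over constructed CommonSecurityLog rows, but resolves the pairs by key name; the key names ad.app and ad.appcat are assumed, since the page only shows ad.apprisk.

```python
from collections import Counter

# Constructed sample rows (not real Fortinet telemetry) with only the columns
# the query touches. Row 2 carries the same pairs as row 1 in a different order,
# which a position-based lookup would misread. Key names ad.app/ad.appcat assumed.
SAMPLE_ROWS = [
    {"DeviceVendor": "Fortinet", "DeviceAction": "accept",
     "AdditionalExtensions": "ad.app=ToolX;ad.appcat=Proxy;ad.apprisk=high"},
    {"DeviceVendor": "Fortinet", "DeviceAction": "accept",
     "AdditionalExtensions": "ad.apprisk=high;ad.app=ToolX;ad.appcat=Proxy"},
    {"DeviceVendor": "Fortinet", "DeviceAction": "accept",
     "AdditionalExtensions": "ad.app=ToolY;ad.appcat=P2P;ad.apprisk=critical"},
    {"DeviceVendor": "Fortinet", "DeviceAction": "accept",
     "AdditionalExtensions": "ad.app=ToolZ;ad.appcat=Collaboration;ad.apprisk=medium"},
    {"DeviceVendor": "Fortinet", "DeviceAction": "deny",
     "AdditionalExtensions": "ad.app=ToolY;ad.appcat=P2P;ad.apprisk=critical"},
    {"DeviceVendor": "OtherVendor", "DeviceAction": "accept",
     "AdditionalExtensions": "ad.app=ToolX;ad.appcat=Proxy;ad.apprisk=high"},
]


def parse_extensions(ext: str) -> dict:
    """Parse a ';'-separated key=value string into a dict, keyed by name not position."""
    fields = {}
    for pair in ext.split(";"):
        key, sep, value = pair.partition("=")
        if sep:  # skip fragments without '=' instead of crashing on them
            fields[key.strip()] = value.strip()
    return fields


def risky_applications(rows, risk_levels=("high", "critical")):
    """Mirror the KQL: Fortinet + accept + apprisk in risk_levels, counted per (category, app)."""
    counts = Counter()
    for row in rows:
        if row.get("DeviceVendor") != "Fortinet" or row.get("DeviceAction") != "accept":
            continue
        ext = parse_extensions(row.get("AdditionalExtensions", ""))
        if ext.get("ad.apprisk") not in risk_levels:
            continue
        counts[(ext.get("ad.appcat", ""), ext.get("ad.app", ""))] += 1
    # Equivalent of "sort by sessions desc": most sessions first
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for (category, application), sessions in risky_applications(SAMPLE_ROWS):
        print(f"{sessions:>4}  {category:<15} {application}")
```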
