randomcatperson
Explorer
June 10, 2021
Question

What does 'Count' mean in FortiAnalyzer Threat Log View?


Hi,

I'm trying to understand what is specifically meant by 'Count' in the table produced by a threat log view in FortiAnalyzer.


https://docs.fortinet.com/document/fortianalyzer/6.4.2/administration-guide/523678/managing-a-compromised-hosts-rescan-policy says "Threat Count: The total number of logs with threats". For the attached example log view example, does 'count' in this instance mean that we received 123,181 packets from 154.49.100.154 & 121,306 from 52.114.23.99 in this one time (DDoS style)?

Or were there this many packets received over the whole month (custom time range), total?

What is confusing is it has a 'Date/Time' and also has a specific service (UDP/64916 & UDP/10716) which makes me think this is all at once, rather than across the entire time frame.

Any assistance with clarifying exactly what is meant by 'Count' here would be greatly appreciated.


    randomcatperson
    Explorer
    July 5, 2021

    /bump

    randomcatperson
    Explorer
    July 14, 2021

    Fortinet customer service came back with:

    "'Count' means the number of times the same threat was being detected and the date/time will be the latest one for the last count updated."


    I've asked them to further clarify as follows:

    "Can you please clarify the meaning a bit deeper? Say, with a udp_flood Threat, does that mean if the 'count' shows 20,000 & the DoS policy is set to the default threshold of 2000, that we would've received 40,000,000 packets (20,000 count x 2,000 pps)? Or is it that we received a total number of packets equal to 20,000 - which technically violated the threshold 10 times?"

    randomcatperson
    Explorer
    August 2, 2021

    CrazyCatMan wrote:

    I've asked them to further clarify as follows:

    "Can you please clarify the meaning a bit deeper? Say, with a udp_flood Threat, does that mean if the 'count' shows 20,000 & the DoS policy is set to the default threshold of 2000, that we would've received 40,000,000 packets (20,000 count x 2,000 pps)? Or is it that we received a total number of packets equal to 20,000 - which technically violated the threshold 10 times?"

    Fortinet's reply to the above:

    "Is it that we received a total number of packets equal to 20,000 - which technically only violated the threshold 10 times?"

    - This is correct, we have received the total number of packets equal to 20,000 and we have violated the thresholds only 10 times.