FortiSIEM
FortiSIEM provides Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA)
summer1
Staff
Article Id 422410
Description

This article describes how FortiSIEM can collect CPU utilization metrics from Windows hosts without installing a Windows agent by using WMI classes and a PowerShell query.


This method can also support additional operations through the use of various WMI performance classes.

Use cases include operations such as troubleshooting, issue isolation, and working within restricted environments.

Scope

FortiSIEM.

Solution

The following steps outline how to configure a FortiSIEM Windows Agent template to retrieve CPU statistics directly from a WMI class.

The example below pulls CPU metrics directly from a Hyper-V host, but any other WMI class can be used depending on operational requirements, as referenced in the Monitoring Performance Data document.

  1. Edit the Windows Agent Template.

     Go to Setup -> Windows Agent, select the required template, and select Edit.

  2. Add the required WMI Class.

     Under Script -> WMI classes, select New and apply the following settings:

     • Name: Performance.
     • WMI Class: Win32_PerfFormattedData_HvStats_HyperVHypervisorLogicalProcessor.
     • Attributes: Select all attributes.

  3. Save the WMI Configuration.

     Select Save.

  4. Add a PowerShell Script.

     Under the PowerShell Script section, select New and, in the Script content field, insert the following command:

     Get-CimInstance -Namespace "root\CIMV2" -ClassName "Win32_PerfFormattedData_HvStats_HyperVHypervisorLogicalProcessor" |
     Select-Object Name, PercentTotalRunTime, ContextSwitchesPersec

  5. Save and Apply the Template.

     Select Save, then select Apply to push the template changes.

  6. Verify Event Ingestion.

     Depending on the interval specified, events are generated every 'X' minutes (minimum value: 15 minutes).

     To confirm collection, go to Analytics and search for the following pattern:

     EVENT TYPE CONTAIN Win32_PerfFormattedData_HvStats AND reporting IP <Windows Host IP>

     This confirms that the Windows host in question is sending performance metrics successfully.

 

Note:

Depending on the WMI class being used under the template, the search query must be of the appropriate event type.

 

Additional notes:

  • No default parser exists for this event type.
    A custom parser must be created to normalize or extract the required fields.

  • The same method supports a wide range of operational requirements, since any WMI class listed in the Monitoring Performance Data document can be referenced and used as needed.

  • Explaining various types of WMI classes and their uses is beyond the scope of this article.
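The following PowerShell script is an added example and is not part of the FortiSIEM article or of the product's own template content. It addresses two points from the procedure above: step 4 (the script placed in the template) and the note that no default parser exists. It first checks that the Hyper-V performance class used in the article actually exists on the host, falls back to the generic Win32_PerfFormattedData_PerfOS_Processor class on hosts without the Hyper-V role, and then prints one key=value line per counter instance so that a custom parser has a stable format to extract fields from. The class names are real Windows classes; the fallback order and the output line format are assumptions of this example.

```powershell
# Added example, not from the FortiSIEM article: validate the WMI class before
# relying on it in a Windows Agent template, then emit key=value lines that a
# custom FortiSIEM parser can match with a simple regular expression.

$Namespace = 'root\CIMV2'

# Preferred class first (the Hyper-V logical processor counters used in the
# article), then the generic per-processor class for hosts without Hyper-V.
# The fallback order is this example's own choice.
$ClassNames = @(
    'Win32_PerfFormattedData_HvStats_HyperVHypervisorLogicalProcessor',
    'Win32_PerfFormattedData_PerfOS_Processor'
)

# Counters worth reporting; only those the selected class actually exposes are
# emitted (PerfOS_Processor has no ContextSwitchesPersec, for instance).
$WantedCounters = @('PercentTotalRunTime', 'PercentProcessorTime', 'ContextSwitchesPersec')

function Test-WmiClassExists {
    param([string]$Namespace, [string]$ClassName)
    # Get-CimClass raises a terminating error when the class is not registered in
    # the namespace, which is what happens for HvStats classes on non-Hyper-V hosts.
    try {
        $null = Get-CimClass -Namespace $Namespace -ClassName $ClassName -ErrorAction Stop
        return $true
    } catch {
        return $false
    }
}

function Get-CpuCounterLines {
    param([string]$Namespace, [string[]]$ClassNames, [string[]]$WantedCounters)

    # First class from the list that exists on this host.
    $class = $ClassNames |
        Where-Object { Test-WmiClassExists -Namespace $Namespace -ClassName $_ } |
        Select-Object -First 1

    if (-not $class) {
        # Fail loudly: an empty script result would look the same in FortiSIEM as
        # a host that simply stopped reporting.
        throw "None of the requested WMI classes exist in $Namespace on $env:COMPUTERNAME"
    }

    Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction Stop |
        ForEach-Object {
            $inst = $_
            # Build name=value pairs only for counters present on this instance.
            $pairs = foreach ($c in $WantedCounters) {
                if ($null -ne $inst.PSObject.Properties[$c]) { '{0}={1}' -f $c, $inst.$c }
            }
            # "_Total" is the aggregate instance on both classes; per-CPU rows follow.
            'host={0} class={1} instance={2} {3}' -f $env:COMPUTERNAME, $class, $inst.Name, ($pairs -join ' ')
        }
}

Get-CpuCounterLines -Namespace $Namespace -ClassNames $ClassNames -WantedCounters $WantedCounters
```

Running the script once on the target host before applying the template shows immediately whether the HvStats class is available there or whether the fallback class is in use. If the fallback is what gets collected, the event type in FortiSIEM will carry the PerfOS class name rather than HvStats, so the Analytics search in step 6 has to be adjusted accordingly, as the Note above already points out for any change of WMI class.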