What does 'Count' mean in FortiAnalyzer Threat Log View?

Author
randomcatperson
New Member
  • Total Posts : 10
  • Scores: 0
  • Reward points: 0
  • Status: offline
2021/06/09 22:20:50 (permalink)

What does 'Count' mean in FortiAnalyzer Threat Log View?

Hi,
I'm trying to understand what is specifically meant by 'Count' in the table produced by a threat log view in FortiAnalyzer.
 
https://docs.fortinet.com/document/fortianalyzer/6.4.2/administration-guide/523678/managing-a-compromised-hosts-rescan-policy says "Threat Count: The total number of logs with threats".
For the attached example log view, does 'count' in this instance mean that we received 123,181 packets from 154.49.100.154 & 121,306 from 52.114.23.99 in this one time (DDoS style)?
Or were there this many packets received over the whole month (custom time range), total?
What is confusing is it has a 'Date/Time' and also has a specific service (UDP/64916 & UDP/10716) which makes me think this is all at once, rather than across the entire time frame.
Any assistance with clarifying exactly what is meant by 'Count' here would be greatly appreciated.
 
post edited by CrazyCatMan - 2021/06/09 22:33:03

Attached Image(s)

#1
randomcatperson
Re: What does 'Count' mean in FortiAnalyzer Threat Log View? 2021/07/04 19:19:40 (permalink)
/bump
#2
randomcatperson
Re: What does 'Count' mean in FortiAnalyzer Threat Log View? 2021/07/13 18:53:39 (permalink)
Fortinet customer service came back with:
"'Count' means the number of times the same threat was being detected and the date/time will be the latest one for the last count updated."
 
I've asked them to further clarify as follows:
"Can you please clarify the meaning a bit deeper?
Say, with a udp_flood Threat, does that mean if the 'count' shows 20,000 & the DoS policy is set to the default threshold of 2000, that we would've received 40,000,000 packets (20,000 count x 2,000 pps)? Or is it that we received a total number of packets equal to 20,000 - which technically violated the threshold 10 times?"
#3
randomcatperson
Re: What does 'Count' mean in FortiAnalyzer Threat Log View? 2021/08/02 01:10:28 (permalink)
CrazyCatMan
I've asked them to further clarify as follows:
"Can you please clarify the meaning a bit deeper?
Say, with a udp_flood Threat, does that mean if the 'count' shows 20,000 & the DoS policy is set to the default threshold of 2000, that we would've received 40,000,000 packets (20,000 count x 2,000 pps)? Or is it that we received a total number of packets equal to 20,000 - which technically violated the threshold 10 times?"
Fortinet's reply to the above:
"Is it that we received a total number of packets equal to 20,000 - which technically only violated the threshold 10 times?"
- This is correct, we have received the total number of packets equal to 20,000 and we have violated the thresholds only 10 times.
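Added example, not from this thread or from Fortinet: it aggregates constructed FortiGate-style key=value log lines into rows shaped like the threat log view, using the semantics support described above (Count = number of records for the same threat from the same source, Date/Time = timestamp of the latest record), and derives the number of threshold crossings the same way the reply does (assumed floor division of count by the policy threshold).

```python
from datetime import datetime

# Constructed sample records in FortiGate key=value style (not real logs).
SAMPLE_LOGS = """\
date=2021-06-01 time=10:00:01 srcip=192.0.2.10 dstport=64916 proto=17 attack=udp_flood
date=2021-06-01 time=10:00:02 srcip=192.0.2.10 dstport=64916 proto=17 attack=udp_flood
date=2021-06-02 time=08:15:00 srcip=192.0.2.10 dstport=64916 proto=17 attack=udp_flood
date=2021-06-03 time=12:00:00 srcip=198.51.100.7 dstport=10716 proto=17 attack=udp_flood
"""

PROTO_NAMES = {"6": "TCP", "17": "UDP"}


def parse_line(line):
    """Split one key=value record into (timestamp, srcip, service, attack)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    ts = datetime.fromisoformat(fields["date"] + " " + fields["time"])
    proto = PROTO_NAMES.get(fields["proto"], fields["proto"])
    service = proto + "/" + fields["dstport"]
    return ts, fields["srcip"], service, fields["attack"]


def threat_view(text):
    """Group records by (srcip, attack, service); return count and latest time.

    Assumed grouping, modelled on the support answer above: Count is the
    number of matching log records and Date/Time is the newest of them.
    """
    rows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, service, attack = parse_line(line)
        key = (src, attack, service)
        count, latest = rows.get(key, (0, ts))
        rows[key] = (count + 1, max(latest, ts))
    return {k: {"count": c, "datetime": d} for k, (c, d) in rows.items()}


def threshold_violations(count, threshold=2000):
    """Per the reply above, Count is packets; crossings = count // threshold."""
    return count // threshold


if __name__ == "__main__":
    for key, row in threat_view(SAMPLE_LOGS).items():
        print(key, row["count"], row["datetime"])
```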
#4