Sumo Logic + Fortigate + IPS Results

I built this panel for my Fortigate dashboard that lists out the top 10 IPS rules triggered. I find this helpful so that I can track down potential issues or new vulnerabilities that the firewall has caught but I did not know about.

IPS rules:

```
_index=security_logs _sourceCategory=fw_security ("type=\"utm\"" AND "subtype=\"ips\"")
| extract "attack=\"(?<attack>.*?)\""
| keyvalue regex "=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" keys "srcip", "dstip"
| keyvalue regex "=(\w+)" keys "service"
| count as count by attack
| sort by count
| limit 10
```
The above gives you the top 10 IPS rules triggered and is suitable for a dashboard panel (first picture). If you run it in the search area of the Sumo Logic interface instead, check the Messages tab: it lists the source and destination IP addresses, as well as the service, as human-readable columns (second picture).
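As an added example that is not part of the original post, here is a small Python script that applies the same field extraction to a few constructed FortiGate UTM/IPS log lines offline, which is a convenient way to sanity-check the regexes before pasting the query into Sumo Logic. The log lines, signature names and IP addresses are constructed placeholders; the service pattern is widened slightly to accept both quoted and unquoted values.

```python
import re
from collections import Counter

# Constructed FortiGate UTM log lines in key=value syslog form (placeholders,
# not real events). The fourth line is a webfilter event and must be filtered out.
SAMPLE_LOGS = [
    'date=2015-08-08 time=10:01:02 devname="FGT-A" type="utm" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.5 service="HTTP" action="dropped" attack="Web.Scanner.Generic"',
    'date=2015-08-08 time=10:01:09 devname="FGT-A" type="utm" subtype="ips" severity="high" srcip=203.0.113.10 dstip=192.0.2.5 service="HTTP" action="dropped" attack="Web.Scanner.Generic"',
    'date=2015-08-08 time=10:02:00 devname="FGT-A" type="utm" subtype="ips" severity="medium" srcip=198.51.100.7 dstip=192.0.2.9 service="SSH" action="detected" attack="SSH.Login.Brute.Force"',
    'date=2015-08-08 time=10:03:00 devname="FGT-A" type="utm" subtype="webfilter" srcip=198.51.100.8 dstip=192.0.2.9 service="HTTP" attack="Not.An.IPS.Event"',
    'date=2015-08-08 time=10:04:00 devname="FGT-A" type="utm" subtype="ips" severity="low" srcip=198.51.100.9 dstip=192.0.2.10 service=DNS action="detected" attack="DNS.Malformed.Query"',
]

# Same patterns as the Sumo Logic query: a named group for the attack name,
# a dotted quad for the IP keys, and a word for the service (quotes optional).
ATTACK_RE = re.compile(r'attack="(?P<attack>.*?)"')
IP_VALUE = r'=(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})'
WORD_VALUE = r'="?(\w+)"?'


def keyvalue(line, keys, value_regex):
    """Mimic 'keyvalue regex ... keys ...': prepend each key name to the
    value regex and keep group 1 of the first match."""
    out = {}
    for key in keys:
        m = re.search(r'\b' + re.escape(key) + value_regex, line)
        if m:
            out[key] = m.group(1)
    return out


def parse_ips_event(line):
    """Return the extracted fields for a UTM/IPS line, else None."""
    if 'type="utm"' not in line or 'subtype="ips"' not in line:
        return None
    m = ATTACK_RE.search(line)
    if not m:
        return None
    event = {"attack": m.group("attack")}
    event.update(keyvalue(line, ("srcip", "dstip"), IP_VALUE))
    event.update(keyvalue(line, ("service",), WORD_VALUE))
    return event


def top_ips_rules(lines, limit=10):
    """Local equivalent of 'count by attack | sort by count | limit N'."""
    events = [e for e in map(parse_ips_event, lines) if e]
    return Counter(e["attack"] for e in events).most_common(limit)
```

Feed it real exported log lines instead of SAMPLE_LOGS to see whether the patterns survive your firmware's quoting before trusting the dashboard numbers.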

(Screenshot: 2015-08-08-sl-fgt-ips-results. Caption: Older example.)