Get Malicious Events by Endpoint#

Retrieve malicious code detection events filtered by endpoint.

✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.

Overview#

This API endpoint retrieves malicious-code detection alerts raised for managed endpoints (FortiClient hosts), which is useful for:

  • Monitoring malware and malicious code detections

  • Investigating compromised endpoints

  • Tracking FortiClient EMS security events

  • Endpoint security incident response

  • Threat hunting across endpoints

Endpoint Details#

  • Method: POST

  • URL: /jsonrpc

  • API Path: /eventmgmt/adom/{adom}/alerts

  • ADOM Support: Yes

  • Requires Authentication: Yes

  • Minimum Version: 7.4.0

Request Example#

```json
{
    "method": "get",
    "params": [{
        "url": "/eventmgmt/adom/root/alerts",
        "apiver": 3,
        "filter": "triggername=\"Default-Malicious-Code-Detection-By-Endpoint\"",
        "limit": 100,
        "offset": 0,
        "time-range": {
            "start": "2025-11-10 00:00",
            "end": "2025-11-10 23:59"
        }
    }],
    "session": "{{session_id}}",
    "id": 1
}
```

Response Example#

```json
{
    "result": [{
        "data": {
            "alerts": [
                {
                    "triggername": "Default-Malicious-Code-Detection-By-Endpoint",
                    "severity": "critical",
                    "endpoint": "WORKSTATION-01",
                    "threat": "Trojan.Generic",
                    "user": "jdoe",
                    "timestamp": "2025-11-10 14:32:15"
                }
            ]
        },
        "status": {
            "code": 0,
            "message": "OK"
        }
    }]
}
```

Complete Python Example#

```python
import requests
import urllib3

# The example talks to a lab appliance with a self-signed certificate; without this,
# requests would print an InsecureRequestWarning on every call made with verify=False.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def get_malicious_events_by_endpoint(session_id, adom, start_time, end_time, limit=100):
    """Get malicious code detection events by endpoint.

    Queries /eventmgmt/adom/{adom}/alerts for alerts raised by the
    Default-Malicious-Code-Detection-By-Endpoint handler inside the given time range.
    """
    url = "https://faz.example.com/jsonrpc"

    payload = {
        "method": "get",
        "params": [{
            "url": f"/eventmgmt/adom/{adom}/alerts",
            "apiver": 3,
            "filter": 'triggername="Default-Malicious-Code-Detection-By-Endpoint"',
            "limit": limit,
            "offset": 0,
            "time-range": {
                "start": start_time,
                "end": end_time
            }
        }],
        "session": session_id,
        "id": 1
    }

    # verify=False skips TLS certificate validation; outside a lab, point verify at the
    # CA bundle that issued the FortiAnalyzer certificate instead.
    response = requests.post(url, json=payload, verify=False, timeout=30)
    response.raise_for_status()  # surface HTTP-level failures before parsing JSON
    result = response.json()

    status = result['result'][0]['status']
    if status['code'] == 0:
        return result['result'][0]['data']
    raise Exception(f"API error: {status['message']}")


# Example
alerts = get_malicious_events_by_endpoint(
    session_id="your_session_id",
    adom="root",
    start_time="2025-11-10 00:00",
    end_time="2025-11-10 23:59"
)

print(f"Total Malicious Event Alerts: {len(alerts.get('alerts', []))}")
```
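The example above fetches a single page of at most `limit` alerts. As an added example (not code from the page or from Fortinet), the following pages through the same query with `offset`/`limit` and rolls the results up per endpoint for triage; it takes the HTTP transport as a callable so it runs offline against constructed sample alerts (hypothetical hosts, users and threat names). Stopping on a short page, the `max_pages` cap and the `fake_post` stub are assumptions, not behaviour documented on the page.

```python
from collections import defaultdict

TRIGGER = "Default-Malicious-Code-Detection-By-Endpoint"

def build_request(session_id, adom, start, end, offset=0, limit=100, req_id=1):
    """JSON-RPC body for one page of the endpoint malware alert query (fields as on the page)."""
    params = {"url": f"/eventmgmt/adom/{adom}/alerts", "apiver": 3,
              "filter": f'triggername="{TRIGGER}"', "limit": limit, "offset": offset,
              "time-range": {"start": start, "end": end}}
    return {"method": "get", "params": [params], "session": session_id, "id": req_id}

def fetch_all_alerts(post, session_id, adom, start, end, page_size=100, max_pages=1000):
    """Walk offset/limit pages; `post(body)` sends one request and returns the parsed reply."""
    alerts, offset = [], 0
    for page_no in range(1, max_pages + 1):  # cap is an assumption: guards against a server that ignores offset
        reply = post(build_request(session_id, adom, start, end, offset, page_size, page_no))
        res = reply["result"][0]
        if res["status"]["code"] != 0:
            raise RuntimeError(f"API error: {res['status']['message']}")
        page = res["data"].get("alerts", [])
        alerts.extend(page)
        if len(page) < page_size:  # short page: assumed to mean nothing left to fetch
            break
        offset += page_size
    return alerts

def summarize_by_endpoint(alerts):
    """Per-endpoint rollup for triage: detection count, critical count, distinct threats and users."""
    out = defaultdict(lambda: {"count": 0, "critical": 0, "threats": set(), "users": set()})
    for a in alerts:
        s = out[a.get("endpoint", "unknown")]
        s["count"] += 1
        s["critical"] += int(a.get("severity") == "critical")
        s["threats"].add(a.get("threat", "unknown"))
        s["users"].add(a.get("user", "unknown"))
    return dict(out)

# Constructed sample alerts standing in for FortiAnalyzer output (hypothetical hosts, users, threats).
SAMPLE_ALERTS = [
    {"triggername": TRIGGER, "severity": "critical", "endpoint": "WORKSTATION-01", "threat": "Trojan.Generic", "user": "jdoe", "timestamp": "2025-11-10 14:32:15"},
    {"triggername": TRIGGER, "severity": "high", "endpoint": "WORKSTATION-01", "threat": "PUA.Miner", "user": "jdoe", "timestamp": "2025-11-10 15:01:02"},
    {"triggername": TRIGGER, "severity": "critical", "endpoint": "LAPTOP-07", "threat": "Trojan.Generic", "user": "asmith", "timestamp": "2025-11-10 16:40:11"},
]

def fake_post(body):
    """Offline stand-in for requests.post(url, json=body, verify=True).json(): pages SAMPLE_ALERTS."""
    p = body["params"][0]
    page = SAMPLE_ALERTS[p["offset"]:p["offset"] + p["limit"]]
    return {"result": [{"data": {"alerts": page}, "status": {"code": 0, "message": "OK"}}]}
```

Against a live appliance, pass `lambda body: requests.post(url, json=body, verify=True, timeout=30).json()` as `post` in place of `fake_post`.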