Search Attack Logs - Botnet Detection#

Search for botnet-related attack logs and command & control (C2) communications.

✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.

Overview#

This example shows how to search IPS logs for botnet detection events - useful for:

  • Detecting botnet C2 communications

  • Identifying compromised hosts

  • Tracking botnet activity patterns

  • Incident response for infected devices

  • Compliance and security reporting

This operation uses the two-step asynchronous pattern. See the LogView Search Overview for complete workflow details.

Endpoint Details#

  • Method: POST

  • URL: /jsonrpc

  • API Path (Step 1): /logview/adom/{adom}/logsearch

  • API Path (Step 2): /logview/adom/{adom}/logsearch/{tid}

Step 1: Submit Search Request#

Request:

```json
{
    "method": "add",
    "params": [{
        "url": "/logview/adom/root/logsearch",
        "data": {
            "logtype": "attack",
            "filter": "attack contains \"botnet\"",
            "time-range": {
                "start": "2025-11-09 00:00:00",
                "end": "2025-11-09 23:59:59"
            }
        }
    }],
    "session": "{{session_id}}",
    "id": 1
}
```

Response (the task id `tid` is used in Step 2):

```json
{
    "result": [{
        "data": {
            "tid": 12351
        },
        "status": {
            "code": 0,
            "message": "OK"
        }
    }]
}
```

Step 2: Fetch Results#

Request:

```json
{
    "method": "get",
    "params": [{
        "url": "/logview/adom/root/logsearch/12351",
        "data": {
            "limit": 100,
            "offset": 0
        }
    }],
    "session": "{{session_id}}",
    "id": 2
}
```

Response:

```json
{
    "result": [{
        "data": {
            "tid": 12351,
            "status": "done",
            "percentage": 100,
            "total_lines": 12,
            "logs": [
                {
                    "date": "2025-11-09",
                    "time": "17:05:23",
                    "devname": "FGT-01",
                    "srcip": "10.0.1.150",
                    "dstip": "198.51.100.45",
                    "attack": "Botnet.CnC.Connection",
                    "action": "dropped",
                    "severity": "high"
                }
            ]
        },
        "status": {
            "code": 0,
            "message": "OK"
        }
    }]
}
```

Complete Python Example#

```python
import requests
import urllib3
import time

# Silences the warning for a self-signed appliance certificate in a lab setup.
# In production, pass the FortiAnalyzer CA bundle via verify= instead of disabling checks.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def search_botnet_logs(session_id, adom, time_range, limit=100, timeout=300):
    """Search IPS (attack) logs for botnet events and return the matching records."""
    url = "https://faz.example.com/jsonrpc"

    # Step 1: submit the search; the response only carries a task id (tid)
    payload = {
        "method": "add",
        "params": [{
            "url": f"/logview/adom/{adom}/logsearch",
            "data": {
                "logtype": "attack",
                "filter": 'attack contains "botnet"',
                "time-range": time_range
            }
        }],
        "session": session_id,
        "id": 1
    }

    response = requests.post(url, json=payload, verify=False)
    result = response.json()['result'][0]
    if result['status']['code'] != 0:
        raise RuntimeError(f"Search submit failed: {result['status']['message']}")
    tid = result['data']['tid']
    print(f"✓ Botnet search submitted. TID: {tid}")

    # Step 2: poll the task until it reports done, then return the first page of logs
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        response = requests.post(url, json={
            "method": "get",
            "params": [{
                "url": f"/logview/adom/{adom}/logsearch/{tid}",
                "data": {"limit": limit, "offset": 0}
            }],
            "session": session_id,
            "id": 2
        }, verify=False)

        data = response.json()['result'][0]['data']
        if data['status'] == 'done' and data['percentage'] == 100:
            return data.get('logs', [])
        time.sleep(2)

    raise TimeoutError(f"Search {tid} did not finish within {timeout} seconds")
```
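The Overview lists identifying compromised hosts and tracking activity patterns as goals of this search. As an added example (not from this page or Fortinet), the code below pages through a finished search using the `limit`/`offset` and `total_lines` fields shown in Step 2 and then aggregates the records per internal source host. The `fetch` callable is a constructed stand-in for the Step 2 `get` request, and the sample records are constructed in the shape of the response above.

```python
from collections import defaultdict

# Constructed sample: two pages of Step 2 "data" objects, keyed by offset.
SAMPLE_PAGES = {
    0: {"tid": 12351, "status": "done", "percentage": 100, "total_lines": 3,
        "logs": [
            {"date": "2025-11-09", "time": "17:05:23", "devname": "FGT-01",
             "srcip": "10.0.1.150", "dstip": "198.51.100.45",
             "attack": "Botnet.CnC.Connection", "action": "dropped", "severity": "high"},
            {"date": "2025-11-09", "time": "17:06:01", "devname": "FGT-01",
             "srcip": "10.0.1.150", "dstip": "203.0.113.7",
             "attack": "Botnet.CnC.Connection", "action": "detected", "severity": "high"},
        ]},
    2: {"tid": 12351, "status": "done", "percentage": 100, "total_lines": 3,
        "logs": [
            {"date": "2025-11-09", "time": "17:09:44", "devname": "FGT-02",
             "srcip": "10.0.2.20", "dstip": "198.51.100.45",
             "attack": "Botnet.CnC.Connection", "action": "dropped", "severity": "high"},
        ]},
}

def fake_fetch(tid, offset, limit):
    """Stand-in for the Step 2 'get' call; returns the 'data' object for one page."""
    return SAMPLE_PAGES[offset]

def fetch_all_logs(fetch, tid, limit=2):
    """Page through a finished search with limit/offset until total_lines is reached."""
    logs, offset = [], 0
    while True:
        data = fetch(tid, offset, limit)
        page = data.get("logs", [])
        logs.extend(page)
        offset += len(page)
        # Stop on an empty page too, so a short total_lines cannot loop forever
        if not page or offset >= data["total_lines"]:
            return logs

def summarize_by_host(logs):
    """Per source host: hit count, distinct C2 destinations, signatures, and
    how many events were not dropped (i.e. a connection may have succeeded)."""
    hosts = defaultdict(lambda: {"hits": 0, "c2": set(), "signatures": set(), "not_blocked": 0})
    for rec in logs:
        h = hosts[rec["srcip"]]
        h["hits"] += 1
        h["c2"].add(rec["dstip"])
        h["signatures"].add(rec["attack"])
        if rec["action"] != "dropped":
            h["not_blocked"] += 1
    return dict(hosts)
```

Hosts with `not_blocked` greater than zero are the ones to triage first, since the appliance only observed rather than dropped the connection.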