Search Malware Logs - External Malware List#
Search for malware detections based on external threat intelligence lists.
✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview#
This example shows how to search for malware detections that originate from external malware lists and threat feeds. It is useful for:
Monitoring threats from external threat intelligence
Tracking malware from FortiGuard threat feeds
Investigating known malicious file hashes
Security operations center (SOC) threat hunting
Integration with threat intelligence platforms
This operation uses the two-step asynchronous pattern. See the LogView Search Overview for complete workflow details.
Endpoint Details#
Method: POST
URL: /jsonrpc
API Path (Step 1): /logview/adom/{adom}/logsearch
API Path (Step 2): /logview/adom/{adom}/logsearch/{tid}
Step 1: Submit Search Request#
{
"method": "add",
"params": [{
"url": "/logview/adom/root/logsearch",
"data": {
"logtype": "virus",
"time-range": {
"start": "2025-11-09 00:00:00",
"end": "2025-11-09 23:59:59"
}
}
}],
"session": "{{session_id}}",
"id": 1
}
{
"result": [{
"data": {
"tid": 12350
},
"status": {
"code": 0,
"message": "OK"
}
}]
}
Step 2: Fetch Results#
{
"method": "get",
"params": [{
"url": "/logview/adom/root/logsearch/12350",
"data": {
"limit": 100,
"offset": 0
}
}],
"session": "{{session_id}}",
"id": 2
}
{
"result": [{
"data": {
"tid": 12350,
"status": "done",
"percentage": 100,
"total_lines": 8,
"logs": [
{
"date": "2025-11-09",
"time": "15:42:10",
"devname": "FGT-01",
"srcip": "10.0.1.85",
"virus": "Malware.Generic",
"action": "blocked",
"filename": "threat.bin"
}
]
},
"status": {
"code": 0,
"message": "OK"
}
}]
}
Complete Python Example#
import requests
import urllib3
import time
# Silence the InsecureRequestWarning that urllib3 raises on every request made
# with verify=False (as the example below does). Suppressing the warning does
# not make the connection any safer; it only hides the reminder.
urllib3.disable_warnings(category=urllib3.exceptions.InsecureRequestWarning)
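def search_external_malware(session_id, adom, time_range, filter_expr=None,
                            base_url="https://faz.example.com/jsonrpc",
                            limit=100, offset=0, poll_interval=2,
                            max_wait=300, request_timeout=30, verify=False):
    """
    Search for external malware list detections.

    Runs the two-step asynchronous LogView pattern: submit a ``virus`` log
    search (step 1), then poll the returned task id until FortiAnalyzer
    reports it finished (step 2) and return the matching log lines.

    Args:
        session_id: Active session ID
        adom: ADOM name
        time_range: Time range dict with ``start`` and ``end`` keys
        filter_expr: Optional filter expression
        base_url: FortiAnalyzer JSON-RPC endpoint
        limit: Maximum number of log lines to fetch in step 2
        offset: Result offset for paging in step 2
        poll_interval: Seconds to wait between status polls
        max_wait: Seconds to wait for the search to finish before giving up
        request_timeout: Per-request timeout (seconds) passed to ``requests``
        verify: TLS verification passed to ``requests``. ``False`` (the
            original example's behaviour) disables certificate checking and
            exposes the session ID to interception; pass ``True`` or a CA
            bundle path for anything other than a lab appliance.

    Returns:
        list: External malware detection logs

    Raises:
        RuntimeError: if the API reports a non-zero status code or the
            search does not finish within ``max_wait`` seconds.
        requests.HTTPError: on a non-2xx HTTP response.
    """

    def _rpc(method, url_path, data=None, req_id=1):
        """POST one JSON-RPC call and return its first ``result`` entry."""
        params = {"url": url_path}
        if data is not None:
            params["data"] = data
        payload = {
            "method": method,
            "params": [params],
            "session": session_id,
            "id": req_id,
        }
        response = requests.post(base_url, json=payload,
                                 timeout=request_timeout, verify=verify)
        response.raise_for_status()
        entry = response.json()["result"][0]
        # The original only checked the status of step 1; a failed step 2
        # would have surfaced as a KeyError on the missing "data" key.
        status = entry.get("status", {})
        if status.get("code", 0) != 0:
            raise RuntimeError(
                f"{method} {url_path} failed: "
                f"{status.get('message', 'unknown error')}"
            )
        return entry

    payload_data = {
        "logtype": "virus",
        "time-range": time_range,
    }
    if filter_expr:
        payload_data["filter"] = filter_expr

    # Step 1: submit the search and obtain the task id.
    submit = _rpc("add", f"/logview/adom/{adom}/logsearch", payload_data, req_id=1)
    tid = submit["data"]["tid"]
    print(f"✓ Search submitted. TID: {tid}")

    # Step 2: poll until done. A deadline prevents an unbounded loop if the
    # task never reaches "done" (the original looped forever).
    deadline = time.monotonic() + max_wait
    while True:
        poll = _rpc(
            "get",
            f"/logview/adom/{adom}/logsearch/{tid}",
            {"limit": limit, "offset": offset},
            req_id=2,
        )
        data = poll["data"]
        if data["status"] == "done" and data["percentage"] == 100:
            print(f"✓ Found {data['total_lines']} detections")
            return data.get("logs", [])
        if time.monotonic() >= deadline:
            raise RuntimeError(f"Search {tid} did not finish within {max_wait}s")
        time.sleep(poll_interval)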