Search Malware Logs - Outbreak Prevention#
Search for malware outbreak prevention events detected by FortiGate AntiVirus.
✅ All code examples tested: Verified against FortiAnalyzer v7.4.8, v7.6.4, v8.0.0.
Overview#
This example shows how to search virus/malware logs specifically for outbreak prevention events - useful for:
Monitoring malware outbreak detection and prevention
Investigating potential malware incidents
Tracking mass malware distribution attempts
Security incident response for outbreaks
Compliance reporting on malware threats
This operation uses the two-step asynchronous pattern. See the LogView Search Overview for complete workflow details.
Endpoint Details#
Method: POST
URL: /jsonrpc
API Path (Step 1): /logview/adom/{adom}/logsearch
API Path (Step 2): /logview/adom/{adom}/logsearch/{tid}
Step 1: Submit Search Request#
Key Parameters#
| Parameter | Type | Required | Description |
|---|---|---|---|
| `adom` | string | Yes | ADOM name (e.g., "root") |
| `logtype` | string | Yes | Must be `virus` |
| `filter` | string | Yes | Must include `eventtype="outbreak-prevention"` |
| `time-range` | object | Yes | Time range for search |
Filter Examples#
Basic Outbreak Prevention:
eventtype="outbreak-prevention"
By Malware Name:
eventtype="outbreak-prevention" and virus contains "wannacry"
By Source IP:
eventtype="outbreak-prevention" and srcip==10.0.1.50
By Action Taken:
eventtype="outbreak-prevention" and action=blocked
{
"method": "add",
"params": [{
"url": "/logview/adom/root/logsearch",
"data": {
"logtype": "virus",
"filter": "eventtype=\"outbreak-prevention\"",
"time-range": {
"start": "2025-11-09 00:00:00",
"end": "2025-11-09 23:59:59"
}
}
}],
"session": "{{session_id}}",
"id": 1
}
{
"result": [{
"data": {
"tid": 12347
},
"status": {
"code": 0,
"message": "OK"
}
}]
}
Step 2: Fetch Results#
{
"method": "get",
"params": [{
"url": "/logview/adom/root/logsearch/12347",
"data": {
"limit": 100,
"offset": 0
}
}],
"session": "{{session_id}}",
"id": 2
}
{
"result": [{
"data": {
"tid": 12347,
"status": "done",
"percentage": 100,
"total_lines": 15,
"logs": [
{
"date": "2025-11-09",
"time": "11:42:18",
"devname": "FGT-01",
"eventtype": "outbreak-prevention",
"srcip": "10.0.1.50",
"dstip": "203.0.113.45",
"virus": "W32/Conficker.worm",
"action": "blocked",
"filename": "infected.exe",
"profile": "default",
"user": "jdoe"
}
]
},
"status": {
"code": 0,
"message": "OK"
}
}]
}
Complete Python Example#
import requests
import urllib3
import time
# Silences the InsecureRequestWarning that urllib3 emits on every request made
# with verify=False (as the example function below does). That warning is the
# only runtime signal that TLS certificate verification is switched off, so
# when hardening this example prefer verify=True (or a CA-bundle path) and
# drop this line rather than keeping the warning suppressed.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
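def search_outbreak_prevention(session_id, adom, time_range, additional_filter=None,
                               *, base_url="https://faz.example.com", verify=True,
                               timeout=30, poll_interval=2):
    """
    Search for malware outbreak prevention events.

    Uses the two-step asynchronous LogView pattern: submit the search
    (``add``), then poll the returned task id (``get``) until the status
    is ``done`` at 100%.

    Args:
        session_id: Active session ID
        adom: ADOM name
        time_range: Time range dict, sent as-is in the "time-range" field
        additional_filter: Optional additional filter criteria. It is
            appended verbatim to the base filter with " and ", so it must
            be a trusted, well-formed FortiAnalyzer filter fragment; do not
            splice unvalidated user input into it.
        base_url: Scheme and host of the FortiAnalyzer; "/jsonrpc" is appended
        verify: TLS certificate verification passed to requests. Keep True,
            or pass a CA-bundle path for a private CA; False disables
            verification entirely.
        timeout: Per-request timeout in seconds, so a hung connection
            cannot block the poll loop forever
        poll_interval: Seconds to sleep between status polls

    Returns:
        list: Malware outbreak prevention log entries (empty list if none)

    Raises:
        Exception: if the submit or a poll response reports a non-zero
            status code
        requests.exceptions.RequestException: on HTTP or transport errors
    """
    url = f"{base_url}/jsonrpc"

    # Build filter
    filter_expr = 'eventtype="outbreak-prevention"'
    if additional_filter:
        filter_expr += f" and {additional_filter}"

    def _call(method, params_url, data=None, req_id=1):
        """POST one JSON-RPC request and return its first result entry.

        Raises if the HTTP status is an error or the API status code is
        non-zero, so callers never index into a missing "data" key.
        """
        params = {"url": params_url}
        if data is not None:
            params["data"] = data
        payload = {
            "method": method,
            "params": [params],
            "session": session_id,
            "id": req_id,
        }
        response = requests.post(url, json=payload, verify=verify, timeout=timeout)
        response.raise_for_status()
        entry = response.json()['result'][0]
        if entry['status']['code'] != 0:
            raise Exception(f"Search failed: {entry['status']['message']}")
        return entry

    # Step 1: Submit search
    submit = _call("add", f"/logview/adom/{adom}/logsearch", {
        "logtype": "virus",
        "filter": filter_expr,
        "time-range": time_range,
    })
    tid = submit['data']['tid']
    print(f"✓ Outbreak search submitted. TID: {tid}")

    # Step 2: Poll and fetch.
    # Unlike the Step 2 JSON example above, no limit/offset is sent here.
    while True:
        data = _call("get", f"/logview/adom/{adom}/logsearch/{tid}", req_id=2)['data']
        if data['status'] == 'done' and data['percentage'] == 100:
            print(f"✓ Found {data['total_lines']} outbreak events")
            return data.get('logs', [])
        print(f" Status: {data['percentage']}%")
        time.sleep(poll_interval)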
# Example: Search for all outbreak prevention events (positional arguments
# follow the function's parameter order: session_id, adom, time_range)
logs = search_outbreak_prevention("your_session_id", "root", {"last-n-hours": 24})

# Display results, one line per log entry
for entry in logs:
    malware = entry.get('virus', 'Unknown')
    line = f"{entry['time']} | {entry['srcip']} -> {entry['dstip']} | "
    line += f"Malware: {malware} | Action: {entry['action']}"
    print(line)
Use Cases#
Monitor All Outbreak Events#
# Find all outbreak prevention events in last 24 hours; no extra filter is
# applied, so only the base eventtype="outbreak-prevention" filter is used
logs = search_outbreak_prevention(session, "root", {"last-n-hours": 24})
Investigate Specific Malware#
# Search for specific malware outbreak over the last two days; the extra
# criterion is appended to the base filter with " and "
malware_filter = 'virus contains "wannacry"'
logs = search_outbreak_prevention(session, "root", {"last-n-hours": 48}, malware_filter)
Track by Source#
# Find outbreak events from specific IP (source address of the detection)
source_filter = "srcip==10.0.1.50"
logs = search_outbreak_prevention(session, "root", {"last-n-hours": 24}, source_filter)