
Administration Guide

Managing an IOC rescan policy

The indicators of compromise (IOC) scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.

Note

Requirements for managing an IOC rescan policy:

  • This feature requires a valid IOC license. The rescan options will not be available in the GUI or CLI without a license.
  • The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.
To configure rescan settings and check rescan results:
  1. Go to SOC > FortiView > Threats > Compromised Hosts.
  2. From the Tools menu on the right side of the toolbar, select Edit Rescan Configuration.
    The Edit IOC Rescan Policy Settings window opens.

    Screenshot displaying the IOC rescan policy settings.

  3. Under IOC Rescan Global Settings:
    1. Enable Global IOC Rescan.
    2. Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
  4. Under IOC Rescan Current ADOM Settings:
    1. Enable Current ADOM IOC Rescan.
    2. Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
    3. Set the number of previous days' logs that are scanned.

    By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.

  5. All tasks are shown in the Rescan tasks table, which includes:
    • The start and end time of each task.
    • The status of the task (complete, running, etc.).
    • How complete a task is, as a percentage.
    • The total number of scanned logs and the threat count (the number of logs with threats) for each task.
    • The IOC package update time.
    • A count of the new threats that were added in this update.

    Running tasks can be canceled by clicking the Cancel button in the Status column.

    Screenshot displaying the populated rescan tasks table.

  6. Select a non-zero threat count in the Rescan tasks table to drill down into that scan task's details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.

    Screenshot displaying specific scan task details.

  7. Click Back to return to the settings window.
  8. Click OK to return to the compromised hosts list.
  9. In the compromised hosts list, a rescan icon is shown in the Last Detected column if any threats were found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.

    Screenshot displaying list of rescanned compromised hosts
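The following is an added, constructed model of what a rescan task does behind the settings above; it is not FortiAnalyzer code and does not use any Fortinet API. It re-evaluates a window of DNS, Web Filter and Traffic log entries against a newly received IOC package, counts new indicators relative to the previous package, and produces the fields the Rescan tasks table and its drill-down show (scanned logs, threat count, Detect Pattern, Threat Type, Threat Name, # of Events, Endpoint). The log entries, the two IOC packages, and the `recommended_max_days` heuristic (a throughput-based estimate that falls back to 30 days with no scan history) are assumptions made for the example; Fortinet's actual calculation is not documented on this page.

```python
"""Constructed model of a retroactive IOC rescan (not FortiAnalyzer code).

A rescan takes a newly received IOC package and re-evaluates the last N days
of DNS, Web Filter and Traffic logs against it, then reports what the
Rescan tasks table shows: logs scanned, threat count, new threats in this
package update, and a per-endpoint drill-down.
"""
from collections import Counter
from datetime import datetime, timedelta

# Constructed IOC packages: indicator -> (threat type, threat name).
OLD_PACKAGE = {
    "bad-update.example": ("Malware", "Example.Dropper"),
}
NEW_PACKAGE = {
    "bad-update.example": ("Malware", "Example.Dropper"),
    "c2.example.net": ("Botnet", "Example.C2"),
    "198.51.100.23": ("Botnet", "Example.C2"),   # documentation (TEST-NET-2) address
}

# Constructed log entries: (timestamp, log type, endpoint, indicator observed).
NOW = datetime(2024, 6, 1, 12, 0, 0)
LOGS = [
    (NOW - timedelta(days=1),  "dns",       "10.0.0.5", "c2.example.net"),
    (NOW - timedelta(days=3),  "webfilter", "10.0.0.7", "bad-update.example"),
    (NOW - timedelta(days=5),  "traffic",   "10.0.0.5", "198.51.100.23"),
    (NOW - timedelta(days=9),  "dns",       "10.0.0.9", "www.example.org"),
    (NOW - timedelta(days=20), "dns",       "10.0.0.5", "c2.example.net"),  # beyond 14 days
]

DEFAULT_LOG_TYPES = ("dns", "webfilter", "traffic")   # all log types selected by default
DEFAULT_DAYS = 14                                     # default look-back window
FALLBACK_MAX_DAYS = 30                                # used when no scan history exists


def new_threats(old_package, new_package):
    """Indicators present in the new package but absent from the previous one."""
    return sorted(set(new_package) - set(old_package))


def recommended_max_days(history, logs_per_day, budget_seconds=3600):
    """Assumed heuristic, not Fortinet's formula: how many days of logs can be
    rescanned within budget_seconds at the throughput observed in earlier tasks
    (history = [(logs scanned, elapsed seconds), ...]); 30 days with no history."""
    total_logs = sum(n for n, _ in history)
    total_secs = sum(s for _, s in history)
    if not history or total_logs == 0 or total_secs <= 0 or logs_per_day <= 0:
        return FALLBACK_MAX_DAYS
    logs_per_second = total_logs / total_secs
    return max(1, int(budget_seconds * logs_per_second // logs_per_day))


def rescan(logs, package, now, days=DEFAULT_DAYS, log_types=DEFAULT_LOG_TYPES,
           previous_package=None):
    """Re-evaluate the selected log types from the last `days` days against
    `package` and return one task record shaped like the Rescan tasks table."""
    window_start = now - timedelta(days=days)
    scanned = 0
    hits = []   # (detect pattern, threat type, threat name, endpoint)
    for ts, log_type, endpoint, indicator in logs:
        if log_type not in log_types or ts < window_start:
            continue
        scanned += 1
        match = package.get(indicator)
        if match is not None:
            hits.append((indicator, match[0], match[1], endpoint))
    # Drill-down rows: one per (pattern, type, name, endpoint) with an event count.
    details = [
        {"detect_pattern": p, "threat_type": t, "threat_name": n,
         "events": count, "endpoint": e}
        for (p, t, n, e), count in sorted(Counter(hits).items())
    ]
    return {
        "status": "complete",
        "scanned_logs": scanned,
        "threat_count": len(hits),
        "new_threats": len(new_threats(previous_package or {}, package)),
        "details": details,
        "endpoints": sorted({h[3] for h in hits}),   # hosts that get the rescan icon
    }


if __name__ == "__main__":
    task = rescan(LOGS, NEW_PACKAGE, NOW, previous_package=OLD_PACKAGE)
    print(f"scanned={task['scanned_logs']} threats={task['threat_count']} "
          f"new={task['new_threats']} endpoints={task['endpoints']}")
    for row in task["details"]:
        print(row)
    print("recommended max days:", recommended_max_days([(3_600_000, 3600)], 100_000))
```

With the 14-day default the entry from 20 days ago is never evaluated even though it matches the new package; widening the window to 30 days surfaces it as a second event for the same endpoint. That is the trade-off the scan-days setting controls: a longer window finds older compromise but costs scan time, which is why the recommended maximum is tied to observed scan speed.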
