When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.
If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.
If a match is found in the suspicious list, then FortiAnalyzer flags the endpoint for further analysis.
In the analysis, FortiAnalyzer compares the flagged log entries with the endpoint's previous statistics for the same day and then updates the score.
If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.
When an endpoint is displayed in Compromised Hosts, all the suspicious logs that contributed to the score are listed.
When the database is rebuilt, all log entries are reinserted and rescanned.
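
The flow described above can be modelled in a few lines. This is an added illustration, not FortiAnalyzer code: the indicators, weights, threshold, log fields and the "Score over threshold" label are assumptions, since the page does not describe how FortiAnalyzer computes the score.

```python
from collections import defaultdict

# Constructed sample threat data; indicators, weights and threshold are assumptions.
BLACKLIST = {"203.0.113.10"}
SUSPICIOUS = {"suspicious.example": 40, "198.51.100.7": 35}  # indicator -> weight
THRESHOLD = 60

class IocScanner:
    def __init__(self):
        self.reset()

    def reset(self):
        self.scores = defaultdict(int)     # (endpoint, day) -> running score
        self.evidence = defaultdict(list)  # (endpoint, day) -> contributing logs
        self.compromised = {}              # endpoint -> reason it is listed

    def insert(self, log):
        """Scan one log entry at insert time."""
        ep, day, dst = log["endpoint"], log["day"], log["dst"]
        if dst in BLACKLIST:               # blacklist match: immediate verdict
            self.evidence[(ep, day)].append(log)
            self.compromised[ep] = "Infected"
        elif dst in SUSPICIOUS:            # suspicious match: update the day's score
            self.evidence[(ep, day)].append(log)
            self.scores[(ep, day)] += SUSPICIOUS[dst]
            if self.scores[(ep, day)] > THRESHOLD:
                # Hypothetical label; never downgrades an existing "Infected".
                self.compromised.setdefault(ep, "Score over threshold")

    def rebuild(self, logs):
        """Database rebuild: discard state, reinsert and rescan every log."""
        self.reset()
        for log in logs:
            self.insert(log)
        return dict(self.compromised)

LOGS = [  # constructed sample log entries
    {"endpoint": "10.0.0.5", "day": "2024-05-01", "dst": "suspicious.example"},
    {"endpoint": "10.0.0.5", "day": "2024-05-01", "dst": "198.51.100.7"},  # 75 > 60
    {"endpoint": "10.0.0.6", "day": "2024-05-01", "dst": "suspicious.example"},
    {"endpoint": "10.0.0.6", "day": "2024-05-02", "dst": "198.51.100.7"},  # 40 and 35
    {"endpoint": "10.0.0.7", "day": "2024-05-01", "dst": "203.0.113.10"},  # blacklist
    {"endpoint": "10.0.0.8", "day": "2024-05-01", "dst": "192.0.2.1"},     # no match
]

def scan_all(logs):
    scanner = IocScanner()
    for log in logs:
        scanner.insert(log)
    return scanner
```

In this model, endpoint 10.0.0.6 stays off the list because its two suspicious hits fall on different days and neither day's score passes the threshold.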