How IOC works
IOC (Indicators of Compromise) detects compromised client hosts (endpoints) by comparing the IP, domain, and URL visited against the TIDB package, downloaded daily from FortiGuard. Compromised hosts are listed in FortiView in a table or map style, and drilling down on a compromised endpoint displays the details of detected threats.
- The TIDB package contains a blacklist which is made up of IPs, domains and URLs, and a suspicious URL list (also called Crowdsource URLs). Only suspicious URLs have a score rating in the TIDB package. Once a URL is included in the blacklist, the suspicious score rating is no longer performed.
- Once a new TIDB package has been downloaded by FortiAnalyzer, the previous package becomes obsolete.
- The blacklist statistics by endpoint are updated in near realtime (ASAP), and suspicious rating statistics by endpoint are updated on a half-hour schedule.
- The IOC inspection is performed on a daily cycle because the updated FortiGuard TIDB package is received daily. At the end of the day, the IOC endpoint summary is fixed and will not receive additional changes, and a new summary will be created for the next day.
- Currently, only FortiGate Web Filter, DNS, and traffic logs are inspected.
- The IOC module requires a license. Without a license, only demo TIDB packages are loaded into the FortiAnalyzer image, and no updated package from FortiGuard is used in the IOC function.
- When a threat is detected, FortiAnalyzer sends a notification to the FortiGate via REST API. The FortiGate can be configured to take automatic action against detected threats.
- IOC threat detection can be performed in both realtime and rescan mode. Realtime detection monitors new incoming logs, whereas rescan mode checks historical logs against the new blacklist once an updated TIDB package is available. Rescan mode does not check historical logs against the suspicious list. Realtime detection is always enabled, and IOC rescan can be enabled or disabled.
Understanding suspicious list detection
The suspicious list is crowdsourced each day by FortiGuard AI from millions of global endpoint devices. The list is comprised of IPs, URLs, and domains that have a low reputation, usually because they are questionable websites.
The TIDB package includes threat ranking scores which FortiAnalyzer normalizes using its internal logic. When an endpoint visits a site that matches one included in the suspicious list, the score is deposited into the “reputation account” for that endpoint. The total normalized score is then used to determine a verdict for the endpoint. The higher the score, the higher the confidence.
When a new TIDB package becomes available, the process to determine a verdict begins again. FortiAnalyzer processes logs for all monitored endpoints against the new TIDB and will determine a verdict for each endpoint based on their new normalized score.
Endpoints that visit suspicious sites on an infrequent basis are at a low risk for compromise and are not included in the Compromised Host watch list. The FortiAnalyzer IOC engine continues to monitor these endpoints until it has enough confidence to produce a verdict, at which point they are given the verdict Low Suspicious and are added to the watch list.
Endpoints that regularly visit suspicious sites are at a higher risk for infection or may already be infected with zero-day malware. These endpoints are assigned a verdict and are added to the Compromised Host watch list.
Suspicious verdicts include:
- High suspicious (high confidence)
- Medium suspicious (medium confidence)
- Low suspicious (low confidence)
In the example below, an endpoint visits multiple sites included in the suspicious list, and as a result, has its verdict changed from Low suspicious to Medium suspicious. The data included in this example is purely hypothetical for the purpose of illustration.
Activity time stamp
Suspicious site visited by endpoint
Ranking of suspicious site
Suspicious score of endpoint
FortiAnalyzer IOC verdict
|Time stamp 1||suspicious-url-1||60||60||
|Time stamp 2||suspicious-ip-2||100||160||
|Time stamp 3||suspicious-domain-3||40||200||
The specific algorithm used for the decision to change the verdict of an endpoint is internal to FortiAnalyzer.
Viewing IOC licenses and TIDB package downloads
To check the license downloaded from FortiGuard in the CLI:
diagnose fmupdate dbcontract fds FL-1KE3R16000271 [SERIAL_NO] AccountID: Industry: Company: Contract: 1 PBDS-1-99-20250104 Contract Raw Data: Contract=PBDS-1-99-20250104:0:1:1:0
In the output, PBDS is the IOC license.
To check the IOC package in the CLI:
diagnose fmupdate fds-getobject FAZ object version information ObjectId Description Version Size Created Date Time --------------------------------------------------------------------------------------------------- ... 00001000TIDB00100 ThreatIntel DB 00000.01052 34 MB 19/04/14 20:10 ext_desc:ThreatIntel DB 00001000TIDB00100 ThreatIntel DB 00000.01053 37 MB 19/04/16 04:13 <latest> ext_desc:ThreatIntel DB ...
FortiAnalyzer periodically syncs its own IOC TIDB files to the version of IOC package downloaded by fmupdate. This is performed on a one hour schedule.
To check the license and TIDB version used by FortiAnalyzer in the CLI:
diagnose test application sqllogd 204 stats License of post breach detection installed. License expiration : 2025-Jan-04 TIDB version : 00000.01017-1902242107 TIDB load time : 2019-02-24 14:11:2
Configuring FortiGate to FortiAnalyzer REST API authentication
FortiGate to FortiAnalyzer REST API authentication allows the FortiAnalyzer to send IOC alerts and trigger configured automation rules, if configured.
To configure REST API authentication:
- Go to the Device Manager in the FortiAnalyzer.
- Edit the FortiGate device to set the FortiGate super admin username and password.
This is the only way to configure REST API authentication prior to 6.2.
Alternatively, when configuring logging to FortiAnalyzer on FortiGate, you can go to Security Fabric > Settings and enable Allow access to FortiGate REST API and Trust FortiAnalyzer by serial number.
Throttling IOC alerts
To avoid flooding FortiGate with event alerts, you can configure a throttle which allows only one alert to be sent within a set period of time for the same endpoint.
The default time period is one day (1440 minutes).
To set an IOC alert throttle in the CLI:
config system log ioc (ioc)# set notification Disable/Enable Ioc notification. notification-throttle Minute value for throttling the rate of IoC notifications. (ioc)# get notification : enable notification-throttle: 1440
Debugging IOC notifications
Check for the FortiGate system event: IOC detected by FortiAnalyzer.
If the system event is not present, check FortiAnalyzer's OFTP debug or FortiGate's httpsd debug for the same message.