Administration Guide

Indicators of Compromise

IOC (Indicators of Compromise) detects compromised client hosts (endpoints) by comparing the IP addresses, domains, and URLs that endpoints visit against the TIDB (ThreatIntel DB) package, which FortiAnalyzer downloads daily from FortiGuard. Compromised hosts are listed in FortiView in table or map view, and drilling down on a compromised endpoint displays the details of the detected threats.

  • The TIDB package contains a blacklist of IPs, domains, and URLs, and a suspicious URL list (also called Crowdsource URLs). Only entries on the suspicious list carry a score rating in the TIDB package; a blacklist match is treated as a confirmed indicator, and once a URL is included in the blacklist it is no longer scored against the suspicious list.
  • Once FortiAnalyzer has downloaded a new TIDB package, the previous package becomes obsolete.
  • The blacklist statistics per endpoint are updated in near real time, and the suspicious rating statistics per endpoint are updated on a half-hour schedule.
  • IOC inspection runs on a daily cycle because the updated FortiGuard TIDB package is received daily. At the end of the day, the IOC endpoint summary is fixed and receives no further changes; a new summary is created for the next day.
  • Web Filter, DNS, and traffic logs from FortiGate, and email filter logs from FortiMail, are inspected.
  • The IOC module requires a license. Without a license, only the demo TIDB package bundled with the FortiAnalyzer image is loaded, and no updated package from FortiGuard is used by the IOC function.
  • When a threat is detected, FortiAnalyzer sends a notification to the FortiGate through the FortiGate REST API. The FortiGate can be configured to take automatic action against detected threats.
  • IOC threat detection can be performed in both realtime and rescan mode. Realtime detection inspects new logs as they arrive, whereas rescan mode re-checks historical logs against the new blacklist once an updated TIDB package is available. Rescan mode does not check historical logs against the suspicious list. Realtime detection is always enabled; IOC rescan can be enabled or disabled.

Understanding suspicious list detection

The suspicious list is crowdsourced each day by FortiGuard AI from millions of global endpoint devices. It is made up of IPs, URLs, and domains that have a low reputation, usually because they are questionable websites.

The TIDB package includes a threat ranking score for each suspicious-list entry, which FortiAnalyzer normalizes using its internal logic. When an endpoint visits a site that matches a suspicious-list entry, that site's score is added to the endpoint's "reputation account". The total normalized score then determines the verdict for the endpoint: the higher the score, the higher the confidence. When a new TIDB package becomes available, the verdict process starts over. FortiAnalyzer processes the logs of all monitored endpoints against the new TIDB and determines a verdict for each endpoint from its new normalized score.

Endpoints that visit suspicious sites infrequently are at low risk of compromise and are not included in the Compromised Host watch list. The FortiAnalyzer IOC engine continues to monitor these endpoints until it has enough confidence to produce a verdict, at which point they are given the verdict Low suspicious and added to the watch list. Endpoints that regularly visit suspicious sites are at higher risk of infection, or may already be infected with zero-day malware; these endpoints are assigned a verdict and added to the Compromised Host watch list.

Suspicious verdicts include:

  • High suspicious (high confidence)
  • Medium suspicious (medium confidence)
  • Low suspicious (low confidence)

In the example below, an endpoint visits several sites included in the suspicious list, and as a result its verdict changes from Low suspicious to Medium suspicious. The score column is cumulative for the endpoint. The data in this example is purely hypothetical, for the purpose of illustration.

Activity time stamp   Suspicious site visited by endpoint   Ranking of suspicious site   Suspicious score of endpoint (cumulative)   FortiAnalyzer IOC verdict
Time stamp 1          suspicious-url-1                      60                           60                                          Low suspicious
Time stamp 2          suspicious-ip-2                       100                          160                                         Low suspicious
Time stamp 3          suspicious-domain-3                   40                           200                                         Medium suspicious

The specific algorithm used for the decision to change the verdict of an endpoint is internal to FortiAnalyzer.
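
The scoring model above, the blacklist-versus-suspicious distinction, and the realtime-versus-rescan behaviour from the bulleted list can be reproduced in a few dozen lines. The following is an added example, not FortiAnalyzer code: the verdict thresholds (50/200/400), the "Compromised" verdict name for a blacklist hit, the indicator and endpoint names, and the simplified FortiGate-style log lines are all constructed for illustration, chosen so that the endpoint 10.1.1.5 walks through the same 60 / 160 / 200 sequence as the table.

```python
"""Toy model of FortiAnalyzer IOC detection over FortiGate-style logs.

Added example, not FortiAnalyzer code. The blacklist/suspicious split, the
per-endpoint "reputation account" and the realtime/rescan distinction follow
the text; the thresholds, indicator names and log lines are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Hypothetical confidence thresholds on the accumulated score. FortiAnalyzer's
# real normalization and verdict algorithm are internal and not published.
VERDICT_THRESHOLDS = (
    ("High suspicious", 400),
    ("Medium suspicious", 200),
    ("Low suspicious", 50),
)


@dataclass
class Tidb:
    """One daily TIDB package: an unscored blacklist and a scored suspicious list."""
    version: str
    blacklist: Set[str]
    suspicious: Dict[str, int]  # indicator -> ranking score


@dataclass
class Endpoint:
    ip: str
    score: int = 0  # the endpoint's "reputation account"
    blacklist_hits: List[str] = field(default_factory=list)

    def verdict(self) -> Optional[str]:
        # A blacklist match is a confirmed IOC and is never scored as "suspicious".
        if self.blacklist_hits:
            return "Compromised"  # hypothetical name for a blacklist verdict
        for name, minimum in VERDICT_THRESHOLDS:
            if self.score >= minimum:
                return name
        return None  # still monitored, not yet on the Compromised Host watch list


class IocEngine:
    def __init__(self, tidb: Tidb) -> None:
        self.tidb = tidb
        self.endpoints: Dict[str, Endpoint] = {}

    def load_tidb(self, tidb: Tidb) -> None:
        """A new package makes the previous one obsolete and restarts the verdict cycle."""
        self.tidb = tidb
        self.endpoints = {}

    def inspect(self, src_ip: str, indicator: str, rescan: bool = False) -> Optional[str]:
        """Realtime mode scores blacklist and suspicious hits; rescan checks the blacklist only."""
        ep = self.endpoints.setdefault(src_ip, Endpoint(src_ip))
        if indicator in self.tidb.blacklist:
            ep.blacklist_hits.append(indicator)
        elif not rescan and indicator in self.tidb.suspicious:
            ep.score += self.tidb.suspicious[indicator]
        return ep.verdict()


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Parse a FortiGate-style key=value log line; quoted values keep their spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def indicators(rec: Dict[str, str]) -> List[str]:
    """Pull the host, URL, query name or destination IP that is compared against the TIDB."""
    if rec.get("subtype") == "webfilter" and rec.get("hostname"):
        return [rec["hostname"], rec["hostname"] + rec.get("url", "")]
    if rec.get("subtype") == "dns" and rec.get("qname"):
        return [rec["qname"]]
    if rec.get("type") == "traffic" and rec.get("dstip"):
        return [rec["dstip"]]
    return []


def run(engine: IocEngine, lines: List[str], rescan: bool = False) -> Dict[str, Optional[str]]:
    """Feed log lines through the engine and return the current verdict per endpoint."""
    for line in lines:
        rec = parse_log(line)
        for ind in indicators(rec):
            engine.inspect(rec["srcip"], ind, rescan=rescan)
    return {ip: ep.verdict() for ip, ep in engine.endpoints.items()}


# Constructed sample data mirroring the hypothetical table above (simplified
# FortiGate log fields; the IPs are documentation ranges).
SAMPLE_TIDB = Tidb(
    version="00000.01053",
    blacklist={"203.0.113.9"},
    suspicious={"suspicious-url-1.example/x": 60, "192.0.2.2": 100,
                "suspicious-domain-3.example": 40},
)
SAMPLE_LOGS = [
    'type="utm" subtype="webfilter" srcip=10.1.1.5 hostname="suspicious-url-1.example" url="/x"',
    'type="traffic" srcip=10.1.1.5 dstip=192.0.2.2 dstport=443',
    'type="utm" subtype="dns" srcip=10.1.1.5 qname="suspicious-domain-3.example"',
    'type="traffic" srcip=10.1.1.7 dstip=203.0.113.9 dstport=80',
    'type="traffic" srcip=10.1.1.8 dstip=198.51.100.1 dstport=80',
]

if __name__ == "__main__":
    engine = IocEngine(SAMPLE_TIDB)
    print(run(engine, SAMPLE_LOGS))  # 10.1.1.5 -> Medium suspicious, 10.1.1.7 -> Compromised
```

Two behaviours from the text are worth noticing in the output: 10.1.1.7 is flagged on a single blacklist hit without any score, and after `load_tidb()` a `run(..., rescan=True)` over the same logs re-flags 10.1.1.7 but leaves 10.1.1.5 with no verdict, because rescan mode never consults the suspicious list.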

Viewing IOC licenses and TIDB package downloads

To check the license downloaded from FortiGuard in the CLI:
diagnose fmupdate dbcontract fds
FL-1KE3R16000271 [SERIAL_NO]
  AccountID:
  Industry:
  Company:
  Contract:  1
        PBDS-1-99-20250104
  Contract Raw Data:
        Contract=PBDS-1-99-20250104:0:1:1:0

In the output, the PBDS contract is the IOC (post breach detection) license. The contract string also carries the expiry date (20250104 in this example), which should match the license expiration reported by sqllogd below.

To check the IOC package in the CLI:
diagnose fmupdate fds-getobject

FAZ object version information
ObjectId                Description             Version         Size    Created Date Time
---------------------------------------------------------------------------------------------------
...
00001000TIDB00100       ThreatIntel DB          00000.01052     34 MB   19/04/14 20:10          ext_desc:ThreatIntel DB
00001000TIDB00100       ThreatIntel DB          00000.01053     37 MB   19/04/16 04:13 <latest> ext_desc:ThreatIntel DB
...

FortiAnalyzer periodically syncs its own IOC TIDB files to the version of the IOC package downloaded by fmupdate. This sync runs on a one-hour schedule, so the TIDB version reported by the IOC engine can lag the <latest> package shown by fds-getobject by up to an hour.

To check the license and TIDB version used by FortiAnalyzer in the CLI:
diagnose test application sqllogd 204 stats

License of post breach detection installed.
License expiration : 2025-Jan-04
TIDB version : 00000.01017-1902242107
TIDB load time : 2019-02-24 14:11:2

Configuring FortiGate to FortiAnalyzer REST API authentication

FortiGate to FortiAnalyzer REST API authentication allows FortiAnalyzer to send IOC alerts to the FortiGate and trigger any automation rules configured there.

To configure REST API authentication:
  1. In FortiAnalyzer, go to Device Manager.
  2. Edit the FortiGate device and set the FortiGate super admin username and password.
    This is the only way to configure REST API authentication prior to 6.2.

Alternatively, when configuring logging to FortiAnalyzer on the FortiGate, go to Security Fabric > Settings and enable Allow access to FortiGate REST API and Trust FortiAnalyzer by serial number. This method has the FortiGate trust the FortiAnalyzer by its serial number instead of requiring a FortiGate super admin credential to be stored on FortiAnalyzer.

Throttling IOC alerts

To avoid flooding the FortiGate with event alerts, you can configure a throttle that allows only one alert per endpoint to be sent within a set period of time. Repeat detections for the same endpoint inside that window are suppressed, so the full detection history must be read from FortiView rather than from the FortiGate event log.
The default period is one day (1440 minutes).

To set an IOC alert throttle in the CLI:
config system log ioc
(ioc)# set
 notification             Disable/Enable Ioc notification.
 notification-throttle    Minute value for throttling the rate of IoC notifications.

(ioc)# get
notification        : enable
notification-throttle: 1440
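
The effect of `notification` and `notification-throttle` can be modelled as a per-endpoint suppression window. The following is an added example, not FortiAnalyzer code; the detection timestamps and endpoint addresses are constructed, and the class name and method names are hypothetical.

```python
"""Per-endpoint IOC notification throttle (added example, not FortiAnalyzer code).

Models `config system log ioc`: when notification is enabled, at most one alert
per endpoint is sent within any window of notification-throttle minutes.
"""
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Tuple


class IocNotifier:
    def __init__(self, notification: bool = True, throttle_minutes: int = 1440) -> None:
        self.notification = notification
        self.window = timedelta(minutes=throttle_minutes)
        self._last_sent: Dict[str, datetime] = {}  # endpoint -> time of last alert

    def notify(self, endpoint: str, detected_at: datetime) -> bool:
        """Return True if an alert for this endpoint would be sent to the FortiGate now."""
        if not self.notification:
            return False
        last = self._last_sent.get(endpoint)
        if last is not None and detected_at - last < self.window:
            return False  # suppressed: still inside the throttle window for this endpoint
        self._last_sent[endpoint] = detected_at
        return True


def simulate(throttle_minutes: int, detections: Iterable[Tuple[str, datetime]]) -> List[bool]:
    """Replay detections through a fresh notifier and report which ones would be sent."""
    notifier = IocNotifier(throttle_minutes=throttle_minutes)
    return [notifier.notify(ep, t) for ep, t in detections]


# Constructed detections: one endpoint hit three times in two hours, another hit once.
T0 = datetime(2025, 1, 1, 9, 0)
DETECTIONS = [
    ("10.1.1.5", T0),
    ("10.1.1.5", T0 + timedelta(minutes=30)),
    ("10.1.1.7", T0 + timedelta(minutes=45)),
    ("10.1.1.5", T0 + timedelta(minutes=120)),
]

if __name__ == "__main__":
    print(simulate(1440, DETECTIONS))  # [True, False, True, False]
    print(simulate(60, DETECTIONS))    # [True, False, True, True]
```

With the default 1440-minute window, the second and third detections for 10.1.1.5 never reach the FortiGate; with a 60-minute window, the detection at T0+120 is sent again. The throttle is keyed on the endpoint, not on the indicator, so a second distinct threat on an already-alerted host is also suppressed.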

Debugging IOC notifications

Check the FortiGate for the system event IOC detected by FortiAnalyzer.

If the system event is not present, check the FortiAnalyzer OFTP debug output or the FortiGate httpsd debug output for the same message. Two things to verify first when the message is missing on both sides are that REST API authentication between the two devices is configured, and that the notification throttle is not suppressing a repeat alert for the same endpoint.
