Viewing Indicators of Compromise
The Indicators of Compromise (IOC) service is a licensed feature.
When using Indicator of Compromise, it is recommended that you turn on the UTM web filter on your FortiGate devices and subscribe your FortiAnalyzer unit to FortiGuard so that its local threat database stays synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard.
The IOC service downloads the threat database from FortiGuard and detects suspicious events and potentially compromised network traffic using sophisticated algorithms. For more information about how FortiGuard collects indicators of compromise, see the FortiGuard website.
Depending on the log type, FortiAnalyzer identifies possible compromised hosts by checking the threat database against the log's IP address, domain, and URL. The following table displays which data in the logs are checked against the threat database:
Log type | Data
---|---
Attack logs | URLs, Domains, and IP addresses
DNS logs | IP addresses
Email filter logs | URLs, Domains, and IP addresses
Event logs | Threat type
Traffic logs | IP addresses
Web filter logs | URLs, Domains, and IP addresses
The results for each affected end user are displayed in Indicator of Compromise. You can drill down from the table to review the details of the affected host, including the detect pattern and detect method for each indicator of compromise. You can also drill down further from these detections to review the logs in FortiAnalyzer where the matches were initially found. See Working with IOC information.
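As an added illustration (not FortiAnalyzer's own code), the following Python simulates the per-log-type check from the table above over constructed log lines and reports, for each source host, the detect pattern and detect method that a drill-down would show. The log-type tags, field names and threat-database entries are assumptions made for this example.

```python
import shlex
from urllib.parse import urlparse
# Which log data the IOC service checks, per log type (from the table above).
# Log-type tags and field names are assumptions made for the constructed logs.
ALL = ("url", "hostname", "dstip")
CHECKED_FIELDS = {"attack": ALL, "emailfilter": ALL, "webfilter": ALL,
                  "dns": ("dstip",), "traffic": ("dstip",)}
# Constructed threat database standing in for the FortiGuard download.
THREAT_DB = {"ip": {"203.0.113.7"}, "domain": {"bad.example"},
             "url": {"http://bad.example/dropper.exe"}}

def parse_log(line):
    """Parse a key=value log line (quoted values allowed) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def match_indicator(field, value):
    """Return (detect pattern, detect method) if the value hits the threat DB.
    Domains match by suffix; URLs are compared without query or fragment."""
    if field == "dstip" and value in THREAT_DB["ip"]:
        return value, "ip"
    if field == "hostname":
        labels = value.lower().split(".")
        for i in range(len(labels) - 1):
            cand = ".".join(labels[i:])
            if cand in THREAT_DB["domain"]:
                return cand, "domain"
    if field == "url":
        norm = urlparse(value.lower())._replace(query="", fragment="").geturl()
        if norm in THREAT_DB["url"]:
            return norm, "url"
    return None

def scan(lines):
    """Map each source host to its detections as (log type, pattern, method)."""
    hits = {}
    for line in lines:
        rec = parse_log(line)
        for field in CHECKED_FIELDS.get(rec.get("type"), ()):
            m = match_indicator(field, rec.get(field, ""))
            if m:
                hits.setdefault(rec["srcip"], []).append((rec["type"],) + m)
                break  # one detection per log record
    return hits

SAMPLE_LOGS = [  # constructed lines, not real device output
    "type=traffic srcip=10.0.0.5 dstip=203.0.113.7 action=accept",
    'type=webfilter srcip=10.0.0.9 hostname="cdn.bad.example" url="http://cdn.bad.example/x"',
    'type=dns srcip=10.0.0.5 hostname="bad.example" dstip=198.51.100.2',
    "type=traffic srcip=10.0.0.9 dstip=198.51.100.2",
]
```

Note that the DNS line names a listed domain but produces no detection, because for DNS logs only the IP address is checked.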
Indicator of Compromise can be configured to rescan logs at regular intervals using new definitions from FortiGuard. Email filter logs from FortiMail devices are also supported by IOC, and can be rescanned when enabled in the Indicator of Compromise rescan settings. See Managing an IOC rescan policy.