Fortinet black logo

Administration Guide

Home FortiAnalyzer 7.4.2 Administration Guide

Understanding IOC entries

7.4.2
7.4.2
7.4.1
7.4.0
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.3
6.2.2
6.2.1
6.2.0
6.0.12
6.0.11
6.0.10
6.0.9
6.0.8
6.0.7
6.0.6
6.0.5
6.0.4
6.0.3
6.0.2
6.0.1
6.0.0
5.6.11
5.6.10
5.6.10
5.6.9
5.6.8
5.6.7
5.6.6
5.6.5
5.6.4
5.6.3
5.6.2
5.6.1
5.6.0
5.4.7
5.4.6
5.4.5
5.4.4
5.4.3
5.4.2
5.4.1
5.4.0
5.2.10
5.2.9
5.2.7
5.2.6
5.2.5
5.2.4
5.2.3
5.2.2
5.2.1
5.2.0
5.0.13
5.0.11
5.0.10
5.0.9
5.0.8
5.0.7
5.0.6
5.0.5
5.0.4
5.0.3
5.0.2
4.3.0
4.2.0
4.1.0
4.0.0
Copy Link
Copy Doc ID 6dcd80f3-897d-11ee-a142-fa163e15d75b:836076
Download PDF

Understanding IOC entries

When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.

If a match is found in the blacklist, FortiAnalyzer displays the endpoint in Indicator of Compromise with a Verdict of Infected.

If a match is found in the suspicious list, FortiAnalyzer flags the endpoint for further analysis.

In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint's statistics for the same day and then updates the score.

If the score exceeds the threshold, that endpoint is listed or updated in Indicator of Compromise.

When an endpoint is displayed in Indicator of Compromise, all the suspicious logs which contributed to the score are listed.

When the database is rebuilt, all log entries are reinserted and rescanned.

Previous
Next

Understanding IOC entries

When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.

If a match is found in the blacklist, FortiAnalyzer displays the endpoint in Indicator of Compromise with a Verdict of Infected.

If a match is found in the suspicious list, FortiAnalyzer flags the endpoint for further analysis.

In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint's statistics for the same day and then updates the score.

If the score exceeds the threshold, that endpoint is listed or updated in Indicator of Compromise.

When an endpoint is displayed in Indicator of Compromise, all the suspicious logs which contributed to the score are listed.

When the database is rebuilt, all log entries are reinserted and rescanned.

Previous
Next