JTOLvF2
New Member
February 1, 2019
Question

FortiAnalyzer IOC Subscription, What is it?

  • February 1, 2019
  • 2 replies
  • 17128 views

I've opened a technical chat, called into support to try and speak with someone (ALWAYS a voicemail once transferred to sales), and searched all over the internet. No one can tell me what the FortiAnalyzer IOC license gives me over the DEMO mode. Does anyone have any idea what the full feature functionality of this license provides?

    2 replies

    chall_FTNT
    Staff
    February 1, 2019

    See FortiView Indicators of Compromise (5.6) or Viewing Compromised Hosts (6.0)

    Subscribing FortiAnalyzer to FortiGuard

    Your FortiAnalyzer needs to subscribe to FortiGuard to keep its threat database up to date. You must purchase a FortiGuard Indicators of Compromise Service license for that.


    If you use the Compromised Host feature without updating the license, you will be using old signatures (out of date information), just like enabling AV/IPS in a FortiGate without valid FortiGuard coverage only allows the FortiGate to scan for the signatures it has.


    chutter_FTNT
    Staff
    July 3, 2019

    Hi,

    Please have a look at this cookbook:


    https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works


    It should answer your questions.


    Christian

    mike_dp
    New Member
    July 5, 2019

    We are currently trying it for a year and got pretty much nothing from it besides some false positive results. At least 90% is from websites that are currently blocked (malware website or unrated). We probably won't renew this next year.

    tanr
    New Member
    July 6, 2019

    We're still trying out IOC as well. Haven't seen many hits and haven't had many false positives either.

    I had hoped that in 6.2 IOC would become more fully implemented, but per https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works it looks like it is still just adding up the number of attempts to access blacklisted or suspicious URLs.


    Noting suspicious URLs is an improvement over regular web filtering, but I really feel that to meet the definition of Indicators of Compromise it needs to be looking at more than URLs and DNS. Why not have it look at bad/suspicious logs from App Control, IPS, etc.? A device with multiple remote access and proxy apps (App Control) that is also doing port scans (IPS) should really get flagged as suspicious, but right now I don't think IOC will catch it. If it should have caught this and I'm missing something please let me know!
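As an added illustration (not part of this thread and not Fortinet's IOC implementation) of the two detection ideas above, the script below runs over a handful of constructed FortiGate-style key="value" log lines: rule 1 counts hits on blocked or suspicious URLs per source host, which is what the thread says IOC does today, and rule 2 is the correlation tanr proposes, flagging a host that uses several remote-access/proxy apps and also triggers a port-scan IPS event. Field names (srcip, subtype, catdesc, app, attack), category names and app names are assumptions, not values taken from a real device.

```python
import re
from collections import defaultdict

# Constructed sample log lines, not captured from a real FortiGate;
# field names and values are assumptions for illustration only.
SAMPLE_LOGS = [
    'subtype="webfilter" srcip="10.0.0.5" action="blocked" catdesc="Malicious Websites"',
    'subtype="webfilter" srcip="10.0.0.5" action="blocked" catdesc="Malicious Websites"',
    'subtype="webfilter" srcip="10.0.0.5" action="passthrough" catdesc="Unrated"',
    'subtype="webfilter" srcip="10.0.0.9" action="passthrough" catdesc="Unrated"',
    'subtype="app-ctrl" srcip="10.0.0.7" action="pass" app="TeamViewer"',
    'subtype="app-ctrl" srcip="10.0.0.7" action="pass" app="Ultrasurf"',
    'subtype="ips" srcip="10.0.0.7" action="detected" attack="TCP.Port.Scan"',
]
SUSPICIOUS_CATEGORIES = {"Malicious Websites", "Unrated"}  # assumed category names
REMOTE_ACCESS_APPS = {"TeamViewer", "Ultrasurf", "Tor"}     # assumed app names

def parse_log(line):
    """Turn a key="value" log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))

def score_hosts(lines, url_threshold=3, app_threshold=2):
    """Return {srcip: [reasons]} for hosts that trip rule 1 (URL hit count)
    or rule 2 (several remote-access apps plus a port-scan IPS event)."""
    url_hits = defaultdict(int)
    apps_seen = defaultdict(set)
    scanners = set()
    for line in lines:
        rec = parse_log(line)
        src, sub = rec.get("srcip"), rec.get("subtype")
        if not src:
            continue
        if sub == "webfilter" and (rec.get("action") == "blocked"
                                   or rec.get("catdesc") in SUSPICIOUS_CATEGORIES):
            url_hits[src] += 1
        elif sub == "app-ctrl" and rec.get("app") in REMOTE_ACCESS_APPS:
            apps_seen[src].add(rec["app"])
        elif sub == "ips" and "scan" in rec.get("attack", "").lower():
            scanners.add(src)
    verdicts = {}
    for host in set(url_hits) | set(apps_seen) | scanners:
        reasons = []
        if url_hits[host] >= url_threshold:
            reasons.append(f"{url_hits[host]} suspicious URL hits")
        if len(apps_seen[host]) >= app_threshold and host in scanners:
            reasons.append("remote-access apps " + ", ".join(sorted(apps_seen[host])) + " plus port scan")
        if reasons:
            verdicts[host] = reasons
    return verdicts

if __name__ == "__main__":
    for host, why in sorted(score_hosts(SAMPLE_LOGS).items()):
        print(host, "->", "; ".join(why))
```

With the sample data, 10.0.0.5 is flagged by the URL count alone, 10.0.0.7 only by the app-control/IPS correlation, and 10.0.0.9 (a single unrated hit) is not flagged.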