heyyoscotthall
Visitor III
May 2, 2022
Solved

Indicator of compromise question

  • May 2, 2022
  • 1 reply
  • 2831 views

My organization is currently reviewing IOCs and I have been reading about it. However, I can't find an answer to one thing: what if it's a false positive and we know it, and we want the host to access the internet and remove it from the 'compromised host' tag?

Best answer by tio3udes

The "compromised host" tag doesn't do anything on its own. Only if you set up an automated action on FortiGate based on this tag will something happen.

Now, let's say you set up an automatic quarantine action for Compromised Hosts. You can manually remove the user's device from quarantine, no problem.

More on that here:

https://docs.fortinet.com/document/fortiswitch/7.0.0/devices-managed-by-fortios/173282/quarantines

And, about automation stitches, here:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/139441/automation-stitches
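As an added illustration of the mechanism described in the answer (this is not code from the original thread or from Fortinet's documentation): a FortiOS CLI configuration in which a Compromised Host (IOC) trigger drives a quarantine action through an automation stitch, followed by the commands an admin would use to inspect and lift the quarantine for a host that turned out to be a false positive. The object names ioc-high, quarantine-host and ioc-quarantine and the address 192.0.2.25 are constructed for this example; the command syntax follows the FortiOS 6.2 CLI as I know it (the stitch's `set action` form changed to a `config actions` sub-table in later releases), so check it against the CLI reference for your firmware. The `#` lines are annotations, not part of the config.

```fortios
# Trigger: fires when FortiAnalyzer flags a host as a Compromised Host (IOC).
# ioc-level high limits it to high-confidence verdicts, which keeps false
# positives rarer. Object names are constructed for this example.
config system automation-trigger
    edit "ioc-high"
        set event-type ioc
        set ioc-level high
    next
end

# Action: quarantine the flagged host on the FortiGate (enforced on the
# FortiSwitch/FortiAP port the host sits behind).
config system automation-action
    edit "quarantine-host"
        set action-type quarantine
    next
end

# Stitch: wires the trigger to the action. Without a stitch like this the
# "compromised host" tag has no effect on the host's traffic.
config system automation-stitch
    edit "ioc-quarantine"
        set status enable
        set trigger "ioc-high"
        set action "quarantine-host"
    next
end

# Lifting the quarantine for a confirmed false positive: list the quarantined
# entries, then delete the entry for that host (192.0.2.25 is a placeholder).
diagnose user quarantine list
diagnose user quarantine delete src4 192.0.2.25

# If the IOC verdict is still active on FortiAnalyzer, the stitch may fire
# again; disable the stitch while the verdict is being cleared there rather
# than trying to remove the tag, which by itself changes nothing.
config system automation-stitch
    edit "ioc-quarantine"
        set status disable
    next
end
```

The point the answer makes is visible in the stitch object: the tag is only an input, and quarantine happens because the stitch maps that input to an action. Removing the host from quarantine is a separate, manual step, and it does not depend on the tag going away.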
