FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
markdr_FTNT
Staff
Article Id 190636

Description
In reports generated by FortiAnalyzer, some URLs are obfuscated: the period or dot "." and the colon ":" are replaced with [dot] and [colon] respectively.
This article explains why this happens.

Useful link:
Fortinet Documentation:
How to generate data reports in FortiAnalyzer: https://docs.fortinet.com/document/fortianalyzer/6.2.0/administration-guide/136416/reports


Scope

FortiAnalyzer versions:
6.0.5 build 0332
6.2.0 build 1049
6.2.1 build 1063 and greater


Solution
This behavior is by design.

In certain scenarios, a PDF reader will activate URLs found in the report. Any malicious or threat-bearing URLs shown in a report would then become active hyperlinks and could lead users to a website that had been blocked.
This does not happen by default (FortiAnalyzer does not activate hyperlink URLs in the report), but enabling ‘Databinding Format as URL’ in the PDF reader, or simply having a URL start with ‘www’, inadvertently results in the URL text becoming an active hyperlink in the PDF reader.

To mitigate this behavior, threat reports that show blocked or malicious URLs have been altered to replace the period or dot "." character in the URL with [dot], and the colon ":" with [colon].


For instance, 'http://www.malware.com' is replaced with 'http[colon]//www[dot]malware[dot]com'.
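
An analyst who copies an obfuscated URL out of a report usually needs the original form again to use it as a log search filter. The following added example (not Fortinet code) reverses the substitution described above and flags values that do not round-trip cleanly; the function names and the sample report lines are assumptions constructed for illustration.

```python
import re

# Substitution described in the article: "." -> [dot], ":" -> [colon].
TOKENS = {".": "[dot]", ":": "[colon]"}
# A run of non-space characters containing at least one substitution token.
_DEFANGED = re.compile(r"\S*\[(?:dot|colon)\]\S*")


def defang(url: str) -> str:
    """Apply the report's substitution to a URL."""
    for char, token in TOKENS.items():
        url = url.replace(char, token)
    return url


def refang(value: str) -> str:
    """Reverse the substitution so the value can be used as a search filter."""
    for char, token in TOKENS.items():
        value = value.replace(token, char)
    return value


def urls_from_report(text: str) -> list[dict]:
    """Find obfuscated URLs in report text and restore them.

    'ambiguous' is True when re-applying the substitution does not reproduce
    the text shown in the report, so the value should be checked by hand.
    """
    results = []
    for match in _DEFANGED.finditer(text):
        shown = match.group(0).strip("'\",;()")
        restored = refang(shown)
        results.append({"shown": shown, "restored": restored,
                        "ambiguous": defang(restored) != shown})
    return results


# Constructed sample: lines as they might be copied out of a report PDF.
SAMPLE = """\
1  http[colon]//www[dot]malware[dot]com                  blocked  12
2  https[colon]//10[dot]0[dot]0[dot]5[colon]8443/login   blocked   3
3  www[dot]example.test/a                                blocked   1
"""

if __name__ == "__main__":
    for row in urls_from_report(SAMPLE):
        print(row)
```

The third sample line mixes a token with a literal dot, so it is reported as ambiguous rather than silently restored.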

Below is an example of such behavior in a report file.