FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.

This article describes the issue where the FortiAnalyzer Compromised Hosts view shows the wrong End User for an IP address.

Scope: FortiAnalyzer

In FortiAnalyzer -> FortiView -> FortiView -> Compromised Hosts, the End User shown on an entry may not correspond to the correct current IP address.

The most likely cause is a DHCP server configured with a short lease time, less than 24 hours.


Hosts on the network are then assigned new IP addresses very frequently, and the endpoint user -> IP mapping held by FortiAnalyzer becomes outdated as these changes occur.


The underlying reason is that this feature is designed predominantly for static IPs. It can also be used in a DHCP environment, but only with a DHCP lease longer than 7 days.
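To make the failure mode concrete, the following is an added example, not FortiAnalyzer or FortiClient EMS code; the lease records, the host event and the user names are constructed. It contrasts a naive user -> IP table that is simply overwritten on each new lease (which mis-attributes an event once the address has been re-leased to someone else) with a lookup bounded by the lease that was active when the event was observed, and classifies the configured lease time against the 24-hour and 7-day thresholds named above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Lease:
    """One DHCP lease: `user` held `ip` from `start` (inclusive) to `end` (exclusive)."""
    user: str
    ip: str
    start: datetime
    end: datetime


@dataclass(frozen=True)
class HostEvent:
    """A detection against a host, keyed only by the IP it had when observed."""
    ip: str
    seen_at: datetime
    indicator: str


def latest_user_for_ip(leases: List[Lease], ip: str) -> Optional[str]:
    """Naive lookup: whoever most recently held the IP, regardless of when the
    event happened. This mimics a user -> IP table overwritten on every lease."""
    candidates = [l for l in leases if l.ip == ip]
    if not candidates:
        return None
    return max(candidates, key=lambda l: l.start).user


def user_for_ip_at(leases: List[Lease], ip: str, when: datetime) -> Optional[str]:
    """Time-aware lookup: the user whose lease covered the IP at `when`."""
    for l in leases:
        if l.ip == ip and l.start <= when < l.end:
            return l.user
    return None


def attribute(events: List[HostEvent], leases: List[Lease],
              time_aware: bool = True) -> List[Tuple[str, str, Optional[str]]]:
    """Attribute each event to a user with either lookup strategy."""
    result = []
    for e in events:
        if time_aware:
            user = user_for_ip_at(leases, e.ip, e.seen_at)
        else:
            user = latest_user_for_ip(leases, e.ip)
        result.append((e.indicator, e.ip, user))
    return result


def lease_risk(lease_time: timedelta) -> str:
    """Classify a DHCP lease time against the thresholds given in the article:
    under 24 hours is the problematic case, 7 days or more is the supported case."""
    if lease_time < timedelta(hours=24):
        return "short"
    if lease_time >= timedelta(days=7):
        return "ok"
    return "marginal"


# Constructed sample data (not real hosts or users).
T0 = datetime(2024, 1, 1, 8, 0)
LEASE_TIME = timedelta(hours=2)  # a short lease, well under 24 hours
LEASES = [
    Lease("alice", "10.0.0.20", T0, T0 + LEASE_TIME),
    # bob receives alice's old address after her lease expires
    Lease("bob", "10.0.0.20", T0 + LEASE_TIME, T0 + 2 * LEASE_TIME),
    Lease("alice", "10.0.0.21", T0 + LEASE_TIME, T0 + 2 * LEASE_TIME),
]
EVENTS = [
    # observed 30 minutes in, while alice still held 10.0.0.20
    HostEvent("10.0.0.20", T0 + timedelta(minutes=30), "threat indicator match"),
]

if __name__ == "__main__":
    print("lease risk:", lease_risk(LEASE_TIME))
    print("naive attribution:     ", attribute(EVENTS, LEASES, time_aware=False))
    print("time-aware attribution:", attribute(EVENTS, LEASES, time_aware=True))
```

Run as a script, the naive lookup names bob for an event that happened on alice's machine, which is exactly the symptom the Compromised Hosts view shows when leases turn over faster than the user -> IP mapping is refreshed; the time-aware lookup keeps the attribution correct because it checks the lease window rather than the latest owner.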