This article describes the issue where FortiAnalyzer Compromised Hosts shows the wrong End User and IP address.
In FortiAnalyzer -> FortiView -> FortiView -> Compromised Hosts, the End User shown on the entries may not be associated with the correct current IP address.
The most probable reason is that the DHCP server is configured with a short lease time, something less than 24 hours.
Hosts in the network are then assigned new IP addresses very frequently, and the endpoint user -> IP relation on the FortiAnalyzer becomes outdated as a result of these frequent changes.
The reason behind the issue is that this feature is predominantly designed for static IPs; however, it can also be used in DHCP environments with a DHCP lease longer than 7 days.
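The following added example (not from the original article or from Fortinet) shows one way to confirm which host held an address when a detection was recorded, by looking it up in DHCP lease history instead of trusting the current mapping. The lease records, their field layout and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed DHCP lease history: (ip, mac, hostname, lease_start, lease_seconds).
# This layout is an assumption, not a FortiAnalyzer or FortiGate log format.
LEASES = [
    ("10.0.0.23", "aa:bb:cc:00:00:01", "alice-laptop", "2024-05-01T08:00:00", 3600),
    ("10.0.0.23", "aa:bb:cc:00:00:02", "bob-desktop", "2024-05-01T10:30:00", 3600),
    ("10.0.0.40", "aa:bb:cc:00:00:03", "carol-laptop", "2024-05-01T08:00:00", 604800),
]


def parse(ts):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(ts)


def holder_at(ip, when, leases=LEASES):
    """Return (mac, hostname) that held `ip` at time `when`, or None."""
    for l_ip, mac, host, start, secs in leases:
        begin = parse(start)
        if l_ip == ip and begin <= when < begin + timedelta(seconds=secs):
            return mac, host
    return None  # no lease covered that instant


def latest_holder(ip, leases=LEASES):
    """Return (mac, hostname) of the most recent lease recorded for `ip`."""
    rows = [row for row in leases if row[0] == ip]
    if not rows:
        return None
    last = max(rows, key=lambda row: parse(row[3]))
    return last[1], last[2]


def check_detection(ip, detected_at, leases=LEASES):
    """Compare the holder at detection time with the latest holder of the IP."""
    then = holder_at(ip, parse(detected_at), leases)
    now = latest_holder(ip, leases)
    return {"ip": ip, "holder_at_detection": then,
            "latest_holder": now, "stale": then != now}


if __name__ == "__main__":
    # Short lease: the address has moved to another host since the detection.
    print(check_detection("10.0.0.23", "2024-05-01T08:20:00"))
    # 7-day lease: the mapping is still valid days later.
    print(check_detection("10.0.0.40", "2024-05-03T12:00:00"))
```

A result with `stale` set to true means the host currently on that address is not the one that triggered the detection, so the investigation should follow the MAC address and hostname from the lease active at detection time.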