FortiAnalyzer
skabbara
Staff
Article Id 221123
Description

This article describes the issue where the FortiAnalyzer Compromised Hosts view shows the wrong End User and IP address.

Scope

FortiAnalyzer.
Solution

In FortiAnalyzer -> FortiView -> FortiView -> Compromised Hosts, the End User shown on an entry may not be paired with the correct current IP address.

The most probable cause is a DHCP server configured with a short lease time, something less than 24 hours.

With such a lease, the hosts in the network are assigned new IP addresses very frequently, and the endpoint user -> IP relation on the FortiAnalyzer becomes outdated as these changes happen.

The underlying reason is that this feature is predominantly designed for static IPs; however, it can also be used in a DHCP environment with a DHCP lease longer than 7 days.
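
When an entry looks wrong, the DHCP lease history can be used to check who actually held the IP address at the time of the detection. The following Python sketch is an added example, not Fortinet code: the lease record layout, the sample addresses and users, and the `attribute` model of a cached user -> IP relation are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M"
MIN_LEASE = timedelta(days=7)  # lease length the article cites for DHCP environments

# Constructed lease records (illustrative format, not a FortiAnalyzer or DHCP
# server log format): (lease start, lease length in hours, IP, end user)
LEASES = [
    ("2024-05-01 08:00", 8, "10.0.0.23", "alice"),
    ("2024-05-01 17:00", 8, "10.0.0.23", "bob"),
    ("2024-05-02 09:00", 8, "10.0.0.23", "carol"),
    ("2024-05-01 08:05", 8, "10.0.0.24", "dave"),
]


def build_history(leases):
    """Index leases per IP as (start, end, user) tuples sorted by start time."""
    history = {}
    for start, hours, ip, user in leases:
        begin = datetime.strptime(start, FMT)
        history.setdefault(ip, []).append((begin, begin + timedelta(hours=hours), user))
    for entries in history.values():
        entries.sort()
    return history


def user_at(history, ip, when):
    """Return the user whose lease on `ip` covered `when`, or None if none did."""
    ts = datetime.strptime(when, FMT)
    entries = history.get(ip, [])
    idx = bisect_right([e[0] for e in entries], ts) - 1
    if idx < 0 or ts >= entries[idx][1]:
        return None  # before the first lease, or in a gap between leases
    return entries[idx][2]


def attribute(history, ip, learned_at, event_at):
    """Compare a mapping learned at `learned_at` (simplified model of a cached
    user -> IP relation) with the lease holder at the time of the event."""
    cached, actual = user_at(history, ip, learned_at), user_at(history, ip, event_at)
    return {"cached": cached, "actual": actual, "stale": cached != actual}


def short_leases(leases):
    """IPs handed out with a lease that is not longer than MIN_LEASE."""
    return sorted({ip for _, hours, ip, _ in leases if timedelta(hours=hours) <= MIN_LEASE})
```

Calling `attribute(build_history(LEASES), "10.0.0.23", "2024-05-01 09:00", "2024-05-01 18:30")` on the constructed data reports the cached user as `alice` while the lease holder at detection time is `bob`, which is the mismatch described above.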