FortiAnalyzer
tnaik
Staff
Article Id 195549

Description


This article describes why FortiAnalyzer Compromised Hosts show the Detect Method as Infected-domain.


Scope


FortiAnalyzer.

Solution


IOC uses the Threat Info Database (TIDB).

Here is how IOC works:

As the web filter (WF) logs come in, the breach detection engine parses them and categorizes the 'normal-looking' web traffic into two main categories (based on the information from the TDS package):

Infected: real breach.
'A match or matches of the blacklisted IPs/DGA domains etc. have been found in the web logs'.

The whole idea of IOC is to identify potential threat domains that are not identified by the FortiGate web filtering service.

The IOC engine monitors each URL/IP the host has visited over a period of time and continuously analyzes the behavior pattern using its internal algorithm to determine whether the host is compromised.

IOC requires a separate threat detection license.

Difference between the demo and paid versions, and the likely reason for the 'verdict' giving 'outdated' results:

The demo mode IOC uses the default threat package that ships with the firmware release.
The default package is NOT up to date.

The licensed IOC uses a fresh threat package (downloaded daily) from FortiGuard and produces much more accurate detection.

How to check whether a domain is infected according to the TIDB database:

If an endpoint tries to access a URL that belongs to an infected domain, it is displayed as infected-domain with logtype: webfilter.
Example: an endpoint (LAN user) tries to access the URL www.m-3.co.za.
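
The matching step described above (a webfilter log whose hostname hits a blacklisted or DGA domain in the threat package, producing an infected-domain entry for the source host) as an added example. This is illustrative code written for this article, not FortiAnalyzer's breach detection engine; the threat list, the log lines and the field names chosen for the output are constructed, and the over-time behavior analysis is not modeled.

```python
import re
from collections import defaultdict

# Constructed stand-in for the threat package: the article's example domain
# plus a placeholder DGA-style name. A real TIDB/TDS package is far larger.
THREAT_DOMAINS = {
    "www.m-3.co.za": "blacklisted",   # example domain from the article
    "xk9q2mvb.example": "dga",        # constructed placeholder
}

# Constructed FortiGate-style key=value log lines (not real captures).
SAMPLE_LOGS = [
    'date=2025-02-25 time=10:15:01 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.1.1.5 dstip=203.0.113.10 hostname="www.m-3.co.za" url="/" action="passthrough"',
    'date=2025-02-25 time=10:15:07 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.1.1.9 dstip=198.51.100.2 hostname="docs.fortinet.com" url="/" action="passthrough"',
    'date=2025-02-25 time=10:16:20 type="utm" subtype="webfilter" eventtype="ftgd_allow" '
    'srcip=10.1.1.5 dstip=192.0.2.44 hostname="xk9q2mvb.example" url="/gate.php" action="passthrough"',
    'date=2025-02-25 time=10:16:25 type="traffic" subtype="forward" srcip=10.1.1.9 dstip=192.0.2.44 action="accept"',
]

_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_log(line):
    """Parse one key=value log line into a dict (quoted or bare values)."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in _KV.finditer(line)}

def match_host(fields, threat_domains=THREAT_DOMAINS):
    """Return the threat category if a webfilter log hits a listed domain, else None."""
    if fields.get("subtype") != "webfilter":   # IOC works on web filter logs only
        return None
    host = fields.get("hostname", "").lower()
    while host:                                 # also match subdomains of a listed domain
        if host in threat_domains:
            return threat_domains[host]
        host = host.partition(".")[2]
    return None

def compromised_hosts(lines, threat_domains=THREAT_DOMAINS):
    """Build a Compromised Hosts style view: srcip -> list of infected-domain hits."""
    verdicts = defaultdict(list)
    for line in lines:
        f = parse_log(line)
        category = match_host(f, threat_domains)
        if category:
            verdicts[f["srcip"]].append({"hostname": f["hostname"], "category": category,
                                         "detect_method": "infected-domain", "logtype": f["subtype"]})
    return dict(verdicts)

if __name__ == "__main__":
    for ip, hits in compromised_hosts(SAMPLE_LOGS).items():
        print(ip, hits)
```

Only 10.1.1.5 is reported: the traffic log and the visit to a non-listed domain do not produce an entry.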
FortiGate sends logs to FortiAnalyzer; the corresponding logs then appear in FortiAnalyzer under Compromised Hosts as below:

[Screenshots: Compromised Hosts entries in FortiAnalyzer showing the infected-domain detect method]

If the FortiGuard categorization is incorrect (a false positive), submit a request to update it through FortiGuard's IoC page.

Related documents: