| Description | This article describes how to disable IOC detection on FortiAnalyzer without an IOC license (demo mode IOC) to avoid false positive IOC alerts. |
| Scope | FortiAnalyzer. |
| Solution | See below. |

FortiAnalyzer Indicator of Compromise (IOC) detects compromised hosts by checking traffic against the Threat Intelligence Database (TIDB). With a valid IOC license, FortiAnalyzer performs IOC scans with the TIDB package that FortiGuard keeps up to date.
Without a valid IOC license, FortiAnalyzer falls back to the demo TIDB package, which is never updated. Scanning against this stale package can cause FortiAnalyzer to raise false positive IOC alerts for hosts that are not compromised.
If FortiAnalyzer is generating false positive IOC alerts for this reason, follow the steps below to disable IOC scanning.

1) Check the IOC status and license from the FortiAnalyzer CLI:

```
diagnose test application sqllogd 204 stats
```

A FortiAnalyzer with a valid IOC license shows the following license status:

```
diagnose test application sqllogd 204 license status
License of post breach detection installed
```

whereas a FortiAnalyzer without a valid IOC license shows:

```
diagnose test application sqllogd 204 license status
There is no license of post breach detection.
```

2) On a FortiAnalyzer without a valid IOC license, disable IOC scanning, its rescan and its notifications:

```
config system log ioc
    set notification disable
    set rescan-status disable
    set status disable
end
```
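As an added example, not code from this article or from Fortinet, the helper below parses a `config system log ioc` block (the same config/set/end syntax shown above, as it appears in a CLI dump such as `show system log ioc`, which is an assumption about the dump format) and combines it with the `sqllogd 204 license status` output to report whether IOC scanning is consistent with the license state. It flags the two conditions a defender cares about: an unlicensed unit still scanning against the demo TIDB (the source of the false positives), and a unit that has since been licensed but still has scanning switched off. Treating a missing `status` key as the default `enable` is an assumption.

```python
# Added example (not Fortinet's code): audit the IOC scanning state of a
# FortiAnalyzer against its IOC license state.
# Assumptions: the dump uses the flat "config <path> / set k v / end" syntax
# shown in the article, and a missing "status" key means the default "enable".
from typing import Dict

# The two license-status strings quoted in the article.
LICENSED_MARKER = "License of post breach detection installed"
UNLICENSED_MARKER = "There is no license of post breach detection"

# Constructed sample: the block the article tells an unlicensed unit to apply.
SAMPLE_IOC_CONFIG = """\
config system log ioc
    set notification disable
    set rescan-status disable
    set status disable
end
"""


def parse_config_block(text: str, path: str) -> Dict[str, str]:
    """Return the 'set' key/value pairs inside 'config <path> ... end'.

    Nested sub-tables inside the block are skipped rather than parsed, since
    the IOC block in this article is flat.
    """
    settings: Dict[str, str] = {}
    inside = False
    depth = 0  # nesting level relative to the target block
    for raw in text.splitlines():
        line = raw.strip()
        if not inside:
            if line == f"config {path}":
                inside = True
            continue
        if line.startswith("config "):
            depth += 1  # entering a nested table
        elif line == "end":
            if depth == 0:
                break  # the target block is closed
            depth -= 1
        elif depth == 0 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            settings[key] = value.strip().strip('"')
    if not inside:
        raise ValueError(f"no 'config {path}' block found")
    return settings


def license_state(diag_output: str) -> str:
    """Classify 'diagnose test application sqllogd 204 license status' output."""
    if LICENSED_MARKER in diag_output:
        return "licensed"
    if UNLICENSED_MARKER in diag_output:
        return "unlicensed"
    return "unknown"  # anything else is never acted on


def audit_ioc(config_text: str, diag_output: str) -> str:
    """Report whether IOC scanning matches the license state.

    Returns 'ok', 'disable-recommended' (demo TIDB still scanning, the cause
    of the false positives), 're-enable' (licensed unit with scanning off)
    or 'unknown-license' (output not recognised, leave the unit alone).
    """
    ioc = parse_config_block(config_text, "system log ioc")
    scanning = ioc.get("status", "enable") != "disable"  # assumed default
    lic = license_state(diag_output)
    if lic == "unknown":
        return "unknown-license"
    if lic == "unlicensed" and scanning:
        return "disable-recommended"
    if lic == "licensed" and not scanning:
        return "re-enable"
    return "ok"


if __name__ == "__main__":
    # Quick local run on the constructed sample; no device needed.
    for diag in (UNLICENSED_MARKER + ".", LICENSED_MARKER, "command parse error"):
        print(f"{diag!r:55} -> {audit_ioc(SAMPLE_IOC_CONFIG, diag)}")
```

Run it after a license is purchased as well as before: the `re-enable` result is the reminder to set `status enable` again, otherwise the unit keeps a current TIDB but never scans against it.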
Copyright 2025 Fortinet, Inc. All Rights Reserved.