FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
haziqsulaiman
Article Id 326839
Description This article describes how to disable IOC detection on FortiAnalyzer without an IOC license (demo mode IOC) to avoid false positive IOC alerts.
Scope FortiAnalyzer.
Solution

FortiAnalyzer Indicator of Compromise (IOC) detection identifies compromised hosts by checking traffic logs against the Threat Intelligence Database (TIDB). With a valid IOC license, FortiAnalyzer uses the TIDB package that FortiGuard keeps updated when it performs IOC scans.

Without a valid IOC license, FortiAnalyzer falls back to the demo TIDB package, which is not updated. Matches against this stale package can cause FortiAnalyzer to generate false positive IOC alerts for hosts that are not compromised.

If FortiAnalyzer is generating false positive IOC alerts, follow the steps below to disable IOC scanning in FortiAnalyzer.

1. Check the IOC license. The IOC license state in FortiAnalyzer can be checked with the command below:

diagnose test application sqllogd 204 stats

A FortiAnalyzer with a valid IOC license shows the following output:

diagnose test application sqllogd 204 license status
License of post breach detection installed

whereas a FortiAnalyzer without a valid IOC license shows:

diagnose test application sqllogd 204 license status
There is no license of post breach detection.

2. Disable IOC detection. The CLI commands below disable IOC detection in FortiAnalyzer:

config system log ioc
    set notification disable
    set rescan-status disable
    set status disable
end
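The following is an added example, not part of the Fortinet article: it classifies captured output of the license check above and emits the article's disable block only for the unlicensed (demo TIDB) case, leaving unrecognised output alone rather than guessing. It assumes the two output strings quoted in the article are the only ones the license check prints.

```python
"""Decide whether to disable FortiAnalyzer IOC scanning from the license check.

Added example, not from the Fortinet article. Assumes the two output
strings quoted in the article are the only ones the license check prints.
"""

LICENSED_MARKER = "License of post breach detection installed"
DEMO_MARKER = "There is no license of post breach detection"

# CLI block from the article that turns IOC detection off.
IOC_DISABLE_COMMANDS = [
    "config system log ioc",
    "    set notification disable",
    "    set rescan-status disable",
    "    set status disable",
    "end",
]


def ioc_license_state(output: str) -> str:
    """Classify output of 'diagnose test application sqllogd 204 license status'.

    Returns 'licensed', 'demo' (no IOC license, stale demo TIDB in use) or
    'unknown' when neither marker appears, e.g. truncated or changed output.
    """
    text = " ".join(output.split())  # normalise whitespace and line breaks
    if LICENSED_MARKER in text:
        return "licensed"
    if DEMO_MARKER in text:
        return "demo"
    return "unknown"


def ioc_disable_plan(output: str) -> list[str]:
    """Return the CLI lines to apply, or an empty list when nothing should change.

    Only the demo (unlicensed) case warrants disabling IOC; a licensed unit
    keeps scanning, and unrecognised output is left untouched.
    """
    if ioc_license_state(output) == "demo":
        return list(IOC_DISABLE_COMMANDS)
    return []


if __name__ == "__main__":
    # Constructed sample matching the unlicensed output quoted in the article.
    demo_output = ("diagnose test application sqllogd 204 license status\n"
                   "There is no license of post breach detection.\n")
    for line in ioc_disable_plan(demo_output):
        print(line)
```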