Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
heng
Staff
Staff

Created on ‎10-18-2022 11:03 PM Edited on ‎10-19-2022 10:51 PM By Community Manager

Article Id 227120

Technical Tip: How to enable IOC re-scan

Description

This article describes how to enable the Indicators of Compromise (IOC) Service re-scan if there is no re-scan tasks seen even though there is a license subscription of 'Threat Detection service'. 

 

The following screenshot tells when there is no re-scan tasks seen for the compromised hosts with the IOC database.

The tasks listing is empty.   

 

fyheng_0-1666154163677.png
Scope FortiAnalyzer.
Solution

Make sure to have the following settings checked and enabled. 

 

1) FortiView -> Threats > Compromised Hosts -> Settings (Top-right radio buttons) -> Compromised Hosts Rescan Global Settings -> Enable Global Compromised Hosts Rescan -> ON.

 

2) FortiView -> Threats -> Compromised Hosts -> Settings (Top-right radio buttons) -> Compromised Hosts Rescan Current ADOM Settings -> Enable Current ADOM Compromised Hosts Rescan -> ON.

 

3) FortiView -> Threats -> Compromised Hosts -> Settings (Top-right radio buttons) -> Log Type Filters -> The logs type is checked. 

-

fyheng_1-1666154797272.png

 

fyheng_2-1666154875796.png

 

It is possible to check any running tasks for the next cycle of re-scan time, on this example here is at 12:00AM daily. 

 

Related link:

Technical Tip: IOC license false positive
791
Submit Article Idea
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.