Help
FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
lestopace
Staff
Staff

Created on ‎03-14-2021 11:45 PM Edited on ‎04-06-2025 10:50 PM By Community Manager

Article Id 192722

Technical Tip: How to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate, FortiAnalyzer and FortiEMS

Description

 

This article describes how to implement Indicators Of Compromised (IOC) Automation Stitch between FortiGate, FortiAnalyzer and FortiEMS.

Pre-requisite.

Refer to the related articles section and to the document below.

Related document:

Viewing Compromised Hosts

Indicators Of Compromised (IOC) Flow.



Scope

 

FortiGate v6.4.4, FortiAnalyzer 6.4.5 and FortiEMS 6.4.3.

Solution

 

FortiGate.

Configure a firewall policy going to the Internet that has a web filter profile enabled on it. This is required for the IOC to work.

 

config firewall policy
    edit 0
        set srcintf "port3"
        set dstintf "virtual-wan-link"
        set srcaddr "10.115.2.52/32"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set logtraffic all
        set nat enable
    next

config system automation-stitch
    edit "Compromised Host Quarantine"
        set trigger "Compromised Host Quarantine"
        set action "Compromised Host Quarantine_quarantine-forticlient"
    next
end

 

 
FortiEMS.
Set the FortiAnalyzer IP address under the Endpoint Profile System Settings so as to allow FortiClient to send logs directly to FortiAnalyzer. 
 
 
FortiClient.
 
 
Note.
For simplification of this guide, only webfilter is enabled and website categories have used their respective default action values.

Results.To trigger IOC logs, access http://195.22.28.198/ from the endpoint machine.
 
FortiGate.
 
 
 
 
Note:
Starting from v7.0.0 the log with the message 'IOC detected by FortiAnalyzer' will not be generated in the System Event logs.  To obtain this log the 'Compromised Host Quarantine' automation stitch will need to be configured with an automation action for email notification as well.
 
FortiAnalyzer.
 
 
FortiClient.
 
 
 
Next actions:
To remove the host from being quarantined, go to FortiEMS dashboard -> Endpoints -> All Endpoints , select the quarantined host, select 'Action' and select 'Unquarantine'.
 
FortiEMS.
 
kb_19916_10.png

 

Note.
It is also possible to provide the endpoint user with a one-time access code.
The user can enter the code to access FortiClient on a quarantined endpoint, then remove the endpoint from quarantine in the FortiClient console.
The code is available under Quarantine Access Code after selecting a quarantined endpoint as seen below.
 
Related document:
Quarantining endpoints

Afterwards, it is necessary to acknowledge the logs from FortiAnalyzer to clear the compromised hosts list from FortiGate so that it can execute the Automation Stitch for the same host once triggered again.
 
FortiAnalyzer.
 
 
  
FortiGate Compromised Hosts by Verdict lists after acknowledgment.
 

 

Related articles:

Technical Tip: Configuring the root FortiGate and downstream FortiGates in Security Fabric

Technical Tip: EMS Connector setup

Technical Tip: How to integrate EMS in the FortiAnalyzer

Troubleshooting Tip: IOC detection

16179
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.