Created on 12-12-2020 11:37 PM Edited on 10-02-2023 07:44 AM By Stephen_G
Description
This article describes how to troubleshoot IOC (Indicators of Compromise) detection in FortiAnalyzer.
Fortinet Documentation on IOCs.
Scope
FortiAnalyzer.
Solution
IOCs (Indicators of Compromise) detect compromised client hosts (endpoints) by comparing the IPs, domains, and URLs they visited against the TIDB (Threat Intelligence Database) package, which is downloaded daily from FortiGuard.
When it is necessary to troubleshoot IOC detection, follow the steps below.
To check the IOC license downloaded from FortiGuard, run the following in the CLI:
diagnose fmupdate dbcontract fds
FL-1KE3R16-----1 [SERIAL_NO]
AccountID:
Industry:
Company:
Contract: 1
PBDS-1-99-20250104 <-- A PBDS is an IOC license.
Contract Raw Data:
Contract=PBDS-1-99-20250104:0:1:1:0
To check the status of the post breach detection license and the version and load time of the TIDB:
diagnose test application sqllogd 204 stats
License of post breach detection installed.
License expiration : 2025-Jan-04
TIDB version : 00000.01017-1902242107
TIDB load time : 2019-02-24 14:11:2
To check whether a specific URL, domain, or IP is present in the TIDB (type=1 for a URL, type=2 for a domain, type=3 for an IP):
diagnose test application sqllogd 204 tidb type=1, key=<url>
<url> is not in tidb type black_url.
diagnose test application sqllogd 204 tidb type=2, key=<domain>
x.com is in tidb type black_domain. id=726851 hash=8631854933223418302
diagnose test application sqllogd 204 tidb type=3, key=<ip>
<ip> is not in tidb type black_ip.
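When these checks have to be repeated across several FortiAnalyzers, or run on a schedule to catch an expiring PBDS license before IOC detection silently stops, it helps to parse the CLI output rather than read it by eye. The following is an added example, not part of the article or of any Fortinet tool: it assumes the output of the stats command and of the tidb lookups has already been captured as text (for example over SSH), and every sample line below is constructed, modelled on the output shown above. It extracts the license state, expiry date and TIDB version, computes days until the license expires, and turns each lookup line into a record saying whether the key is listed and, if so, its id and hash.

```python
"""Parse FortiAnalyzer IOC/TIDB diagnostic output captured from the CLI.

Added example; not Fortinet's code. Assumes the text of
'diagnose test application sqllogd 204 stats' and of the
'diagnose test application sqllogd 204 tidb type=N, key=<x>' lookups
has been captured as plain strings. Sample output below is constructed.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Union

# tidb type number used on the CLI -> list it queries
TIDB_TYPES = {1: "black_url", 2: "black_domain", 3: "black_ip"}

# Constructed sample: output of 'diagnose test application sqllogd 204 stats'.
SAMPLE_STATS = """License of post breach detection installed.
License expiration : 2025-Jan-04
TIDB version : 00000.01017-1902242107
TIDB load time : 2019-02-24 14:11:2
"""

# Constructed sample: one result line per tidb lookup (URL, domain, IP).
SAMPLE_LOOKUPS = """http://example.invalid/path is not in tidb type black_url.
x.com is in tidb type black_domain. id=726851 hash=8631854933223418302
198.51.100.7 is not in tidb type black_ip.
"""

# "<key> is [not ]in tidb type <list>." optionally followed by id=... hash=...
_LOOKUP_RE = re.compile(
    r"^(?P<key>\S+) is (?P<neg>not )?in tidb type (?P<list>black_(?:url|domain|ip))\."
    r"(?:\s+id=(?P<id>\d+)\s+hash=(?P<hash>\d+))?\s*$"
)


def parse_stats(text: str) -> Dict[str, object]:
    """Extract license state, expiry date and TIDB version from the stats output."""
    info: Dict[str, object] = {"license_installed": False, "expiration": None, "tidb_version": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("License of post breach detection installed"):
            info["license_installed"] = True
        elif line.startswith("License expiration"):
            # The CLI prints the date as YYYY-Mon-DD, e.g. 2025-Jan-04.
            value = line.split(":", 1)[1].strip()
            info["expiration"] = datetime.strptime(value, "%Y-%b-%d").date()
        elif line.startswith("TIDB version"):
            info["tidb_version"] = line.split(":", 1)[1].strip()
    return info


def license_days_left(info: Dict[str, object], today: Union[date, str]) -> Optional[int]:
    """Days until the PBDS license expires; None if no license is installed.

    'today' may be a date or an ISO string such as '2024-12-12'.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    exp = info.get("expiration")
    if not info.get("license_installed") or exp is None:
        return None
    return (exp - today).days  # negative means already expired


def parse_lookup(line: str) -> Optional[Dict[str, object]]:
    """Turn one tidb lookup result line into a record; None if it does not match."""
    m = _LOOKUP_RE.match(line.strip())
    if not m:
        return None
    return {
        "key": m["key"],
        "list": m["list"],
        "listed": m["neg"] is None,           # "is in" -> True, "is not in" -> False
        "id": int(m["id"]) if m["id"] else None,
        "hash": int(m["hash"]) if m["hash"] else None,
    }


def listed_indicators(text: str) -> List[Dict[str, object]]:
    """Return only the lookups whose key was found in a TIDB blacklist."""
    return [r for r in (parse_lookup(l) for l in text.splitlines()) if r and r["listed"]]


if __name__ == "__main__":
    stats = parse_stats(SAMPLE_STATS)
    print("TIDB version:", stats["tidb_version"])
    print("License days left:", license_days_left(stats, date.today()))
    for hit in listed_indicators(SAMPLE_LOOKUPS):
        print("listed:", hit["key"], "in", hit["list"], "id", hit["id"])
```

A lookup that returns "is not in" only proves the key is absent from the locally loaded TIDB; the TIDB version and load time from the stats output tell you how old that copy is, so a stale load time is the first thing to check when an indicator known to FortiGuard does not match.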
To identify the current status of a domain, URL, or IP in FortiGuard, use the FortiGuard IOC services.
Copyright 2024 Fortinet, Inc. All Rights Reserved.