FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
This article describes how to troubleshoot for IOC (Indicators of Compromise) in Fortianalyzer.

Fortinet Documentation.

To troubleshoot, FortiAnalyzer not triggering IOC detection. 

IOC (Indicators of Compromise) detects compromised client hosts (endpoints) by comparing IP,  domain, and URL visited against the TIDB (Threat Intelligence Data Base)  package, downloaded daily from FortiGuard.

When there is a need to troubleshoot the IOC detection, the below steps can be followed.

1.       1) IOC requires separate licensing

To check the license downloaded from FortiGuard in the CLI:

# diagnose fmupdate dbcontract fds


FL-1KE3R16-----1 [SERIAL_NO]




Contract:  1

      PBDS-1-99-20250104     -------à PBDS is IOC license

Contract Raw Data:



2) To check the license and TIDB version used by FortiAnalyzer in the CLI:

# diagnose test application sqllogd 204 stats


License of post breach detection installed.

License expiration : 2025-Jan-04

TIDB version : 00000.01017-1902242107

TIDB load time : 2019-02-24 14:11:2

33 3) Make sure that the FGT logs contains necessary information to identify the IOC

As mentioned above, FAZ uses IP, domain (DNS filter) and URL (Web filter) to identify the IOCs. This means that FGT logs should contain any of these information for IOC trigger.


4) To check whether a particular URL or IP or domain is included in the local TIDB:


FL3K5F-1 # diagnose test application sqllogd 204 tidb type=1, key=<url>
<ip> is not in tidb type black_url.


FL3K5F-1 # diagnose test application sqllogd 204 tidb type=2, key=<domain> is in tidb type black_domain. id=726851 hash=863185493322 3418302

FL3K5F-1 # diagnose test application sqllogd 204 tidb type=3, key=<ip>
<ip> is not in tidb type black_ip.


5.       To identify the status of a domain/URL/IP in Fortiguard: