FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
dmohankumar (Staff)
Description
This article describes how to troubleshoot IOC (Indicators of Compromise) detection in FortiAnalyzer.

Fortinet Documentation.
https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works

Scope
FortiAnalyzer not triggering IOC detection.
Solution

IOC (Indicators of Compromise) detects compromised client hosts (endpoints) by comparing the IP addresses, domains, and URLs visited against the TIDB (Threat Intelligence Database) package, which is downloaded daily from FortiGuard.

When IOC detection needs to be troubleshot, follow the steps below.

1) IOC requires separate licensing

To check the license downloaded from FortiGuard in the CLI:

# diagnose fmupdate dbcontract fds

FL-1KE3R16-----1 [SERIAL_NO]
AccountID:
Industry:
Company:
Contract:  1
      PBDS-1-99-20250104     <-- PBDS is the IOC license
Contract Raw Data:
      Contract=PBDS-1-99-20250104:0:1:1:0

 

2) To check the license and TIDB version used by FortiAnalyzer in the CLI:

# diagnose test application sqllogd 204 stats

License of post breach detection installed.
License expiration : 2025-Jan-04
TIDB version : 00000.01017-1902242107
TIDB load time : 2019-02-24 14:11:2

3) Make sure that the FortiGate logs contain the information needed to identify the IOC

As mentioned above, FortiAnalyzer uses the IP address, the domain (DNS filter logs) and the URL (web filter logs) to identify IOCs. The FortiGate logs must therefore contain at least one of these fields for an IOC to be triggered.

 

4) To check whether a particular URL, IP address or domain is included in the local TIDB:

FL3K5F-1 # diagnose test application sqllogd 204 tidb type=1, key=<url>
<ip> is not in tidb type black_url.

FL3K5F-1 # diagnose test application sqllogd 204 tidb type=2, key=<domain>
x.com is in tidb type black_domain. id=726851 hash=863185493322 3418302

FL3K5F-1 # diagnose test application sqllogd 204 tidb type=3, key=<ip>
<ip> is not in tidb type black_ip.
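As an added illustration of steps 3 and 4 (this is not code from the article or from Fortinet), the following Python script extracts the IP, domain and URL fields from constructed FortiGate log lines, matches them against a constructed stand-in for the TIDB blacklists using the same type numbers as the diagnose command, and flags records that carry none of those fields. The TIDB contents, the log lines and the hostname+path form of the URL key are assumptions.

```python
import re

# Constructed stand-in for the FortiGuard TIDB blacklists, keyed by the tidb type
# numbers of "diagnose test application sqllogd 204 tidb" (1=url, 2=domain, 3=ip).
TIDB = {
    1: {"x.com/login.php"},
    2: {"x.com"},
    3: {"203.0.113.5"},  # RFC 5737 documentation address, not a real indicator
}

# key=value pairs, value optionally double-quoted (FortiGate log syntax).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_log(line):
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def indicators(rec):
    """Yield (tidb_type, key) pairs a record can contribute to IOC matching.
    Assumption: the URL key is hostname + url path, as logged by the web filter."""
    if "hostname" in rec and "url" in rec:
        yield 1, rec["hostname"] + rec["url"]
    for field in ("hostname", "qname"):  # web filter hostname, DNS filter query name
        if field in rec:
            yield 2, rec[field]
    if "dstip" in rec:
        yield 3, rec["dstip"]

def scan(lines):
    """Return (hits, unusable): IOC matches as (srcip, type, key) and the logids
    of records carrying no IP, domain or URL at all (the step 3 failure case)."""
    hits, unusable = [], []
    for line in lines:
        rec = parse_log(line)
        found = list(indicators(rec))
        if not found:
            unusable.append(rec.get("logid", line))
            continue
        hits += [(rec.get("srcip"), t, key) for t, key in found if key in TIDB[t]]
    return hits, unusable

# Constructed sample log lines (logids and addresses are made up).
SAMPLE_LOGS = [
    'date=2019-02-24 time=14:12:01 logid="0000000001" type="utm" subtype="webfilter" srcip=10.0.0.7 dstip=198.51.100.9 hostname="x.com" url="/login.php"',
    'date=2019-02-24 time=14:12:05 logid="0000000002" type="utm" subtype="dns" srcip=10.0.0.8 qname="example.org"',
    'date=2019-02-24 time=14:12:09 logid="0000000003" type="traffic" subtype="forward" srcip=10.0.0.9 dstip=203.0.113.5',
    'date=2019-02-24 time=14:12:11 logid="0000000004" type="event" subtype="system" msg="admin login"',
]
```

Calling `scan(SAMPLE_LOGS)` returns three hits (URL and domain from the web filter record, IP from the traffic record) and lists the event record as unusable, which is exactly the kind of log that can never trigger IOC regardless of the TIDB contents.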

 

5) To identify the status of a domain, URL or IP address in FortiGuard, use https://www.fortiguard.com/learnmore#ioc
