Description

This article describes how to troubleshoot for IOC (Indicators of Compromise) in Fortianalyzer.

Fortinet Documentation on IOCs.

Scope

FortiAnalyzer.

Solution

IOCs (Indicators of Compromise) detect compromised client hosts (endpoints) by comparing IP, domain, and URL visited against the TIDB (Threat Intelligence Data Base) package, downloaded daily from FortiGuard.

When it is necessary to troubleshoot IOC detection, the below steps can be followed.

1. IOCs requires separate licensing

To check the license downloaded from FortiGuard in the CLI:

diagnose fmupdate dbcontract fds

FL-1KE3R16-----1 [SERIAL_NO]

AccountID:

Industry:

Company:

Contract:  1

PBDS-1-99-20250104        <-- A PBDS is an IOC license.

Contract Raw Data:

Contract=PBDS-1-99-20250104:0:1:1:0

2. To check the license and TIDB version used by FortiAnalyzer in the CLI:

diagnose test application sqllogd 204 stats

License of post breach detection installed.

License expiration : 2025-Jan-04

TIDB version : 00000.01017-1902242107

TIDB load time : 2019-02-24 14:11:2

3. Make sure that the FGT logs contains necessary information to identify the IOC
   
   As mentioned above, FAZ uses IP, domain (DNS filter) and URL (Web filter) to identify the IOCs. This means that FGT logs should contain any of these information for IOC trigger.

4. To check whether a particular URL or IP or domain is included in the local TIDB:

diagnose test application sqllogd 204 tidb type=1, key=<url>
<ip> is not in tidb type black_url.

diagnose test application sqllogd 204 tidb type=2, key=<domain>
x.com is in tidb type black_domain. id=726851 hash=863185493322 3418302

diagnose test application sqllogd 204 tidb type=3, key=<ip>
<ip> is not in tidb type black_ip.

To identify the status of a domain/URL/IP in Fortiguard, use FortiGuard IOC services.