IOC (Indicators of Compromise) detection identifies compromised client hosts (endpoints) by comparing the IPs, domains, and URLs they visited against the TIDB (Threat Intelligence Data Base) package, which FortiAnalyzer downloads daily from FortiGuard.
When IOC detection needs to be troubleshot, the steps below can be followed.
1) IOC requires separate licensing
To check the license downloaded from FortiGuard in the CLI:
# diagnose fmupdate dbcontract fds
FL-1KE3R16-----1 [SERIAL_NO]
AccountID:
Industry:
Company:
Contract: 1
PBDS-1-99-20250104    <- PBDS is the IOC license
Contract Raw Data:
Contract=PBDS-1-99-20250104:0:1:1:0
# diagnose test application sqllogd 204 stats
License of post breach detection installed.
License expiration : 2025-Jan-04
TIDB version : 00000.01017-1902242107
TIDB load time : 2019-02-24 14:11:2
3) Make sure that the FGT logs contain the information needed to identify the IOC
As mentioned above, FAZ uses the IP, the domain (DNS filter) and the URL (Web filter) to identify IOCs. This means the FGT logs must contain at least one of these fields for an IOC to be triggered. Each indicator type can be looked up in the loaded TIDB directly from the CLI (type=1 for a URL, type=2 for a domain, type=3 for an IP):
FL3K5F-1 # diagnose test application sqllogd 204 tidb type=1, key=<url>
<url> is not in tidb type black_url.
FL3K5F-1 # diagnose test application sqllogd 204 tidb type=2, key=<domain>
x.com is in tidb type black_domain. id=726851 hash=863185493322 3418302
FL3K5F-1 # diagnose test application sqllogd 204 tidb type=3, key=<ip>
<ip> is not in tidb type black_ip.
5) To identify the status of a domain/URL/IP in FortiGuard:
Use https://www.fortiguard.com/learnmore#ioc
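The two CLI checks above (the PBDS contract line from `diagnose fmupdate dbcontract fds` and the per-indicator `sqllogd 204 tidb` lookups) are easy to misread by eye when many hosts are being triaged. The following is an added example, not Fortinet code and not part of the original article: it parses captured output of both commands so the IOC license state and each indicator's TIDB verdict come back as structured values. The output formats are assumed to match the listings on this page; the serial, id and hash values in the samples are constructed placeholders.

```python
import re
from datetime import date, datetime

# Constructed sample of `diagnose fmupdate dbcontract fds` output, shaped like the
# listing on the page. Serial/account fields are placeholders, not real values.
DBCONTRACT_SAMPLE = """\
FL-XXXXXXXX-----1 [SERIAL_NO]
AccountID:
Industry:
Company:
Contract: 1
PBDS-1-99-20250104
Contract Raw Data:
Contract=PBDS-1-99-20250104:0:1:1:0
"""

# Constructed sample lines of `diagnose test application sqllogd 204 tidb ...`
# output, one per lookup type (1=URL, 2=domain, 3=IP). id/hash are made up.
TIDB_SAMPLE = [
    "http://example.test/login is not in tidb type black_url.",
    "bad.example is in tidb type black_domain. id=726851 hash=1234567890123456789",
    "203.0.113.10 is not in tidb type black_ip.",
]

# The PBDS contract string ends in a YYYYMMDD field, which is the expiry date
# (the page shows PBDS-1-99-20250104 alongside "License expiration : 2025-Jan-04").
PBDS_RE = re.compile(r"^Contract=PBDS-(\d+)-(\d+)-(\d{8})", re.M)


def parse_pbds_expiry(text):
    """Return the PBDS (IOC) contract expiry as a date, or None if absent."""
    m = PBDS_RE.search(text)
    if not m:
        return None
    return datetime.strptime(m.group(3), "%Y%m%d").date()


def ioc_license_status(text, today_iso=None):
    """Classify the IOC license as 'missing', 'expired' or 'valid' relative to
    today_iso (YYYY-MM-DD); defaults to the current date."""
    today = date.fromisoformat(today_iso) if today_iso else date.today()
    expiry = parse_pbds_expiry(text)
    if expiry is None:
        return "missing"
    return "expired" if expiry < today else "valid"


# "<key> is [not ]in tidb type black_<x>." optionally followed by id= and hash=
TIDB_RE = re.compile(
    r"^(?P<key>\S+) is (?P<neg>not )?in tidb type (?P<type>black_\w+)\."
    r"(?:\s*id=(?P<id>\d+)\s+hash=(?P<hash>\d+))?\s*$"
)


def parse_tidb_lookup(line):
    """Turn one tidb lookup result line into a dict with a boolean verdict."""
    m = TIDB_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised tidb output: {line!r}")
    return {
        "key": m.group("key"),
        "listed": m.group("neg") is None,
        "type": m.group("type"),
        "id": int(m.group("id")) if m.group("id") else None,
        "hash": m.group("hash"),
    }


def listed_indicators(lines):
    """Return only the lookups whose key is present in a TIDB blacklist."""
    return [r for r in map(parse_tidb_lookup, lines) if r["listed"]]


if __name__ == "__main__":
    print("IOC license:", ioc_license_status(DBCONTRACT_SAMPLE),
          "expires", parse_pbds_expiry(DBCONTRACT_SAMPLE))
    for hit in listed_indicators(TIDB_SAMPLE):
        print(f"{hit['key']} listed in {hit['type']} (id={hit['id']})")
```

Feed it the real CLI output by pasting it into a file and replacing the constructed samples; a "missing" or "expired" license explains an IOC that never fires, and an indicator that parses as not listed means the FortiGate log field, not the TIDB, is where to keep looking (step 3).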
Copyright 2023 Fortinet, Inc. All Rights Reserved.