FortiManager
bboudjema (Staff)
Article Id 220551
Description

This article describes how to check and troubleshoot potential IOC false positive URLs/IPs.

Scope: FortiManager, FortiGuard.

Solution

Indicators of Compromise (IOC) allow FortiGuard to detect compromised endpoints by comparing the IP, domain or URL against the TIDB package.

This package is downloaded on a daily basis from FortiGuard servers. Any compromised hosts are listed in the FortiView panel.

The TIDB package contains a blacklist of IPs, domains and URLs.

As soon as a new TIDB package is downloaded by FortiAnalyzer, the previous package becomes obsolete.

Occasionally, IOC detections turn out to be false positives.

1) Verify that FortiAnalyzer is not using an IOC demo license:

The difference between the demo and the paid version is a likely cause of false positive results.

Demo mode IOC uses the default threat package that ships with the firmware release. This default package is NOT up to date.

Licensed IOC uses a fresh threat package, downloaded regularly from FortiGuard, and produces much more accurate detection.

2) Use the CLI command below to verify the license information:

diagnose test application sqllogd 204 stats

If FortiAnalyzer uses the paid IOC version, check the TIDB version and its load time in the output to be sure the latest database is being used by the FortiView -> Compromised Hosts panel. Keeping the database current prevents numerous false positives.

If the TIDB is not up to date, refer to the KB article below for instructions on updating it:

Technical Tip: Configure FortiManager as a local FDN server for FortiGates.

3) Use the CLI command below to check an IP/URL against the FortiGuard TIDB:

diag test app sqllogd 204 tidb type=<type>,key=<key_str>

For example, for an IP address:

diagnose test application sqllogd 204 tidb type=3,key=x.x.x.x

'Type' is the TIDB table type. The available values are:

0 - suspicious-url
1 - infected-url
2 - infected-domain
3 - infected-ip

'Key_str' is the search string and must be in the correct format for the chosen 'Type' (a full URL for types 0 and 1, a domain name for type 2, an IP address for type 3).

Examples:

diag test app sqllogd 204 tidb type=1,key=https://example.com/test/t5/tkb/
diag test app sqllogd 204 tidb type=2,key=example.com
diag test app sqllogd 204 tidb type=3,key=93.184.216.34

In this example, an IP address is used.

The CLI command above tests the key against the latest loaded TIDB and reports whether the IP address is listed as infected.

This confirms whether the IP address in question is a genuine hit in the current TIDB or a false positive.
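
Matching the 'Type' table by hand for every flagged indicator is error-prone when several hosts are listed. The Python helper below is an added example, not part of this article or of Fortinet's tooling: it derives the correct 'Type' and a normalized 'key_str' from a raw IP, domain or URL and emits the matching lookup command; treating every URL as type 1 by default is an assumption.

```python
import ipaddress
import re
from typing import Optional, Tuple

# TIDB table types listed in this article (the 'type=' argument of the command).
TIDB_TYPES = {0: "suspicious-url", 1: "infected-url", 2: "infected-domain", 3: "infected-ip"}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_key(raw: str) -> Tuple[int, str]:
    """Map an indicator copied from FortiView to (type, key_str) in the format the
    matching TIDB table expects. Assumption: URLs default to infected-url (type 1);
    type 0 (suspicious-url) has to be requested explicitly via tidb_command()."""
    key = raw.strip()
    try:
        ipaddress.ip_address(key)          # IPv4 or IPv6 -> infected-ip table
        return 3, key
    except ValueError:
        pass
    if "://" in key:                       # full URL -> infected-url table
        scheme, _, rest = key.partition("://")
        if scheme.lower() not in ("http", "https") or not rest or rest.startswith("/"):
            raise ValueError(f"not an http(s) URL usable as a TIDB key: {raw!r}")
        return 1, key
    # Bare hostname -> infected-domain table; lower-case it and drop a trailing dot.
    labels = key.lower().rstrip(".").split(".")
    if len(labels) >= 2 and all(_LABEL.match(label) for label in labels):
        return 2, ".".join(labels)
    raise ValueError(f"cannot derive a TIDB key from {raw!r}")


def tidb_command(raw: str, type_override: Optional[int] = None) -> str:
    """Return the FortiAnalyzer CLI lookup for one indicator."""
    tidb_type, key = classify_key(raw)
    if type_override is not None and type_override != tidb_type:
        # Only a URL may be re-pointed between the two URL tables (0 and 1); any other
        # override would query a table whose key format does not match the indicator.
        if {tidb_type, type_override} != {0, 1}:
            raise ValueError(f"type {type_override} does not fit key {key!r} ({TIDB_TYPES[tidb_type]})")
        tidb_type = type_override
    return f"diagnose test application sqllogd 204 tidb type={tidb_type},key={key}"


if __name__ == "__main__":
    # Constructed sample list: the article's example values plus a few edge cases.
    for indicator in ["93.184.216.34", "Example.COM.", "https://example.com/test/t5/tkb/", "2001:db8::1"]:
        print(tidb_command(indicator))
```

Paste the printed commands into the FortiAnalyzer CLI; a key that is absent from the current TIDB points to a hit produced by an older package.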

Use of the FortiGuard Web Filter Lookup tool:

Another way to check the same information is the FortiGuard web filter lookup:

FortiGuard webfilter.

If any doubt remains, a review of the rating can be requested from the lookup tool.

Troubleshooting commands:

diagnose test application sqllogd 204 stats
diagnose test application sqllogd 204 license
diagnose test application sqllogd 204 notif
diagnose test application sqllogd 204 tidb type=3,key=x.x.x.x

exec tac report

Related articles: