Created on 08-11-2022 02:43 AM Edited on 07-11-2024 06:30 AM By Jean-Philippe_P
Description
This article describes how to check and troubleshoot potential IOC false positive URLs/IPs.
Scope
FortiManager, FortiGuard.
Solution
Indicators of Compromise allow FortiGuard to detect compromised endpoints by comparing the IP/domain or URL against the TIDB package.
This package is downloaded daily from FortiGuard servers. Any compromised hosts are listed in the FortiView panel.
The TIDB package contains a blacklist of IPs, domains, and URLs. As soon as a new TIDB package is downloaded by FortiAnalyzer, the previous package becomes obsolete.
Occasionally, IOC detection produces false positives.
One possible reason for the false positive results is the difference between the demo and the paid version.
The demo mode IOC: uses the default threat package which comes with the firmware release. The default package is NOT up-to-date.
The licensed IOC: uses a fresh threat package (downloaded regularly) from FortiGuard and produces much more accurate detection.
If FortiAnalyzer uses the paid IOC version, check the TIDB version in use and its load time with the following command, to be sure the latest database is the one used in the FortiView -> Compromised Hosts panel. This prevents numerous false positives.
diagnose test application sqllogd 204 stats
If the TIDB is not up to date, refer to the following KB article for instructions on updating it:
Technical Tip: Configure FortiManager as a local FDN server for FortiGates.
To look up a specific indicator against the currently loaded TIDB, use the following command (the first line shows the IP form, the second the general syntax):
diagnose test application sqllogd 204 tidb type=3,key=x.x.x.x
diag test app sqllogd 204 tidb type=<type>,key=<key_str>
'Type' is the TIDB table type. The available values are:
0 - suspicious-url
1 - infected-url
2 - infected-domain
3 - infected-ip
'Key_str' is the search string and should be in the correct format for the 'Type'.
Examples:
diag test app sqllogd 204 tidb type=1,key=https://example.com/test/t5/tkb/
diag test app sqllogd 204 tidb type=2,key=example.com
diag test app sqllogd 204 tidb type=3,key=93.184.216.34
In the last example, an IP address is used (type=3).
The CLI command tests the condition against the latest TIDB and reports whether the IP address is listed as infected.
This is how to check whether the detection for the IP address in question is a false positive or not.
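Because 'key_str' must match the format of the chosen 'Type', the lookups above are easy to get wrong when checking a whole list of hosts from the FortiView panel. The following helper, added here as an example (not part of the article or any Fortinet tool), classifies each indicator into the TIDB table types it belongs to and emits the matching lookup commands; a URL is emitted for both URL tables (0 and 1) since the key alone does not reveal which list it is on. The sample indicators are constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlparse

# TIDB table types as listed in the article; the key format must match the type.
TIDB_TYPES = {0: "suspicious-url", 1: "infected-url", 2: "infected-domain", 3: "infected-ip"}

# Bare hostname: dot-separated labels, alphabetic TLD, no scheme or path.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def classify_indicator(indicator: str) -> list[int]:
    """Return the TIDB table types an indicator should be looked up in.

    IP address -> [3]; bare domain -> [2]; http(s) URL -> [0, 1] (both URL
    tables, since the key alone does not say which list it is on); [] when
    the value fits none of the formats and would produce a malformed key.
    """
    s = indicator.strip()
    try:
        ipaddress.ip_address(s)
        return [3]
    except ValueError:
        pass
    if DOMAIN_RE.match(s):
        return [2]
    parsed = urlparse(s)
    if parsed.scheme in ("http", "https") and parsed.netloc:
        return [0, 1]
    return []


def build_lookup_commands(indicators: list[str]) -> list[str]:
    """Build one 'diag test app sqllogd 204 tidb' command per applicable table type."""
    commands = []
    for ind in indicators:
        for t in classify_indicator(ind):
            commands.append(f"diag test app sqllogd 204 tidb type={t},key={ind.strip()}")
    return commands


if __name__ == "__main__":
    # Constructed sample: values as they might appear in a Compromised Hosts export.
    sample = ["93.184.216.34", "example.com", "https://example.com/test/t5/tkb/", "not an indicator"]
    for cmd in build_lookup_commands(sample):
        print(cmd)
```

Indicators that fit no format are dropped rather than turned into a command, so a malformed key never reaches the CLI.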
Use of the FortiGuard IOC Lookup tool:
The same information can also be checked with this alternative method:
If any doubts remain, a request for review is possible.
Troubleshooting commands:
diagnose test application sqllogd 204 stats
exec tac report