if you check the compromised host details on FortiAnalyzer, by right-clicking you should be able to get to the underlying logs FortiAnalyzer received, which made it reach the compromised verdict.
I would suggest checking traffic and/or security logs with source IP of your domain controller to figure out if there is in fact any traffic going to the internet from your DCs. If there is such traffic, the logs should tell you what policy allows that traffic, you can lock down the access, and then figure out if your domain controllers are actually compromised or not.
Hope this helps!
+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++