I've opened a technical chat, called into support to try and speak with someone (ALWAYS a voicemail once transferred to sales), and searched all over the internet. No one can tell me what the FortiAnalyzer IOC license gives me over the DEMO mode. Does anyone have any idea what the full feature functionality of this license provides?
See FortiView Indicators of Compromise (5.6) or Viewing Compromised Hosts (6.0)
Your FortiAnalyzer needs to subscribe to FortiGuard to keep its threat database up to date. You must purchase a FortiGuard Indicators of Compromise Service license for that.
If you use the Compromised Host feature without updating the license, you will be using old signatures (out-of-date information), just like enabling AV/IPS on a FortiGate without valid FortiGuard coverage only allows the FortiGate to scan for the signatures it already has.
Hi,
please have a look at this cookbook:
https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works
It should answer your questions.
Christian
We have been trying it for a year now and have got pretty much nothing from it besides some false positive results. At least 90% is from websites that are currently blocked (malware websites or unrated). We probably won't renew this next year.
Fortigate : 80E, 80F, 100E, 200F, 300E : 6.4.6
FortiAnalyzer, ForticlientEMS
We're still trying out IOC as well. Haven't seen many hits and haven't had many false positives either.
I had hoped that in 6.2 IOC would become more fully implemented, but per https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works it looks like it is still just adding up the number of attempts to access blacklisted or suspicious URLs.
Noting suspicious URLs is an improvement over regular web filtering, but I really feel that to meet the definition of Indicators of Compromise it needs to be looking at more than URLs and DNS. Why not have it look at bad/suspicious logs from App Control, IPS, etc.? A device with multiple remote access and proxy apps (App Control) that is also doing port scans (IPS) should really get flagged as suspicious, but right now I don't think IOC will catch it. If it should have caught this and I'm missing something please let me know!
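The two detection ideas in this post (counting blacklisted/suspicious URL hits per host, and correlating App Control and IPS events for the same host) as an added Python example; this is not Fortinet's or FortiAnalyzer's code. The key=value log format, field names and category values are simplified assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified key=value style loosely modelled on
# FortiGate UTM logs; field names and values are assumptions for this example.
SAMPLE_LOGS = """\
type=utm subtype=webfilter srcip=10.0.0.5 action=blocked cat=malicious-websites hostname=bad.example
type=utm subtype=webfilter srcip=10.0.0.5 action=blocked cat=malicious-websites hostname=bad2.example
type=utm subtype=webfilter srcip=10.0.0.5 action=passthrough cat=unrated hostname=odd.example
type=utm subtype=app-ctrl srcip=10.0.0.9 app=TeamViewer appcat=Remote.Access action=pass
type=utm subtype=app-ctrl srcip=10.0.0.9 app=Tor appcat=Proxy action=pass
type=utm subtype=ips srcip=10.0.0.9 attack=TCP.Port.Scan action=detected
type=utm subtype=webfilter srcip=10.0.0.7 action=passthrough cat=business hostname=ok.example
"""
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SUSPICIOUS_CATS = {"malicious-websites", "unrated"}      # assumed category names
SUSPICIOUS_APPCATS = {"Remote.Access", "Proxy"}          # assumed App Control categories

def parse(line):
    """Turn one key=value log line into a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def score_hosts(log_text, url_threshold=2):
    """Return {srcip: [reasons]} for hosts that look compromised.
    Rule 1 mimics the URL-counting verdict, but also reports how many hits were
    allowed through (blocked hits are already contained and are low triage value).
    Rule 2 is the cross-log idea: several remote-access/proxy apps plus an IPS scan."""
    state = defaultdict(lambda: {"blocked": 0, "allowed": 0, "apps": set(), "scan": False})
    for line in log_text.splitlines():
        ev = parse(line)
        host, sub = ev.get("srcip"), ev.get("subtype")
        if not host:
            continue
        if sub == "webfilter" and (ev.get("action") == "blocked" or ev.get("cat") in SUSPICIOUS_CATS):
            state[host]["blocked" if ev.get("action") == "blocked" else "allowed"] += 1
        elif sub == "app-ctrl" and ev.get("appcat") in SUSPICIOUS_APPCATS:
            state[host]["apps"].add(ev.get("app"))
        elif sub == "ips" and "Scan" in ev.get("attack", ""):
            state[host]["scan"] = True
    verdicts = {}
    for host, s in state.items():
        reasons = []
        total = s["blocked"] + s["allowed"]
        if total >= url_threshold:
            reasons.append(f"{total} suspicious URL hits ({s['allowed']} allowed through)")
        if len(s["apps"]) >= 2 and s["scan"]:
            reasons.append("remote-access/proxy apps + port scan")
        if reasons:
            verdicts[host] = reasons
    return verdicts
```

Running `score_hosts(SAMPLE_LOGS)` flags 10.0.0.5 on the URL rule and 10.0.0.9 only on the correlated rule, which the URL-only approach would miss entirely.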
There was a big improvement in 6.2: it's called IOC rescan.
You can now configure FAZ to rescan historical logs (number of days back can be configured).
For more info please look at:
Regards
Christian
Copyright 2024 Fortinet, Inc. All Rights Reserved.