Hi,
I have internal domain dns server on domain controller, Fortianalyzer shows this host as compromised with multiple attempts to websites like:
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Created on 01-06-2022 01:55 PM
Hello Tutek,
Do you also log on Syslog server? Hope you will find some information in there.
Also, can you check if all the logs are been forwarded from the firewall to the Fortianalyzer, can you check on the firewall if you can find anything from the logs in the firewall.
Let us know if that helps.
Hey Tutek,
if you check the compromised host details on FortiAnalyzer, by right-clicking you should be able to get to the underlying logs FortiAnalyzer received, which made it reach the compromised verdict.
I would suggest checking traffic and/or security logs with source IP of your domain controller to figure out if there is in fact any traffic going to the internet from your DCs. If there is such traffic, the logs should tell you what policy allows that traffic, you can lock down the access, and then figure out if your domain controllers are actually compromised or not.
Hope this helps!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1031 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.