Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
heyyoscotthall
New Contributor

Indicator of compromise question

My organization is currently reviewing IOCs and I have been reading about it. However, I can't find the answer to one thing: what if it's a false positive and we know it, and we want the host to access the internet and remove it from the 'compromised host' tag?

1 Solution
tio3udes
New Contributor III

The "compromised host" tag doesn't do anything on its own. Only if you set up an automated action on the FortiGate based on this tag will something happen.

Now, let's say you set up an automatic quarantine action for Compromised Hosts. You can manually remove the user's device from quarantine, no problem.

More on that here:

https://docs.fortinet.com/document/fortiswitch/7.0.0/devices-managed-by-fortios/173282/quarantines

And, about automation stitches, here:

https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/139441/automation-stitches

ti03udes
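As an added illustration (not part of the original post), here is what the trigger/action/stitch chain described above looks like in the FortiOS CLI, together with the commands an admin would use to release a host that turns out to be a false positive. Object names and the `set action` form follow the FortiOS 6.2 cookbook linked above; the `diagnose user quarantine` release syntax and the sample IP are assumptions to confirm against your own firmware's CLI reference.

```text
# Added example, not from the original post. Syntax follows the FortiOS 6.2
# cookbook linked above; object names are the defaults FortiOS ships with.

# 1. Trigger: fires when the FortiAnalyzer IOC service tags a host as
#    compromised. Requiring "high" confidence is the simplest way to keep
#    medium-confidence verdicts from kicking off anything automated.
config system automation-trigger
    edit "Compromised Host Quarantine"
        set event-type compromised-host
        set ioc-level high
    next
end

# 2. Action: the tag alone does nothing; only this action isolates the host.
config system automation-action
    edit "Quarantine on FortiSwitch+FortiAP"
        set action-type quarantine
    next
end

# 3. Stitch: binds the trigger to the action. Setting status to disable
#    stops automatic quarantine entirely while keeping the IOC tag visible.
config system automation-stitch
    edit "Compromised Host Quarantine"
        set status enable
        set trigger "Compromised Host Quarantine"
        set action "Quarantine on FortiSwitch+FortiAP"
    next
end

# 4. Releasing a false positive (assumed syntax, verify on your firmware):
#    list the quarantined hosts, then delete the one you have cleared.
#    192.0.2.45 is a constructed example address.
diagnose user quarantine list
diagnose user quarantine delete src4 192.0.2.45
```

Releasing the host clears the quarantine only; the IOC verdict on FortiAnalyzer is separate, so the same host will be quarantined again on its next detection unless the stitch is tuned or disabled.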