Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wi3tse
New Contributor II

otelrules.azureedge.net flagged as IOC on FortiGate / FortiAnalyzer

Hi, 

 

The last few days we are experiencing mass endpoint quarantines because otelrules.azureedge.net is flagged as an indicator of compromise on our Fortigates / FortiAnalyzer.

 

otelrules.azureedge.net is number 92 on the required urls for Office 365 to function according to:

Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn

 

Are there any other people / companies who experience the same, or is it something for only us?

Detection patern reads:

 

[{"wf_cate":"Information Technology","av_cate":"","spam_cates":[],"ioc_cate":"","ioc_tags":[],"confidence":"Low","reference_url":"https://ioc.fortiguard.com/search?query=otelrules.azureedge.net&filter=indicator","kill_chain_phases":["command-and-control"],"created":"2024-01-16T01:16:38Z","modified":"2024-01-16T06:29:53Z","malware_name":"","reportFasleIoc":true,"hideMiscellaneous":true,"tdpattern":"otelrules.azureedge.net","iocTitle":"Detect Pattern","iocDesc":"otelrules.azureedge.net"}]

8 REPLIES 8
vraev
Staff
Staff

Hi @Wi3tse ,

 

Please use the following form to contact the team responsible for the IOC.

https://www.fortiguard.com/faq/ioc

Best,

V.R.
Wi3tse
New Contributor II

Already did, yesterday, and today again. Also got report that they removed it from IOC database, checked our version was higher than the version in which they whitelisted. Still IOC's are being triggered.

vraev
Staff
Staff

Please provide the output from:
diagnose test application sqllogd 204 license status

Also, try do disable it:
config system log ioc
set status disable
end

config system sql
set compress-table-min-age 5
end

 

and then to enable it.

Please observe after this steps.

V.R.
Jack_wack
New Contributor III

If i were you, I wouldn't use the action quarantine. A false positive usually has a huge impact on the company. It might take down the whole workstations. False positive ioc's are more often than true positive ioc's.

Instead I'd choose an action such notifying the admin and banning the external url or ip. It's less harm when it's false.

Wi3tse
New Contributor II

We are fine with some false positives, we understand they happen, and think it is better to be safe then sorry in most cases.

 

But if you issue an IOC on known urls for Microsoft cloud services...you have to be super duper sure of your case, otherwise the IOC's are quickly becoming worthless information, which does more harm than good.

 

I think they should create a category for Microsoft cloud services, you can whitelist from triggering IOC's.

 

 

Wi3tse
New Contributor II

Hi Vraev,

 

License of post breach detection installed.
License expiration_str: 2025-03-25

 

The other commands just completed, no results...

This night again around midnight, a lot of IOC's on otelrules.azureedge.net.

 

 

 

Jack_wack
New Contributor III

If i were you, I wouldn't use the action quarantine. A false positive usually has a huge impact on the company. It might take down the whole workstations. False positive ioc's are more often than true positive ioc's.

Instead I'd choose an action such notifying the admin and banning the external url or ip. It's less harm when it's false.

vraev
Staff
Staff

Hi,

There is not so much  as an options from FAZ side.

Please review this article.
https://community.fortinet.com/t5/FortiManager/Troubleshooting-Tip-IOC-license-false-positives/ta-p/...

V.R.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors