Hi,
For the last few days we have been experiencing mass endpoint quarantines because otelrules.azureedge.net is flagged as an indicator of compromise on our FortiGates / FortiAnalyzer.
otelrules.azureedge.net is number 92 on the list of required URLs for Office 365 to function according to:
Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn
Are there any other people / companies who experience the same, or is it something for only us?
Detection pattern reads:
[{"wf_cate":"Information Technology","av_cate":"","spam_cates":[],"ioc_cate":"","ioc_tags":[],"confidence":"Low","reference_url":"https://ioc.fortiguard.com/search?query=otelrules.azureedge.net&filter=indicator","kill_chain_phases":["command-and-control"],"created":"2024-01-16T01:16:38Z","modified":"2024-01-16T06:29:53Z","malware_name":"","reportFasleIoc":true,"hideMiscellaneous":true,"tdpattern":"otelrules.azureedge.net","iocTitle":"Detect Pattern","iocDesc":"otelrules.azureedge.net"}]
Hi @Wi3tse ,
Please use the following form to contact the team responsible for the IOC.
https://www.fortiguard.com/faq/ioc
Best,
Already did, yesterday, and today again. Also got a report that they removed it from the IOC database; checked that our version was higher than the version in which they whitelisted it. Still, IOCs are being triggered.
Please provide the output from:
diagnose test application sqllogd 204 license status
Also, try to disable it:
config system log ioc
    set status disable
end
config system sql
    set compress-table-min-age 5
end
and then to enable it.
Please observe after these steps.
Created on 01-18-2024 12:47 PM Edited on 01-18-2024 12:48 PM
If I were you, I wouldn't use the quarantine action. A false positive usually has a huge impact on the company. It might take down all the workstations. False positive IOCs occur more often than true positive IOCs.
Instead I'd choose an action such as notifying the admin and banning the external URL or IP. It does less harm when it's false.
We are fine with some false positives, we understand they happen, and think it is better to be safe than sorry in most cases.
But if you issue an IOC on known URLs for Microsoft cloud services...you have to be super duper sure of your case, otherwise the IOCs quickly become worthless information, which does more harm than good.
I think they should create a category for Microsoft cloud services that you can whitelist from triggering IOCs.
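The two ideas raised in the thread, an allowlist of Microsoft 365 required endpoints and downgrading the response from quarantine to notify, can be combined into a triage step that runs over exported IOC records before any automated action fires. The following is an added example written for this thread, not Fortinet code and not a FortiAnalyzer API: it parses records in the shape of the detection pattern quoted above, matches `tdpattern` against an allowlist, and returns a recommended action. The allowlist entries other than `otelrules.azureedge.net`, the second IOC record (a `.invalid` host), the `M365_ALLOWLIST` and `triage` names, and the use of `*.` wildcards in the allowlist are all constructed for the example.

```python
import json
from fnmatch import fnmatchcase

# Constructed allowlist in the style of the Microsoft 365 endpoint list.
# Only otelrules.azureedge.net is quoted in the thread; the others are assumptions.
# Note: no "*.azureedge.net" entry on purpose, since azureedge.net hosts
# customer-provisioned Azure CDN endpoints, not only Microsoft services.
M365_ALLOWLIST = [
    "otelrules.azureedge.net",
    "*.office.com",        # assumed wildcard entry
    "*.sharepoint.com",    # assumed wildcard entry
]

# Constructed sample export: the record quoted in the thread (trimmed to the
# keys used here) plus one unrelated hit with a placeholder hostname.
SAMPLE_IOC_RECORDS = json.dumps([
    {"tdpattern": "otelrules.azureedge.net", "confidence": "Low",
     "kill_chain_phases": ["command-and-control"]},
    {"tdpattern": "example-bad-host.invalid", "confidence": "High",
     "kill_chain_phases": ["command-and-control"]},
])


def is_allowlisted(host, allowlist=M365_ALLOWLIST):
    """True if the hostname matches an allowlist entry (case-insensitive,
    trailing dot ignored, shell-style wildcards allowed in entries)."""
    host = host.strip().lower().rstrip(".")
    return any(fnmatchcase(host, pattern.lower()) for pattern in allowlist)


def triage(record, allowlist=M365_ALLOWLIST):
    """Return (action, reason) for one IOC record.

    Allowlisted hosts and low-confidence hits get 'notify' so an analyst
    reviews them; only high-confidence, non-allowlisted hits keep 'quarantine'.
    """
    host = record.get("tdpattern", "")
    if is_allowlisted(host, allowlist):
        return ("notify", "matches a Microsoft 365 required endpoint; review before quarantine")
    if record.get("confidence", "").lower() == "low":
        return ("notify", "low-confidence IOC; do not auto-quarantine")
    return ("quarantine", "high-confidence IOC on a non-allowlisted host")


def triage_export(json_text, allowlist=M365_ALLOWLIST):
    """Parse an exported list of IOC records and triage each one.
    Returns a list of (host, action, reason) tuples."""
    return [(r.get("tdpattern", ""),) + triage(r, allowlist)
            for r in json.loads(json_text)]


if __name__ == "__main__":
    for host, action, reason in triage_export(SAMPLE_IOC_RECORDS):
        print(f"{host}: {action} ({reason})")
```

The allowlist is deliberately exact for the azureedge.net case: a wildcard on that CDN domain would suppress alerts for any hostname provisioned there, which is the opposite of the narrow exception the thread is asking for. The `confidence` field quoted in the pattern above is `Low`, which on its own is a reason to route the hit to a notification rather than an automatic quarantine.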
Hi Vraev,
License of post breach detection installed.
License expiration_str: 2025-03-25
The other commands just completed, no results...
This night again around midnight, a lot of IOCs on otelrules.azureedge.net.
Hi,
There are not many options from the FAZ side.
Please review this article.
https://community.fortinet.com/t5/FortiManager/Troubleshooting-Tip-IOC-license-false-positives/ta-p/...