Did you ever find a solution? With AD integration the DNS always gets
pegged as the compromised host. At first I had the FortiGate disable the
port of the compromised host, which in effect shut down the whole network,
so now I just have it email alert...