Hi, for the last few days we have been experiencing mass endpoint quarantines
because otelrules.azureedge.net is flagged as an indicator of compromise
on our FortiGates / FortiAnalyzer. otelrules.azureedge.net is number 92
on the required URLs for Office 365 t...
For the last few weeks we have been seeing Microsoft- or Intel-signed files classed
as FSA/RISK_HIGH in both the FortiClient and the FortiGates. Our
FortiClients are configured to explicitly NOT upload files signed by
trusted sources (like Microsoft, Intel, etc...
Response from TAC: Thank you for bringing this issue to our attention. Our
analysis shows that these files (md5:798cd6d62ca995eb320059595efd0b03 &
md5:8fb10da817e73f639d2e905c8b6b43f0) do not contain any malicious
behaviour. We have already removed the d...
Hi Markus, we have the same: 842 instances of armsvc.exe quarantined
with file hash
E730922F614E4DFFE70D229EC118CD3052A31E9CA4DAB274A1A15DF1CBFA5674
Another randomfilename.msi with file hash
1942A8CC615E3CDCB06A336AA9F808358005D320E5FD9DF31264BACBCAEB92...
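The two posts above (signed Microsoft/Intel files classed as FSA/RISK_HIGH, and armsvc.exe quarantined by SHA256) both come down to the same triage question: is the quarantined file really the artefact the sensor reported, and does it carry a valid Authenticode signature from the publisher you expect? The PowerShell below is an added example, not code from the thread or from Fortinet; it uses the built-in Get-FileHash and Get-AuthenticodeSignature cmdlets. The sample path, the restored-sample location and the trusted-publisher list are assumptions to adjust for your environment; the default hash is the one quoted in the post above.

```powershell
# Added example (not from the thread): triage a quarantined binary by
# checking its SHA256 against the hash the sensor reported and verifying
# its Authenticode signature. Path and publisher list are assumptions.
param(
    [string]$Path = 'C:\Quarantine\armsvc.exe',   # assumed location of the restored sample
    [string]$ReportedSha256 = 'E730922F614E4DFFE70D229EC118CD3052A31E9CA4DAB274A1A15DF1CBFA5674',
    # Assumed allow-list: put the subject CN you expect for THIS file here,
    # taken from a known-good copy, not from the quarantined one.
    [string[]]$TrustedSubjects = @('CN=Microsoft Corporation')
)

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Error "Sample not found: $Path"
    exit 2
}

# 1. Confirm we are looking at the same artefact the sensor flagged.
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$hashMatches = ($hash -ieq $ReportedSha256)

# 2. Verify the Authenticode signature. Status is Valid only when the
#    signature verifies AND the chain ends at a root trusted on this host.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
$subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

$publisherTrusted = $false
if ($sig.Status -eq 'Valid') {
    foreach ($t in $TrustedSubjects) {
        if ($subject -like "*$t*") { $publisherTrusted = $true }
    }
}

# 3. Summarise what goes into the TAC case / whitelist request.
[pscustomobject]@{
    Path             = $Path
    SHA256           = $hash
    HashMatches      = $hashMatches
    SignatureStatus  = $sig.Status            # Valid, NotSigned, HashMismatch, UnknownError, ...
    Signer           = $subject
    Thumbprint       = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }
    NotAfter         = if ($sig.SignerCertificate) { $sig.SignerCertificate.NotAfter } else { $null }
    PublisherTrusted = $publisherTrusted
    Verdict          = if ($hashMatches -and $publisherTrusted) {
                           'Hash matches and signature is valid from an expected publisher: escalate as false positive'
                       } else {
                           'Needs manual review before restoring'
                       }
}
```

Two caveats when reading the output: a Valid status says the bytes are unmodified and were signed by that key, not that the file is benign, so the publisher check against a known-good subject and thumbprint is the part that carries weight; and a HashMismatch or NotSigned result on a file that should be signed is itself worth reporting, because it means the quarantined copy is not the vendor's binary.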
We are fine with some false positives, we understand they happen, and
think it is better to be safe than sorry in most cases. But if you issue
an IOC on known URLs for Microsoft cloud services... you have to be super
duper sure of your case, otherwise...
Hi Vraev, the license for post-breach detection is installed. License
expiration_str: 2025-03-25. The other commands just completed, no
results... Last night again, around midnight, a lot of IOCs on
otelrules.azureedge.net.
Already did, yesterday and today again. Also got a report that they
removed it from the IOC database; checked that our version was higher than the
version in which they whitelisted it. Still, IOCs are being triggered.