The Compromised Hosts summary shows end users with suspicious web usage which can indicate that their workstation is compromised. It provides information such as end users’ IP addresses, last detected date, host name, OS, a Map View, and number of threats. You can drill down to view threat details.
FortiAnalyzer identifies possible compromised hosts by checking the web filter logs of each end user against its threat database. When a threat match is found, a threat score is given to the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s overall Indicators of Compromise.
To use this Compromised Hosts summary, you must turn on the UTM web filter of FortiGate devices. You must also subscribe your FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard.
Go to FortiView > Threats > Compromised Hosts.
When viewing Compromised Hosts, use the controls in the toolbar to select Table or Tile format, select devices, specify a time period, refresh the view, set the refresh rate, export the information, and switch to full-screen mode.
In tile format, you can view a map of the Compromised Hosts by clicking Map View in the tile. To see more details, hover the cursor over a destination.
The # of Threats is the number of unique threat names associated with that compromised host entry.
The number of events is the number of logs matching each blacklist entry for that compromised host entry.
- To acknowledge a Compromised Hosts line item, click Ack on that line.
- To filter entries, click Add Filter and specify devices or a time period.
- To drill down and view threat details, double-click a tile or a row.
- Ensure your FortiAnalyzer can reach FortiGuard at
- Purchase a FortiGuard Indicators of Compromise Service license and apply that license to the product registration. No change is needed on the FortiAnalyzer side.
- Go to System Settings > Dashboard.
- In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.
- After purchasing the license, check that the FortiGuard > Indicators of Compromise Service is Licensed and shows the expiry date.