Fortinet black logo

Administration Guide

Managing an IOC rescan policy

Managing an IOC rescan policy

The indicators of compromise (IOC) scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.

Note

Requirements for managing an IOC rescan policy:

  • This feature requires a valid IOC license. The rescan options will not be available in the GUI or CLI without a license.
  • The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.
To configure rescan settings and check rescan results:
  1. Go to SOC > FortiView > Threats > Compromised Hosts.
  2. From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration.
    The Edit IOC Rescan Policy Settings window opens.

    Screenshot displaying the IOC rescan policy settings.

  3. Under IOC Rescan Global Settings:
    1. Enable Global IOC Rescan.
    2. Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
  4. Under IOC Rescan Current ADOM Settings:
    1. Enable Current ADOM IOC Rescan.
    2. Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
    3. Set the number of previous days' logs that are scanned.

    By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.

  5. All tasks are shown in the Rescan tasks table, which includes:
    • The start and end time of each task.
    • The status of the task (complete, running, etc.).
    • How complete a task is, as a percentage.
    • The total number of scanned logs and the threat count (the number of logs with threats) for each task.
    • The IOC package update time.
    • A count of the new threats that were added in this update.

    Running tasks can be canceled by clicking the Cancel button in the Status column.

    Screenshot displaying the populated rescan tasks table.

  6. Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scans task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.

    Screenshot displaying specific scan task details.

  7. Click Back to return to the settings window.
  8. Click OK to return to the compromised hosts list.
  9. In the compromised hosts list, a rescan icon will be shown in the Last Detected column if any threats where found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.

    Screenshot displaying list of rescanned compromised hosts

Managing an IOC rescan policy

The indicators of compromise (IOC) scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.

Note

Requirements for managing an IOC rescan policy:

  • This feature requires a valid IOC license. The rescan options will not be available in the GUI or CLI without a license.
  • The administrator must have System Settings write privileges to enable or disable and configure Global IOC Rescan.
To configure rescan settings and check rescan results:
  1. Go to SOC > FortiView > Threats > Compromised Hosts.
  2. From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration.
    The Edit IOC Rescan Policy Settings window opens.

    Screenshot displaying the IOC rescan policy settings.

  3. Under IOC Rescan Global Settings:
    1. Enable Global IOC Rescan.
    2. Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
  4. Under IOC Rescan Current ADOM Settings:
    1. Enable Current ADOM IOC Rescan.
    2. Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
    3. Set the number of previous days' logs that are scanned.

    By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.

  5. All tasks are shown in the Rescan tasks table, which includes:
    • The start and end time of each task.
    • The status of the task (complete, running, etc.).
    • How complete a task is, as a percentage.
    • The total number of scanned logs and the threat count (the number of logs with threats) for each task.
    • The IOC package update time.
    • A count of the new threats that were added in this update.

    Running tasks can be canceled by clicking the Cancel button in the Status column.

    Screenshot displaying the populated rescan tasks table.

  6. Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scans task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.

    Screenshot displaying specific scan task details.

  7. Click Back to return to the settings window.
  8. Click OK to return to the compromised hosts list.
  9. In the compromised hosts list, a rescan icon will be shown in the Last Detected column if any threats where found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.

    Screenshot displaying list of rescanned compromised hosts