Managing an IOC rescan policy
The indicators of compromise (IOC) scan time range can be customized to scan previous entries so that when a new package is received from FortiGuard, FortiAnalyzer can immediately rescan using the new definitions.
Requirements for managing an IOC rescan policy:
To configure rescan settings and check rescan results:
- Go to SOC > FortiView > Threats > Compromised Hosts.
- From the Tools menu on the right-side of the toolbar, select Edit Rescan Configuration.
The Edit IOC Rescan Policy Settings window opens.
- Under IOC Rescan Global Settings:
- Enable Global IOC Rescan.
- Set the running time to either a specific hour of the day, or select package update to rescan when the package is updated.
- Under IOC Rescan Current ADOM Settings:
- Enable Current ADOM IOC Rescan.
- Select the log types to be scanned (DNS, Web Filter, and Traffic logs).
- Set the number of previous days' logs that are scanned.
By default, all log types are selected, and the scan will cover the past 14 days. The maximum recommended number of scan days is calculated based on historical scan speeds, or 30 days if no previous scans have been done.
- All tasks are shown in the Rescan tasks table, which includes:
- The start and end time of each task.
- The status of the task (complete, running, etc.).
- How complete a task is, as a percentage.
- The total number of scanned logs and the threat count (the number of logs with threats) for each task.
- The IOC package update time.
- A count of the new threats that were added in this update.
Running tasks can be canceled by clicking the Cancel button in the Status column.
- Select a non-zero threat count number in the Rescan tasks table to drill down to a specific scans task details. These details include the Detect Pattern, Threat Type, Threat Name, # of Events, and the Endpoint.
- Click Back to return to the settings window.
- Click OK to return to the compromised hosts list.
- In the compromised hosts list, a rescan icon will be shown in the Last Detected column if any threats where found during a rescan. To view only those hosts that had threats found during a rescan, select Only Show Rescan from the Tools menu in the toolbar.