Event handlers can generate events for compromised hosts that are detected by the IoC rescan feature.
- Go to FortiView > FortiView > Threats > Compromised Hosts, and click the settings icon to configure global and ADOM rescan settings.
- In the rescan task list, select a task and click on a threat count (red circle) to view the rescan result.
Threat 126.96.36.199 was found on the endpoints 172.18.4.116 and VAN-200289-PC2.
- Go to FortiView > FortiView > Threats > Compromised Hosts.
For the end user faz-test (10.2.60.145) on endpoint VAN-200289-PC2, a rescan icon is displayed in the Last Detected column to indicate that threats were found during the rescan.
- Go to the drilldown view for the end user to view the detected threat patterns.
For end user faz-test (10.2.60.145) there are two threat patterns: 188.8.131.52 was found by real-time logs, and 184.108.40.206 was found during the rescan.
- Go to FortiSoC > Handlers > Event Handler List.
The ioc_rescan tag is included in all filters of the following default event handlers: Default-Compromised Host-Detection-IOC-By-Endpoint and Default-Compromised Host-Detection-IOC-By-Threat.
For comparison, the ioc_rescan tag is absent from every filter of the custom event handlers: Copy of Default-Compromised Host-Detection-IOC-By-Endpoint and Copy of Default-Compromised Host-Detection-IOC-By-Threat.
- Go to FortiSoC > Event Monitor > All Events and view alerts for the Default-Compromised Host-Detection-IOC-By-Threat handler.
The ioc_rescan tag is present on the alerts for threat 220.127.116.11 because they are generated from rescan logs. There is no ioc_rescan tag on the alerts for threat 18.104.22.168 because they are generated from real-time logs.
- View alerts for the Copy of Default-Compromised Host-Detection-IOC-By-Threat handler.
There are no alerts for threat 22.214.171.124 because this handler does not process rescan logs. There are alerts, without the ioc_rescan tag, for threat 126.96.36.199 because the handler still processes real-time logs.
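The behaviour described above, a handler whose filters carry the ioc_rescan tag processes both real-time and rescan logs and tags the rescan-derived alerts, while a copied handler without the tag silently drops rescan detections, is modelled in the added Python example below. This is illustrative code written for this page, not FortiAnalyzer's own handler implementation or API; the log records, the handler names and the `matches` rule are constructed assumptions that reproduce the outcome the steps above report. The `check_handler_rescan_coverage` helper is the check a practitioner would want after cloning a default handler: it lists every handler that will never alert on rescan results.

```python
from dataclasses import dataclass

# Tag that the default compromised-host handlers carry in their filters.
IOC_RESCAN_TAG = "ioc_rescan"


@dataclass(frozen=True)
class IocLog:
    """One compromised-host detection record (constructed sample data)."""
    threat: str
    endpoint: str
    end_user: str
    rescan: bool  # True: produced by the IoC rescan; False: real-time log


@dataclass(frozen=True)
class EventHandler:
    name: str
    filter_tags: frozenset  # tags present in this handler's filters

    def matches(self, log: IocLog) -> bool:
        # Assumed rule modelling the page: real-time logs are processed by
        # every handler; rescan logs only by handlers whose filters carry
        # the ioc_rescan tag.
        return (not log.rescan) or (IOC_RESCAN_TAG in self.filter_tags)


@dataclass(frozen=True)
class Alert:
    handler: str
    threat: str
    end_user: str
    tags: frozenset  # ioc_rescan is attached only to rescan-derived alerts


def run_handlers(handlers, logs):
    """Apply each handler to each log and return the alerts it would raise."""
    alerts = []
    for handler in handlers:
        for log in logs:
            if handler.matches(log):
                tags = frozenset({IOC_RESCAN_TAG}) if log.rescan else frozenset()
                alerts.append(Alert(handler.name, log.threat, log.end_user, tags))
    return alerts


def alerts_for(alerts, handler_name):
    """Filter alerts down to one handler, mirroring the Event Monitor view."""
    return [a for a in alerts if a.handler == handler_name]


def check_handler_rescan_coverage(handlers):
    """Names of handlers that will never alert on rescan detections."""
    return [h.name for h in handlers if IOC_RESCAN_TAG not in h.filter_tags]


# Constructed sample input mirroring the end user from the steps above:
# one real-time detection and one rescan detection on the same endpoint.
SAMPLE_LOGS = [
    IocLog("188.8.131.52", "VAN-200289-PC2", "faz-test(10.2.60.145)", rescan=False),
    IocLog("184.108.40.206", "VAN-200289-PC2", "faz-test(10.2.60.145)", rescan=True),
]

DEFAULT_HANDLER = "Default-Compromised Host-Detection-IOC-By-Threat"
COPIED_HANDLER = "Copy of Default-Compromised Host-Detection-IOC-By-Threat"

# The default handler carries the tag; the copy does not (as the page reports).
HANDLERS = [
    EventHandler(DEFAULT_HANDLER, frozenset({IOC_RESCAN_TAG})),
    EventHandler(COPIED_HANDLER, frozenset()),
]


if __name__ == "__main__":
    for alert in run_handlers(HANDLERS, SAMPLE_LOGS):
        print(alert)
    print("handlers without rescan coverage:",
          check_handler_rescan_coverage(HANDLERS))
```

Running the block shows two alerts for the default handler, one of them tagged ioc_rescan, and a single untagged alert for the copy; the coverage check names the copy. If a cloned handler is meant to cover rescan results, its filters need the ioc_rescan tag added after cloning.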