IoC re-scan events

Event Handlers can generate events for compromised hosts detected by the IoC rescan feature.

Example of viewing IoC re-scanned events:
  1. Go to FortiView > FortiView > Threats > Compromised Hosts, and click the settings icon to configure global and ADOM rescan settings.
  2. In the rescan task list, select a task and click on a threat count (red circle) to view the rescan result.
    Threat 1.169.112.88 was found on the endpoint 172.18.4.116 and VAN-200289-PC2.
  3. Go to FortiView > FortiView > Threats > Compromised Hosts.
    For the end user faz-test(10.2.60.145) on endpoint VAN-200289-PC2, a rescan icon is displayed in the Last Detected column to indicate that there were threats found during rescan.
  4. Go to the drilldown view for the end user to view the detected threat patterns.
    For end user faz-test(10.2.60.145) there are two threat patterns: 1.163.163.199 was found by real-time logs, and 1.169.112.88 was found during rescan.
  5. Go to FortiSoC > Handlers > Event Handler List.
    The ioc_rescan tag is added in all filters for the following default event handlers: Default-Compromised Host-Detection-IOC-By-Endpoint and Default-Compromised Host-Detection-IOC-By-Threat.
    For comparison, there is no ioc_rescan tag for any filters in the custom event handlers: Copy of Default-Compromised Host-Detection-IOC-By-Endpoint and Copy of Default-Compromised Host-Detection-IOC-By-Threat.
  6. Go to FortiSoC > Event Monitor > All Events and view alerts for the Default-Compromised Host-Detection-IOC-By-Threat handler.
    The ioc_rescan tag is present on the alerts for threat 1.169.112.88 because they were generated from rescan logs. There is no ioc_rescan tag on the alerts for threat 1.163.163.199 because they were generated from real-time logs.
  7. View alerts for the Copy of Default-Compromised Host-Detection-IOC-By-Threat handler.
    There are no alerts for threat 1.169.112.88 because this handler does not process rescan logs. There are alerts (without the ioc_rescan tag) for threat 1.163.163.199 because the handler still processes real-time logs.
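The behaviour in steps 5 to 7 can be modelled to audit which handlers would miss hosts that are only found by a rescan. The following is an added Python illustration, not FortiAnalyzer code: the log record layout, the `Handler.accepted_tags` filter model and the sample logs are constructed assumptions that reproduce the two threat patterns described above.

```python
"""Model of how event handlers treat IoC rescan logs (illustrative only).

Assumptions (not FortiAnalyzer's real data model): each IoC log carries a set
of tags, and a handler's filters accept a log only if every tag on that log
is listed in the handler's accepted tags. This mirrors the page: default
handlers list ioc_rescan, the 'Copy of ...' handlers do not.
"""
from dataclasses import dataclass, field

RESCAN_TAG = "ioc_rescan"


@dataclass(frozen=True)
class IocLog:
    threat: str                      # matched IoC, here an IP address
    endpoint: str                    # host the IoC was observed on
    tags: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Handler:
    name: str
    accepted_tags: frozenset         # tags the handler's filters allow

    def matches(self, log: IocLog) -> bool:
        # A rescan-tagged log matches only if the filter allows ioc_rescan.
        return log.tags <= self.accepted_tags


def alerts_for(handler: Handler, logs) -> list:
    """Return (threat, tags) for every log that would raise an alert."""
    return [(log.threat, sorted(log.tags)) for log in logs if handler.matches(log)]


def handlers_missing_rescan(handlers) -> list:
    """Names of handlers that would never alert on rescan-only detections."""
    return [h.name for h in handlers if RESCAN_TAG not in h.accepted_tags]


# Constructed sample logs for the two threat patterns on endpoint VAN-200289-PC2.
SAMPLE_LOGS = [
    IocLog("1.163.163.199", "VAN-200289-PC2", frozenset()),             # real-time log
    IocLog("1.169.112.88", "VAN-200289-PC2", frozenset({RESCAN_TAG})),  # rescan log
]

DEFAULT_BY_THREAT = Handler("Default-Compromised Host-Detection-IOC-By-Threat",
                            frozenset({RESCAN_TAG}))
COPY_BY_THREAT = Handler("Copy of Default-Compromised Host-Detection-IOC-By-Threat",
                         frozenset())
```

Running `handlers_missing_rescan` over exported handler definitions is the check to perform after enabling rescan, since any handler cloned before the feature was added will silently skip rescan-detected hosts.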
