Fortinet black logo

New Features

IOC detection support for FortiMail logs 7.0.3

Copy Link
Copy Doc ID 6dd8af04-513d-11eb-b9ad-00505692583a:348977
Download PDF

IOC detection support for FortiMail logs 7.0.3

IOC detection now supports FortiMail logs.

To enable email filter logs in IOC rescan:
  1. Go to FortiView > Compromised Hosts > Settings.
  2. Select Email filter logs in the Log Type Filters category to ensure that email filter logs can be scanned when running the IOC rescan task.

    The threat count for FortiGate and FortiMail is displayed separately in rescan tasks.

    Users can drilldown from a rescan task to view the rescan blocklist. The blocklists for FortiGate and FortiMail are displayed separately.

    When running the IOC rescan, an endpoint that visited an allowed URL previously (for example, one week ago) will be marked as compromised if this URL is added to the latest URL blocklist. The compromised hosts are the users' email addresses which can be found in the "To" field of the log. The IOC rescan icon displays if the endpoints are detected by IOC rescan.

    Drilldown from the compromised hosts page to view the blocklist details.

    Drilldown further from the blocklist to view related logs.

    FortiAnalyzer IOC can perform real-time checks. An IOC rescan icon is not displayed if the endpoints are detected during a real-time check.

IOC detection support for FortiMail logs 7.0.3

IOC detection now supports FortiMail logs.

To enable email filter logs in IOC rescan:
  1. Go to FortiView > Compromised Hosts > Settings.
  2. Select Email filter logs in the Log Type Filters category to ensure that email filter logs can be scanned when running the IOC rescan task.

    The threat count for FortiGate and FortiMail is displayed separately in rescan tasks.

    Users can drilldown from a rescan task to view the rescan blocklist. The blocklists for FortiGate and FortiMail are displayed separately.

    When running the IOC rescan, an endpoint that visited an allowed URL previously (for example, one week ago) will be marked as compromised if this URL is added to the latest URL blocklist. The compromised hosts are the users' email addresses which can be found in the "To" field of the log. The IOC rescan icon displays if the endpoints are detected by IOC rescan.

    Drilldown from the compromised hosts page to view the blocklist details.

    Drilldown further from the blocklist to view related logs.

    FortiAnalyzer IOC can perform real-time checks. An IOC rescan icon is not displayed if the endpoints are detected during a real-time check.