Compromised Hosts, also called the Indicators of Compromise (IOC) service, is a licensed feature.
When using Compromised Hosts, it is recommended to turn on the UTM web filter of FortiGate devices and subscribe your FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard.
FortiGate devices also generate an IOC event log when an indicator is detected in their local-out traffic. The source IP in these event logs is treated as a compromised host, and it can be monitored in FortiAnalyzer.
Email filter logs from FortiMail devices are also supported by IOC, and can be rescanned when enabled in the Compromised Hosts settings.
The Indicators of Compromise service (IOC) downloads the threat database from FortiGuard. The FortiGuard threat database contains the blacklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.
FortiAnalyzer identifies possible compromised hosts by checking the threat database against an event's IP, domain, and URL in the following logs of each end user:
- Web filter logs.
- DNS logs.
- Traffic logs.
- Email filter logs (for FortiMail devices).
When a threat match is found, sophisticated algorithms calculate a threat score for the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of that end user and gives its verdict on the end user's overall IOC status.
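The following is an added illustration of the matching and aggregation flow described above, not FortiAnalyzer's own code: the threat database, the per-match scores, the verdict thresholds and the log records are all constructed for the example, since FortiGuard's actual lists and scoring algorithm are not published here.

```python
from collections import defaultdict

# Constructed threat database (not real FortiGuard data): the blacklist holds
# known-bad indicators, the suspicious list holds lower-confidence ones.
THREAT_DB = {
    "blacklist": {"malware-c2.example", "203.0.113.45", "http://bad.example/payload"},
    "suspicious": {"shady-ads.example", "198.51.100.7"},
}

# Assumed weights and verdict tiers; FortiAnalyzer's real scoring differs.
MATCH_SCORE = {"blacklist": 50, "suspicious": 10}
VERDICT_TIERS = (("High", 50), ("Medium", 20), ("Low", 1))

# Constructed records covering the four log types the service inspects.
LOGS = [
    {"type": "webfilter", "srcip": "10.0.0.5", "indicator": "http://bad.example/payload"},
    {"type": "dns", "srcip": "10.0.0.5", "indicator": "malware-c2.example"},
    {"type": "traffic", "srcip": "10.0.0.9", "indicator": "198.51.100.7"},
    {"type": "dns", "srcip": "10.0.0.9", "indicator": "shady-ads.example"},
    {"type": "emailfilter", "srcip": "10.0.0.12", "indicator": "shady-ads.example"},
    {"type": "dns", "srcip": "10.0.0.20", "indicator": "intranet.example"},
]


def match_indicator(indicator, db=THREAT_DB):
    """Return the name of the threat list the indicator appears on, or None."""
    for list_name, entries in db.items():
        if indicator in entries:
            return list_name
    return None


def verdict(score):
    """Map an aggregated score to a verdict tier (assumed thresholds)."""
    for label, threshold in VERDICT_TIERS:
        if score >= threshold:
            return label
    return "Clean"


def compromised_hosts(logs, db=THREAT_DB):
    """Aggregate per-end-user scores across all log types and keep the
    matched events so the verdict can be drilled down to threat details."""
    scores, hits = defaultdict(int), defaultdict(list)
    for rec in logs:
        matched = match_indicator(rec["indicator"], db)
        if matched:  # unmatched events contribute nothing
            scores[rec["srcip"]] += MATCH_SCORE[matched]
            hits[rec["srcip"]].append((rec["type"], rec["indicator"], matched))
    return {ip: {"score": s, "verdict": verdict(s), "hits": hits[ip]}
            for ip, s in scores.items()}
```

Running `compromised_hosts(LOGS)` rates 10.0.0.5 as High (two blacklist hits), 10.0.0.9 as Medium (two suspicious hits) and 10.0.0.12 as Low, while 10.0.0.20, whose only lookup matched nothing, does not appear at all.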
Compromised Hosts displays the results showing end users with suspicious web usage which can indicate that the endpoint is compromised. You can drill down to view threat details.
Compromised Hosts can be configured to rescan logs at regular intervals using new definitions from FortiGuard.