Managing a Compromised Hosts rescan policy
Compromised Hosts can be configured to rescan previous entries at regular intervals, or whenever a new package is received from FortiGuard, so that FortiAnalyzer performs the rescan using the latest available definitions.
Requirements for managing a Compromised Hosts rescan policy:
When IOC rescan is performed, the Ioc_Rescan tag is added to rescanned logs. Event handlers that include the Ioc_Rescan tag in their rules will process rescanned logs and generate new alerts tagged with Ioc_Rescan. Real-time logs matching these event handler rules continue to generate alerts without the Ioc_Rescan tag.
By default, the following basic event handlers include the Ioc_Rescan tag in all of their rules:
- Default-Compromised Host-Detection-IOC-By-Endpoint
- Default-Compromised Host-Detection-IOC-By-Threat
To configure rescan settings and check rescan results:
1. Go to FortiView > Threats > Compromised Hosts.
2. Click the Rescan Task icon above the table view. The Compromised Hosts Rescan pane displays.
3. Configure the Compromised Hosts Rescan Global Settings:
   - Toggle Enable Global Compromised Hosts Rescan to On.
   - Set the running time to a specific hour of the day, or select package update to perform a rescan when a package update is received.
4. Configure the Compromised Hosts Rescan Current ADOM Settings:
   - Toggle Enable Current ADOM Compromised Hosts Rescan to On.
   - Select the log types to be scanned (DNS, Web Filter logs, Traffic logs, or Email filter logs).
   - Set the number of previous days' logs to be scanned.
   By default, DNS, web filter, and traffic logs are enabled, and the scan covers the last 14 days. The maximum recommended number of scan days is calculated from historical scan speeds, or is 30 days if no previous scans have been run.
5. Rescan jobs are shown in the Rescan tasks table, which includes the following columns:
   - Start Time: The task's start time.
   - Status: The status of the task (complete, running, etc.). Running tasks can be canceled by clicking the cancel icon in the Status column.
   - Percentage: Task progress as a percentage.
   - End Time: The task's end time.
   - Threat Count
   - Log Count: The total number of logs with threats.
   - Package Update Time: The IOC package update time.
   - Blacklist Count: A count of the newly detected threats added to the blacklist.
6. Select a non-zero threat count number in the table to drill down to the task details, including the Detect Pattern, Threat Type, Threat Name, # of Events, and Endpoint.
In FortiView > Threats > Compromised Hosts, a rescan icon is displayed in the Last Detected column if threats are found during a rescan. To view only those hosts that had threats found during a rescan, go to the Settings and enable Only Show Rescan.
For FortiMail email filter rescans, an endpoint that visited a URL which was allowed at the time is marked as compromised if that URL is blocklisted in the latest URL blocklist. The compromised hosts are the users' email addresses, which can be found in the To field of the log.
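The following Python model, added here as an illustration and not FortiAnalyzer's or Fortinet's own code, ties together the behaviour described on this page: the per-ADOM selection of log types and a previous-days window, a rescan of stored logs against a newer blocklist, the Ioc_Rescan tag on rescanned logs, the event-handler rule that must include the tag to alert on them, and the FortiMail case where the compromised host is the recipient address from the To field. The log records, field names and blocklist are constructed samples; how the Threat Count and Blacklist Count columns are derived is an assumption made for the model.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

IOC_RESCAN_TAG = "Ioc_Rescan"

# Constructed sample logs in a simplified shape (field names are assumptions,
# not FortiAnalyzer's real log schema).
SAMPLE_LOGS = [
    {"id": 1, "type": "webfilter", "time": "2024-05-01T10:00:00", "srcip": "10.0.0.5",
     "url": "http://downloads.bad-example.test/setup.exe"},
    {"id": 2, "type": "dns", "time": "2024-05-03T11:00:00", "srcip": "10.0.0.7",
     "qname": "c2.bad-example.test"},
    {"id": 3, "type": "emailfilter", "time": "2024-05-05T12:00:00",
     "to": "alice@corp.example", "url": "http://login.phish-example.test/"},
    {"id": 4, "type": "webfilter", "time": "2024-03-01T09:00:00", "srcip": "10.0.0.9",
     "url": "http://old.bad-example.test/"},   # older than the scan window
    {"id": 5, "type": "traffic", "time": "2024-05-06T08:00:00", "srcip": "10.0.0.5",
     "dstip": "203.0.113.9"},
]

# Constructed stand-in for the latest IOC package: hostnames/IPs now blocklisted.
LATEST_BLOCKLIST = {"downloads.bad-example.test", "c2.bad-example.test",
                    "login.phish-example.test", "203.0.113.9"}


def indicator_of(log):
    """Return the hostname or IP that the log refers to."""
    if log["type"] in ("webfilter", "emailfilter"):
        return urlparse(log["url"]).hostname
    if log["type"] == "dns":
        return log["qname"]
    if log["type"] == "traffic":
        return log["dstip"]
    return None


def endpoint_of(log):
    """Email filter logs identify the host by the recipient (To field);
    the other log types identify it by the client source IP."""
    return log["to"] if log["type"] == "emailfilter" else log["srcip"]


def select_logs(logs, log_types, days, now):
    """Apply the ADOM settings: enabled log types and the previous-days window."""
    now = datetime.fromisoformat(now) if isinstance(now, str) else now
    cutoff = now - timedelta(days=days)
    return [log for log in logs
            if log["type"] in log_types
            and datetime.fromisoformat(log["time"]) >= cutoff]


def rescan(logs, blocklist, known_threats=frozenset()):
    """Re-evaluate stored logs against the latest definitions.

    Returns (hits, summary). Every hit carries the Ioc_Rescan tag. The summary
    mirrors the task table: log_count = logs with threats; threat_count is
    modelled as distinct indicators, blacklist_count as (endpoint, indicator)
    pairs that earlier scans had not flagged. Both are assumptions.
    """
    hits, new_pairs = [], set()
    for log in logs:
        ind = indicator_of(log)
        if ind in blocklist:
            hit = dict(log, tags=[IOC_RESCAN_TAG], threat=ind, endpoint=endpoint_of(log))
            hits.append(hit)
            if (hit["endpoint"], ind) not in known_threats:
                new_pairs.add((hit["endpoint"], ind))
    summary = {"log_count": len(hits),
               "threat_count": len({h["threat"] for h in hits}),
               "blacklist_count": len(new_pairs)}
    return hits, summary


def handle(handler_rule_tags, log):
    """Event handler semantics from the page: a rescanned (tagged) log yields an
    alert only from handlers whose rule includes Ioc_Rescan, and that alert
    carries the tag; a real-time (untagged) log yields an untagged alert."""
    log_tags = set(log.get("tags", []))
    if IOC_RESCAN_TAG in log_tags and IOC_RESCAN_TAG not in handler_rule_tags:
        return None
    return {"endpoint": endpoint_of(log), "threat": indicator_of(log),
            "tags": sorted(log_tags & {IOC_RESCAN_TAG})}


if __name__ == "__main__":
    # Default ADOM settings from the page: DNS, web filter and traffic logs, 14 days.
    selected = select_logs(SAMPLE_LOGS, {"dns", "webfilter", "traffic"}, 14,
                           "2024-05-10T00:00:00")
    hits, summary = rescan(selected, LATEST_BLOCKLIST)
    print(summary)
    for h in hits:
        print(handle({IOC_RESCAN_TAG}, h))
```

Running the model with the default settings selects three of the five sample logs (the March web filter entry falls outside the 14-day window, and the email filter log is not an enabled type), all three match the newer blocklist, and a handler whose rule lacks the Ioc_Rescan tag returns no alert for them, which is the behaviour an analyst relies on to keep rescan-generated alerts apart from real-time ones.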