Fortinet white logo
Fortinet white logo

Administration Guide

Working with IOC information

Working with IOC information

Go to FortiView > Threats > Indicator of Compromise.

Click the Settings icon to change the following:

  • Chart Type: users IOC (default) or table.

  • Show Top: different options are available according to the Chart Type.

  • Refresh Interval: Every 30 Minutes by default.

  • Autoplay Interval: Every 20 Seconds by default.

  • Show Acknowledged: disabled by default.

  • Only Show Rescan: disabled by default.

For information about rescan settings, see Managing an IOC rescan policy

You can set the devices, time period, and filters for the dashboard. If there are regularly used filters, you can create a custom view. See Creating custom views for FortiView

Using Indicator of Compromise when Chart Type = table:

This chart type displays IOC line items in a table view. The total indicators of compromise is displayed above the chart. Click the export icon to export the table information into a PDF or report chart.

There is a line for each source, and the # of Threats column displays the number of unique threat names associated with that end user.

You can perform the following actions in this view:

  • To acknowledge an IOC line item, click ACK in the Acknowledge column for that row.
  • To filter entries, click + to add a filter such as device ID, log type, or secuity action.
  • To drill down and view threat details, double-click a tile or a row.

When viewing threat details, you can toggle between Blocklist and Suspicious information in a table view. In the Blocklist view, the # of Events column displays the number of logs matching each blacklist entry for that end user.

Incorrectly rated IOCs can be reported after drilling down to view threat details. Click the Detect Pattern for the row, and, in the Information dialog, click Report Misrated IOC.

Using Indicator of Compromise when Chart Type = users IOC:

This chart type includes two panes: a rotating list of users and a map of incidents.

The rotating list of users automatically rotates through indicators of compromise. This includes the endpoint information and the number of unique threat names associated with that end user. You can pause autoplay or click > or < to manually move to another user.

Using Indicator of Compromise when Chart Type = bubble:

In the Sort By dropdown, select which top IOC to display in the bubble chart: by verdict or by number of threats. Mouse-over a bubble to display the following information:

  • Source

  • Last Detected

  • Host Name

  • OS

  • Log Types

  • Security Actions

  • Verdict

  • # of Threats

  • Achnowledge

  • Device Name

  • Device ID

Working with IOC information

Working with IOC information

Go to FortiView > Threats > Indicator of Compromise.

Click the Settings icon to change the following:

  • Chart Type: users IOC (default) or table.

  • Show Top: different options are available according to the Chart Type.

  • Refresh Interval: Every 30 Minutes by default.

  • Autoplay Interval: Every 20 Seconds by default.

  • Show Acknowledged: disabled by default.

  • Only Show Rescan: disabled by default.

For information about rescan settings, see Managing an IOC rescan policy

You can set the devices, time period, and filters for the dashboard. If there are regularly used filters, you can create a custom view. See Creating custom views for FortiView

Using Indicator of Compromise when Chart Type = table:

This chart type displays IOC line items in a table view. The total indicators of compromise is displayed above the chart. Click the export icon to export the table information into a PDF or report chart.

There is a line for each source, and the # of Threats column displays the number of unique threat names associated with that end user.

You can perform the following actions in this view:

  • To acknowledge an IOC line item, click ACK in the Acknowledge column for that row.
  • To filter entries, click + to add a filter such as device ID, log type, or secuity action.
  • To drill down and view threat details, double-click a tile or a row.

When viewing threat details, you can toggle between Blocklist and Suspicious information in a table view. In the Blocklist view, the # of Events column displays the number of logs matching each blacklist entry for that end user.

Incorrectly rated IOCs can be reported after drilling down to view threat details. Click the Detect Pattern for the row, and, in the Information dialog, click Report Misrated IOC.

Using Indicator of Compromise when Chart Type = users IOC:

This chart type includes two panes: a rotating list of users and a map of incidents.

The rotating list of users automatically rotates through indicators of compromise. This includes the endpoint information and the number of unique threat names associated with that end user. You can pause autoplay or click > or < to manually move to another user.

Using Indicator of Compromise when Chart Type = bubble:

In the Sort By dropdown, select which top IOC to display in the bubble chart: by verdict or by number of threats. Mouse-over a bubble to display the following information:

  • Source

  • Last Detected

  • Host Name

  • OS

  • Log Types

  • Security Actions

  • Verdict

  • # of Threats

  • Achnowledge

  • Device Name

  • Device ID