FortiAnalyzer 6.0.3 Administration Guide

Viewing Compromised Hosts

Compromised Hosts or Indicators of Compromise Service (IOC) is a licensed feature. To view Compromised Hosts, you must turn on the UTM web filter of FortiGate devices and subscribe your FortiAnalyzer unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiAnalyzer to FortiGuard.

The Indicators of Compromise Service (IOC) downloads the threat database from FortiGuard. The FortiGuard threat database contains the blacklist and suspicious list. IOC detects suspicious events and potentially compromised network traffic using sophisticated algorithms on the threat database.

FortiAnalyzer identifies possible compromised hosts by checking the threat database against an event's IP, domain, and URL in the following logs of each end user:

  • Web filter logs.
  • DNS logs.
  • Traffic logs.

When a threat match is found, sophisticated algorithms calculate a threat score for the end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict of the end user’s overall IOC.

Compromised Hosts displays the results showing end users with suspicious web usage which can indicate that the endpoint is compromised. You can drill down to view threat details.

Understanding Compromised Hosts entries

When a log entry is received and inserted into the SQL database, the log entry is scanned and compared to the blacklist and suspicious list in the IOC threat database that is downloaded from FortiGuard.

If a match is found in the blacklist, then FortiAnalyzer displays the endpoint in Compromised Hosts with a Verdict of Infected.

If a match is found in the suspicious list, then FortiAnalyzer flags the endpoint for further analysis.

In the analysis, FortiAnalyzer compares the flagged log entries with the previous endpoint's statistics for the same day and then updates the score.

If the score exceeds the threshold, that endpoint is listed or updated in Compromised Hosts.

When an endpoint is displayed in Compromised Hosts, all the suspicious logs which contributed to the score are listed.

When the database is rebuilt, all log entries are reinserted and rescanned.

Working with Compromised Hosts information

Go to FortiView > Threats > Compromised Hosts.

When viewing Compromised Hosts, use the controls in the toolbar to select Table or Tile format, select devices, specify a time period, refresh the view, set the refresh rate, export the information, and switch to full-screen mode.

In tile format, you can view a map of the Compromised Hosts by clicking Map View in the tile. To see more details, hover the cursor over a destination.

When you view an event, the # of Threats is the number of unique Threat Names associated with that compromised host (end user).

When you drill down to view details, the # of Events is the number of logs matching each blacklist entry for that compromised host (end user).

  • To acknowledge a Compromised Hosts line item, click Ack on that line.
  • To filter entries, click Add Filter and specify devices or a time period.
  • To drill down and view threat details, double-click a tile or a row.

Subscribing FortiAnalyzer to FortiGuard

To keep your FortiAnalyzer threat database up to date:
  • Ensure your FortiAnalyzer can reach FortiGuard at
  • Purchase a FortiGuard Indicators of Compromise Service license and apply that license to the product registration. No change is needed on the FortiAnalyzer side.
To subscribe FortiAnalyzer to FortiGuard:
  1. Go to System Settings > Dashboard.
  2. In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.
  3. After purchasing the license, check that the FortiGuard > Indicators of Compromise Service is Licensed and shows the expiry date.