FortiView Indicators of Compromise

The Indicators of Compromise (IOC) summary lists end users whose web usage indicates a possible compromise. It provides information such as each end user's IP address, last detected date, host name, OS, a Map View, and number of threats. You can drill down to view threat details.

FortiAnalyzer generates the Indicators of Compromise by checking the web filter logs of each end user against its threat database. Each log entry that matches a known threat adds a threat score to that end user. When the check is complete, FortiAnalyzer aggregates all the threat scores of an end user and gives its verdict on the end user's overall Indicators of Compromise.
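The following script is an added illustration of the match-score-aggregate-verdict model described above; it is not FortiAnalyzer code, and FortiAnalyzer's real threat database, scoring weights and verdict thresholds are not documented on this page. The threat database entries, the scores, the verdict thresholds and the log lines are all constructed here (the log lines follow FortiGate's key=value web filter log style, with reserved example domains rather than real indicators). End users are keyed by source IP, as in the FortiView summary.

```python
import shlex

# Constructed sample web filter log lines in FortiGate key=value style.
# Hostnames are reserved example domains; nothing here is a real IoC.
SAMPLE_LOGS = """\
date=2024-03-01 time=10:01:02 type="utm" subtype="webfilter" eventtype="ftgd_blk" srcip=10.0.0.5 hostname="c2-beacon.example" url="/gate.php" action="blocked" catdesc="Malicious Websites"
date=2024-03-01 time=10:01:09 type="utm" subtype="webfilter" eventtype="ftgd_allow" srcip=10.0.0.5 hostname="news.example" url="/" action="passthrough" catdesc="News and Media"
date=2024-03-01 time=10:02:44 type="utm" subtype="webfilter" eventtype="ftgd_blk" srcip=10.0.0.5 hostname="phish-login.example" url="/login" action="blocked" catdesc="Phishing"
date=2024-03-01 time=10:03:10 type="utm" subtype="webfilter" eventtype="ftgd_allow" srcip=10.0.0.7 hostname="docs.example" url="/help" action="passthrough" catdesc="Information Technology"
date=2024-03-01 time=10:05:00 type="utm" subtype="webfilter" eventtype="ftgd_blk" srcip=10.0.0.7 hostname="c2-beacon.example" url="/gate.php" action="blocked" catdesc="Malicious Websites"
date=2024-03-01 time=10:06:30 type="utm" subtype="webfilter" eventtype="ftgd_allow" srcip=10.0.0.9 hostname="news.example" url="/" action="passthrough" catdesc="News and Media"
"""

# Constructed stand-in for the local threat database: hostname -> (threat name, score).
# Assumed values; FortiGuard's actual database and weights are not on the page.
THREAT_DB = {
    "c2-beacon.example": ("Constructed C2 indicator", 50),
    "phish-login.example": ("Constructed phishing indicator", 30),
}

# Assumed verdict thresholds, checked from highest to lowest.
VERDICT_THRESHOLDS = [(60, "High"), (30, "Medium"), (1, "Low")]


def parse_log_line(line):
    """Split one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def verdict(score):
    """Map an aggregated threat score to a verdict label."""
    for threshold, label in VERDICT_THRESHOLDS:
        if score >= threshold:
            return label
    return "Clean"


def indicators_of_compromise(log_text, threat_db=THREAT_DB):
    """Match web filter logs against the threat database and aggregate per end user.

    Returns only end users with at least one threat match, keyed by srcip, with
    the summed score, the individual threat hits, the last detection time and
    the verdict derived from the aggregate.
    """
    users = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_log_line(line)
        if fields.get("subtype") != "webfilter":  # only web filter logs are checked
            continue
        match = threat_db.get(fields.get("hostname", ""))
        if match is None:
            continue
        threat_name, score = match
        detected_at = f"{fields['date']} {fields['time']}"
        user = users.setdefault(
            fields["srcip"], {"score": 0, "threats": [], "last_detected": ""}
        )
        user["score"] += score
        user["threats"].append(
            {"hostname": fields["hostname"], "threat": threat_name,
             "score": score, "detected_at": detected_at}
        )
        # ISO-style timestamps compare correctly as strings.
        user["last_detected"] = max(user["last_detected"], detected_at)
    for user in users.values():
        user["verdict"] = verdict(user["score"])
    return users


if __name__ == "__main__":
    for srcip, info in indicators_of_compromise(SAMPLE_LOGS).items():
        print(f"{srcip:12} score={info['score']:3} threats={len(info['threats'])} "
              f"last={info['last_detected']} verdict={info['verdict']}")
```

With the constructed input, 10.0.0.5 accumulates two hits (score 80, verdict High), 10.0.0.7 one hit (score 50, verdict Medium), and 10.0.0.9 never appears because none of its traffic matched the database, which mirrors the summary showing only end users with detected threats. The aggregation is deliberately per end user rather than per log line: a single blocked request is weak evidence, while several independent matches from the same host are what the verdict is meant to surface.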

To use this Indicators of Compromise summary, you must turn on the UTM web filter on your FortiGate devices. You must also subscribe your FortiManager unit to FortiGuard to keep its local threat database synchronized with the FortiGuard threat database. See Subscribing FortiManager to FortiGuard.

Viewing Indicators of Compromise information

Indicators of Compromise information is in FortiView > Threats > Indicators of Compromise.

When viewing Indicators of Compromise, use the controls in the toolbar to select Table or Tile format, select devices, specify a time period, refresh the view, set the refresh rate, export the information, and switch to full-screen mode.

In tile format, you can view a map of the Indicators of Compromise by clicking Map View in the tile. To see more details, hover the cursor over a destination.

To acknowledge the Indicators of Compromise of an end user, click Ack.

To filter entries, click Add Filter and specify devices or a time period.

To drill down and view threat details, double-click a tile or a row.

Subscribing FortiManager to FortiGuard

Your FortiManager needs to subscribe to FortiGuard to keep its threat database up to date. This requires a FortiGuard Indicators of Compromise Service license.

To subscribe FortiManager to FortiGuard:
  1. Go to System Settings > Dashboard.
  2. In the License Information widget, find the FortiGuard > Indicators of Compromise Service field and click Purchase.