FortiAnalyzer IOC Subscription, What is it?

Author
JTOLvF2
New Member
2019/02/01 11:57:43 (permalink)
0

FortiAnalyzer IOC Subscription, What is it?

I've opened a technical chat, called into support to try and speak with someone (ALWAYS a voicemail once transferred to sales), and searched all over the internet. No one can tell me what the FortiAnalyzer IOC license gives me over the DEMO mode. Does anyone have any idea what the full feature functionality of this license provides?
#1
chall_FTNT
skyhigh
Re: FortiAnalyzer IOC Subscription, What is it? 2019/02/01 13:12:55 (permalink)
0
See FortiView Indicators of Compromise (5.6) or Viewing Compromised Hosts (6.0)

Subscribing FortiAnalyzer to FortiGuard

Your FortiAnalyzer needs to subscribe to FortiGuard to keep its threat database up to date. You must purchase a FortiGuard Indicators of Compromise Service license for that.
 
If you use the Compromised Host feature without updating the license, you will be using old signatures (out of date information).  Just like enabling AV/IPS in a FortiGate without valid FortiGuard coverage only allows the FortiGate to scan for the signatures it has.
 
post edited by chall_FTNT - 2019/02/01 13:24:48
#2
chutter_FTNT
New Member
Re: FortiAnalyzer IOC Subscription, What is it? 2019/07/03 01:40:23 (permalink)
0
Hi,
please have a look at this cookbook:
 
https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works
 
It should answer your questions.
 
Christian
#3
mike_dp
Bronze Member
Re: FortiAnalyzer IOC Subscription, What is it? 2019/07/05 13:51:05 (permalink)
0
We are currently trying it for a year and got pretty much nothing from it besides some false positive results. At least 90% is from websites that are currently blocked (malware website or unrated). We probably won't renew this next year.
#4
tanr
Platinum Member
Re: FortiAnalyzer IOC Subscription, What is it? 2019/07/05 18:59:30 (permalink)
0
We're still trying out IOC as well.  Haven't seen many hits and haven't had many false positives either.
 
I had hoped that in 6.2 IOC would become more fully implemented, but per https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works it looks like it is still just adding up the number of attempts to access blacklisted or suspicious URLs.
 
Noting suspicious URLs is an improvement over regular web filtering, but I really feel that to meet the definition of Indicators of Compromise it needs to be looking at more than URLs and DNS.  Why not have it look at bad/suspicious logs from App Control, IPS, etc.?  A device with multiple remote access and proxy apps (App Control) that is also doing port scans (IPS) should really get flagged as suspicious, but right now I don't think IOC will catch it.  If it should have caught this and I'm missing something please let me know!
 
 
#5
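To make tanr's point concrete, here is an added illustration (not code from Fortinet or from anyone in this thread) that scores hosts two ways over constructed log lines: the URL-only approach the cookbook describes (counting hits on blocked or suspicious URLs) and the App Control/IPS correlation tanr asks for. The key=value log format, category names, app names and score weights are all assumptions made up for the example, not FortiGate's real log schema.

```python
"""Toy host-risk scorer over constructed FortiGate-style log lines.
Constructed for illustration; not FortiAnalyzer's IOC engine or log format."""
from collections import defaultdict

# Constructed sample logs in a simplified key=value style (assumed, not real output).
SAMPLE_LOGS = """\
type=webfilter srcip=10.0.0.5 url=http://bad.example/dl action=blocked cat=malicious
type=webfilter srcip=10.0.0.5 url=http://unrated.example/x action=passthrough cat=unrated
type=webfilter srcip=10.0.0.5 url=http://bad.example/c2 action=blocked cat=malicious
type=webfilter srcip=10.0.0.7 url=http://news.example/ action=passthrough cat=news
type=appctrl srcip=10.0.0.7 app=TeamViewer
type=appctrl srcip=10.0.0.7 app=Tor
type=appctrl srcip=10.0.0.7 app=Ultrasurf
type=ips srcip=10.0.0.7 attack=TCP.Port.Scan
"""

SUSPICIOUS_CATS = {"malicious", "phishing", "unrated"}        # assumed category names
REMOTE_OR_PROXY_APPS = {"TeamViewer", "AnyDesk", "Tor", "Ultrasurf"}  # assumed app names


def parse(line):
    """Split one key=value line into a dict (values may contain '=' after the first)."""
    return dict(kv.split("=", 1) for kv in line.split())


def score_hosts(text):
    """Aggregate per-source-IP evidence and compute a URL-only and a correlated score."""
    hosts = defaultdict(lambda: {"url_hits": 0, "proxy_apps": set(), "ips": 0})
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        h = hosts[rec["srcip"]]
        if rec["type"] == "webfilter" and rec.get("cat") in SUSPICIOUS_CATS:
            h["url_hits"] += 1                      # what the thread says IOC counts today
        elif rec["type"] == "appctrl" and rec.get("app") in REMOTE_OR_PROXY_APPS:
            h["proxy_apps"].add(rec["app"])         # remote-access / proxy tooling
        elif rec["type"] == "ips":
            h["ips"] += 1                           # e.g. scan signatures
    for h in hosts.values():
        h["url_score"] = h["url_hits"]
        # Correlation tanr proposes: several proxy/remote apps plus IPS activity is
        # suspicious even with zero bad-URL hits. Weight 5 is an arbitrary assumption.
        h["score"] = h["url_hits"] + (5 if len(h["proxy_apps"]) >= 2 and h["ips"] else 0)
    return dict(hosts)


def flagged(text, threshold=3, url_only=False):
    """Return sorted source IPs whose chosen score meets the threshold."""
    key = "url_score" if url_only else "score"
    return sorted(ip for ip, h in score_hosts(text).items() if h[key] >= threshold)
```

With the sample above, URL-only scoring flags just 10.0.0.5, while the correlated score also flags 10.0.0.7, the host with three proxy/remote-access apps and a port-scan IPS event but no suspicious URL hits.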
chutter_FTNT
New Member
Re: FortiAnalyzer IOC Subscription, What is it? 2019/07/07 23:17:17 (permalink)
0
There was a big improvement in 6.2: it's called IOC rescan.
You can now configure FAZ to rescan historical logs (number of days back can be configured).
For more info please look at:
 
https://docs2.fortinet.com/document/fortianalyzer/6.2.0/new-features/894000/retrospective-ioc-history-scan-threat-hunting
 
Regards
 
Christian
 
 
#6