JTOLvF2
New Contributor II

FortiAnalyzer IOC Subscription, What is it?

I've opened a technical chat, called into support to try and speak with someone (always a voicemail once transferred to sales), and searched all over the internet. No one can tell me what the FortiAnalyzer IOC license gives me over the DEMO mode. Does anyone have any idea what the full feature functionality of this license provides?

chall_FTNT
Staff

See FortiView Indicators of Compromise (5.6) or Viewing Compromised Hosts (6.0)

Subscribing FortiAnalyzer to FortiGuard

Your FortiAnalyzer needs to subscribe to FortiGuard to keep its threat database up to date. You must purchase a FortiGuard Indicators of Compromise Service license for that.


If you use the Compromised Host feature without updating the license, you will be using old signatures (out-of-date information), just as enabling AV/IPS on a FortiGate without valid FortiGuard coverage only allows the FortiGate to scan for the signatures it already has.


Chris Hall
Fortinet Technical Support
chutter_FTNT
Staff

Hi,

Please have a look at this cookbook:


https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works


It should answer your questions.


Christian

mike_dp

We are currently trying it for a year and got pretty much nothing from it besides some false positive results. At least 90% is from websites that are currently blocked (malware website or unrated). We probably won't renew this next year.

FortiGate: 80E, 80F, 100E, 200F, 300E : 6.4.6

FortiAnalyzer, FortiClient EMS
tanr
Valued Contributor II

We're still trying out IOC as well.  Haven't seen many hits and haven't had many false positives either.


I had hoped that in 6.2 IOC would become more fully implemented, but per https://docs.fortinet.com/document/fortianalyzer/6.2.0/cookbook/779346/how-ioc-works it looks like it is still just adding up the number of attempts to access blacklisted or suspicious URLs.


Noting suspicious URLs is an improvement over regular web filtering, but I really feel that to meet the definition of Indicators of Compromise it needs to be looking at more than URLs and DNS.  Why not have it look at bad/suspicious logs from App Control, IPS, etc.?  A device with multiple remote access and proxy apps (App Control) that is also doing port scans (IPS) should really get flagged as suspicious, but right now I don't think IOC will catch it.  If it should have caught this and I'm missing something please let me know!


chutter_FTNT

There was a big improvement in 6.2; it's called IOC rescan.

You can now configure FAZ to rescan historical logs (number of days back can be configured).

For more info please look at:


https://docs2.fortinet.com/document/fortianalyzer/6.2.0/new-features/894000/retrospective-ioc-histor...


Regards


Christian
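To make the two points in this thread concrete (tanr's reading of the cookbook that IOC simply adds up attempts to reach blacklisted or suspicious URLs, and the suggestion that App Control and IPS events should be correlated too; plus the 6.2 rescan of a configurable number of days of historical logs), here is a small toy scorer. It is an added example, not Fortinet code and not how FortiAnalyzer actually implements IOC; the key=value log format, field names, category names, weights and thresholds are all constructed assumptions for illustration.

```python
"""Toy IOC-style host scoring over constructed log lines (example only)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simplified key=value form. This is NOT the real
# FortiGate log schema; it only carries enough fields to show the scoring idea.
SAMPLE_LOGS = [
    "date=2021-06-01 time=09:00:01 type=webfilter src=10.0.0.5 action=blocked cat=malicious",
    "date=2021-06-01 time=09:00:05 type=webfilter src=10.0.0.5 action=blocked cat=malicious",
    "date=2021-06-01 time=09:01:00 type=webfilter src=10.0.0.5 action=passthrough cat=unrated",
    "date=2021-06-01 time=09:02:00 type=webfilter src=10.0.0.7 action=passthrough cat=business",
    "date=2021-06-01 time=09:03:00 type=app-ctrl src=10.0.0.7 action=pass app=RemoteAccessTool appcat=remote-access",
    "date=2021-06-01 time=09:04:00 type=app-ctrl src=10.0.0.7 action=pass app=ProxyTool appcat=proxy",
    "date=2021-06-01 time=09:05:00 type=ips src=10.0.0.7 action=detected attack=PortScan",
    # An old hit that only a long retrospective rescan window will pick up.
    "date=2021-05-01 time=12:00:00 type=webfilter src=10.0.0.9 action=blocked cat=malicious",
]

# Reference "now" for the constructed data, so the window check is deterministic.
NOW = datetime(2021, 6, 1, 23, 59, 59)

# Assumed category names; the real feeds use their own taxonomy.
SUSPICIOUS_CATS = {"malicious", "phishing", "unrated"}
SUSPICIOUS_APPCATS = {"remote-access", "proxy"}

# Assumed weights: a URL hit counts 1, a risky app 2, an IPS detection 3.
WEIGHTS = {"url": 1, "appctrl": 2, "ips": 3}
SCORE_THRESHOLD = 3


def parse_line(line: str) -> dict:
    """Split 'k=v k=v ...' into a dict and attach a datetime under 'ts'."""
    rec = dict(kv.split("=", 1) for kv in line.split())
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def in_window(rec: dict, now: datetime, days_back: int) -> bool:
    """Retrospective rescan window: only events from the last `days_back` days."""
    return now - timedelta(days=days_back) <= rec["ts"] <= now


def score_hosts(lines, now: datetime, days_back: int = 7, correlate: bool = False) -> dict:
    """Return {src: {url, appctrl, ips, score, sources, verdict}}.

    correlate=False reproduces the URL-only counting tanr describes;
    correlate=True also folds in App Control and IPS events.
    """
    counts = defaultdict(lambda: {"url": 0, "appctrl": 0, "ips": 0})
    for line in lines:
        rec = parse_line(line)
        if not in_window(rec, now, days_back):
            continue  # outside the rescan window
        src = rec["src"]
        if rec["type"] == "webfilter" and rec["cat"] in SUSPICIOUS_CATS:
            counts[src]["url"] += 1
        elif correlate and rec["type"] == "app-ctrl" and rec["appcat"] in SUSPICIOUS_APPCATS:
            counts[src]["appctrl"] += 1
        elif correlate and rec["type"] == "ips":
            counts[src]["ips"] += 1

    result = {}
    for src, c in counts.items():
        score = sum(WEIGHTS[k] * v for k, v in c.items())
        sources = sum(1 for v in c.values() if v)  # distinct log sources involved
        # Flag on raw volume, or on corroboration across independent sources.
        verdict = "suspicious" if score >= SCORE_THRESHOLD or sources >= 2 else "low"
        result[src] = {**c, "score": score, "sources": sources, "verdict": verdict}
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print(f"correlate={mode}, 7-day window:")
        for src, info in score_hosts(SAMPLE_LOGS, NOW, days_back=7, correlate=mode).items():
            print(f"  {src}: {info}")
    print("60-day rescan (URL only):", score_hosts(SAMPLE_LOGS, NOW, days_back=60))
```

With URL-only counting, 10.0.0.7 never shows up, even though it runs remote-access and proxy apps and trips a port-scan signature; only the correlated mode flags it, which is the gap tanr points at. Widening `days_back` is the retrospective-rescan idea: the May hit from 10.0.0.9 is invisible in a 7-day window and appears in a 60-day one.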