Automation Stitch:auto.compromised.host is triggered.
Is this thing just trying to scare me?
FGT[FG200] Automation Stitch:auto.compromised.host is triggered.date=2021-04-05 time=14:21:27 logid="0100022953" type="event" subtype="system" level="warning" vd="root" eventtime=1617646887419280502 tz="-0400" logdesc="Compromised host detected" devid="FG200E4Q17912606" vd="root" msg="IOC detected by FortiAnalyzer" srcip="10.111.12.10
When I look them up on analyzer most are "newly registered domain visited" but some are:
"Traffic to C&C:sync.console.adtarget.com.tr, Traffic path: PolicyID 71\\wan1\\188.8.131.52:443"
I understand what that is saying but there are several right now on our network so I also find it hard to imagine that we've really got up to ten hosts infected and talking to a C&C - Hell, we run a pretty tight ship on AV, HIPS, Secureworks, etc.
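As an added example (not from the post or from Fortinet), here is a small Python triage helper that parses FortiOS key=value event lines like the one above, including the cut-off srcip field, and groups "Compromised host detected" events by the kind of FortiAnalyzer IOC behind them (C&C traffic versus a newly registered domain), so you can see how many distinct hosts actually hit a C&C indicator. The extra sample events, their IPs and the pairing of each event with an analyzer detail string are constructed for the demo.

```python
import re
# FortiOS event logs are space-separated key=value pairs; values with spaces are
# double-quoted. An unterminated quoted value (a paste cut mid-field) is accepted too.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"?|(\S+))')
_C2 = re.compile(r'Traffic to C&C:([^,\s]+)')

def parse_fortios_log(line):
    """Return the key=value fields of one FortiOS log line as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

def classify_ioc(detail):
    """Bucket a FortiAnalyzer IOC detail string; return (verdict, indicator)."""
    m = _C2.search(detail)
    if m:
        return "c2_traffic", m.group(1)
    if "newly registered domain" in detail.lower():
        return "newly_registered_domain", None
    return "other", None

def hosts_by_verdict(events):
    """events: (fortigate_line, analyzer_detail) pairs -> {verdict: sorted srcips}."""
    hosts = {}
    for line, detail in events:
        f = parse_fortios_log(line)
        if f.get("logdesc") != "Compromised host detected":  # ignore unrelated events
            continue
        hosts.setdefault(classify_ioc(detail)[0], set()).add(f.get("srcip"))
    return {v: sorted(ips) for v, ips in hosts.items()}

# Abridged from the post's log line; the cut-off srcip is kept exactly as pasted.
POST_LINE = ('FGT[FG200] Automation Stitch:auto.compromised.host is triggered.'
             'date=2021-04-05 time=14:21:27 logid="0100022953" type="event" '
             'vd="root" logdesc="Compromised host detected" '
             'msg="IOC detected by FortiAnalyzer" srcip="10.111.12.10')
def _event(srcip, logdesc="Compromised host detected"):
    # Constructed event line in the same format; the IPs below are made up.
    return (f'date=2021-04-05 time=14:25:00 logid="0100022953" type="event" '
            f'vd="root" logdesc="{logdesc}" srcip="{srcip}"')
C2_DETAIL = "Traffic to C&C:sync.console.adtarget.com.tr, Traffic path: PolicyID 71"
SAMPLE_EVENTS = [  # constructed pairing of each FortiGate event with its analyzer detail
    (POST_LINE, C2_DETAIL),
    (_event("10.111.12.23"), "Newly registered domain visited"),
    (_event("10.111.12.42"), C2_DETAIL),
    (_event("10.111.12.99", logdesc="Admin login successful"), ""),
]
if __name__ == "__main__":
    print(hosts_by_verdict(SAMPLE_EVENTS))
```

Feed it the real FortiGate event lines plus the IOC detail text from FortiAnalyzer and the C&C bucket is the short list of hosts to pull for forensics first.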