This article describes how to disable IOC detection on FortiAnalyzer without an IOC license (demo mode IOC) to avoid false positive IOC alerts.
Scope
FortiAnalyzer.
Solution
FortiAnalyzer Indicator of Compromise (IOC) detection identifies compromised hosts by checking logged traffic against the Threat Intelligence Database (TIDB). With a valid IOC license, FortiAnalyzer uses the TIDB package that FortiGuard keeps up to date when performing IOC scans.
Without a valid IOC license, FortiAnalyzer falls back to the demo TIDB package, which is never updated. Stale indicators in that package can cause FortiAnalyzer to raise false positive IOC alerts on hosts that are not compromised.
If FortiAnalyzer is generating false positive IOC alerts, follow the steps below to disable IOC scanning in FortiAnalyzer.
Check the IOC license
The IOC license in FortiAnalyzer can be checked using the command below:
diagnose test application sqllogd 204 stats
A FortiAnalyzer with a valid IOC license shows the following license status in the output:
diagnose test application sqllogd 204 license status
License of post breach detection installed
whereas a FortiAnalyzer without a valid IOC license shows:
diagnose test application sqllogd 204 license status
There is no license of post breach detection.
Disable IOC detection
The CLI commands below disable IOC scanning, IOC rescanning and IOC notifications on FortiAnalyzer. Once a valid IOC license has been installed, the same settings can be set back to enable.
config system log ioc
    set notification disable
    set rescan-status disable
    set status disable
end
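The two steps above (check the license, then disable IOC if there is none) can be driven from a saved copy of the diagnose output. The script below is an added example, not part of the Fortinet article: it reads the output of "diagnose test application sqllogd 204 stats" from standard input, classifies the license state from the two status lines quoted above, and prints the CLI block to paste into FortiAnalyzer when the license is missing. The SAMPLE_* strings are constructed from the lines quoted in the article (the real command prints more counters); the ssh invocation in the comment, including the host name and admin account, is an assumption about how a capture would be obtained.

```shell
#!/bin/sh
# Added example (not from the Fortinet KB article).
# Usage on a real unit (host name and admin account are assumptions):
#   ssh admin@fortianalyzer.example.com \
#       "diagnose test application sqllogd 204 stats" > ioc_stats.txt
#   ./ioc_check.sh < ioc_stats.txt

# Constructed sample outputs, taken from the status lines quoted in the article.
SAMPLE_LICENSED='License of post breach detection installed'
SAMPLE_UNLICENSED='There is no license of post breach detection.'

# ioc_license_state: read the diagnose output on stdin and print one of
# "installed", "missing" or "unknown". The output is captured once so both
# patterns can be tested against the same text.
ioc_license_state() {
    out=$(cat)
    case "$out" in
        *"There is no license of post breach detection"*) echo missing ;;
        *"License of post breach detection installed"*)   echo installed ;;
        *)                                                echo unknown ;;
    esac
}

# ioc_disable_commands: print the CLI block from the article that turns off
# IOC scanning, rescanning and notifications.
ioc_disable_commands() {
    cat <<'EOF'
config system log ioc
    set notification disable
    set rescan-status disable
    set status disable
end
EOF
}

# ioc_remediation: read the diagnose output on stdin; print the disable block
# only when no IOC license is present, otherwise a comment explaining why
# nothing should be changed. Unknown output is never treated as "no license".
ioc_remediation() {
    case "$(ioc_license_state)" in
        missing)   ioc_disable_commands ;;
        installed) echo "# IOC license present: leave IOC scanning enabled" ;;
        *)         echo "# could not determine IOC license state; inspect the output manually" ;;
    esac
}

# Example runs against the constructed samples.
printf '%s\n' "$SAMPLE_UNLICENSED" | ioc_remediation
printf '%s\n' "$SAMPLE_LICENSED"   | ioc_remediation
```

Keeping the "unknown" branch separate from "missing" matters: a truncated or unexpected capture should not silently switch off IOC detection on a unit that does hold a license.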