What happens when the indicator of compromise (IOC) engine on FortiAnalyzer finds web logs that match blocklisted IP addresses? (Choose one answer)

A. A new Infected entry is added for the corresponding endpoint under Compromised Hosts.
B. FortiAnalyzer runs a default playbook in the background that creates an incident alerting analysts.
C. The detection engine classifies those logs as Suspicious.
D. The endpoint is marked as Compromised and, optionally, can be quarantined.

Correct Answer: A

Brave-Dump Clients Votes

A 50%

C 25%

D 25%

Comments

Anonymous User 2026-02-13 13:42:44

Selected Answers: C

should c

marcin 2026-02-15 19:02:45

Selected Answers: A

A. See page 130:
Infected: Indicates a real breach. FortiAnalyzer found matches of the blacklisted IPs or domain generation
algorithms (DGAs) in the web logs.

Anand Chavda 2026-06-01 09:45:13

Selected Answers: D

Anonymous User 2026-06-04 21:12:22

Selected Answers: A

The answer is A.
A new Infected entry is added for the corresponding endpoint under Compromised Hosts.
When the IOC engine on FortiAnalyzer detects web logs that match blocklisted IP addresses, it adds a new Infected entry for the corresponding endpoint under the Compromised Hosts section. This is the specific behavior triggered by a blocklisted IP match in web logs.
Ruling out the others:

B ❌ — FortiAnalyzer does not automatically run a default playbook in the background for IOC matches; playbooks need to be explicitly configured and triggered
C ❌ — Logs matching blocklisted IPs are classified as Infected, not "Suspicious" — Suspicious is a different classification level
D ❌ — The endpoint being marked as "Compromised" and quarantined is a possible action but requires additional configuration (e.g., a playbook or automation stitch); it is not the automatic default behavior of the IOC engine itself