Why are logs from AV/IPS not used for the FortiAnalyzer IOC feature?

Study for the Fortinet FortiAnalyzer 6.4 Test.

AV (antivirus) and IPS (intrusion prevention) logs are not used by the FortiAnalyzer IOC (Indicator of Compromise) feature because the threats they record have already been detected and blocked by the FortiGate. A virus or intrusion log entry documents a threat that was stopped at the firewall; it does not show that an endpoint was compromised, so there is nothing further for the IOC engine to infer from it.

IOC, by contrast, is a post-event analysis: FortiAnalyzer compares logs that have already been recorded against its threat intelligence database to find endpoints whose behaviour, such as web requests or DNS lookups to known-malicious destinations, suggests they have been compromised. That kind of evidence lives in web filter and DNS logs, so those are the sources the IOC feature analyzes. AV/IPS events show prevention rather than compromise, which is why they are left out of the IOC calculation.
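To make the distinction concrete, here is an added example, written for this page and not Fortinet's code or a description of how the FortiAnalyzer engine is implemented. It triages constructed FortiGate-style key=value log lines: AV/IPS events are set aside because the FortiGate already blocked the threat, while allowed web filter and DNS events are matched against a small stand-in for the threat intelligence database. The log lines, hostnames, source addresses and threat list are all made up for the illustration.

```python
"""IOC-style triage over FortiGate-style logs (added example, not Fortinet code).

Shows why prevention logs (AV/IPS) carry no compromise evidence and why the
IOC check is run over web filter and DNS logs instead.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample log lines in FortiGate key=value style. They were written
# for this example and were not captured from a real device.
SAMPLE_LOGS = [
    'date=2024-01-15 time=10:01:02 type=utm subtype=virus action=blocked '
    'srcip=10.0.0.5 filename="invoice.exe" virus="EICAR_TEST_FILE"',
    'date=2024-01-15 time=10:02:10 type=utm subtype=ips action=dropped '
    'srcip=10.0.0.7 attack="Backdoor.Command.Execution"',
    'date=2024-01-15 time=10:03:15 type=utm subtype=webfilter action=passthrough '
    'srcip=10.0.0.5 hostname=bad.example.test url="/gate.php"',
    'date=2024-01-15 time=10:04:20 type=utm subtype=dns action=pass '
    'srcip=10.0.0.9 qname=c2.example.test',
    'date=2024-01-15 time=10:05:30 type=utm subtype=webfilter action=passthrough '
    'srcip=10.0.0.11 hostname=www.example.com url="/"',
]

# Constructed stand-in for the threat intelligence database: destination -> verdict.
THREAT_INTEL = {
    "bad.example.test": "Malware C2",
    "c2.example.test": "Botnet",
}

# Log subtypes the IOC check reads (web/DNS activity that was allowed through)
IOC_SUBTYPES = {"webfilter", "dns"}
# Log subtypes recording threats the FortiGate already stopped; skipped by IOC
PREVENTION_SUBTYPES = {"virus", "ips"}

# key=value pairs, with optional double-quoted values
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style key=value line into a dict (quotes stripped)."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, raw, quoted = m.group(1), m.group(2), m.group(3)
        fields[key] = quoted if quoted is not None else raw
    return fields


def find_ioc_hits(lines: List[str], intel: Dict[str, str]) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """Return (hits, skipped).

    hits:    allowed web/DNS events whose destination is in the threat list,
             i.e. candidate compromised endpoints.
    skipped: AV/IPS events, set aside because the threat was already blocked
             and therefore says nothing about whether the host is compromised.
    """
    hits: List[Dict[str, str]] = []
    skipped: List[Dict[str, str]] = []
    for line in lines:
        rec = parse_log(line)
        subtype = rec.get("subtype")
        if subtype in PREVENTION_SUBTYPES:
            skipped.append(rec)
            continue
        if subtype not in IOC_SUBTYPES:
            continue
        # web filter logs carry the hostname, DNS logs carry the queried name
        dest = rec.get("hostname") or rec.get("qname")
        if dest and dest in intel:
            hits.append({
                "srcip": rec.get("srcip", ""),
                "destination": dest,
                "verdict": intel[dest],
                "subtype": subtype,
            })
    return hits, skipped


def compromised_hosts(lines: List[str], intel: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each source IP with at least one IOC hit to the verdicts it triggered."""
    hosts: Dict[str, List[str]] = {}
    for hit in find_ioc_hits(lines, intel)[0]:
        hosts.setdefault(hit["srcip"], []).append(hit["verdict"])
    return hosts


if __name__ == "__main__":
    hits, skipped = find_ioc_hits(SAMPLE_LOGS, THREAT_INTEL)
    print(f"{len(skipped)} AV/IPS events skipped (already blocked by FortiGate)")
    for hit in hits:
        print(f"IOC hit: {hit['srcip']} -> {hit['destination']} ({hit['verdict']}, {hit['subtype']} log)")
```

Note that 10.0.0.5 appears in both a blocked virus event and an allowed web filter request: it is the allowed request to a known-malicious host, not the blocked download, that marks the endpoint as a candidate for compromise.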
