Email templates
Templates for building policies based on user email activity.
Note: To use this functionality, you must enable email monitoring for Agents. For details, refer to the FortiDLP Agent Deployment Guide and FortiDLP Administration Guide.

Note: For Agent 10.1.0+, the FortiDLP Email Add-in is required to monitor New Outlook on Windows and macOS, and Outlook on the Web for both platforms. The FortiDLP Email Plugin (Legacy) is required to monitor Classic Outlook on Windows.
Unauthorized email attachment opened or saved
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 7.8.0 or later
Detects when a user either opens an Outlook email attachment in an unauthorized application or saves an unauthorized email attachment from Outlook. A five-minute cache period is used to suppress detections for repeated file access events by the same process.
Note: This policy only monitors the Microsoft Outlook desktop application and does not support New Outlook.

Note: From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

| Parameter | Type | Description |
|---|---|---|
| File action parameters | ||
| Attachment actions to monitor | String list | A list of attachment actions to monitor. If "Opened" is selected, detections will be raised when an email attachment is opened by an unauthorized application. If "Saved" is selected, detections will be raised when an email attachment is saved to disk by Microsoft Outlook. |
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. word.exe) authorized or unauthorized to open attachments. Case-insensitive matching is used. |
| File parameters | ||
| Filename keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the attachment name (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
| File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+. |
| File extensions | Advanced asset list | A list of attachment file extensions that users are authorized or unauthorized to open or save (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf". |
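
The precedence between "File types" and the deprecated "File extensions" parameter, and the prefix-wildcard MIME matching described above, can be worked through in code. The following is an added example and not FortiDLP's own implementation: it treats `*` as matching any run of characters (which yields the page's `image/*` and `application/dns*` behaviour), models the advanced asset list's authorized/unauthorized modes as an allowlist/denylist switch, and assumes, as the page states, that MIME identification is available from Agent 9.1.0. The policy values, file names and MIME types in it are constructed.

```python
import re
from dataclasses import dataclass, field

# From the page: MIME type identification (the "File types" parameter) requires Agent 9.1.0+.
MIME_ID_MIN_AGENT = (9, 1, 0)


def parse_version(version: str) -> tuple:
    """Turn '9.1.0' into (9, 1, 0) so Agent versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def mime_pattern_to_regex(pattern: str) -> re.Pattern:
    """'*' matches any run of characters, everything else is literal, so 'image/*'
    covers 'image/png' and 'application/dns*' covers 'application/dns-message'."""
    parts = [re.escape(piece) for piece in pattern.lower().split("*")]
    return re.compile(".*".join(parts))


def mime_matches(patterns, mime_type: str) -> bool:
    """Case-insensitive match of a detected MIME type against the configured patterns."""
    mime_type = mime_type.lower()
    return any(mime_pattern_to_regex(p).fullmatch(mime_type) for p in patterns)


def extension_matches(extensions, filename: str) -> bool:
    """Case-insensitive extension match; the configured dot is optional ('.pdf' == 'pdf')."""
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext in {e.lower().lstrip(".") for e in extensions}


@dataclass
class FileTypePolicy:
    file_types: list = field(default_factory=list)       # MIME patterns (preferred)
    file_extensions: list = field(default_factory=list)  # deprecated fallback
    list_mode: str = "unauthorized"  # "unauthorized" = denylist, "authorized" = allowlist


def active_parameter(policy: FileTypePolicy, agent_version: str):
    """Which parameter applies: 'file_types' wins when configured and the Agent can
    identify MIME types; otherwise the deprecated 'file_extensions' list is used."""
    if policy.file_types and parse_version(agent_version) >= MIME_ID_MIN_AGENT:
        return "file_types"
    if policy.file_extensions:
        return "file_extensions"
    return None


def attachment_violates(policy: FileTypePolicy, filename: str, mime_type: str, agent_version: str) -> bool:
    """True when the attachment would raise a detection under the file parameters."""
    parameter = active_parameter(policy, agent_version)
    if parameter is None:
        return False  # nothing configured: this parameter group cannot raise a detection
    if parameter == "file_types":
        matched = mime_matches(policy.file_types, mime_type)
    else:
        matched = extension_matches(policy.file_extensions, filename)
    # Denylist: a match is the violation. Allowlist: a non-match is the violation.
    return matched if policy.list_mode == "unauthorized" else not matched


if __name__ == "__main__":
    # Constructed policy: deny images and DNS payloads by MIME type, with a legacy
    # extension list that only older Agents fall back to.
    policy = FileTypePolicy(file_types=["image/*", "application/dns*"], file_extensions=["pdf", ".PNG"])
    for fname, mime, agent in [("cat.PNG", "image/png", "9.1.0"),
                               ("report.pdf", "application/pdf", "9.1.0"),
                               ("report.PDF", "application/pdf", "8.2.0")]:
        print(fname, agent, active_parameter(policy, agent), attachment_violates(policy, fname, mime, agent))
```

The third case in the sample run is the one the deprecation note warns about: on an Agent older than 9.1.0 the same policy silently switches to the extension list, so a file named `report.PDF` is caught by the legacy `pdf` entry even though the MIME list says nothing about PDFs.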
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0009 (Collection), attack.mitre.org/tactics/TA0009/ | T1213 (Data from Information Repositories), attack.mitre.org/techniques/T1213/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by filename | Disabled |
| Cluster by file extension | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Unauthorized email received (Classic Outlook only)
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 9.1.0 or later
Detects when, in Classic Outlook, a user receives an unauthorized email.
Note: Two sets of content inspection parameters can be configured to search for different data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels) in different sections of an email. For example, you could search for a credit card number in the email body and attachments and raise a detection only if the keyword "Finance" was not in the subject line.

Note: All configured parameters must be met to generate a detection. If all parameters are left empty, all emails will be allowed. To perform content inspection, at least one data identifier and location is required.

| Parameter | Type | Description |
|---|---|---|
| Sender/recipient parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized or unauthorized to send email. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized or unauthorized to send email. Case-insensitive matching is used. |
| Maximum permitted recipients | Float | The maximum number of allowed email recipients. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Maximum permitted recipient domains | Float | The maximum number of allowed recipient email domains. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Recipient type | String list | A list of email recipient types to match on. |
| Content inspection parameters | ||
| Content inspection location | String list | A list of email sections to perform content inspection on. Detections will be generated based on the total match count across all selected locations. Select "All email attachments" to combine match counts across all attachments, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 3 matches will be added to the total. Alternatively, select "Individual email attachments" to perform a separate total calculation for each attachment, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 2 matches will be added to the first total. |
| Content inspection patterns | Advanced asset list | A list of patterns for matching email contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match emails containing US social security numbers. To match all emails use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to email contents during content inspection. |
| Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in an email. |
| Extended content inspection parameters | ||
| Content inspection location | String list | A list of email sections to perform content inspection on. Detections will be generated based on the total match count across all selected locations. Select "All email attachments" to combine match counts across all attachments, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 3 matches will be added to the total. Alternatively, select "Individual email attachments" to perform a separate total calculation for each attachment, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 2 matches will be added to the first total. |
| Content inspection patterns | Advanced asset list | A list of patterns for matching email contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match emails containing US social security numbers. To match all emails use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to email contents during content inspection. |
| Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in an email. |
| Attachment parameters | ||
| Prohibit email attachments | Boolean | The toggle to enable/disable prohibiting all email attachments. If this is enabled and no other parameters are set, a detection will be generated when an email containing an attachment is received. If this is enabled and other parameters are set, a detection will be generated when an email containing an attachment which matches the configured parameters is received. |
| File names | Advanced asset list | A list of regular expressions matching email attachment names authorized or unauthorized to be attached to emails. Case-insensitive matching is used. |
| Maximum permitted attachment size (MB) | Float | The maximum size of allowed attachments in megabytes. If this field is set to 0, no limit will be applied. |
| Email attachment file types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) authorized or unauthorized to be attached to emails. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured when using Agent 9.1.0+, the "Email attachment file extensions" parameter will be ignored. Requires Agent 9.1.0+. |
| Email attachment file extensions | Advanced asset list | A list of file extensions (e.g. .doc, .docx, .xls, .xlsx) authorized or unauthorized to be attached to emails. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated and will only be used if the "Email attachment file types" parameter has not been configured. The "Email attachment file types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf". |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by sender email address | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized email received with encrypted file attachment (Classic Outlook only)
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 10.1.1 or later
Detects when, in Classic Outlook, a user receives an unauthorized email containing an encrypted or password-protected file.
Note: All configured fields must be met to generate a detection.

| Parameter | Type | Description |
|---|---|---|
| Sender/recipient parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized or unauthorized to send email. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized or unauthorized to send email. Case-insensitive matching is used. |
| Maximum number of recipients | Float | The maximum number of allowed email recipients. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Attachment parameters | ||
| Email attachment file extensions | Advanced asset list | A list of file extensions (e.g. .pdf) to monitor for encrypted file content. The dot can be omitted and the extension name is case-insensitive. |
| File names | Advanced asset list | A list of regular expressions matching email attachment names authorized or unauthorized to be attached to emails. Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/ | T1027 (Obfuscated Files or Information), attack.mitre.org/techniques/T1027/ | |
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by sender email address | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized email received with link (Classic Outlook only)
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 9.0.1 or later
Detects when, in Classic Outlook, a user receives an email from an unauthorized sender, and that email contains a prohibited or suspicious link.
Note: In order for a detection to be generated, no configured allowlists must be matched, and, if configured, at least one denylist or toggle must be matched. If none of the parameters have been configured, all email links will be reported.

| Parameter | Type | Description |
|---|---|---|
| Sender parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized for sending emails with links. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized for sending emails with links. Case-insensitive matching is used. |
| Link parameters | ||
| Prohibit links to URLs with IP addresses | Boolean | The toggle to enable/disable generating a detection when a user receives an email containing a link to a URL with an IP address (e.g. http://192.168.0.1/). |
| Prohibit URLs displayed as different addresses | Boolean | The toggle to enable/disable generating a detection when a user receives an email containing a link where the display text is a URL (e.g. https://example.com/) with a different domain than the target URL (e.g. https://phishing.com/). |
| Domains | Advanced asset list | A list of domain names (e.g. example.com) that are authorized or unauthorized to be included as links in an email. |
| URL regex patterns | Advanced asset list | A list of patterns matching URLs that are authorized or unauthorized to be included as links in an email. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. |
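
The evaluation order the note above describes (allowlists first, then at least one denylist or toggle) and the two link toggles can be expressed as a small policy evaluator. The code below is an added example, not FortiDLP's implementation. It reuses the page's own sample values (`example.com`, `phishing.com`, `http://192.168.0.1/`, the `example\.com/search\?q=foo` regex), treats "Email domains" and "Email addresses" as allowlists as the link template defines them, and makes two labelled assumptions: display text counts as a URL when it carries a scheme or starts with `www.`, and when allowlists are the only thing configured, a link from a non-allowlisted sender is reported (the page's "all email links will be reported" case).

```python
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumption: display text is "a URL" when it carries a scheme or starts with "www."
URL_LIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|www\.)", re.IGNORECASE)


def host_of(url: str) -> str:
    """Lowercase hostname of a URL; scheme-less text such as 'www.example.com/x' is accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_ip_literal(host: str) -> bool:
    """True for hosts like 192.168.0.1 or an IPv6 literal (the 'URLs with IP addresses' toggle)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def domain_matches(host: str, domain: str) -> bool:
    """Case-insensitive match where subdomains match (page: 'Subdomains will match')."""
    host, domain = host.lower(), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def display_mismatch(display_text: str, target_url: str) -> bool:
    """The visible text is itself a URL whose domain differs from the real target's,
    e.g. text https://example.com/ pointing at https://phishing.com/."""
    if not URL_LIKE.match(display_text.strip()):
        return False
    return host_of(display_text) != host_of(target_url)


@dataclass
class LinkPolicy:
    sender_domains_allowed: list = field(default_factory=list)    # "Email domains" (allowlist)
    sender_addresses_allowed: list = field(default_factory=list)  # "Email addresses" (allowlist)
    prohibit_ip_urls: bool = False                                # toggle
    prohibit_display_mismatch: bool = False                       # toggle
    domains_denied: list = field(default_factory=list)            # "Domains" as unauthorized
    url_regex_denied: list = field(default_factory=list)          # "URL regex patterns" as unauthorized


def evaluate_link(policy: LinkPolicy, sender: str, display_text: str, target_url: str) -> list:
    """Reasons a detection would be raised for one link; an empty list means no detection.
    Order follows the page: an allowlist match wins, then a denylist or toggle must match."""
    sender = sender.lower()
    sender_domain = sender.rsplit("@", 1)[-1]
    if any(domain_matches(sender_domain, d) for d in policy.sender_domains_allowed):
        return []
    if sender in {a.lower() for a in policy.sender_addresses_allowed}:
        return []
    denylists_configured = (policy.prohibit_ip_urls or policy.prohibit_display_mismatch
                            or policy.domains_denied or policy.url_regex_denied)
    if not denylists_configured:
        return ["no_denylist_configured"]  # assumption: nothing to narrow on, so the link is reported
    host = host_of(target_url)
    reasons = []
    if policy.prohibit_ip_urls and is_ip_literal(host):
        reasons.append("ip_url")
    if policy.prohibit_display_mismatch and display_mismatch(display_text, target_url):
        reasons.append("display_mismatch")
    if any(domain_matches(host, d) for d in policy.domains_denied):
        reasons.append("denied_domain")
    if any(re.search(p, target_url, re.IGNORECASE) for p in policy.url_regex_denied):
        reasons.append("denied_url_pattern")
    return reasons


# Constructed policy built from the page's own example values.
SAMPLE_POLICY = LinkPolicy(
    sender_domains_allowed=["example.com"],
    prohibit_ip_urls=True,
    prohibit_display_mismatch=True,
    domains_denied=["phishing.com"],
    url_regex_denied=[r"example\.com/search\?q=foo"],
)

if __name__ == "__main__":
    # Constructed links as a mail client would surface them: (sender, visible text, real target).
    for link in [("alice@mail.example.com", "report", "http://192.168.0.1/"),
                 ("bob@other.net", "https://example.com/", "https://phishing.com/"),
                 ("bob@other.net", "login", "http://192.168.0.1/"),
                 ("bob@other.net", "docs", "https://docs.other.net/")]:
        print(link, "->", evaluate_link(SAMPLE_POLICY, *link))
```

The first sample link shows why allowlists deserve care: a sender on `mail.example.com` matches the `example.com` allowlist through the subdomain rule and so suppresses every other check, including the IP-address toggle. The "URL regex patterns" entries are run as unanchored regular expressions, which is why the page advises escaping `.` and `?`.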
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0001 (Initial Access), attack.mitre.org/tactics/TA0001/ | T1566 (Phishing), attack.mitre.org/techniques/T1566/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by sender email address | Disabled |
| Cluster by remote email domain | Disabled |
| Cluster by hostname | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Unauthorized email received with ZIP file attachment (Classic Outlook only)
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 9.1.0 or later
Detects when, in Classic Outlook, a user receives an unauthorized email containing a ZIP file.
Note: All configured fields must be met to generate a detection.

| Parameter | Type | Description |
|---|---|---|
| Sender/recipient parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized or unauthorized to send email. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized or unauthorized to send email. Case-insensitive matching is used. |
| Maximum permitted recipients | Float | The maximum number of allowed email recipients. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Content inspection parameters | ||
| Content file names | Advanced asset list | A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within authorized or unauthorized to be received via email. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used. |
| Attachment parameters | ||
| Email attachment file extensions | Advanced asset list | A list of file extensions (e.g. .zip) to monitor for unauthorized ZIP file content. The dot can be omitted and the extension name is case-insensitive. |
| File names | Advanced asset list | A list of regular expressions matching email attachment names authorized or unauthorized to be attached to emails. Case-insensitive matching is used. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by sender email address | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized email sent
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 9.1.0 or later
Detects when, in Classic Outlook or New Outlook, a user sends an unauthorized email.
Note: Two sets of content inspection parameters can be configured to search for different data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels) in different sections of an email. For example, you could search for a credit card number in the email body and attachments and raise a detection only if the keyword "Finance" was not in the subject line.

Note: All configured parameters must be met to generate a detection or block an email. If all parameters are left empty, all emails will be allowed. To perform content inspection, at least one data identifier and location is required.

| Parameter | Type | Description |
|---|---|---|
| Sender/recipient parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized or unauthorized to receive email. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized or unauthorized to receive email. Case-insensitive matching is used. |
| Maximum permitted recipients | Float | The maximum number of allowed email recipients. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Maximum permitted recipient domains | Float | The maximum number of allowed recipient email domains. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Recipient type | String list | A list of email recipient types to match on. |
| Content inspection parameters | ||
| Content inspection location | String list | A list of email sections to perform content inspection on. Detections will be generated based on the total match count across all selected locations. Select "All email attachments" to combine match counts across all attachments, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 3 matches will be added to the total. Alternatively, select "Individual email attachments" to perform a separate total calculation for each attachment, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 2 matches will be added to the first total. |
| Content inspection patterns | Advanced asset list | A list of patterns for matching email contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match emails containing US social security numbers. To match all emails use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to email contents during content inspection. |
| Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. Note: The FortiDLP Email Plugin (Legacy) requires Windows. The FortiDLP Email Add-in for Windows and macOS requires Agent 10.4.0+ for header inspection and Agent 10.1.3+ for attachment inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in an email. |
| Extended content inspection parameters | ||
| Content inspection location | String list | A list of email sections to perform content inspection on. Detections will be generated based on the total match count across all selected locations. Select "All email attachments" to combine match counts across all attachments, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 3 matches will be added to the total. Alternatively, select "Individual email attachments" to perform a separate total calculation for each attachment, e.g. if an email has 1 attachment with 2 matches and another with 1 match, 2 matches will be added to the first total. |
| Content inspection patterns | Advanced asset list | A list of patterns for matching email contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match emails containing US social security numbers. To match all emails use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to email contents during content inspection. |
| Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. Note: The FortiDLP Email Plugin (Legacy) requires Windows. The FortiDLP Email Add-in for Windows and macOS requires Agent 10.4.0+ for header inspection and Agent 10.1.3+ for attachment inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in an email. |
| Attachment parameters | ||
| Prohibit email attachments | Boolean | The toggle to enable/disable prohibiting all email attachments. If this is enabled and no other parameters are set, a detection will be generated when an email containing an attachment is sent. If this is enabled and other parameters are set, a detection will be generated when an email containing an attachment which matches the configured parameters is sent. |
| File names | Advanced asset list | A list of regular expressions matching email attachment names authorized or unauthorized to be attached to emails. Case-insensitive matching is used. |
| Maximum permitted attachment size (MB) | Float | The maximum size of allowed attachments in megabytes. If this field is set to 0, no limit will be applied. |
| Email attachment file types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) authorized or unauthorized to be attached to emails. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured when using Agent 9.1.0+, the "Email attachment file extensions" parameter will be ignored. Requires Agent 9.1.0+. |
| Email attachment file extensions | Advanced asset list | A list of file extensions (e.g. .doc, .docx, .xls, .xlsx) authorized or unauthorized to be attached to emails. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated and will only be used if the "Email attachment file types" parameter has not been configured. The "Email attachment file types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf". |
| Attachment origin parameters | ||
| SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
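
The content inspection parameters in this template and in "Unauthorized email received" share the same counting rules: totals are summed across the selected locations, "All email attachments" folds every attachment into one total while "Individual email attachments" keeps one total per attachment, the match frequency is applied per identifier, and the match type is then applied across identifiers, with both parameter groups having to be met. The following is an added example that works those rules through on constructed input; it is not FortiDLP's implementation. It assumes attachment text has already been extracted (real Agents do that from the file), uses a simplified card-number regex, and treats an identifier as "present" only once it reaches the match frequency. Sensitivity labels are left out.

```python
import re
from dataclasses import dataclass, field


@dataclass
class Email:
    subject: str
    body: str
    attachments: dict  # attachment name -> text already extracted from the file (constructed here)


@dataclass
class InspectionSet:
    """One 'Content inspection parameters' group; the 'Extended' group is a second instance."""
    locations: list                                  # "Content inspection location"
    patterns: dict = field(default_factory=dict)     # name -> regex, "Content inspection patterns"
    keywords: list = field(default_factory=list)     # "Content inspection keywords"
    match_type: str = "any"                          # "all" | "none" | "any" | "at least N"
    match_frequency: int = 1                         # "Content inspection match frequency"


def identifier_names(s: InspectionSet) -> list:
    return list(s.patterns) + ["kw:" + k for k in s.keywords]


def count_in(s: InspectionSet, text: str) -> dict:
    """Occurrences of every data identifier in one piece of text (case-insensitive)."""
    counts = {name: len(re.findall(rx, text, re.IGNORECASE)) for name, rx in s.patterns.items()}
    lowered = text.lower()
    for k in s.keywords:
        counts["kw:" + k] = lowered.count(k.lower())
    return counts


def scopes(email: Email, s: InspectionSet) -> list:
    """Groups of text whose counts are totalled together. 'All email attachments' folds every
    attachment into one total; 'Individual email attachments' yields one total per attachment."""
    base = []
    if "Subject" in s.locations:
        base.append(email.subject)
    if "Body" in s.locations:
        base.append(email.body)
    if "Individual email attachments" in s.locations and email.attachments:
        return [base + [text] for text in email.attachments.values()]
    if "All email attachments" in s.locations:
        base = base + list(email.attachments.values())
    return [base]


def totals(s: InspectionSet, texts: list) -> dict:
    total = dict.fromkeys(identifier_names(s), 0)
    for text in texts:
        for name, n in count_in(s, text).items():
            total[name] += n
    return total


def set_satisfied(s: InspectionSet, total: dict) -> bool:
    """Apply the match frequency, then the match type, to one scope's totals.
    Assumption: an identifier is 'present' only once it reaches the match frequency."""
    present = {name for name, n in total.items() if n >= s.match_frequency}
    if s.match_type == "all":
        return bool(total) and present == set(total)
    if s.match_type == "none":
        return not present
    if s.match_type == "any":
        return bool(present)
    if s.match_type.startswith("at least "):
        return len(present) >= int(s.match_type.split()[-1])
    raise ValueError("unknown match type: " + s.match_type)


def set_detects(email: Email, s: InspectionSet) -> bool:
    return any(set_satisfied(s, totals(s, texts)) for texts in scopes(email, s))


def detect(email: Email, sets: list) -> bool:
    """All configured parameter groups must be met (page: 'All configured parameters must be met')."""
    return all(set_detects(email, s) for s in sets)


# Constructed sample: a simplified card-number pattern and an email whose two attachments
# carry 2 and 1 matches, the same shape as the page's counting example.
CARD = r"\b(?:\d{4}[ -]?){3}\d{4}\b"
SAMPLE = Email(
    subject="Q3 customer export",
    body="Please find the export attached.",
    attachments={"customers.csv": "4111 1111 1111 1111\n5500 0000 0000 0004\n",
                 "notes.txt": "card on file 4012 8888 8888 1881"},
)
# Group 1: a card number in body or attachments. Group 2: "Finance" must NOT be in the subject.
CARD_ANYWHERE = InspectionSet(locations=["Body", "All email attachments"], patterns={"card": CARD})
NOT_FINANCE = InspectionSet(locations=["Subject"], keywords=["Finance"], match_type="none")

if __name__ == "__main__":
    print("all attachments total:", totals(CARD_ANYWHERE, scopes(SAMPLE, CARD_ANYWHERE)[0]))
    print("detect:", detect(SAMPLE, [CARD_ANYWHERE, NOT_FINANCE]))
```

With "All email attachments" the sample totals 3 card numbers; with "Individual email attachments" the two scopes total 2 and 1, so a match frequency of 3 fires in the first configuration and not in the second. That difference is the practical reason to choose the location mode deliberately when the threshold is meant to catch bulk data in a single file rather than scattered across an email.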
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by sender email address | Disabled |
| Cluster by remote email domain | Disabled |
| Cluster by recipient domain | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |
Supported actions: Block email, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized email sent with encrypted file attachment
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 10.1.1 or later
Detects when, in Classic Outlook or New Outlook, a user sends an unauthorized email containing an encrypted or password-protected file.
Note: All configured fields must be met to generate a detection or block an email.

| Parameter | Type | Description |
|---|---|---|
| Sender/recipient parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized or unauthorized to receive email. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized or unauthorized to receive email. Case-insensitive matching is used. |
| Maximum number of recipients | Float | The maximum number of allowed email recipients. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Attachment parameters | ||
| Email attachment file extensions | Advanced asset list | A list of file extensions (e.g. .pdf) to monitor for encrypted file content. The dot can be omitted and the extension name is case-insensitive. |
| File names | Advanced asset list | A list of regular expressions matching email attachment names authorized or unauthorized to be attached to emails. Case-insensitive matching is used. |
| Attachment origin parameters | ||
| SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/ | T1027 (Obfuscated Files or Information), attack.mitre.org/techniques/T1027/ | |
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by recipient domain | Disabled |
| Cluster by policy | Disabled |
| Cluster by sender email address | Disabled |
| Cluster by remote email domain | Disabled |
Supported actions: Block email, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized email sent with ZIP file attachment
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 9.1.0 or later
Detects when, in Classic Outlook or New Outlook, a user sends an unauthorized email containing a ZIP file.
Note: All configured fields must be met to generate a detection or block an email.
| Parameter | Type | Description |
|---|---|---|
| Sender/recipient parameters | ||
| Email domains | Advanced asset list | A list of email domain names (e.g. example.com) authorized or unauthorized to receive email. Case-insensitive matching is used. Subdomains will match. |
| Email addresses | Advanced asset list | A list of email addresses (e.g. abc@example.com) authorized or unauthorized to receive email. Case-insensitive matching is used. |
| Maximum permitted recipients | Float | The maximum number of allowed email recipients. If this field is set to 0, no limit will be applied. Case-insensitive counting is used. |
| Content inspection parameters | ||
| Content file names | Advanced asset list | A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within authorized or unauthorized to be sent via email. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used. |
| Attachment parameters | ||
| Email attachment file extensions | Advanced asset list | A list of file extensions (e.g. .zip) to monitor for unauthorized ZIP file content. The dot can be omitted and the extension name is case-insensitive. |
| File names | Advanced asset list | A list of regular expressions matching email attachment names authorized or unauthorized to be attached to emails. Case-insensitive matching is used. |
| Attachment origin parameters | ||
| SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
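The "URL patterns" wildcard rules (described identically for this template and for the encrypted-attachment template above) are easy to get wrong in a way that either misses downloads or over-matches unrelated sites, so it is worth checking a pattern against sample URLs before the policy goes live. The following is an added Python illustration of those rules as this page describes them; it is not FortiDLP's own matcher, and its handling of details the page does not spell out (empty segments, ports, scheme globbing) is an assumption.

```python
import re
from urllib.parse import urlsplit

# Added illustration of the URL-pattern rules described above; this is an
# assumed reimplementation for testing patterns, not FortiDLP's own matcher.

def _segments_regex(segments, sep):
    """Regex for glob segments joined by `sep`: a whole-segment '**' matches
    zero or more whole segments, a '*' inside a segment matches zero or more
    characters of that segment, everything else is literal."""
    esc = re.escape(sep)
    last = len(segments) - 1
    parts = []
    for i, seg in enumerate(segments):
        if seg == "**":
            # each consumed segment brings its own separator; a trailing '**'
            # also swallows the final segment, which has no separator after it
            parts.append(f"(?:[^{esc}]*{esc})*" + (f"[^{esc}]*" if i == last else ""))
        else:
            parts.append("".join(f"[^{esc}]*" if ch == "*" else re.escape(ch) for ch in seg)
                         + (esc if i < last else ""))
    return "".join(parts)

def _split_pattern(pattern):
    """Split a pattern into (scheme, host, path, query, fragment); None = omitted."""
    scheme, rest = pattern.split("://", 1) if "://" in pattern else (None, pattern)
    rest, fragment = rest.split("#", 1) if "#" in rest else (rest, None)
    rest, query = rest.split("?", 1) if "?" in rest else (rest, None)
    host, path = rest.split("/", 1) if "/" in rest else (rest, None)
    return scheme, host, path, query, fragment

def _star(text):
    # plain star-glob for components that have no segment structure
    return "".join(".*" if ch == "*" else re.escape(ch) for ch in text)

def url_matches(pattern, url):
    """True if `url` is covered by `pattern`; omitted components match anything."""
    p_scheme, p_host, p_path, p_query, p_frag = _split_pattern(pattern)
    u = urlsplit(url)
    checks = [
        (p_scheme, _star, u.scheme),
        (p_host, lambda h: _segments_regex(h.split("."), "."), u.hostname or ""),
        (p_path, lambda p: _segments_regex(p.split("/"), "/"), u.path.lstrip("/")),
        (p_query, _star, u.query),
        (p_frag, _star, u.fragment),
    ]
    return all(pat is None or re.fullmatch(build(pat), value, re.IGNORECASE)
               for pat, build, value in checks)
```

Running the page's example pattern `**.example.com/**/download*` against a few constructed URLs shows that a file under a `downloads/` directory is not covered (only the final segment is tested), and that `*.example.com` covers one subdomain level while `**.example.com` covers any depth.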
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by sender email address | Disabled |
| Cluster by remote email domain | Disabled |
| Cluster by recipient domain | Disabled |
| Cluster by policy | Disabled |
Supported actions: Block outbound email, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized email tool used
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Detects when a user runs an unauthorized email application.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Authorized applications | String list | A list of email applications users are authorized to use. This template can detect use of Thunderbird, Windows Mail App, Windows Live Mail, Outlook (including new Outlook for Windows), eM Client, Pidgin, and Apple Mail. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0042 (Resource Development), attack.mitre.org/tactics/TA0042/ | T1588 (Obtain Capabilities), attack.mitre.org/techniques/T1588/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process