
User account domains: origin (Preview)

Requirements: FortiDLP Agent 11.4.6+ and FortiDLP Policies 8.0.0+.

Note

To enable this Preview feature, contact Fortinet Support.

The User account domains parameter, available in the File origin parameters or Attachment origin parameters template sections, allows detections to be generated based on the login account name used to download files from a protected website (that is, one defined by the URL patterns: origin parameter) or a protected web app (that is, one defined by the SaaS apps: origin parameter).

You can use the User account domains parameter to specify a list of domains that match the user account names you want to monitor.

Example

For example, entering company.com would enable monitoring of login user accounts in the format name@company.com.

The User account domains parameter helps distinguish between corporate and non-corporate web activity for users who have signed in to a site or web app using:

  • username- and password-based authentication
  • OAuth, or
  • SAML 2.0.

Note

OAuth and SAML logins are supported with Microsoft, Google, or Okta as identity providers.

The User account domains parameter is available in various templates, some of which can generate detections based on both a file's web origin and its destination.

Example

For example, using the Sensitive file uploaded template, you could prevent files that were originally downloaded from a OneDrive file share website from being uploaded to any website unless users are logged in using their corporate email address. Configure the template as follows.

In the Website parameters section:

  • For the User account domains parameter:
    1. Select the Allow listed domains radio button.
    2. Either type a custom value or select an asset that matches your corporate email domain, such as company.com.

In the File origin parameters section:

  • For the URL patterns parameter, either type a custom value or select an asset that matches your corporate OneDrive, such as onedrive.com.
  • For the User account domains parameter, either type a custom value or select an asset that matches your corporate email domain, such as company.com.

Known limitations

Be mindful of the following limitations:

  • Password-free logins, where a one-time code, face, fingerprint, PIN, or security key is used for authentication, are not recognized and will be reported as unknown logins.
    Note

    If the User account domains parameter is set, you can generate detections when file downloads associated with unknown logins are subsequently egressed by turning the Monitor unknown user accounts toggle on during template configuration.

  • Two-factor authentication (2FA) logins are not validated, so detections may be generated even when users authenticate successfully using this method.
  • If a user logs in to an app via an external provider (e.g. 'Continue with Google' or 'Continue with Microsoft Account') and an account is automatically used due to being the only account logged in to the provider, the account username will only be identifiable if the Agent captured the login to the provider.
    Example

    For example:

    1. A user logs in to Google (external provider) using jim@gmail.com. A browser login event is generated for this account.
    2. The user then logs in to the WeTransfer app using 'Sign in with Google', and jim@gmail.com is automatically used due to being the only active Google account in the browser. A browser login event is generated, and jim@gmail.com is identified as the account username.
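
The following Python sketch is an added illustration, not FortiDLP code or its documented matching logic. It models the Sensitive file uploaded example and the unknown-login limitation so you can plan which test logins should and should not produce a detection. Exact, case-insensitive domain matching, subdomain coverage for URL patterns, and all function and account names are assumptions.

```python
# Added illustration: a model for planning test cases, NOT FortiDLP's own logic.
# Assumptions: domains match exactly and case-insensitively; a URL pattern such
# as onedrive.com covers that host and its subdomains.

def account_domain(account):
    """Domain part of name@domain, lower-cased; None for unknown or malformed."""
    if not account or account.count("@") != 1:
        return None
    name, domain = account.split("@")
    domain = domain.strip().lower().rstrip(".")
    return domain if name and domain else None

def domain_listed(account, domains):
    """True only on an exact domain match, so company.com.evil.example fails."""
    d = account_domain(account)
    return d is not None and d in {x.lower() for x in domains}

def origin_in_scope(host, account, policy):
    """File origin parameters: protected site and a monitored (or unknown) login."""
    host = host.lower()
    if not any(host == p or host.endswith("." + p) for p in policy["url_patterns"]):
        return False
    if account_domain(account) is None:      # unknown login, e.g. password-free
        return policy["monitor_unknown"]
    return domain_listed(account, policy["origin_domains"])

def upload_detected(origin_host, origin_account, upload_account, policy):
    """Detection: in-scope file uploaded under a login outside the allow list.
    An unknown upload login is treated as not allow-listed (assumption)."""
    if not origin_in_scope(origin_host, origin_account, policy):
        return False
    return not domain_listed(upload_account, policy["allowed_upload_domains"])

# Policy from the example above; all account names below are constructed.
POLICY = {"url_patterns": ["onedrive.com"], "origin_domains": ["company.com"],
          "allowed_upload_domains": ["company.com"], "monitor_unknown": False}

CASES = [  # (origin host, login used for download, login used for upload)
    ("onedrive.com", "ann@company.com", "ann@company.com"),
    ("onedrive.com", "ann@company.com", "ann@gmail.com"),
    ("onedrive.com", "ann@company.com", "ann@company.com.evil.example"),
    ("onedrive.com", "ann@gmail.com", "ann@gmail.com"),
    ("onedrive.com", None, "ann@gmail.com"),
]

def run_matrix(policy=POLICY):
    return [upload_detected(*case, policy) for case in CASES]

if __name__ == "__main__":
    for case, hit in zip(CASES, run_matrix()):
        print(case, "->", "detection" if hit else "no detection")
```

Compare the modeled outcomes with what the Agent actually reports in a pilot group; any difference shows where the product's matching departs from these assumptions.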
