
Screenshot templates

Templates for building policies based on screen capture application usage.

Screenshot taken

Requirements: Windows or macOS, Agent version 7.7.14 or later

Detects when a user takes a screenshot of their desktop using a screenshot application or a keyboard shortcut. The following screenshot applications are monitored:
Windows: Greenshot, Snagit, Snip & Sketch, and Snipping Tool (requires Agent 10.5.2+).
macOS: CleanShot X, Screenshot, Snagit 2024, and SnapNDrag.

Note

Some screenshot applications write to a file in addition to, or instead of, writing to the clipboard, so the "Empty clipboard" action can be circumvented. To detect screenshots taken using keyboard shortcuts, you must enable keystroke monitoring. For details, refer to the FortiDLP Administration Guide.

Parameters (parameter name, type, description)

Process parameters
  Binary names (Advanced asset list): A list of binary names (e.g. chrome.exe) whose window content is authorized or unauthorized to be captured in a screenshot.
  Window titles (Advanced asset list): A list of patterns matched against the window title of the application being screenshotted. Full regular expression (regex) grammar is supported and matching is case-insensitive. For example, entering "con(fidential|tent)" generates a detection when a screenshot is taken of an application whose window title contains "confidential" or "content".
  Monitor only foreground applications (Boolean): Enables or disables monitoring of the foreground application only.

Website parameters
  SaaS apps (SaaS app filter): A list of SaaS apps on which screenshots are authorized or unauthorized. Requires Agent 11.3.0+.
  URL patterns (Advanced asset list): A list of URL patterns for websites on which screenshots are authorized or unauthorized. A single asterisk (*) wildcard matches 0 or more characters within a domain/path segment; a double asterisk (**) wildcard matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and match anything if omitted. For example, the pattern **.example.com/**/login* matches any subdomain of example.com with any path, as long as the final path segment begins with "login".

Operation parameters
  Monitor screenshot capture (Boolean): Enables or disables monitoring of screen captures.
  Monitor screenshot save (Boolean): Enables or disables monitoring of screen captures being saved to files.
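The wildcard grammar described for the URL patterns parameter and the case-insensitive regex matching described for the Window titles parameter, as an added Python example that is not FortiDLP's own code: url_matches translates a pattern into a regular expression following the documented semantics (single asterisk within a segment, double asterisk across whole segments, omitted components match anything), and title_matches applies the window-title rule. The function names, the component-by-component handling of scheme, query and fragment, and the sample URLs are assumptions of this example, not the product's implementation.

```python
import re

# Constructed helper for the documented wildcard grammar: a single "*" matches
# 0 or more characters inside one domain/path segment, a double "**" matches
# 0 or more whole segments. `sep` is "." for hosts and "/" for paths.
def _glob_to_regex(pattern, sep):
    esc = re.escape(sep)
    one = f"[^{esc}]"          # any single character that is not a separator
    segs = pattern.split(sep)
    n = len(segs)
    parts = []
    for i, seg in enumerate(segs):
        first, last = i == 0, i == n - 1
        if seg == "**":
            if first and last:
                parts.append(f"(?:{one}+(?:{esc}{one}*)*)?")  # the whole value
            elif last:
                parts.append(f"(?:{esc}{one}*)*")              # trailing segments
            else:
                parts.append(f"(?:{one}+{esc})*")              # leading/middle segments
            continue
        # literal segment: "*" becomes "0 or more non-separator characters"
        parts.append("".join(f"{one}*" if ch == "*" else re.escape(ch) for ch in seg))
        # emit the separator unless the next segment is a trailing "**",
        # which supplies its own leading separator
        if not last and not (segs[i + 1] == "**" and i + 1 == n - 1):
            parts.append(esc)
    return "".join(parts)


def _split_url(text):
    """Split a URL or URL pattern into (scheme, host, path, query, fragment).
    Components that are absent are returned as None (assumed decomposition)."""
    scheme = None
    if "://" in text:
        scheme, text = text.split("://", 1)
    fragment = None
    if "#" in text:
        text, fragment = text.split("#", 1)
    query = None
    if "?" in text:
        text, query = text.split("?", 1)
    path = None
    if "/" in text:
        host, path = text.split("/", 1)   # path is kept without its leading "/"
    else:
        host = text
    return scheme, host, path, query, fragment


def url_matches(pattern, url):
    """True if `url` is covered by `pattern`; components omitted from the
    pattern match anything, as the parameter description states."""
    p_scheme, p_host, p_path, p_query, p_frag = _split_url(pattern)
    u_scheme, u_host, u_path, u_query, u_frag = _split_url(url)
    if p_scheme is not None and p_scheme.lower() != (u_scheme or "").lower():
        return False
    if not re.fullmatch(_glob_to_regex(p_host, "."), u_host, re.IGNORECASE):
        return False
    if p_path is not None and not re.fullmatch(
            _glob_to_regex(p_path, "/"), u_path or "", re.IGNORECASE):
        return False
    # Query and fragment have no segment structure here, so any "*" matches
    # any run of characters (an assumption of this example).
    for p_part, u_part in ((p_query, u_query), (p_frag, u_frag)):
        if p_part is not None:
            regex = ".*".join(re.escape(piece) for piece in p_part.split("*"))
            if not re.fullmatch(regex, u_part or "", re.IGNORECASE):
                return False
    return True


def title_matches(patterns, title):
    """Window-title rule: each entry is a full regex, matched case-insensitively
    anywhere in the title."""
    return any(re.search(p, title, re.IGNORECASE) for p in patterns)


if __name__ == "__main__":
    pattern = "**.example.com/**/login*"
    # Constructed sample URLs for the documented example pattern.
    for url in ("https://portal.example.com/app/v2/login.aspx",
                "example.com/login",
                "https://example.com/login/home",
                "https://evil-example.com/login"):
        print(f"{url:48} -> {url_matches(pattern, url)}")
    print(title_matches(["con(fidential|tent)"], "Q3 Budget - CONFIDENTIAL.xlsx"))
```

The fourth sample URL is the reason a segment-aware matcher matters: a naive "contains example.com" check would authorize evil-example.com, whereas the documented ** grammar only matches whole labels in front of example.com.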
MITRE ATT&CK (Tactic / Technique / Sub-technique)
  Technique: T1113 (Screen Capture), attack.mitre.org/techniques/T1113/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule (default value)
  Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Empty clipboard
