
File templates

Templates for building policies based on user file activity.

Cloud sync folder activity

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user moves sensitive files to/from a local cloud storage provider sync folder.

Note

Subsequent detections and actions for the same file and process will not be generated until at least one minute after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Note

Requires Agent 12.0.1+ on Linux.

Parameter | Type | Description
Process parameters
Binary names | Advanced asset list | A list of binary names (e.g. BoxSync.exe) to authorize or unauthorize access to the cloud sync folder. Case-insensitive matching is used.
File parameters
File paths | Advanced asset list | A list of file path expressions matching files that are authorized or unauthorized to be moved to/from a cloud sync folder. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would ignore all file activity involving the Shared folder under users' home directories and **\*.pdf would ignore all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Cloud provider parameters
Monitor local Box files (Windows and macOS only) | Boolean | The toggle to enable/disable detection of file activity in the Box cloud sync folder.
Monitor local Dropbox files | Boolean | The toggle to enable/disable detection of file activity in the Dropbox cloud sync folder.
Monitor local Google Drive Backup and Sync files (Windows and macOS only) | Boolean | The toggle to enable/disable detection of file activity in the Google Drive Backup and Sync cloud sync folder.
Monitor local Google Drive Filestream files (Windows and macOS only) | Boolean | The toggle to enable/disable detection of file activity in the Google Drive Filestream cloud sync folder.
Monitor local iCloud files | Boolean | The toggle to enable/disable detection of file activity in the iCloud sync folder.
Monitor local IDrive files (Windows and macOS only) | Boolean | The toggle to enable/disable detection of file activity in the IDrive cloud sync folder.
Monitor local OneDrive files (Windows and macOS only) | Boolean | The toggle to enable/disable detection of file activity in the OneDrive cloud sync folder.
Monitor local pCloud files | Boolean | The toggle to enable/disable detection of file activity in the pCloud sync folder.
File action parameters
Monitor files written to local cloud sync folder | Boolean | The toggle to enable/disable detection of files written to the cloud sync folder.
Monitor files moved or copied to local cloud sync folder | Boolean | The toggle to enable/disable detection of files moved or copied to the cloud sync folder. Note: This feature is not supported for Google Drive Filestream. Monitoring of file copies is only supported on macOS.
Monitor files moved or copied from local cloud sync folder | Boolean | The toggle to enable/disable detection of files moved or copied from the cloud sync folder. Note: This feature is not supported for Google Drive Filestream. Monitoring of file copies is only supported on macOS.
Content inspection parameters
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document.
File origin parameters
SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections | Boolean | The toggle to enable/disable reporting multiple applications opening the same file in a single detection.
Group time window (in seconds) | Integer | The time period over which file activity will be grouped into a single detection.
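The file parameters above combine in a specific order: the "File paths" glob is applied first, the size threshold is applied next, and "File types" (MIME patterns) takes precedence over the deprecated "File extensions" list whenever the Agent can identify MIME types. The following Python script is an added example, not FortiDLP code, that models those rules so you can check how a candidate path, MIME type and size would be filtered before deploying a policy. It assumes that both "\" and "/" count as path separators, that an empty list means "no restriction" for that filter, and that the Agent's own glob engine may differ in edge cases; the sample paths are constructed.

```python
import re

# Added example (not FortiDLP code): a model of the file-parameter filters of the
# Cloud sync folder activity template. Assumptions: "\" and "/" are both path
# separators, and an empty filter list imposes no restriction.

def glob_to_regex(pattern):
    """Translate the template's glob syntax into a compiled, case-insensitive regex.
    `**` matches zero or more whole path segments, `*` matches any run of characters
    inside one segment, `?` matches one character."""
    out, i, n = [], 0, len(pattern)
    while i < n:
        if pattern.startswith("**", i):
            if i + 2 < n and pattern[i + 2] in "\\/":
                out.append(r"(?:.*[\\/])?")  # "**\" may match zero segments
                i += 3
            else:
                out.append(r".*")
                i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\/]*")
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\/]")
            i += 1
        elif pattern[i] in "\\/":
            out.append(r"[\\/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)

def mime_matches(mime_type, patterns):
    """`image/*` matches image/png; `application/dns*` matches application/dns-message;
    a pattern without `*` must match the MIME type exactly."""
    for p in patterns:
        if p.endswith("*"):
            if mime_type.startswith(p[:-1]):
                return True
        elif mime_type == p:
            return True
    return False

def extension_matches(path, extensions):
    """Deprecated "File extensions" rule: dot optional, case-insensitive."""
    name = re.split(r"[\\/]", path)[-1]
    if "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in {e.lstrip(".").lower() for e in extensions}

def file_is_in_scope(path, mime_type, size_mb, *, file_paths=(), file_types=(),
                     file_extensions=(), max_size_mb=0.0, agent_supports_mime=True):
    """True when the file passes every configured file filter. `mime_type` may be
    None when the Agent could not identify the type."""
    if file_paths and not any(glob_to_regex(p).match(path) for p in file_paths):
        return False
    # "Files smaller than this will not generate detections"; 0 means no limit.
    if max_size_mb > 0 and size_mb < max_size_mb:
        return False
    # "File types" wins; "File extensions" is only the fallback.
    if file_types and agent_supports_mime:
        return mime_matches(mime_type or "", file_types)
    if file_extensions:
        return extension_matches(path, file_extensions)
    return True

if __name__ == "__main__":
    # Constructed sample: a PDF in a user's Shared folder, 1.5 MB.
    print(file_is_in_scope(r"C:\Users\bob\Shared\q.pdf", "application/pdf", 1.5,
                           file_paths=[r"C:\Users\**\Shared\**"],
                           file_types=["application/pdf"], file_extensions=[".docx"]))
```

Running the script with `agent_supports_mime=False` flips the result, because the ".docx" extension list is then consulted instead of the MIME list; that is exactly the mixed-fleet situation the deprecation note warns about, so keep both parameters consistent while older Agents remain.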
Tactic / Technique / Sub-technique
Technique: T1213 (Data from Information Repositories), attack.mitre.org/techniques/T1213/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule | Default
Cluster by binary name | Disabled
Cluster by file extension | Disabled
Cluster by content | Disabled
Cluster by policy | Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Encrypted file opened

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user opens an encrypted or password-protected file in an unauthorized application.

Parameter | Type | Description
Process parameters
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to open encrypted files. Case-insensitive matching is used.
Called paths | Advanced asset list | A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to open encrypted files. An empty list will match all applications. Case-sensitive matching is used.
File parameters
File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .docx). The dot can be omitted, and case-insensitive matching is used.
File paths | Advanced asset list | A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories). Case-insensitive matching is used.
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
Only monitor network shares | Boolean | The toggle to enable/disable only monitoring files on a network share. If disabled, network files along with local files will be monitored.
File action parameters
Monitor files opened for reading | Boolean | The toggle to enable/disable detection of encrypted files opened for read.
Monitor files opened for writing | Boolean | The toggle to enable/disable detection of encrypted files opened for write.
Monitor file rename | Boolean | The toggle to enable/disable detection of encrypted files renamed.
Monitor file move | Boolean | The toggle to enable/disable detection of encrypted files moved.
File origin parameters (Windows and macOS only)
SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections | Boolean | The toggle to enable/disable reporting multiple applications opening the same encrypted file in a single detection. Agent 7.7.7+ required.
Group time window (in seconds) | Integer | The time period over which file activity will be grouped into a single detection.
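The "File origin parameters" block (which recurs with the same wording in every template on this page) describes a URL pattern grammar with two wildcards and optional URL parts, plus a domain rule for user accounts. The Python script below is an added example, not FortiDLP code, implementing those semantics as stated so that a pattern such as **.example.com/**/download* can be tested against candidate URLs before it is put into a policy. Assumptions beyond the page: the host and scheme are compared case-insensitively while path, query and fragment are compared as written, and a pattern or URL without "://" is read host-first; all sample URLs are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Added example (not FortiDLP code): the URL pattern grammar and the
# "User account domains" rule described in the File origin parameters.

@dataclass
class UrlParts:
    scheme: Optional[str]
    host: str
    path: Optional[str]
    query: Optional[str]
    fragment: Optional[str]

def split_url(text: str) -> UrlParts:
    """Split a pattern or URL into parts; an absent part is None. A hand-rolled
    splitter is used because a pattern like **.example.com/**/download* has no
    scheme and must still be read host-first."""
    scheme, rest = None, text
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    fragment = None
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
    query = None
    if "?" in rest:
        rest, query = rest.split("?", 1)
    host, path = rest, None
    if "/" in rest:
        host, tail = rest.split("/", 1)
        path = "/" + tail
    return UrlParts(scheme, host, path, query, fragment)

def segment_matches(pat: str, seg: str, ignore_case: bool) -> bool:
    """A single `*` matches 0 or more characters within one segment."""
    regex = "^" + ".*".join(re.escape(p) for p in pat.split("*")) + "$"
    return re.match(regex, seg, re.IGNORECASE if ignore_case else 0) is not None

def segments_match(pats, segs, ignore_case: bool) -> bool:
    """`**` matches 0 or more whole segments; any other entry matches exactly one."""
    if not pats:
        return not segs
    if pats[0] == "**":
        return any(segments_match(pats[1:], segs[i:], ignore_case)
                   for i in range(len(segs) + 1))
    return (bool(segs) and segment_matches(pats[0], segs[0], ignore_case)
            and segments_match(pats[1:], segs[1:], ignore_case))

def part_matches(pat: Optional[str], value: Optional[str], sep: Optional[str],
                 ignore_case: bool) -> bool:
    """A part omitted from the pattern matches anything, as the page states."""
    if pat is None:
        return True
    value = value or ""
    if sep is None:  # scheme, query and fragment are treated as a single segment
        return segment_matches(pat, value, ignore_case)
    pats = [p for p in pat.split(sep) if p]
    segs = [s for s in value.split(sep) if s]
    return segments_match(pats, segs, ignore_case)

def url_matches(pattern: str, url: str) -> bool:
    p, u = split_url(pattern), split_url(url)
    return (part_matches(p.scheme, u.scheme, None, True)
            and part_matches(p.host, u.host, ".", True)
            and part_matches(p.path, u.path, "/", False)
            and part_matches(p.query, u.query, None, False)
            and part_matches(p.fragment, u.fragment, None, False))

def account_in_domains(account: str, domains: Iterable[str]) -> bool:
    """'company.com' covers name@company.com and any subdomain, case-insensitively."""
    if "@" not in account:
        return False
    domain = account.rsplit("@", 1)[1].lower()
    for d in domains:
        d = d.lower().lstrip("@")
        if domain == d or domain.endswith("." + d):
            return True
    return False

if __name__ == "__main__":
    pattern = "**.example.com/**/download*"
    for url in ["https://files.eu.example.com/api/v2/download?id=7",
                "https://example.com/downloads/list", "https://example.org/download"]:
        print(url_matches(pattern, url), url)
```

Note that "downloads/list" does not match even though a segment starts with "download": the page's rule is about the final path segment, and the recursive `**` search cannot make "download*" consume two segments.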
Tactic / Technique / Sub-technique
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1027 (Obfuscated Files or Information), attack.mitre.org/techniques/T1027/
Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
Technique: T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule | Default
Cluster by binary name | Disabled
Cluster by policy | Disabled
Cluster by file extension | Disabled
Cluster by filename | Disabled
Cluster by file path | Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process, Make shadow copy

Encrypted file uploaded or downloaded using unauthorized command

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user uploads or downloads an encrypted or password-protected file by using an unauthorized command.

Parameter | Type | Description
Command parameters
Unauthorized called paths | Advanced asset list | A list of regular expressions matching binary called paths (e.g. aws(\.exe)? +s3 +cp +.*) unauthorized to upload or download sensitive files. Case-sensitive matching is used.
Unauthorized PowerShell cmdlets | Advanced asset list | A list of regular expressions matching unauthorized cmdlets. A single capturing group is required to match the file or directory name (e.g. ^Write-S3Object.*-File (["'][^"']+["']|[^ ]+).*). Case-insensitive matching is used. An empty list will not match any cmdlet. Note: The Windows "PowerShell Script Block Logging" group policy must be enabled. For details, go to https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging.
File parameters
File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used.
File paths | Advanced asset list | A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File action parameters
Monitor file uploads | Boolean | The toggle to enable/disable monitoring of files uploaded from the command line.
Monitor file downloads | Boolean | The toggle to enable/disable monitoring of files downloaded from the command line.
File origin parameters (Windows and macOS only)
SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic / Technique / Sub-technique
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1027 (Obfuscated Files or Information), attack.mitre.org/techniques/T1027/
Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
Technique: T1567 (Exfiltration Over Web Service), attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule | Default
Cluster by policy | Disabled
Cluster by file extension | Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

File opened outside user directory

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a file of a specified type is opened outside a directory deemed a user directory (e.g. C:\Users on Windows).

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter | Type | Description
Process parameters
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) to authorize or unauthorize access to files outside the home directory. Case-insensitive matching is used.
File parameters
File paths | Advanced asset list | A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\**\Confidential\** would match all files in the Confidential folder). Case-insensitive matching is used.
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions | Advanced asset list | A list of file extensions (e.g. .doc, .docx, .pdf) to watch for if opened outside expected folders. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Tactic / Technique / Sub-technique: none listed for this template.

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule | Default
Cluster by policy | Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

File uploaded or downloaded using unauthorized command

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user uploads or downloads a sensitive file by using an unauthorized command.

Note

Subsequent detections and actions for the same file will not be generated until at least 20 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter | Type | Description
Command parameters
Unauthorized called paths | Advanced asset list | A list of regular expressions matching binary called paths (e.g. aws(\.exe)? +s3 +cp +.*) unauthorized to upload or download sensitive files. Case-sensitive matching is used.
Unauthorized PowerShell cmdlets | Advanced asset list | A list of regular expressions matching unauthorized cmdlets. A single capturing group is required to match the file or directory name (e.g. ^Write-S3Object.*-File (["'][^"']+["']|[^ ]+).*). Case-insensitive matching is used. An empty list will not match any cmdlet. Note: The Windows "PowerShell Script Block Logging" group policy must be enabled. For details, go to https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging.
File parameters
File paths | Advanced asset list | A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
File action parameters
Monitor file uploads | Boolean | The toggle to enable/disable monitoring of files uploaded from the command line.
Monitor file downloads | Boolean | The toggle to enable/disable monitoring of files downloaded from the command line.
Content inspection parameters
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
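The "Command parameters" of this template and of "Encrypted file uploaded or downloaded using unauthorized command" above use two different regex conventions: called paths are matched case-sensitively with no capturing group, while PowerShell cmdlet patterns are matched case-insensitively and must carry one capturing group that yields the file or directory argument. The Python script below is an added example, not FortiDLP code, that runs the page's two example patterns over constructed command-line and script-block records and then applies the "File extensions" filter, so the effect of each convention can be seen before a policy goes live. The record shape, the token-based file lookup for non-cmdlet commands, the bucket name and every sample line are assumptions; real script-block records require the Script Block Logging policy referenced in the table.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Added example (not FortiDLP code): the template's two command regex conventions
# applied to constructed records, followed by the "File extensions" filter.

CALLED_PATH_PATTERNS = [r"aws(\.exe)? +s3 +cp +.*"]      # from the page; case-sensitive
CMDLET_PATTERNS = [r"""^Write-S3Object.*-File (["'][^"']+["']|[^ ]+).*"""]  # from the page; case-insensitive
MONITORED_EXTENSIONS = [".doc", ".xls", ".pdf"]

# Constructed sample records: "command" = a process command line,
# "cmdlet" = a PowerShell script-block log entry. Bucket name is a placeholder.
SAMPLE_EVENTS = [
    {"kind": "command", "text": 'aws s3 cp "C:\\Finance\\q3-forecast.xls" s3://bucket-placeholder/'},
    {"kind": "command", "text": "AWS S3 CP report.pdf s3://bucket-placeholder/"},  # wrong case: not matched
    {"kind": "command", "text": "aws s3 ls s3://bucket-placeholder/"},
    {"kind": "cmdlet", "text": 'Write-S3Object -BucketName bucket-placeholder -File "C:\\HR\\salaries.xls"'},
    {"kind": "cmdlet", "text": "write-s3object -BucketName bucket-placeholder -File notes.txt -Key notes"},
    {"kind": "cmdlet", "text": "Get-S3Object -BucketName bucket-placeholder"},
]

def called_path_unauthorized(command_line: str, patterns: Iterable[str]) -> bool:
    """'Unauthorized called paths': case-sensitive regex search."""
    return any(re.search(p, command_line) for p in patterns)

def cmdlet_file_argument(script_text: str, patterns: Iterable[str]) -> Optional[str]:
    """'Unauthorized PowerShell cmdlets': case-insensitive; the single capturing group
    yields the file or directory name, with surrounding quotes stripped.
    An empty pattern list matches no cmdlet, as the page states."""
    for p in patterns:
        m = re.search(p, script_text, re.IGNORECASE)
        if m and m.lastindex:
            return m.group(1).strip("\"'")
    return None

def extension_of(path: str) -> str:
    name = re.split(r"[\\/]", path)[-1]
    return name.rsplit(".", 1)[1].lower() if "." in name else ""

def has_monitored_extension(path: str, extensions: Iterable[str]) -> bool:
    """Dot optional and case-insensitive, as the page states."""
    return extension_of(path) in {e.lstrip(".").lower() for e in extensions}

def command_file_arguments(command_line: str) -> List[str]:
    """Assumed helper: quoted or bare tokens of a command line."""
    return [t.strip("\"'") for t in re.findall(r'"[^"]*"|\'[^\']*\'|\S+', command_line)]

def evaluate(events, called_paths, cmdlets, extensions) -> List[Tuple[str, str]]:
    """Return (record text, file) pairs that would raise a detection."""
    hits = []
    for ev in events:
        if ev["kind"] == "cmdlet":
            f = cmdlet_file_argument(ev["text"], cmdlets)
            if f and has_monitored_extension(f, extensions):
                hits.append((ev["text"], f))
        elif called_path_unauthorized(ev["text"], called_paths):
            for tok in command_file_arguments(ev["text"]):
                if has_monitored_extension(tok, extensions):
                    hits.append((ev["text"], tok))
                    break
    return hits

if __name__ == "__main__":
    for text, f in evaluate(SAMPLE_EVENTS, CALLED_PATH_PATTERNS, CMDLET_PATTERNS, MONITORED_EXTENSIONS):
        print(f"detection: {f!r} in {text!r}")
```

Two of the six records produce a detection. The upper-case "AWS S3 CP" line is missed because called-path patterns are case-sensitive, which is worth remembering when authoring them for Windows, where the shell is not; the "notes.txt" cmdlet is matched by the regex but dropped by the extension filter.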
Tactic / Technique / Sub-technique
Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
Technique: T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule | Default
Cluster by content | Disabled
Cluster by policy | Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Network share activity

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 8.4.0 or later

Detects when a user performs a network share activity on a sensitive file in an unauthorized application.

Note

Two sets of parameters must be configured to trigger a detection: (1) at least one sensitivity parameter that specifies either a data identifier (content inspection pattern, keyword/keyphrase, or Microsoft sensitivity label), origin, file type, or file size; (2) at least one context parameter that specifies either a process, file path, or user (non-system account).

Note

Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter | Type | Description
Process parameters
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to open sensitive files. Case-insensitive matching is used.
Called paths | Advanced asset list | A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to open sensitive files. An empty list will match all applications. Case-sensitive matching is used.
Application window titles | Advanced asset list | A list of window titles for applications from which users are authorized or unauthorized to open sensitive files. Matches are performed on the window title present when the file is accessed, which may differ from the window title present when the file is displayed. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would match all window titles containing the words "confidential" or "content". Requires Agent 10.0.4+.
File parameters
File paths | Advanced asset list | A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used. Note: Filtering of hostnames and/or share names via this parameter is limited, as this information may not be reported in the file path.
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
Maximum permitted file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions | Advanced asset list | A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
User parameters
Ignore system service accounts | Boolean | A toggle to enable/disable reporting of system service accounts (e.g. NT Authority and root). If enabled, a detection will not be generated if a system service account accesses a file with sensitive content.
File action parameters
Monitor file read | Boolean | The toggle to enable/disable detection of files read on network shares.
Monitor file write | Boolean | The toggle to enable/disable detection of files written on network shares.
Monitor file rename | Boolean | The toggle to enable/disable detection of files renamed on network shares.
Monitor file move | Boolean | The toggle to enable/disable detection of files moved on network shares.
Content inspection parameters
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched.
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection.
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection.
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document.
File origin parameters
SaaS apps | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections | Boolean | The toggle to enable/disable reporting multiple applications opening the same file in a single detection.
Group time window (in seconds) | Integer | The time period over which file activity will be grouped into a single detection.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1048 (Exfiltration Over Alternative Protocol)
attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
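
The "Content inspection match type", "Content inspection match frequency" and narrow/wide breadth rules in the table above are easiest to see on a concrete document. The following is an added illustration, not FortiDLP code: it models a pattern asset as a regex plus its keywords and breadth setting, counts occurrences against the frequency threshold, and folds the per-identifier results with the chosen match type. The sample document, the asset names and the rule that "Match all" with no identifiers configured yields no detection are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class PatternAsset:
    """One 'Content inspection patterns' asset: a regex, the asset's
    keywords/keyphrases, and its breadth setting ('wide' or 'narrow')."""
    pattern: str
    keywords: List[str] = field(default_factory=list)
    breadth: str = "wide"


def pattern_asset_hit(doc: str, asset: PatternAsset, frequency: int) -> bool:
    """A pattern counts as present when it occurs at least `frequency` times
    (the 'Content inspection match frequency'); with narrow breadth at least
    one of the asset's keywords must appear in the document as well."""
    if len(re.findall(asset.pattern, doc)) < frequency:
        return False
    if asset.breadth == "narrow":
        lowered = doc.lower()
        return any(k.lower() in lowered for k in asset.keywords)
    return True


def keyword_hit(doc: str, keyword: str) -> bool:
    """Standalone 'Content inspection keywords' entry: case-insensitive substring."""
    return keyword.lower() in doc.lower()


def combine(hits: List[bool], match_type: str) -> bool:
    """Apply the 'Content inspection match type' to the per-identifier results."""
    if match_type == "Match all":
        return bool(hits) and all(hits)  # assumption: no identifiers configured -> no detection
    if match_type == "Match none":
        return not any(hits)
    if match_type == "Match any":
        return any(hits)
    m = re.fullmatch(r"Match at least ([2-5])", match_type)
    if m:
        return sum(hits) >= int(m.group(1))
    raise ValueError(f"unknown match type: {match_type!r}")


def evaluate(doc: str, file_labels: List[str], pattern_assets: List[PatternAsset],
             keywords: List[str], labels: List[str], match_type: str,
             frequency: int = 1) -> bool:
    """Evaluate every configured data identifier against one document and
    fold the results with the chosen match type. Sensitivity labels are read
    from file metadata, so they are passed in as `file_labels`."""
    hits = [pattern_asset_hit(doc, a, frequency) for a in pattern_assets]
    hits += [keyword_hit(doc, k) for k in keywords]
    hits += [label in file_labels for label in labels]
    return combine(hits, match_type)


# Constructed sample document (not from the FortiDLP docs): the SSN-shaped value
# appears twice, the keyword "confidential" once, and the file carries no label.
SAMPLE_DOC = """Payroll export
Employee: J. Doe, SSN 123-45-6789
Backup copy, SSN 123-45-6789
This file is confidential.
"""
SSN = PatternAsset(pattern=r"[0-9]{3}-[0-9]{2}-[0-9]{4}")


def sample_decisions() -> dict:
    """Worked results for the sample document: three identifiers are configured
    (SSN pattern, keyword 'confidential', label 'Highly Confidential'), of which
    the first two are present."""
    ids = dict(pattern_assets=[SSN], keywords=["confidential"], labels=["Highly Confidential"])
    return {
        "any": evaluate(SAMPLE_DOC, [], match_type="Match any", **ids),
        "all": evaluate(SAMPLE_DOC, [], match_type="Match all", **ids),
        "none": evaluate(SAMPLE_DOC, [], match_type="Match none", **ids),
        "at_least_2": evaluate(SAMPLE_DOC, [], match_type="Match at least 2", **ids),
        "at_least_3": evaluate(SAMPLE_DOC, [], match_type="Match at least 3", **ids),
        # frequency 3: the SSN pattern occurs only twice, so it no longer counts
        "freq_3": evaluate(SAMPLE_DOC, [], match_type="Match any", frequency=3,
                           pattern_assets=[SSN], keywords=[], labels=[]),
    }


if __name__ == "__main__":
    for name, decision in sample_decisions().items():
        print(f"{name:>10}: {'detection' if decision else 'no detection'}")
```

The practical point the sample makes is that "Match all" silently requires every identifier, including a sensitivity label the file may never carry, so a policy that mixes labels with patterns usually wants "Match any" or "Match at least N"; and raising the match frequency is what turns a single incidental SSN-shaped string into a non-event.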

Sensitive file opened

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user opens a sensitive file in an unauthorized application.

Note

Two sets of parameters must be configured to trigger a detection: (1) at least one sensitivity parameter that specifies either a data identifier (content inspection pattern, keyword/keyphrase, or Microsoft sensitivity label), origin, file type, or file size; (2) at least one context parameter that specifies either a process, file path, or user (non-system account).

Note

Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to open sensitive files. Case-insensitive matching is used.
Called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to open sensitive files. An empty list will match all applications. Case-sensitive matching is used.
Application window titles (Windows and macOS only) Advanced asset list A list of window titles for applications from which users are authorized or unauthorized to open sensitive files. Matches are performed on the window title present when the file is accessed, which may differ from the window title present when the file is displayed. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would match all window titles containing the words "confidential" or "content". Requires Agent 10.0.4+.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
(Deprecated) Only monitor network shares Boolean The toggle to enable/disable only monitoring files on a network share. If disabled, network files along with local files will be monitored. Note: This parameter has been deprecated and will be removed from this template in the future. Please use the "Network share activity" policy template instead.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
User parameters
Ignore system service accounts Boolean The toggle to enable/disable reporting of system service accounts (e.g. NT Authority and root). If enabled, a detection will not be generated when a system service account accesses a file with sensitive content.
File action parameters
Monitor files opened for reading Boolean The toggle to enable/disable detection of files opened for read.
Monitor files opened for writing Boolean The toggle to enable/disable detection of files opened for write.
Monitor file rename Boolean The toggle to enable/disable detection of files renamed.
Monitor file move Boolean The toggle to enable/disable detection of files moved.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections Boolean The toggle to enable/disable reporting multiple applications opening the same file in a single detection.
Group time window (in seconds) Integer The time period over which file activity will be grouped into a single detection.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1048 (Exfiltration Over Alternative Protocol)
attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
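
The "File paths", "File types" and "URL patterns" parameters of the Sensitive file opened template above all use the same two wildcards: a single asterisk that stays within one segment and a double asterisk that spans whole segments. The matcher below is an added example written for this page, not FortiDLP's implementation, and it implements the semantics exactly as the table states them, with two assumptions of its own: backslash and forward slash are both accepted as path separators, and a URL is presented with its scheme, as a browser reports it. Function names and the sample paths and URLs are constructed.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


def _segment_matches(pat: str, seg: str) -> bool:
    """Match a single segment: each '*' stands for any run of characters
    (it cannot cross a separator, because segments are split beforehand);
    everything else is literal. Case-insensitive, as the tables state."""
    regex = ".*".join(re.escape(part) for part in pat.split("*"))
    return re.fullmatch(regex, seg, re.IGNORECASE) is not None


def _segments_match(pats: List[str], segs: List[str]) -> bool:
    """Match a whole segment list; a '**' segment consumes zero or more segments."""
    if not pats:
        return not segs
    head, rest = pats[0], pats[1:]
    if head == "**":
        return any(_segments_match(rest, segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and _segment_matches(head, segs[0]) and _segments_match(rest, segs[1:])


def _split(text: str, separators: str) -> List[str]:
    """Split on a separator character class and drop empty segments."""
    return [s for s in re.split(separators, text) if s]


def path_matches(pattern: str, path: str) -> bool:
    """'File paths' glob rule, e.g. C:\\Users\\**\\Shared\\** or **\\*.pdf.
    Assumption beyond the page: '\\' and '/' are both accepted as separators."""
    return _segments_match(_split(pattern, r"[\\/]"), _split(path, r"[\\/]"))


def mime_matches(pattern: str, mime_type: str) -> bool:
    """'File types' rule: a trailing '*' covers every type sharing the prefix."""
    return _segment_matches(pattern, mime_type)


def _parse_url_pattern(pattern: str) -> Tuple[Optional[str], str, Optional[str],
                                              Optional[str], Optional[str]]:
    """Split a URL pattern into (scheme, host, path, query, fragment).
    Components the pattern omits are returned as None and match anything."""
    scheme = path = query = fragment = None
    rest = pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
    if "?" in rest:
        rest, query = rest.split("?", 1)
    if "/" in rest:
        host, path = rest.split("/", 1)
    else:
        host = rest
    return scheme, host, path, query, fragment


def url_matches(pattern: str, url: str) -> bool:
    """'URL patterns' rule: host segments split on '.', path segments on '/'.
    The URL is expected with its scheme (assumption; urlsplit needs it)."""
    scheme, host, path, query, fragment = _parse_url_pattern(pattern)
    parts = urlsplit(url)
    if scheme is not None and not _segment_matches(scheme, parts.scheme):
        return False
    if not _segments_match(_split(host, r"\."), _split(parts.hostname or "", r"\.")):
        return False
    if path is not None and not _segments_match(_split(path, r"/"), _split(parts.path, r"/")):
        return False
    if query is not None and not _segment_matches(query, parts.query):
        return False
    if fragment is not None and not _segment_matches(fragment, parts.fragment):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample inputs (not from the FortiDLP docs)
    print(path_matches(r"C:\Users\**\Shared\**", r"C:\Users\jdoe\Shared\q1\plan.docx"))
    print(path_matches(r"**\*.pdf", "/home/jdoe/Downloads/report.PDF"))
    print(mime_matches("application/dns*", "application/dns-message"))
    print(url_matches("**.example.com/**/download*",
                      "https://docs.example.com/files/2024/download.zip"))
    print(url_matches("**.example.com/**/download*",
                      "https://docs.example.com/downloads/file.pdf"))
```

Two consequences of the stated semantics are worth checking before deploying a policy: because `**` matches zero segments, `**.example.com` also matches the apex `example.com`, and `*.example.com` matches exactly one label, so `a.b.example.com` is not covered; and `**/download*` constrains only the final path segment, so `/downloads/file.pdf` is not a match even though a `download` segment appears earlier.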

Sensitive file renamed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 11.3.0 or later

Detects when a user renames a sensitive file.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to rename sensitive files. Case-insensitive matching is used.
Called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to rename sensitive files. An empty list will match all applications. Case-sensitive matching is used.
Source file parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" instead of the file extension ".pdf".
Target file parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" instead of the file extension ".pdf".
File parameters
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message).
File action parameters
Monitor file rename Boolean The toggle to enable/disable detection of files renamed.
Monitor file move Boolean The toggle to enable/disable detection of files moved.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download".
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Shared folder access exceeded

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows, Agent version 4.1.0 or later

Detects when a user accesses an excessive number of folders in a file share within a given time period.

Note

Subsequent detections and actions for the same process and user will not be generated until at least ten minutes after the first detection.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to have unlimited access to shared folders. Case-insensitive matching is used.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
User parameters
Usernames Advanced asset list A list of usernames authorized or unauthorized to have unlimited access to shared folders. Case-insensitive matching is used.
User security identifiers (SID) Advanced asset list A list of user security identifiers (SID) authorized or unauthorized to have unlimited access to shared folders. Full regular expression (regex) grammar is supported, and case-insensitive matching is used.
Access parameters
Time window (in seconds) Integer The number of seconds during which the maximum folder count applies.
Maximum permitted folder access Integer The maximum number of folders that can be accessed during the specified time window.
Tactic Technique Sub-technique
T1039 (Data from Network Shared Drive)
attack.mitre.org/techniques/T1039/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
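
The Shared folder access exceeded template counts distinct folders per process and user over a sliding time window and then suppresses repeats for ten minutes. The detector below is an added example for this page, not FortiDLP's engine: it keeps a per-(user, binary) deque of recent folder accesses, raises when the number of distinct folders inside the window exceeds the configured maximum, honours the ten-minute suppression stated in the note above, and skips binaries authorized for unlimited access. The event stream, user names and share paths are constructed.

```python
import ntpath
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class FileEvent:
    ts: float      # seconds since an arbitrary epoch
    user: str
    binary: str    # image name of the accessing process
    path: str      # UNC path of the file on the share


SUPPRESS_SECONDS = 600   # "at least ten minutes after the first detection" (from the page)


class SharedFolderAccessDetector:
    """Sliding-window count of distinct folders touched per (user, binary)."""

    def __init__(self, window_seconds: int, max_folders: int,
                 unlimited_binaries: Set[str] = frozenset()):
        self.window = window_seconds          # 'Time window (in seconds)'
        self.max_folders = max_folders        # 'Maximum permitted folder access'
        self.unlimited = {b.lower() for b in unlimited_binaries}   # 'Binary names' with unlimited access
        self._recent: Dict[Tuple[str, str], Deque[Tuple[float, str]]] = defaultdict(deque)
        self._last_detection: Dict[Tuple[str, str], float] = {}

    def observe(self, ev: FileEvent) -> bool:
        """Feed one event in time order; returns True when a detection is raised."""
        if ev.binary.lower() in self.unlimited:
            return False
        key = (ev.user.lower(), ev.binary.lower())
        folder = ntpath.dirname(ev.path).lower()   # count folders, not files
        recent = self._recent[key]
        recent.append((ev.ts, folder))
        while recent and ev.ts - recent[0][0] > self.window:   # expire accesses outside the window
            recent.popleft()
        distinct = {f for _, f in recent}
        if len(distinct) <= self.max_folders:
            return False
        last = self._last_detection.get(key)
        if last is not None and ev.ts - last < SUPPRESS_SECONDS:
            return False     # same process and user: suppressed for ten minutes
        self._last_detection[key] = ev.ts
        return True


def detections_for(events: List[FileEvent], window: int, max_folders: int,
                   unlimited_binaries: Set[str] = frozenset()) -> List[Tuple[float, str, str]]:
    """Run the detector over an event list and return (ts, user, binary) per detection."""
    det = SharedFolderAccessDetector(window, max_folders, unlimited_binaries)
    return [(ev.ts, ev.user, ev.binary)
            for ev in sorted(events, key=lambda e: e.ts) if det.observe(ev)]


def sample_events() -> List[FileEvent]:
    """Constructed event stream (not from the FortiDLP docs)."""
    events = []
    # jdoe walks seven different finance folders in 30 seconds
    for i in range(7):
        events.append(FileEvent(5.0 * i, "jdoe", "explorer.exe",
                                rf"\\fileserver\finance\dept{i}\budget.xlsx"))
    # asmith opens six files in one folder: still one folder, however many files
    for i in range(6):
        events.append(FileEvent(5.0 * i, "asmith", "excel.exe",
                                rf"\\fileserver\finance\dept0\sheet{i}.xlsx"))
    # the backup agent walks everything but is authorized for unlimited access
    for i in range(10):
        events.append(FileEvent(1.0 * i, "SYSTEM", "backupagent.exe",
                                rf"\\fileserver\finance\dept{i}\budget.xlsx"))
    return events


if __name__ == "__main__":
    for ts, user, binary in detections_for(sample_events(), 60, 5, {"backupagent.exe"}):
        print(f"t={ts:>5}: {user} via {binary} exceeded the folder limit")
```

With a 60-second window and a maximum of 5 folders, only the sixth distinct folder opened by jdoe raises a detection; the seventh is suppressed, asmith's six files in one folder never exceed the count, and the backup agent is excluded by the binary allow-list rather than by tuning the threshold upward for everyone.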

Unauthorized folder or file accessed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user opens, renames, or deletes a file that is in an unauthorized folder, has an unauthorized extension/type, or both.

Note

Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) to authorize or unauthorize access to the folder. Case-insensitive matching is used.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Confidential\** would match all files in the Confidential folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions (e.g. .doc, .docx, .pdf) that users are not authorized to access. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
File action parameters
Monitor file open for read Boolean The toggle to enable/disable detection of files opened for read.
Monitor file open for write Boolean The toggle to enable/disable detection of files opened for write.
Monitor file rename Boolean The toggle to enable/disable detection of files renamed.
Monitor file move Boolean The toggle to enable/disable detection of files moved.
Monitor file delete Boolean The toggle to enable/disable detection of files deleted.
Tactic Technique Sub-technique
T1083 (File and Directory Discovery)
attack.mitre.org/techniques/T1083/
T1565 (Data Manipulation)
attack.mitre.org/techniques/T1565/
T1565.001 (Stored Data Manipulation)
attack.mitre.org/techniques/T1565/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Detection parameters
Group detections Boolean The toggle to enable/disable reporting multiple applications opening the same encrypted file in a single detection. Agent 7.7.7+ required.
Group time window (in seconds) Integer The time period over which file activity will be grouped into a single detection.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/
T1027 (Obfuscated Files or Information)
attack.mitre.org/techniques/T1027/
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1048 (Exfiltration Over Alternative Protocol)
attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled
Cluster by file extension Disabled
Cluster by filename Disabled
Cluster by file path Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process, Make shadow copy

Encrypted file uploaded or downloaded using unauthorized command

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user uploads or downloads an encrypted or password-protected file by using an unauthorized command.

Parameter Type Description
Command parameters
Unauthorized called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. aws(\.exe)? +s3 +cp +.*) unauthorized to upload or download sensitive files. Case-sensitive matching is used.
Unauthorized PowerShell cmdlets Advanced asset list A list of regular expressions matching unauthorized cmdlets. A single capturing group is required to match the file or directory name (e.g. ^Write-S3Object.*-File (["'][^"']+["']|[^ ]+).*). Case-insensitive matching is used. An empty list will not match any cmdlet. Note: The Windows "PowerShell Script Block Logging" group policy must be enabled. For details, go to https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used.
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File action parameters
Monitor file uploads Boolean The toggle to enable/disable monitoring of files uploaded from the command line.
Monitor file downloads Boolean The toggle to enable/disable monitoring of files downloaded from the command line.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/
T1027 (Obfuscated Files or Information)
attack.mitre.org/techniques/T1027/
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by policy Disabled
Cluster by file extension Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

File opened outside user directory

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a file of a specified type is opened outside a directory deemed a user directory (e.g. C:\Users on Windows).

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to open files outside the user directory. Case-insensitive matching is used.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\**\Confidential\** would match all files in the Confidential folder). Case-insensitive matching is used.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions (e.g. .doc, .docx, .pdf) to watch for if opened outside expected folders. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Tactic Technique Sub-technique

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

File uploaded or downloaded using unauthorized command

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user uploads or downloads a sensitive file by using an unauthorized command.

Note

Subsequent detections and actions for the same file will not be generated until at least 20 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Command parameters
Unauthorized called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. aws(\.exe)? +s3 +cp +.*) unauthorized to upload or download sensitive files. Case-sensitive matching is used.
Unauthorized PowerShell cmdlets Advanced asset list A list of regular expressions matching unauthorized cmdlets. A single capturing group is required to match the file or directory name (e.g. ^Write-S3Object.*-File (["'][^"']+["']|[^ ]+).*). Case-insensitive matching is used. An empty list will not match any cmdlet. Note: The Windows "PowerShell Script Block Logging" group policy must be enabled. For details, go to https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1#enabling-script-block-logging.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
File action parameters
Monitor file uploads Boolean The toggle to enable/disable monitoring of files uploaded from the command line.
Monitor file downloads Boolean The toggle to enable/disable monitoring of files downloaded from the command line.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
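The two "Command parameters" above differ in a way that matters when building the asset lists: called paths are matched case-sensitively against the full command line, while PowerShell cmdlet patterns are matched case-insensitively and must contain exactly one capturing group, which is what identifies the file being transferred. The following added example (not FortiDLP code; a Python model of the documented matching rules) applies the two regexes quoted in the template to constructed command lines. It assumes the called-path regex is applied as an unanchored search (the cmdlet example in the template anchors with ^ explicitly) and that the captured file name is used with surrounding quotes removed.

```python
import re
from typing import Optional, Sequence

# Sample asset lists, constructed for this example; the two regexes are the
# ones quoted in the "Unauthorized called paths" and "Unauthorized PowerShell
# cmdlets" parameter descriptions.
UNAUTHORIZED_CALLED_PATHS = [r"aws(\.exe)? +s3 +cp +.*"]
UNAUTHORIZED_CMDLETS = [r"""^Write-S3Object.*-File (["'][^"']+["']|[^ ]+).*"""]


def compile_called_paths(patterns: Sequence[str]) -> list:
    # Called paths are matched case-sensitively, so no re.IGNORECASE here.
    return [re.compile(p) for p in patterns]


def compile_cmdlets(patterns: Sequence[str]) -> list:
    # Cmdlet patterns are matched case-insensitively and must carry exactly one
    # capturing group: that group is what identifies the file or directory.
    compiled = []
    for p in patterns:
        rx = re.compile(p, re.IGNORECASE)
        if rx.groups != 1:
            raise ValueError(f"cmdlet pattern needs exactly one capturing group: {p}")
        compiled.append(rx)
    return compiled


def called_path_unauthorized(command_line: str,
                             patterns: Sequence[str] = UNAUTHORIZED_CALLED_PATHS) -> bool:
    # Assumption: the pattern is applied as an unanchored search over the
    # command line recorded for the process.
    return any(rx.search(command_line) for rx in compile_called_paths(patterns))


def cmdlet_file_argument(script_line: str,
                         patterns: Sequence[str] = UNAUTHORIZED_CMDLETS) -> Optional[str]:
    # Returns the file or directory named in the cmdlet's -File argument (quotes
    # stripped), or None when no unauthorized cmdlet pattern matches the line.
    for rx in compile_cmdlets(patterns):
        m = rx.search(script_line)
        if m:
            return m.group(1).strip("\"'")
    return None


if __name__ == "__main__":
    # Constructed command lines, as the agent would see them.
    print(called_path_unauthorized(
        r"C:\Program Files\Amazon\AWSCLIV2\aws.exe s3 cp C:\Finance\q3.zip s3://exfil-bucket/"))  # True
    print(called_path_unauthorized("AWS S3 CP C:\\Finance\\q3.zip s3://exfil-bucket/"))  # False, case-sensitive
    print(called_path_unauthorized("aws s3 sync C:\\Finance s3://exfil-bucket/"))  # False, pattern covers cp only
    print(cmdlet_file_argument(
        'Write-S3Object -BucketName exfil -File "C:\\My Docs\\secret.zip" -Key s.zip'))  # C:\My Docs\secret.zip
```

Two practical consequences follow from the model: the quoted called-path regex only covers aws s3 cp, so aws s3 sync or aws s3 mv need their own entries; and because called-path matching is case-sensitive, a binary invoked with different casing will not match a lowercase-only pattern, so cover the casings the platform can produce.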
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1048 (Exfiltration Over Alternative Protocol)
attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Network share activity

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 8.4.0 or later

Detects when a user performs a network share activity on a sensitive file in an unauthorized application.

Note

Two sets of parameters must be configured to trigger a detection: (1) at least one sensitivity parameter that specifies either a data identifier (content inspection pattern, keyword/keyphrase, or Microsoft sensitivity label), origin, file type, or file size; (2) at least one context parameter that specifies either a process, file path, or user (non-system account).

Note

Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to open sensitive files. Case-insensitive matching is used.
Called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to open sensitive files. An empty list will match all applications. Case-sensitive matching is used.
Application window titles Advanced asset list A list of window titles for applications from which users are authorized or unauthorized to open sensitive files. Matches are performed on the window title present when the file is accessed, which may differ from the window title present when the file is displayed. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would match all window titles containing the words "confidential" or "content". Requires Agent 10.0.4+.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used. Note: Filtering of hostnames and/or share names via this parameter is limited, as this information may not be reported in the file path.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
User parameters
Ignore system service accounts Boolean A toggle to enable/disable reporting on system service accounts (e.g. NT Authority and root). If enabled, a detection will not be generated when a system service account accesses a file with sensitive content.
File action parameters
Monitor file read Boolean The toggle to enable/disable detection of files read on network shares.
Monitor file write Boolean The toggle to enable/disable detection of files written on network shares.
Monitor file rename Boolean The toggle to enable/disable detection of files renamed on network shares.
Monitor file move Boolean The toggle to enable/disable detection of files moved on network shares.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections Boolean The toggle to enable/disable reporting multiple applications opening the same file in a single detection.
Group time window (in seconds) Integer The time period over which file activity will be grouped into a single detection.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1048 (Exfiltration Over Alternative Protocol)
attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Sensitive file opened

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user opens a sensitive file in an unauthorized application.

Note

Two sets of parameters must be configured to trigger a detection: (1) at least one sensitivity parameter that specifies either a data identifier (content inspection pattern, keyword/keyphrase, or Microsoft sensitivity label), origin, file type, or file size; (2) at least one context parameter that specifies either a process, file path, or user (non-system account).

Note

Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to open sensitive files. Case-insensitive matching is used.
Called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to open sensitive files. An empty list will match all applications. Case-sensitive matching is used.
Application window titles (Windows and macOS only) Advanced asset list A list of window titles for applications from which users are authorized or unauthorized to open sensitive files. Matches are performed on the window title present when the file is accessed, which may differ from the window title present when the file is displayed. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would match all window titles containing the words "confidential" or "content". Requires Agent 10.0.4+.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
(Deprecated) Only monitor network shares Boolean The toggle to enable/disable only monitoring files on a network share. If disabled, network files along with local files will be monitored. Note: This parameter has been deprecated and will be removed from this template in the future. Please use the "Network share activity" policy template instead.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
User parameters
Ignore system service accounts Boolean A toggle to enable/disable reporting on system service accounts (e.g. NT Authority and root). If enabled, a detection will not be generated when a system service account accesses a file with sensitive content.
File action parameters
Monitor files opened for reading Boolean The toggle to enable/disable detection of files opened for read.
Monitor files opened for writing Boolean The toggle to enable/disable detection of files opened for write.
Monitor file rename Boolean The toggle to enable/disable detection of files renamed.
Monitor file move Boolean The toggle to enable/disable detection of files moved.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections Boolean The toggle to enable/disable reporting multiple applications opening the same file in a single detection.
Group time window (in seconds) Integer The time period over which file activity will be grouped into a single detection.
Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
Technique: T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Sensitive file renamed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 11.3.0 or later

Detects when a user renames a sensitive file.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to rename sensitive files. Case-insensitive matching is used.
Called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. .*chrome\.exe) authorized or unauthorized to rename sensitive files. An empty list will match all applications. Case-sensitive matching is used.
Source file parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" instead of the file extension ".pdf".
Target file parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" instead of the file extension ".pdf".
File parameters
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message).
File action parameters
Monitor file rename Boolean The toggle to enable/disable detection of files renamed.
Monitor file move Boolean The toggle to enable/disable detection of files moved.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download".
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
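Before committing a File paths, File types or URL patterns value, it helps to see exactly which inputs the wildcard rules described above will and will not match. The following Python reference matcher is an added worked example, not FortiDLP code: it implements the single-asterisk (within a segment) and double-asterisk (whole segments) semantics from the parameter descriptions in this template (and the same parameters in the other templates on this page). How the product treats URL userinfo, ports and path case is not stated on the page, so those choices are assumptions marked in the code.

```python
import re


def _glob_to_regex(pattern: str, seps: str) -> str:
    """Translate the page's glob dialect into an anchored regular expression.

    '*'  matches zero or more characters within one segment (never a separator).
    '**' followed by a separator matches zero or more whole segments; a trailing
         or bare '**' matches whatever remains.
    The ^...$ anchors are what stop '**.example.com' from also matching
    'example.com.evil.net'.
    """
    sep = re.escape(seps)
    one_seg = f"[^{sep}]*" if seps else ".*"
    out, i, n = [], 0, len(pattern)
    while i < n:
        if pattern.startswith("**", i):
            if seps and i + 2 < n and pattern[i + 2] in seps:
                out.append(f"(?:{one_seg}[{sep}])*")
                i += 3
            else:
                out.append(".*")
                i += 2
        elif pattern[i] == "*":
            out.append(one_seg)
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def path_matches(pattern: str, path: str) -> bool:
    """File paths parameter: '\\' and '/' delimit segments, matching is case-insensitive."""
    return re.match(_glob_to_regex(pattern, "\\/"), path, re.IGNORECASE) is not None


def mime_matches(pattern: str, mime_type: str) -> bool:
    """File types parameter: '*' matches everything after the given prefix."""
    return re.match(_glob_to_regex(pattern, ""), mime_type, re.IGNORECASE) is not None


def _split_url(s: str):
    """Return (scheme, host, path, query, fragment); a part that is absent is None."""
    scheme = None
    if "://" in s:
        scheme, s = s.split("://", 1)
    host, rest = re.match(r"([^/?#]*)(.*)", s, re.DOTALL).groups()
    path = query = fragment = None
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
    if "?" in rest:
        rest, query = rest.split("?", 1)
    if rest:
        path = rest
    return scheme, host, path, query, fragment


def url_matches(pattern: str, url: str) -> bool:
    """URL patterns parameter: an omitted scheme/path/query/fragment matches anything."""
    p_scheme, p_host, p_path, p_query, p_frag = _split_url(pattern)
    u_scheme, u_host, u_path, u_query, u_frag = _split_url(url)
    # Assumption: userinfo and port are not part of the documented grammar, so
    # they are dropped from the URL before the host is compared.
    u_host = u_host.rsplit("@", 1)[-1].split(":", 1)[0]
    checks = (
        (p_scheme, u_scheme or "", "", re.IGNORECASE),   # scheme: literal, no wildcards needed
        (p_host, u_host, ".", re.IGNORECASE),            # '.' delimits domain labels
        (p_path, u_path or "/", "/", 0),                 # '/' delimits path segments (case kept: assumption)
        (p_query, u_query or "", "", 0),
        (p_frag, u_frag or "", "", 0),
    )
    for pat, value, seps, flags in checks:
        if pat is None:
            continue                                     # omitted in the pattern: matches anything
        if re.match(_glob_to_regex(pat, seps), value, flags) is None:
            return False
    return True
```

Run the page's own examples through it: `path_matches(r"**\*.pdf", r"C:\Users\bob\invoice.PDF")` is true while `...\invoice.pdf.exe` is not, `mime_matches("application/dns*", "application/dns-message")` is true, and `url_matches("**.example.com/**/download*", ...)` accepts `https://files.example.com/reports/download-2024.zip` but rejects `https://example.com.evil.net/download`, because the host glob is anchored to the whole host rather than searched within it.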

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
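The interaction between the content inspection parameters of this template (patterns with narrow or wide breadth, keywords, Microsoft sensitivity labels, match type and match frequency) is easiest to reason about as a small decision function. The Python below is an added worked example, not FortiDLP's inspection engine: it uses the page's US social security number pattern, and the card-number pattern, the sample documents and the way sensitivity labels are read from a document are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    text: str
    labels: tuple = ()      # Microsoft sensitivity labels read from file metadata (assumed)


@dataclass(frozen=True)
class DataIdentifier:
    """One data identifier as the match type parameter sees it.

    kind == "pattern": `value` is a content inspection regex; `keywords` are the
                       asset's keywords/keyphrases and `breadth` is "narrow"
                       (pattern AND a keyword) or "wide" (pattern alone).
    kind == "keyword": `value` is a standalone keyword/keyphrase.
    kind == "label":   `value` is a Microsoft sensitivity label name.
    """
    name: str
    kind: str
    value: str
    keywords: tuple = ()
    breadth: str = "wide"


def identifier_present(ident: DataIdentifier, doc: Document, min_frequency: int = 1) -> bool:
    """Decide whether one identifier counts as present in the document."""
    if ident.kind == "label":
        return ident.value in doc.labels
    if ident.kind == "keyword":
        return re.search(re.escape(ident.value), doc.text, re.IGNORECASE) is not None
    # Match frequency applies per pattern: fewer hits than the minimum is not a match.
    if len(re.findall(ident.value, doc.text)) < min_frequency:
        return False
    if ident.breadth == "narrow" and ident.keywords:
        # Narrow breadth: the pattern alone is not enough, one of the keywords must appear too.
        return any(re.search(re.escape(k), doc.text, re.IGNORECASE) for k in ident.keywords)
    return True


def evaluate(identifiers, doc: Document, match_type: str,
             min_frequency: int = 1, at_least: int = 2) -> bool:
    """Apply the content inspection match type over the chosen identifiers."""
    hits = sum(identifier_present(i, doc, min_frequency) for i in identifiers)
    if match_type == "all":
        return hits == len(identifiers)
    if match_type == "none":
        return hits == 0
    if match_type == "any":
        return hits >= 1
    if match_type == "at_least":
        if not 2 <= at_least <= 5:
            raise ValueError("Match at least [N] only accepts N in 2..5")
        return hits >= at_least
    raise ValueError(f"unknown match type {match_type!r}")


# Identifiers: the SSN pattern is the page's example; the rest are constructed.
SSN = DataIdentifier("US SSN", "pattern", r"[0-9]{3}-[0-9]{2}-[0-9]{4}",
                     keywords=("SSN", "social security"), breadth="narrow")
CARD = DataIdentifier("16-digit card number", "pattern", r"\b[0-9]{16}\b")
LABEL = DataIdentifier("Confidential label", "label", "Confidential")
ROSTER = DataIdentifier("Roster keyword", "keyword", "employee roster")

# Constructed sample documents, not real files.
HR_DOC = Document(
    text="Employee roster (CONFIDENTIAL)\nJane Doe  SSN 123-45-6789\nJohn Roe  SSN 987-65-4321\n",
    labels=("Confidential",),
)
PARTS_DOC = Document(text="Reorder part 123-45-6789 before Friday\n")
```

The narrow-breadth SSN identifier is the point of the example: PARTS_DOC contains a string shaped like a social security number but no accompanying keyword, so it is not counted, whereas the same pattern with wide breadth would be. Raising the match frequency to 3 removes HR_DOC's two SSNs from the count, which in turn flips "Match at least 2" from a detection to none.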

Shared folder access exceeded

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows, Agent version 4.1.0 or later

Detects when a user accesses an excessive number of folders in a file share within a given time period.

Note

Subsequent detections and actions for the same process and user will not be generated until at least ten minutes after the first detection.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to have unlimited access to shared folders. Case-insensitive matching is used.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
User parameters
Usernames Advanced asset list A list of usernames authorized or unauthorized to have unlimited access to shared folders. Case-insensitive matching is used.
User security identifiers (SID) Advanced asset list A list of user security identifiers (SID) authorized or unauthorized to have unlimited access to shared folders. Full regular expression (regex) grammar is supported, and case-insensitive matching is used.
Access parameters
Time window (in seconds) Integer The number of seconds during which the maximum folder count applies.
Maximum permitted folder access Integer The maximum number of folders that can be accessed during the specified time window.
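To tune the Time window and Maximum permitted folder access values against real share activity, it helps to replay access events through the same logic. The Python below is an added worked example of that sliding-window check, not FortiDLP's implementation: it honours the authorized Binary names and Usernames lists and the ten-minute suppression per process and user from the note above, while counting distinct folders and firing on exceeding (not reaching) the maximum are assumptions the page does not spell out. The events are constructed, not real agent telemetry.

```python
from collections import defaultdict, deque
from pathlib import PureWindowsPath


def folder_of(path: str) -> str:
    """Folder containing the accessed file, lower-cased for case-insensitive counting."""
    return str(PureWindowsPath(path).parent).lower()


def detect_excessive_folder_access(events, time_window, max_folders,
                                   authorized_binaries=(), authorized_users=(),
                                   suppress_seconds=600):
    """Sliding-window version of the template's Access parameters.

    events: (timestamp_seconds, username, binary_name, file_path), sorted by time.
    A detection is raised for a (user, binary) pair once the number of distinct
    folders it touched inside `time_window` seconds exceeds `max_folders`.
    Returns a list of (timestamp, username, binary_name, distinct_folder_count).
    """
    skip_bins = {b.lower() for b in authorized_binaries}
    skip_users = {u.lower() for u in authorized_users}
    recent = defaultdict(deque)   # (user, binary) -> deque of (timestamp, folder)
    last_fired = {}               # (user, binary) -> timestamp of last detection
    detections = []
    for ts, user, binary, path in events:
        key = (user.lower(), binary.lower())
        if key[1] in skip_bins or key[0] in skip_users:
            continue                                 # authorized: unlimited access
        window = recent[key]
        window.append((ts, folder_of(path)))
        while ts - window[0][0] > time_window:       # drop accesses outside the window
            window.popleft()
        distinct = len({folder for _, folder in window})
        if distinct <= max_folders:
            continue
        # Ten-minute suppression per process and user, as the template's note describes.
        if key in last_fired and ts - last_fired[key] < suppress_seconds:
            continue
        last_fired[key] = ts
        detections.append((ts, user, binary, distinct))
    return detections


def sample_events():
    """Constructed sample telemetry (not real agent output)."""
    ev = []
    for i, folder in enumerate(("Finance", "HR", "Legal")):        # normal browsing
        ev.append((10 + 3 * i, "CORP\\alice", "explorer.exe",
                   rf"\\fs01\share\{folder}\notes.docx"))
    for base, start in ((100, 0), (200, 20), (800, 40)):            # three 12-folder sweeps
        for i in range(12):
            ev.append((base + 2 * i, "CORP\\mallory", "backup-tool.exe",
                       rf"\\fs01\share\dept{start + i:02d}\data.xlsx"))
    return sorted(ev)
```

With a 60-second window and a maximum of 10 folders, alice's three folders never trigger, mallory's first sweep fires at the eleventh distinct folder, the second sweep a minute and a half later is swallowed by the ten-minute suppression, and the third sweep fires again. Adding backup-tool.exe to the authorized Binary names removes all three, which is the trade-off to weigh before exempting backup or sync tools.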
Technique: T1039 (Data from Network Shared Drive), attack.mitre.org/techniques/T1039/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized folder or file accessed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user opens, renames, or deletes a file that is in an unauthorized folder and/or has an unauthorized extension or type.

Note

Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. chrome.exe) authorized or unauthorized to access the folder. Case-insensitive matching is used.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Confidential\** would match all files in the Confidential folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions (e.g. .doc, .docx, .pdf) that users are not authorized to access. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
File action parameters
Monitor file open for read Boolean The toggle to enable/disable detection of files opened for read.
Monitor file open for write Boolean The toggle to enable/disable detection of files opened for write.
Monitor file rename Boolean The toggle to enable/disable detection of files renamed.
Monitor file move Boolean The toggle to enable/disable detection of files moved.
Monitor file delete Boolean The toggle to enable/disable detection of files deleted.
Technique: T1083 (File and Directory Discovery), attack.mitre.org/techniques/T1083/
Technique: T1565 (Data Manipulation), attack.mitre.org/techniques/T1565/
Sub-technique: T1565.001 (Stored Data Manipulation), attack.mitre.org/techniques/T1565/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process