Keystroke analytics templates

Templates for building policies based on user keystrokes.

Note

To use this functionality, you must enable keystroke monitoring for Agents. For details, refer to the FortiDLP Administration Guide.

New user typed on node

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 5.1.0 or later

Detects when a user's typing pattern deviates from the norm, indicating a different person is typing.

Note

To use this functionality, you must enable keystroke monitoring for Agents.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule: Default
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Potential keystroke injection attack detected

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 5.1.0 or later

Detects a non-human typing pattern, indicating a keystroke injection attack.

Note

To use this functionality, you must enable keystroke monitoring for Agents.

MITRE ATT&CK indicators (Tactic / Technique / Sub-technique)
Technique: T1119 (Automated Collection), attack.mitre.org/techniques/T1119/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule: Default
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized keyboard shortcut used

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 7.1.2 or later

Detects when a user presses an unauthorized keyboard shortcut.

Note

To monitor a "Function" key on Windows, select one of the "F1-F12" keys in the "Prohibited key" parameter with no "Modifiers". To monitor a "Function" key on macOS, select one of the "F1-F12" keys in the "Prohibited key" parameter together with the "Fn" modifier. All configured parameters must match for a detection to be generated.

Note

To use this functionality, you must enable keystroke monitoring for Agents.

Note

Subsequent detections and actions for the same process will not be generated until at least 10 seconds after the first detection/action.

Parameters (name, type, description)

Process parameters
Binary names (Advanced asset list): A list of binary names (e.g. chrome.exe) where the keyboard shortcut is authorized or unauthorized. Case-insensitive matching is used.
Application window titles (Advanced asset list): A list of window titles for applications where the keyboard shortcut is authorized or unauthorized. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would match all window titles containing the words "confidential" or "content".

Keyboard shortcut parameters
Unauthorized key (String): Key in the keyboard shortcut.
Modifiers (String list): A list of modifiers for "Unauthorized key" in the keyboard shortcut.

Operating system parameters
Monitor key shortcut on Windows (Boolean): A toggle to enable/disable monitoring the specified keyboard shortcut on Windows platforms.
Monitor key shortcut on MacOS (Boolean): A toggle to enable/disable monitoring the specified keyboard shortcut on MacOS platforms.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule: Default
Cluster by policy: Disabled
Cluster by content: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized text typed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 8.4.0 or later

Detects when a user types an unauthorized keyword.

Note

All configured parameters must match for a detection to be generated.

Note

To use this functionality, you must enable keystroke monitoring for Agents.

Parameters (name, type, description)

Content inspection parameters
Unauthorized text patterns (Advanced asset list): A list of text patterns a user is unauthorized to type. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo.
Unauthorized keywords (Advanced asset list): A list of keywords a user is unauthorized to type. Case-insensitive matching is used. Note: A detection will not be generated if a user mistypes and corrects a keyword.
Match type (String): The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
Match frequency (Integer): The minimum number of times each keyword or text pattern must be typed.

Process parameters
Application window titles (Advanced asset list): A list of window titles for applications where prohibited text is authorized or unauthorized to be typed. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would match all window titles containing the words "confidential" or "content".
Binary names (Advanced asset list): A list of binary names (e.g. chrome.exe) where users are authorized or unauthorized to type unauthorized keywords. Case-insensitive matching is used.
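The content inspection parameters above (Unauthorized text patterns, Unauthorized keywords, Match type, Match frequency) are shared with the "Unauthorized text typed into website" template. The Python below is an added example written for this page, not FortiDLP code: it evaluates those four parameters over a constructed sample of typed text so the interaction between frequency and match type is visible, and it shows why "." and "?" must be escaped in a text pattern. The function names and the exact spelling of the match type strings are this example's own assumptions.

```python
import re
from typing import Dict, Iterable


def count_hits(text: str, keywords: Iterable[str] = (), patterns: Iterable[str] = ()) -> Dict[str, int]:
    """Count occurrences of each data identifier in the typed text.

    Keywords are literal (re.escape) and case-insensitive; text patterns are
    full regular expressions, also case-insensitive, as the parameter
    descriptions on this page state."""
    hits: Dict[str, int] = {}
    for kw in keywords:
        hits["keyword:" + kw] = len(re.findall(re.escape(kw), text, re.IGNORECASE))
    for pat in patterns:
        hits["pattern:" + pat] = len(re.findall(pat, text, re.IGNORECASE))
    return hits


def match_type_satisfied(hits: Dict[str, int], match_type: str, match_frequency: int = 1) -> bool:
    """Apply "Match frequency" first, then "Match type", to the per-identifier counts.

    An identifier counts as present only if it was typed at least
    match_frequency times. match_type is "Match all", "Match none",
    "Match any" or "Match at least N" with N in 2..5 (this example's
    spelling of the options listed on the page)."""
    if match_frequency < 1:
        raise ValueError("match_frequency must be at least 1")
    present = sum(1 for n in hits.values() if n >= match_frequency)
    total = len(hits)
    mt = match_type.lower()
    if mt == "match all":
        return total > 0 and present == total
    if mt == "match none":
        return present == 0
    if mt == "match any":
        return present > 0
    m = re.fullmatch(r"match at least ([2-5])", mt)
    if m:
        return present >= int(m.group(1))
    raise ValueError(f"unknown match type: {match_type!r}")


def detect(text: str, keywords: Iterable[str] = (), patterns: Iterable[str] = (),
           match_type: str = "Match any", match_frequency: int = 1) -> bool:
    """True when the typed text would generate a detection under these parameters."""
    return match_type_satisfied(count_hits(text, keywords, patterns), match_type, match_frequency)


if __name__ == "__main__":
    # Constructed sample of typed text, not a real capture.
    typed = "draft: exampleXcom/searcq=foo and project codename ORION"
    # Escaped pattern: "." and "?" are literal, so this text does not match.
    print(detect(typed, patterns=[r"example\.com/search\?q=foo"]))  # False
    # Unescaped pattern: "." matches any character and "h?" makes the h
    # optional, so the pattern fires on text that is not the URL at all.
    print(detect(typed, patterns=[r"example.com/search?q=foo"]))    # True
    # Keyword typed once, but the policy demands it twice.
    print(detect(typed, keywords=["orion"], match_frequency=2))      # False
```

The escaping comparison is the practical point: an unescaped pattern is both noisier (false positives) and easier to miss the intended string with, so test each text pattern against a sample of the text it is meant to catch before deploying the policy.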

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule: Default
Cluster by policy: Disabled
Cluster by content: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized text typed into website

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 10.1.1 or later

Detects when a user types unauthorized text into a website.

Parameters (name, type, description)

Website parameters
SaaS apps (SaaS app filter): A list of SaaS apps on which users are authorized or unauthorized to type the specified text. Requires Agent 11.3.0+.
URL pattern list (Advanced asset list): A list of URL patterns for websites on which users are authorized or unauthorized to type the specified text. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".

Content inspection parameters
Unauthorized text patterns (Advanced asset list): A list of text patterns a user is unauthorized to type. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo.
Unauthorized keywords (Advanced asset list): A list of keywords a user is unauthorized to type. Case-insensitive matching is used. Note: A detection will not be generated if a user mistypes and corrects a keyword.
Match type (String): The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
Match frequency (Integer): The minimum number of times each keyword or text pattern must be typed.
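The URL pattern wildcard rules described for the URL pattern list (single asterisk within one domain or path segment, double asterisk across whole segments, omitted parts matching anything) are implemented below as an added example for this page; it is not FortiDLP's matcher and the real Agent may differ in details the page does not state. The constructed URLs are samples, not observed traffic. Assumptions beyond the page: host names are compared case-insensitively, path segments case-sensitively, and a query or fragment given in the pattern is compared as a single wildcard string.

```python
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlsplit


class UrlPattern(NamedTuple):
    scheme: Optional[str]
    host: str
    path: Optional[str]
    query: Optional[str]
    fragment: Optional[str]


def parse_pattern(pattern: str) -> UrlPattern:
    """Split a URL pattern into parts. A part absent from the pattern is None
    and later matches anything (the page says schema, path, query and
    fragment are optional)."""
    scheme = None
    rest = pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    fragment = None
    if "#" in rest:
        rest, fragment = rest.split("#", 1)
    query = None
    if "?" in rest:
        rest, query = rest.split("?", 1)
    path = None
    if "/" in rest:
        host, path = rest.split("/", 1)
        path = "/" + path
    else:
        host = rest
    return UrlPattern(scheme, host, path, query, fragment)


def glob_match(pat: str, value: str) -> bool:
    """Single asterisk: zero or more characters inside one segment/string."""
    regex = "".join(".*" if c == "*" else re.escape(c) for c in pat)
    return re.fullmatch(regex, value) is not None


def match_segments(pats: List[str], segs: List[str]) -> bool:
    """Double asterisk ('**' as a whole segment) consumes zero or more whole
    segments; any other pattern segment must match exactly one segment."""
    if not pats:
        return not segs
    head, rest = pats[0], pats[1:]
    if head == "**":
        return any(match_segments(rest, segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and glob_match(head, segs[0]) and match_segments(rest, segs[1:])


def _path_segments(path: str) -> List[str]:
    return [s for s in path.split("/") if s]


def url_matches(pattern: str, url: str) -> bool:
    """Return True when the URL falls under the pattern."""
    p = parse_pattern(pattern)
    u = urlsplit(url)
    if p.scheme is not None and not glob_match(p.scheme.lower(), u.scheme.lower()):
        return False
    if not match_segments(p.host.lower().split("."), (u.hostname or "").lower().split(".")):
        return False
    if p.path is not None and not match_segments(_path_segments(p.path), _path_segments(u.path)):
        return False
    # Query and fragment compared as single wildcard strings (example simplification).
    if p.query is not None and not glob_match(p.query, u.query):
        return False
    if p.fragment is not None and not glob_match(p.fragment, u.fragment):
        return False
    return True


if __name__ == "__main__":
    pat = "**.example.com/**/login*"          # the page's own example pattern
    for sample in ("https://sso.corp.example.com/auth/v2/login.php",  # True
                   "https://example.com/login",                      # True
                   "https://www.example.com/login/help",             # False
                   "https://example.com.evil.test/login"):           # False
        print(sample, url_matches(pat, sample))
```

Two consequences of the stated semantics are worth checking when writing a URL pattern: because "**" may consume zero segments, **.example.com also covers example.com itself; and because the pattern is anchored segment by segment, a look-alike host such as example.com.evil.test does not match, whereas a single "*" never spans more than one label, so *.example.com does not cover a.b.example.com.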
MITRE ATT&CK indicators (Tactic / Technique / Sub-technique)
Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
Technique: T1567 (Exfiltration Over Web Service), attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule: Default
Cluster by policy: Disabled
Cluster by domain name: Disabled
Cluster by content: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot