Incident clustering rules

Supported clustering rules for grouping detections together to form an incident.

| Name | Description |
| --- | --- |
| Cluster by account name | A rule that clusters detections by a common account name. |
| Cluster by binary name | A rule that clusters detections by a common binary name. |
| Cluster by browser extension | A rule that clusters detections by a common browser extension. |
| Cluster by browser extension version | A rule that clusters detections by a common browser extension version. |
| Cluster by called path | A rule that clusters detections by a common called path. |
| Cluster by certificate name | A rule that clusters detections by a common certificate name. |
| Cluster by content | A rule that clusters detections by common file content. |
| Cluster by copy source | A rule that clusters detections by a common copy source. If content is copied from a desktop application, the binary name is used. If content is copied from a website, the hostname is used. |
| Cluster by destination IP | A rule that clusters detections by a common destination IP address. For outgoing connections, the remote IP address is used. For incoming connections, the local IP address is used. |
| Cluster by destination port | A rule that clusters detections by a common destination port number. For outgoing connections, the remote port is used. For incoming connections, the local port is used. |
| Cluster by domain name | A rule that clusters detections by a common domain name. |
| Cluster by file extension | A rule that clusters detections by a common file extension. |
| Cluster by file path | A rule that clusters detections by a common file path. |
| Cluster by filename | A rule that clusters detections by a common filename. |
| Cluster by hostname | A rule that clusters detections by a common hostname. |
| Cluster by local IP | A rule that clusters detections by a common local IP address. For outgoing connections, the source IP address is used. For incoming connections, the destination IP address is used. |
| Cluster by local port | A rule that clusters detections by a common local port number. For outgoing connections, the source port is used. For incoming connections, the destination port is used. |
| Cluster by paste destination | A rule that clusters detections by a common clipboard destination. If content is pasted to a desktop application, the binary name is used. If content is pasted to a website, the hostname is used. |
| Cluster by policy | A rule that clusters detections by a common policy. |
| Cluster by recipient domain | A rule that clusters detections by a common recipient domain. |
| Cluster by remote email domain | A rule that clusters detections by a common remote email domain. For incoming emails, the sender domain is used. For outgoing emails, the recipient domain is used. |
| Cluster by remote IP | A rule that clusters detections by a common remote IP address. For outgoing connections, the destination IP address is used. For incoming connections, the source IP address is used. |
| Cluster by remote port | A rule that clusters detections by a common remote port number. For outgoing connections, the destination port is used. For incoming connections, the source port is used. |
| Cluster by sender email address | A rule that clusters detections by a common sender email address. |
| Cluster by source IP | A rule that clusters detections by a common source IP address. For outgoing connections, the local IP address is used. For incoming connections, the remote IP address is used. |
| Cluster by source port | A rule that clusters detections by a common source port number. For outgoing connections, the local port is used. For incoming connections, the remote port is used. |
| Cluster by USB identifier | A rule that clusters detections by a common USB identifier, which is the USB VID + PID. |
| Cluster by USB PID | A rule that clusters detections by a common USB Product ID (PID). |
| Cluster by USB serial number | A rule that clusters detections by a common USB serial number. |
| Cluster by USB VID | A rule that clusters detections by a common USB Vendor ID (VID). |
| Cluster by Wi-Fi BSSID | A rule that clusters detections by a common Wi-Fi BSSID. |
| Cluster by Wi-Fi SSID | A rule that clusters detections by a common Wi-Fi SSID. |
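As an added illustration (not Fortinet's code), the following Python models how the direction-aware rules in the table pick the value they group on, then clusters a few constructed detections into incidents; the detection field names and the `direction` / `source_kind` values are assumptions made for the example.

```python
from collections import defaultdict

# Assumed detection fields (not Fortinet's schema): direction is "outgoing"
# or "incoming"; local_*/remote_* describe the endpoints from the host's
# point of view; clipboard events carry source_kind, binary_name, hostname.

def cluster_key(rule, d):
    """Return the value the named clustering rule groups detection d on."""
    out = d.get("direction") == "outgoing"
    if rule == "destination IP":    # remote IP when outgoing, local IP when incoming
        return d["remote_ip"] if out else d["local_ip"]
    if rule == "source IP":         # local IP when outgoing, remote IP when incoming
        return d["local_ip"] if out else d["remote_ip"]
    if rule == "destination port":
        return d["remote_port"] if out else d["local_port"]
    if rule == "source port":
        return d["local_port"] if out else d["remote_port"]
    if rule == "local IP":          # same endpoint whichever way the connection goes
        return d["local_ip"]
    if rule == "remote IP":
        return d["remote_ip"]
    if rule == "copy source":       # binary name for a desktop app, hostname for a website
        return d["binary_name"] if d["source_kind"] == "app" else d["hostname"]
    raise ValueError(f"unsupported rule: {rule}")

def cluster(rule, detections):
    """Group detections into incidents: {cluster key: [detection ids]}."""
    incidents = defaultdict(list)
    for d in detections:
        incidents[cluster_key(rule, d)].append(d["id"])
    return dict(incidents)

# Constructed sample detections; the addresses are documentation ranges.
NETWORK = [
    {"id": 1, "direction": "outgoing", "local_ip": "10.0.0.5", "remote_ip": "203.0.113.9",
     "local_port": 51000, "remote_port": 443},
    {"id": 2, "direction": "incoming", "local_ip": "10.0.0.5", "remote_ip": "198.51.100.7",
     "local_port": 443, "remote_port": 40000},
    {"id": 3, "direction": "outgoing", "local_ip": "10.0.0.6", "remote_ip": "203.0.113.9",
     "local_port": 51001, "remote_port": 443},
]
CLIPBOARD = [
    {"id": 10, "source_kind": "app", "binary_name": "excel.exe", "hostname": None},
    {"id": 11, "source_kind": "web", "binary_name": "chrome.exe", "hostname": "intranet.example"},
    {"id": 12, "source_kind": "app", "binary_name": "excel.exe", "hostname": None},
]

if __name__ == "__main__":
    print(cluster("destination IP", NETWORK))  # {'203.0.113.9': [1, 3], '10.0.0.5': [2]}
    print(cluster("local IP", NETWORK))        # {'10.0.0.5': [1, 2], '10.0.0.6': [3]}
    print(cluster("copy source", CLIPBOARD))   # {'excel.exe': [10, 12], 'intranet.example': [11]}
```

Running it shows that the same three network detections form different incidents depending on whether the rule looks at the destination endpoint (the two outgoing connections to 203.0.113.9 merge) or the local endpoint (the outgoing and incoming detections on 10.0.0.5 merge).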
