Clipboard templates
Templates for building policies based on user clipboard activity.
Note: To use this functionality, you must enable clipboard monitoring for Agents. For details, refer to the FortiDLP Administration Guide.
Sensitive content copied and pasted to desktop application
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 8.4.0 or later
Detects when a user copies or cuts text from an unauthorized website or application and pastes it to an unauthorized application.
Note: To use this functionality, you must enable clipboard monitoring and keystroke monitoring for Agents. For details, refer to the FortiDLP Administration Guide.
| Parameter | Type | Description |
|---|---|---|
| Source website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps on which content is authorized or unauthorized to be copied. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which content is authorized or unauthorized to be copied. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is copied from a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| URL regex patterns | Advanced asset list | A list of URLs from which content is authorized or unauthorized to be copied. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Source application parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) from which users are authorized or unauthorized to copy text. Case-insensitive matching is used. |
| Window titles | Advanced asset list | A list of window titles for applications from which users are authorized or unauthorized to copy text. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is copied from an application that has a window title containing "confidential" or "content". |
| Application identifiers | Advanced asset list | A list of application identifiers from which users are authorized or unauthorized to copy text. Case-insensitive matching is used. |
| Destination application parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) to which users are authorized or unauthorized to paste text. Case-insensitive matching is used. |
| Application identifiers | Advanced asset list | A list of application identifiers to which users are authorized or unauthorized to paste text. Case-insensitive matching is used. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching clipboard contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match contents containing US social security numbers. To match all contents use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to clipboard contents during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present. |
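The wildcard rules for "URL patterns" above can be checked offline before a pattern goes into a policy. The following Python matcher is an added example written for this page, not FortiDLP's own implementation: it encodes the documented semantics of `*` (within one segment), `**` (whole segments) and the optional scheme, path, query and fragment. Two assumptions are made where the text is silent: a leading `**.` also matches the bare domain, and `*` inside the scheme, query or fragment matches anything.

```python
"""Approximate matcher for the 'URL patterns' grammar described in the table.

Constructed example, not FortiDLP's matcher: it implements the documented
semantics so a policy author can sanity-check a pattern against sample URLs.
"""
import re
from urllib.parse import urlsplit

# scheme://host/path?query#fragment, where every component but host is optional
_PATTERN_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z*]+)://)?"
    r"(?P<host>[^/?#]+)"
    r"(?P<path>/[^?#]*)?"
    r"(?:\?(?P<query>[^#]*))?"
    r"(?:#(?P<fragment>.*))?$"
)


def _segments_to_regex(text: str, sep: str) -> str:
    """Translate a segment list ('a.*.c' or 'x/**/y') into a regex body.

    '*'  -> zero or more characters that stay inside one segment
    '**' -> zero or more whole segments, separators included
    """
    esc = re.escape(sep)
    segs = text.split(sep)
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == "**":
            if not last:
                out.append(f"(?:[^{esc}]+{esc})*")      # segments, each followed by sep
            elif out and out[-1] == esc:
                out[-1] = f"(?:{esc}[^{esc}]+)*"         # sep followed by segments
            else:
                out.append(".*")                          # '**' on its own
        else:
            out.append("".join(f"[^{esc}]*" if ch == "*" else re.escape(ch) for ch in seg))
            if not last:
                out.append(esc)
    return "".join(out)


def _glob_to_regex(text: str) -> str:
    # Scheme, query and fragment have no documented segment structure, so this
    # example (assumption) lets any run of '*' match anything there.
    return ".*".join(re.escape(part) for part in re.split(r"\*+", text))


def compile_url_pattern(pattern: str) -> dict:
    """Compile one URL pattern into per-component anchored regexes."""
    m = _PATTERN_RE.match(pattern.strip())
    if not m:
        raise ValueError(f"malformed URL pattern: {pattern!r}")
    parts = {}
    if m["scheme"] is not None:
        parts["scheme"] = re.compile(f"^{_glob_to_regex(m['scheme'])}$", re.I)
    # Assumption: a leading '**.' (zero segments) also matches the bare domain.
    parts["host"] = re.compile(f"^{_segments_to_regex(m['host'], '.')}$", re.I)
    if m["path"] is not None:
        parts["path"] = re.compile(f"^/{_segments_to_regex(m['path'][1:], '/')}$")
    if m["query"] is not None:
        parts["query"] = re.compile(f"^{_glob_to_regex(m['query'])}$")
    if m["fragment"] is not None:
        parts["fragment"] = re.compile(f"^{_glob_to_regex(m['fragment'])}$")
    return parts


def url_matches(pattern: str, url: str) -> bool:
    """True if `url` falls under `pattern`; omitted pattern components match anything."""
    parts = compile_url_pattern(pattern)
    u = urlsplit(url if "://" in url else "//" + url)
    observed = {
        "scheme": u.scheme,
        "host": u.hostname or "",
        "path": u.path or "/",
        "query": u.query,
        "fragment": u.fragment,
    }
    return all(rx.match(observed[name]) for name, rx in parts.items())


if __name__ == "__main__":
    # The table's own example pattern against constructed URLs.
    for candidate in ("https://sso.eu.example.com/a/b/login-page",
                      "https://example.com/login/profile",
                      "https://notexample.com/login"):
        print(candidate, url_matches("**.example.com/**/login*", candidate))
```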
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol) attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by copy source | Disabled |
| Cluster by paste destination | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Sensitive content copied and pasted to website
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 8.4.0 or later
Detects when a user copies or cuts text from an unauthorized website or application and pastes it to an unauthorized website.
Note: To use this functionality, you must enable clipboard monitoring and keystroke monitoring for Agents. For details, refer to the FortiDLP Administration Guide.
Note: From Agent 10.0.3+, the source and destination website "URL regex patterns" parameters are deprecated; please use the "URL patterns" parameters instead.
| Parameter | Type | Description |
|---|---|---|
| Source website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps on which content is authorized or unauthorized to be copied. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which content is authorized or unauthorized to be copied. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is copied from a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| URL regex patterns | Advanced asset list | A list of URLs from which content is authorized or unauthorized to be copied. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Source application parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) from which users are authorized or unauthorized to copy text. Case-insensitive matching is used. |
| Window titles | Advanced asset list | A list of window titles for applications from which users are authorized or unauthorized to copy text. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is copied from an application that has a window title containing "confidential" or "content". |
| Application identifiers | Advanced asset list | A list of application identifiers from which users are authorized or unauthorized to copy text. Case-insensitive matching is used. |
| Destination website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps on which content is authorized or unauthorized to be pasted. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which content is authorized or unauthorized to be pasted. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is pasted to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| URL regex patterns | Advanced asset list | A list of URLs to which content is authorized or unauthorized to be pasted. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching clipboard contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match contents containing US social security numbers. To match all contents use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to clipboard contents during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1567 (Exfiltration Over Web Service) attack.mitre.org/techniques/T1567/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by copy source | Disabled |
| Cluster by paste destination | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Sensitive content copied from desktop application
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 8.4.0 or later
Detects when a user copies or cuts text from an unauthorized application, and that text matches an advanced content inspection pattern.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) from which users are authorized or unauthorized to copy text. Case-insensitive matching is used. |
| Window titles | Advanced asset list | A list of window titles for applications from which users are authorized or unauthorized to copy text. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is copied from an application that has a window title containing "confidential" or "content". |
| Application identifiers | Advanced asset list | A list of application identifiers from which users are authorized or unauthorized to copy text. Case-insensitive matching is used. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching clipboard contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match contents containing US social security numbers. To match all contents use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to clipboard contents during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present. |
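The content inspection parameters combine in a specific way: each pattern must occur at least "match frequency" times, a narrow-breadth asset additionally needs one of its keywords, and the match type decides how many of the chosen data identifiers must be present. The Python evaluator below is an added example built from those descriptions, not FortiDLP's code; the identifiers and clipboard texts are constructed.

```python
"""Evaluator for the content inspection rules described in the table.

Constructed example, not FortiDLP's implementation: models 'content inspection
patterns' (narrow/wide breadth with keywords), 'content inspection keywords',
the four match types and the match frequency.
"""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class DataIdentifier:
    """One chosen data identifier: a regex pattern, a keyword list, or both."""
    name: str
    pattern: Optional[str] = None        # regex; None for a keyword-only identifier
    keywords: Sequence[str] = ()
    breadth: str = "wide"                # 'wide': pattern alone; 'narrow': pattern + a keyword


def identifier_present(ident: DataIdentifier, text: str, min_frequency: int = 1) -> bool:
    """Does this identifier count as present in the clipboard text?"""
    lowered = text.lower()
    keyword_hit = any(k.lower() in lowered for k in ident.keywords)
    if ident.pattern is None:
        return keyword_hit                      # keyword-only identifier
    # Match frequency: the pattern must occur at least min_frequency times.
    occurrences = len(re.findall(ident.pattern, text, flags=re.IGNORECASE))
    if occurrences < min_frequency:
        return False
    if ident.breadth == "narrow":
        return keyword_hit                      # pattern AND at least one keyword
    return True                                 # wide breadth: pattern alone suffices


def detect(identifiers: Sequence[DataIdentifier], text: str,
           match_type: str = "Match any", min_frequency: int = 1, at_least: int = 2) -> bool:
    """Apply the match type across the chosen identifiers; True means a detection."""
    present = sum(identifier_present(i, text, min_frequency) for i in identifiers)
    if match_type == "Match all":
        return present == len(identifiers)
    if match_type == "Match none":
        return present == 0
    if match_type == "Match any":
        return present > 0
    if match_type == "Match at least":
        if at_least not in (2, 3, 4, 5):
            raise ValueError("the template offers 'at least' values of 2 to 5 only")
        return present >= at_least
    raise ValueError(f"unknown match type {match_type!r}")


# Constructed identifiers mirroring the table's SSN example.
SSN_NARROW = DataIdentifier("US SSN (narrow)", r"[0-9]{3}-[0-9]{2}-[0-9]{4}",
                            keywords=("ssn", "social security"), breadth="narrow")
SSN_WIDE = DataIdentifier("US SSN (wide)", r"[0-9]{3}-[0-9]{2}-[0-9]{4}")
CONFIDENTIAL = DataIdentifier("Confidential marker", keywords=("confidential",))

# Constructed clipboard samples (not real data).
CLIP_HR = "Employee SSN: 000-00-0000, dependant SSN: 000-00-0001"
CLIP_ORDERS = "Shipment refs 000-00-0002 and 000-00-0003, no labels"
CLIP_MEMO = "CONFIDENTIAL: Q3 roadmap draft"

if __name__ == "__main__":
    print(detect([SSN_NARROW], CLIP_ORDERS))                    # False: pattern hits, keyword missing
    print(detect([SSN_WIDE], CLIP_ORDERS))                      # True: wide breadth ignores keywords
    print(detect([SSN_WIDE], CLIP_ORDERS, min_frequency=3))     # False: only two occurrences
    print(detect([SSN_WIDE, CONFIDENTIAL], CLIP_HR, "Match all"))  # False: no keyword marker
```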
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0009 (Collection) attack.mitre.org/tactics/TA0009/ | T1005 (Data from Local System) attack.mitre.org/techniques/T1005/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by content | Disabled |
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process, Empty clipboard
Sensitive content copied from website
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 8.4.0 or later
Detects when a user copies or cuts text from an unauthorized website, and that text matches an advanced content inspection pattern.
| Parameter | Type | Description |
|---|---|---|
| Website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps on which content is authorized or unauthorized to be copied. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which content is authorized or unauthorized to be copied. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is copied from a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| URL regex patterns | Advanced asset list | A list of URLs from which content is authorized or unauthorized to be copied. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching clipboard contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match contents containing US social security numbers. To match all contents use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux. |
| Content inspection keywords | Advanced asset list | The keywords matched to clipboard contents during content inspection. Requires Agent 12.1.0+ on Linux. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present. Requires Agent 12.1.0+ on Linux. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0009 (Collection) attack.mitre.org/tactics/TA0009/ | T1213 (Data from Information Repositories) attack.mitre.org/techniques/T1213/ | |
| TA0009 (Collection) attack.mitre.org/tactics/TA0009/ | T1530 (Data from Cloud Storage) attack.mitre.org/techniques/T1530/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Empty clipboard
Sensitive content pasted to desktop application
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows or macOS, Agent version 8.4.0 or later
Detects when a user pastes text to an unauthorized application, and that text matches an advanced content inspection pattern.
Note: To use this functionality, you must enable clipboard monitoring and keystroke monitoring for Agents. For details, refer to the FortiDLP Administration Guide.
| Parameter | Type | Description |
|---|---|---|
| Process parameters | ||
| Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) to which users are authorized or unauthorized to paste text. Case-insensitive matching is used. |
| Application identifiers | Advanced asset list | A list of application identifiers to which users are authorized or unauthorized to paste text. Case-insensitive matching is used. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching clipboard contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match contents containing US social security numbers. To match all contents use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to clipboard contents during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1048 (Exfiltration Over Alternative Protocol) attack.mitre.org/techniques/T1048/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by content | Disabled |
| Cluster by paste destination | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
Sensitive content pasted to website
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 8.4.0 or later
Detects when a user pastes text to an unauthorized website, and that text matches an advanced content inspection pattern.
Note: To use this functionality, you must enable clipboard monitoring and keystroke monitoring for Agents. For details, refer to the FortiDLP Administration Guide.
| Parameter | Type | Description |
|---|---|---|
| Website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps on which content is authorized or unauthorized to be pasted. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which content is authorized or unauthorized to be pasted. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when text is pasted to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| URL regex patterns | Advanced asset list | A list of URLs to which content is authorized or unauthorized to be pasted. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching clipboard contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match contents containing US social security numbers. To match all contents use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux. |
| Content inspection keywords | Advanced asset list | The keywords matched to clipboard contents during content inspection. Requires Agent 12.1.0+ on Linux. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present. Requires Agent 12.1.0+ on Linux. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1567 (Exfiltration Over Web Service) attack.mitre.org/techniques/T1567/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot