Printing templates
Templates for building policies based on user printing activity.
Document printed using physical printer outside office hours
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 8.4.0 or later
Detects when a user prints a document using a physical printer that is connected locally or over the network outside of expected working hours, and optionally blocks the print job.
Requires Windows Agent 4.0.0+, macOS Agent 8.5.0+, and Linux Agent 10.2.0+. To enable enhanced visibility and content inspection on Windows, use Agent 11.1.1+, turn the 'Print monitoring' Agent configuration setting 'On', and complete the following setup steps: to monitor Windows-shared printers and print servers, ensure client-side rendering is enabled and driver isolation is set to 'None' in the printer settings; to enable content inspection, ensure the XPS Viewer IFilter is installed on endpoints. For enhanced visibility and content inspection on macOS, use Agent 10.2.0+. For enhanced visibility and content inspection on Linux, use Agent 12.1.0+. For more information, refer to 'Print monitoring' in the FortiDLP Agent Deployment Guide.

For Agent versions earlier than 11.2.3, the Make shadow copy action cannot be used together with the Block print job action unless content inspection is configured, and Action reporting is not supported.
| Parameter | Type | Description |
|---|---|---|
| Office hours parameters | ||
| List of days off | String list | A list of non-working days. This list can be empty, which would indicate that every day of the week is a working day. |
| Start time | String | The start time of the work day in 24-hour format (HH:MM). Times are in the FortiDLP Agent's local timezone. |
| End time | String | The end time of the work day in 24-hour format (HH:MM). Times are in the FortiDLP Agent's local timezone. |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print documents outside of office hours. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print documents outside of office hours. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print documents outside of office hours. Case-insensitive matching is used. |
| Printer unique identifiers | Advanced asset list | A list of unique identifiers for printers authorized or unauthorized to print documents outside of office hours. Case-insensitive matching is used. Requires Agent 10.2.0+ on macOS and Linux and Agent 11.1.1+ on Windows. |
| Monitored printer types | String list | A list of printer types to monitor. Select "Network" to generate a detection for printers connected over a network. Select "Local" to generate a detection for printers connected directly, such as via USB. Requires Agent 10.2.0+ on macOS and Linux and Agent 11.1.1+ on Windows. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print documents outside of office hours. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Printer IP addresses (macOS and Linux only) | Advanced asset list | A list of network printer IP addresses in CIDR format that are authorized or unauthorized to be sent print jobs. Requires Agent 10.2.0+. |
| Process parameters | ||
| Binary names (macOS and Linux only) | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to print documents outside of office hours. Case-insensitive matching is used. Requires Agent 10.2.0+. |
| File parameters | ||
| Maximum number of pages printed (Windows and macOS only) | Integer | The maximum number of pages allowed to be printed. If this field is set to 0, no limit will be applied. Note: This feature is not supported on macOS when the print blocking action is enabled. |
| Print job name patterns | Advanced asset list | A list of patterns for matching print job names that are authorized or unauthorized to be printed. Print job name examples include filenames, browser tab titles, and application window titles. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
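The content inspection parameters above (patterns, keywords, narrow/wide breadth, match type and match frequency) combine into one decision per print job. The following is an added example that models those documented semantics; it is not FortiDLP code, and the `DataIdentifier` type, the sample identifiers and the sample document contents are constructed for illustration.

```python
"""Model of the content inspection decision described in the parameter table.

Added example, not FortiDLP code. A data identifier is a regex pattern optionally
tied to an asset's keywords; 'narrow' breadth also requires one of those keywords,
'wide' breadth needs the pattern alone. The match type and match frequency are
then applied across all chosen identifiers."""
import re
from dataclasses import dataclass
from typing import Sequence


@dataclass(frozen=True)
class DataIdentifier:
    """One data identifier (name and pattern are assumptions for this example)."""
    name: str
    pattern: str                   # full regex grammar, as the parameter table states
    keywords: Sequence[str] = ()   # the asset's keywords/keyphrases
    breadth: str = "wide"          # "wide": pattern alone; "narrow": pattern AND a keyword


def identifier_present(doc: str, ident: DataIdentifier, frequency: int = 1) -> bool:
    """True when the identifier counts as present in the document.

    The pattern must occur at least `frequency` times (match frequency); with narrow
    breadth at least one of the asset's keywords must also appear (case-insensitive)."""
    hits = len(re.findall(ident.pattern, doc))
    if hits < frequency:
        return False
    if ident.breadth == "narrow":
        lowered = doc.lower()
        return any(kw.lower() in lowered for kw in ident.keywords)
    return True


def content_inspection_detects(doc: str, identifiers: Sequence[DataIdentifier],
                               match_type: str, frequency: int = 1) -> bool:
    """Apply the 'Content inspection match type' rule to the identifiers present."""
    present = sum(identifier_present(doc, ident, frequency) for ident in identifiers)
    if match_type == "Match all":
        return present == len(identifiers)
    if match_type == "Match none":
        return present == 0
    if match_type == "Match any":
        return present >= 1
    m = re.fullmatch(r"Match at least ([2-5])", match_type)
    if m:
        return present >= int(m.group(1))
    raise ValueError(f"unknown match type: {match_type!r}")


# Constructed sample identifiers: the SSN pattern quoted in the table, plus a
# payment card pattern tied to an asset's keywords with narrow breadth.
SSN = DataIdentifier("US SSN", r"[0-9]{3}-[0-9]{2}-[0-9]{4}")
CARD = DataIdentifier("Payment card", r"\b[0-9]{4}(?:[ -][0-9]{4}){3}\b",
                      keywords=("card number", "expiry"), breadth="narrow")

# Constructed sample print job contents (not real data).
DOC_PAYROLL = ("Payroll export\nSSN 123-45-6789\nSSN 987-65-4321\n"
               "Order ref 4111 1111 1111 1111\n")
DOC_CARDS = "Card number 4111 1111 1111 1111, expiry 12/29\n"

if __name__ == "__main__":
    # The card number in DOC_PAYROLL does not count: narrow breadth, no keyword nearby.
    print(content_inspection_detects(DOC_PAYROLL, [SSN, CARD], "Match any"))   # True
    print(content_inspection_detects(DOC_PAYROLL, [SSN, CARD], "Match all"))   # False
    print(content_inspection_detects(DOC_PAYROLL, [SSN], "Match all", frequency=3))  # False
```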
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium), attack.mitre.org/techniques/T1052/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by content | Disabled |
| Cluster by filename | Disabled |
| Cluster by destination IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Block print job, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Large print job completed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.0.4 or later
Detects when a user prints a document with more pages than usual.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print any number of pages. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print any number of pages. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print any number of pages. Case-insensitive matching is used. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print any number of pages. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Machine learning parameters | ||
| Training period (hours) | Integer | The uptime period (in hours) during which normal user printing activity is learned. No detections will be generated during this period. The FortiDLP Agent will continue to learn from printing activity after this period. |
| Minimum number of pages printed | Integer | The minimum number of pages printed in order for a detection to be generated. |
| Probability threshold | Float | The minimum percentage probability defining how unlikely the number of pages printed must be for a detection to be generated. Note: A low threshold (e.g. 0.1) will result in fewer detections than a high threshold (e.g. 1.0), as printing activities must be classified as more abnormal to generate a detection. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium), attack.mitre.org/techniques/T1052/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Many documents printed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 7.7.6 or later
Detects when a user prints an unusual number of documents within a given time period.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print any number of documents. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print any number of documents. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print any number of documents. Case-insensitive matching is used. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print any number of documents. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Machine learning parameters | ||
| Training period (hours) | Integer | The uptime period (in hours) during which normal user printing activity is learned. No detections will be generated during this period. The FortiDLP Agent will continue to learn from printing activity after this period. |
| Probability threshold | Float | The minimum percentage probability defining how unlikely the number of documents printed must be for a detection to be generated. Note: A low threshold (e.g. 0.1) will result in fewer detections than a high threshold (e.g. 1.0), as printing activities must be classified as more abnormal to generate a detection. |
| Time window (in minutes) | Integer | The number of minutes during which printed documents are counted as a single data point. |
| Minimum number of documents printed | Integer | The minimum number of documents printed within a time window for which a detection can be generated. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium), attack.mitre.org/techniques/T1052/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Many pages printed
Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 7.7.6 or later
Detects when a user prints an unusual number of pages within a given time period.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print any number of pages. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print any number of pages. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print any number of pages. Case-insensitive matching is used. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print any number of pages. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Machine learning parameters | ||
| Training period (hours) | Integer | The uptime period (in hours) during which normal user printing activity is learned. No detections will be generated during this period. The FortiDLP Agent will continue to learn from printing activity after this period. |
| Probability threshold | Float | The minimum percentage probability defining how unlikely the number of pages printed must be for a detection to be generated. Note: A low threshold (e.g. 0.1) will result in fewer detections than a high threshold (e.g. 1.0), as printing activities must be classified as more abnormal to generate a detection. |
| Time window (in minutes) | Integer | The number of minutes during which printed pages are counted as a single data point. |
| Minimum number of pages printed | Integer | The minimum number of pages printed within a time window for which a detection can be generated. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium), attack.mitre.org/techniques/T1052/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Sensitive document printed from website
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 10.3.1 or later
Detects when a user prints a document from a website or prints the contents of a website, and optionally blocks the print job.
To enable enhanced visibility on Windows, use Agent 11.1.1+, turn the 'Print monitoring' Agent configuration setting 'On', and complete the following setup step: to monitor Windows-shared printers and print servers, ensure client-side rendering is enabled and driver isolation is set to 'None' in the printer settings. For more information, refer to 'Print monitoring' in the FortiDLP Agent Deployment Guide.

For Agent versions earlier than 11.2.3, the Make shadow copy action cannot be used together with the Block print job action unless content inspection is configured, and Action reporting is not supported.
| Parameter | Type | Description |
|---|---|---|
| Website parameters | ||
| SaaS apps | SaaS app filter | A list of SaaS apps from which printing is authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites from which printing is authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print documents from websites. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print documents from websites. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer unique identifiers | Advanced asset list | A list of unique identifiers for printers authorized or unauthorized to print documents. Case-insensitive matching is used. Requires Agent 11.1.1+ on Windows. |
| Monitored printer types | String list | A list of printer types to monitor. Select "Network" to generate a detection for printers connected over a network. Select "Local" to generate a detection for printers connected directly, such as via USB. Requires Agent 11.1.1+ on Windows. |
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print documents from websites. Case-insensitive matching is used. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print documents from websites. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Printer IP addresses (macOS and Linux only) | Advanced asset list | A list of network printer IP addresses in CIDR format authorized or unauthorized to be sent print jobs. |
| File parameters | ||
| Maximum number of pages printed (Windows and macOS only) | Integer | The maximum number of pages allowed to be printed. If this field is set to 0, no limit will be applied. Note: This feature is not supported on macOS when the print blocking action is enabled. |
| Print job name patterns | Advanced asset list | A list of patterns for matching print job names that are authorized or unauthorized to be printed. Print job name examples include filenames, browser tab titles, and application window titles. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Content inspection parameters (macOS only) | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
| Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. |
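The URL pattern grammar described under 'URL patterns' (single `*` within one domain or path segment, `**` for zero or more whole segments, omitted scheme/path/query/fragment matching anything) is easy to get subtly wrong when testing a policy. The following is an added example that implements those documented rules, not FortiDLP's own matcher; the helper names and the case-insensitive host comparison are assumptions.

```python
"""Matcher for the URL pattern grammar used by the 'URL patterns' parameter.

Added example, not FortiDLP code. Rules implemented from the parameter table:
'*' matches 0 or more characters within one domain/path segment, '**' matches
0 or more whole segments, and scheme, path, query and fragment match anything
when omitted from the pattern. Hosts are compared case-insensitively (assumption)."""
import re
from urllib.parse import urlsplit

# Splits a pattern into its optional scheme, host, path, query and fragment.
_PATTERN_RE = re.compile(
    r"^(?:(?P<scheme>[^:/?#]+)://)?(?P<host>[^/?#]*)(?P<path>[^?#]*)"
    r"(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$"
)


def _glob_to_regex(glob: str, char_class: str) -> str:
    """'*' becomes `char_class*`; every other character is taken literally."""
    return "".join(char_class + "*" if ch == "*" else re.escape(ch) for ch in glob)


def _segments_to_regex(pattern: str, sep: str) -> str:
    """Translate a pattern of `sep`-separated segments ('.' for hosts, '/' for paths)."""
    esc = re.escape(sep)
    cls = f"[^{esc}]"
    segs = pattern.split(sep)
    if segs == ["**"]:
        return ".*"
    out, need_sep = [], False
    for i, seg in enumerate(segs):
        if seg == "**":
            # 0 or more whole segments, separator included on the correct side.
            out.append(f"(?:{cls}+{esc})*" if i == 0 else f"(?:{esc}{cls}+)*")
            need_sep = i != 0
        else:
            if need_sep:
                out.append(esc)
            out.append(_glob_to_regex(seg, cls))
            need_sep = True
    return "".join(out)


def url_matches(pattern: str, url: str) -> bool:
    """True when `url` is covered by `pattern` under the rules above."""
    m = _PATTERN_RE.match(pattern)
    if m is None or not m.group("host"):
        raise ValueError(f"malformed pattern: {pattern!r}")
    parts = urlsplit(url)
    checks = [
        (m.group("scheme"), parts.scheme, lambda p: _glob_to_regex(p, ".")),
        (m.group("host"), (parts.hostname or "").lower(),
         lambda p: _segments_to_regex(p.lower(), ".")),
        (m.group("path") or None, parts.path or "/",
         lambda p: "/" + _segments_to_regex(p.lstrip("/"), "/")),
        (m.group("query"), parts.query, lambda p: _glob_to_regex(p, ".")),
        (m.group("fragment"), parts.fragment, lambda p: _glob_to_regex(p, ".")),
    ]
    for pat_part, url_part, to_regex in checks:
        if pat_part is None:          # omitted component matches anything
            continue
        if re.fullmatch(to_regex(pat_part), url_part) is None:
            return False
    return True


if __name__ == "__main__":
    # The example pattern from the table, against constructed URLs.
    pat = "**.example.com/**/login*"
    print(url_matches(pat, "https://app.example.com/a/b/login-page?x=1"))  # True
    print(url_matches(pat, "https://example.com/login"))                   # True
    print(url_matches(pat, "https://example.com/login/settings"))          # False
```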
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium), attack.mitre.org/techniques/T1052/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |
| Cluster by content | Disabled |
| Cluster by hostname | Disabled |
Supported actions: Block print job, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Sensitive document printed using physical printer
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Agent version 8.4.0 or later
Detects when a user prints a document using a physical printer that is connected locally or over the network, and optionally blocks the print job.
Requires Windows Agent 4.0.0+, macOS Agent 8.5.0+, and Linux Agent 10.2.0+. To enable enhanced visibility and content inspection on Windows, use Agent 11.1.1+, turn the 'Print monitoring' Agent configuration setting 'On', and complete the following setup steps: to monitor Windows-shared printers and print servers, ensure client-side rendering is enabled and driver isolation is set to 'None' in the printer settings; to enable content inspection, ensure the XPS Viewer IFilter is installed on endpoints. For enhanced visibility and content inspection on macOS, use Agent 10.2.0+. For enhanced visibility and content inspection on Linux, use Agent 12.1.0+. For more information, refer to 'Print monitoring' in the FortiDLP Agent Deployment Guide.

For Agent versions earlier than 11.2.3, the Make shadow copy action cannot be used together with the Block print job action unless content inspection is configured, and Action reporting is not supported.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print documents. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print documents. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print documents. Case-insensitive matching is used. |
| Printer unique identifiers | Advanced asset list | A list of unique identifiers for printers authorized or unauthorized to print documents. Case-insensitive matching is used. Requires Agent 10.2.0+ on macOS and Linux and Agent 11.1.1+ on Windows. |
| Monitored printer types | String list | A list of printer types to monitor. Select "Network" to generate a detection for printers connected over a network. Select "Local" to generate a detection for printers connected directly, such as via USB. Requires Agent 10.2.0+ on macOS and Linux and Agent 11.1.1+ on Windows. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print documents. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Connection parameters | ||
| Printer IP addresses (macOS and Linux only) | Advanced asset list | A list of network printer IP addresses in CIDR format that are authorized or unauthorized to be sent print jobs. Requires Agent 10.2.0+. |
| Process parameters | ||
| Binary names (macOS and Linux only) | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to print documents. Case-insensitive matching is used. Requires Agent 10.2.0+. |
| File parameters | ||
| Maximum number of pages printed (Windows and macOS only) | Integer | The maximum number of pages allowed to be printed. If this field is set to 0, no limit will be applied. Note: This feature is not supported on macOS when the print blocking action is enabled. |
| Print job name patterns | Advanced asset list | A list of patterns for matching print job names that are authorized or unauthorized to be printed. Print job name examples include filenames, browser tab titles, and application window titles. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. Requires Agent 10.2.0+ on macOS, Agent 11.1.1+ on Windows, and Agent 12.1.0+ on Linux. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium), attack.mitre.org/techniques/T1052/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by content | Disabled |
| Cluster by filename | Disabled |
| Cluster by destination IP | Disabled |
| Cluster by policy | Disabled |
Supported actions: Block print job, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Sensitive document sent to virtual printer
Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed
Requirements: Windows, Agent version 8.4.0 or later
Detects when a user sends a document to a virtual printer (e.g. PDF, XPS, OneNote), and optionally blocks the print job.
To enable content inspection, use Agent 11.1.1+, turn the 'Print monitoring' Agent configuration setting 'On', and ensure the XPS Viewer IFilter is installed on endpoints. For more information, refer to 'Print monitoring' in the FortiDLP Agent Deployment Guide.

For Agent versions earlier than 11.2.3, the Make shadow copy action cannot be used together with the Block print job action unless content inspection is configured, and Action reporting is not supported.
| Parameter | Type | Description |
|---|---|---|
| User parameters | ||
| Usernames | Advanced asset list | A list of usernames authorized or unauthorized to print documents to virtual printers. Case-insensitive matching is used. |
| Username patterns | Advanced asset list | A list of patterns for matching usernames that are authorized or unauthorized to print documents to virtual printers. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Printer parameters | ||
| Printer names | Advanced asset list | A list of printer names authorized or unauthorized to print documents. Case-insensitive matching is used. |
| Printer name patterns | Advanced asset list | A list of patterns for matching printer names that are authorized or unauthorized to print documents. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| File parameters | ||
| Maximum number of pages printed | Integer | The maximum number of pages allowed to be printed. If this field is set to 0, no limit will be applied. Note: This feature is not supported on macOS when the print blocking action is enabled. |
| Print job name patterns | Advanced asset list | A list of patterns for matching print job names that are authorized or unauthorized to be printed. Print job name examples include filenames, browser tab titles, and application window titles. Full regular expression (regex) grammar is supported and case-insensitive matching is used. |
| Content inspection parameters | ||
| Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 11.1.1+. |
| Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. Requires Agent 11.1.1+. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. Requires Agent 11.1.1+. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0009 (Collection), attack.mitre.org/tactics/TA0009/ | | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
| Incident clustering rule | Default |
|---|---|
| Cluster by content | Disabled |
| Cluster by filename | Disabled |
| Cluster by policy | Disabled |
Supported actions: Block print job, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy