
File transfer templates

Templates for building policies based on file transfers to/from remote destinations.

Connection made to remote destination using file transfer utility

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 4.2.5 or later

Detects when a user connects to a remote host using a file transfer utility.

Parameters

File transfer utility parameters:
- File transfer utility binary names [Advanced asset list]: A list of file transfer utility binary names (e.g. scp, pscp.exe). Case-insensitive matching is used.
- File transfer utility binary called paths [Advanced asset list]: A list of regular expressions matching file transfer utility called paths (e.g. .*ssh.exe, .*scp). Case-sensitive matching is used.
Connection parameters:
- Remote IP addresses [Advanced asset list]: A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) to which file transfer utilities are authorized or unauthorized to connect.

MITRE ATT&CK indicators (tactic / technique / sub-technique):
- Tactic: TA0042 (Resource Development), attack.mitre.org/tactics/TA0042/
- Technique: T1588 (Obtain Capabilities), attack.mitre.org/techniques/T1588/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
- Cluster by destination IP: Disabled
- Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Sensitive file copied to unauthorized local folder using file transfer utility

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user copies a sensitive file to an unauthorized local folder using a file transfer utility.

Note: Subsequent detections and actions for the same file and process will not be generated until at least one minute after the first detection/action.

Note: From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameters

File transfer utility parameters:
- File transfer utility binary names [Advanced asset list]: A list of file transfer utility binary names (e.g. scp, pscp.exe). Case-insensitive matching is used.
- File transfer utility binary called paths [Advanced asset list]: A list of regular expressions matching file transfer utility called paths (e.g. .*ssh.exe, .*scp). Case-sensitive matching is used.
File parameters:
- File paths [Advanced asset list]: A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
- File path keywords [Advanced asset list]: A list of keywords that match if they appear anywhere in the file path. Users are authorized or unauthorized to copy files that contain these keywords in their file paths. Case-insensitive matching is used.
- Maximum permitted file size (MB) [Float]: The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
- File types [Advanced asset list]: A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
- File extensions [Advanced asset list]: A list of file extensions (e.g. .doc, .docx, .pdf) that users are authorized or unauthorized to copy. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters:
- Content inspection patterns [Advanced asset list]: A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
- Content inspection keywords [Advanced asset list]: The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
- Microsoft sensitivity labels [Asset list]: The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
- Content inspection match type [String]: The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
- Content inspection match frequency [Integer]: The minimum number of times each pattern must be present in a document.

MITRE ATT&CK indicators (tactic / technique / sub-technique):
- Sub-technique: T1074.001 (Local Data Staging), attack.mitre.org/techniques/T1074/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
- Cluster by filename: Disabled
- Cluster by file extension: Disabled
- Cluster by content: Disabled
- Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process, Make shadow copy

Sensitive file transferred over RDP from client to server

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows, Agent version 8.4.0 or later

Detects when a user connects to a server or remote computer using Remote Desktop Protocol and then transfers a sensitive file.

Note: Subsequent detections and actions for the same file and remote destination will not be generated until five minutes after the first detection.

Note: From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameters

Connection parameters:
- IP addresses [Advanced asset list]: A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) to which Remote Desktop connections are authorized or unauthorized.
File parameters:
- File paths [Advanced asset list]: A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
- Maximum permitted file size (MB) [Float]: The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
- File types [Advanced asset list]: A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
- File extensions [Advanced asset list]: A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters:
- Content inspection patterns [Advanced asset list]: A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched.
- Content inspection keywords [Advanced asset list]: The keywords matched to file contents during content inspection.
- Microsoft sensitivity labels [Asset list]: The Microsoft sensitivity labels matched to files during content inspection.
- Content inspection match type [String]: The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
- Content inspection match frequency [Integer]: The minimum number of times each pattern must be present in a document.
File origin parameters:
- SaaS apps [SaaS app filter]: A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
- URL patterns [Advanced asset list]: A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
- User account domains (Preview) [Advanced asset list]: A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
- Monitor unknown user accounts (Preview) [Boolean]: The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
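The wildcard rules given for the "URL patterns" parameter above (a single * stays inside one domain or path segment, ** spans whole segments, and scheme, path, query and fragment are optional) are easy to misread, so here is a matcher that implements them literally. It is an illustration added for this page, not FortiDLP's own matcher; the separator chosen for query strings and the behaviour in edge cases the description does not cover are assumptions.

```python
"""Matcher for the wildcard rules documented for the "URL patterns" parameter.
Added for this page as an illustration, not FortiDLP's own matcher; the query
separator and edge-case behaviour are assumptions drawn from the description."""
import re
from urllib.parse import urlsplit


def segment_glob_to_regex(pattern: str, sep: str) -> str:
    """'*' matches within one segment; '**' together with its adjacent separator
    matches zero or more whole segments (so '**.example.com' also matches example.com)."""
    esc = re.escape(sep)
    out: list = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            if pattern[i + 2:i + 3] == sep:        # "**." / "**/": leading segments
                out.append(f"(?:[^{esc}]+{esc})*")
                i += 3
            elif out and out[-1] == esc:           # ".**" / "/**": trailing segments
                out[-1] = f"(?:{esc}[^{esc}]+)*"
                i += 2
            else:                                  # bare "**": anything at all
                out.append(".*")
                i += 2
        elif pattern[i] == "*":
            out.append(f"[^{esc}]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "".join(out)


def url_matches(pattern: str, url: str) -> bool:
    """Scheme, path, query and fragment are optional in the pattern and match
    anything when omitted; the host is compared case-insensitively.  Because
    '**' is anchored to whole segments, '**.example.com' cannot match a
    look-alike host such as evil-example.com."""
    p = urlsplit(pattern if "://" in pattern else "unset://" + pattern)  # placeholder scheme
    u = urlsplit(url)
    if p.scheme != "unset" and p.scheme.lower() != u.scheme.lower():
        return False
    if not re.fullmatch(segment_glob_to_regex(p.netloc, "."), u.netloc, re.IGNORECASE):
        return False
    # Query segments are assumed to be '&'-separated parameters.
    parts = ((p.path, u.path, "/"), (p.query, u.query, "&"), (p.fragment, u.fragment, "/"))
    for want, have, sep in parts:
        if want and not re.fullmatch(segment_glob_to_regex(want, sep), have):
            return False
    return True
```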
MITRE ATT&CK indicators (tactic / technique / sub-technique):
- Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
- Technique: T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
- Cluster by file extension: Disabled
- Cluster by destination IP: Disabled
- Cluster by content: Disabled
- Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Sensitive file transferred over RDP from server to client

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows, Agent version 8.4.0 or later

Detects when a node receives a Windows Remote Desktop connection and then a sensitive file is transferred.

Note: Subsequent detections and actions for the same file and remote destination will not be generated until five minutes after the first detection.

Note: From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameters

Connection parameters:
- IP addresses [Advanced asset list]: A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) from which Remote Desktop connections are authorized or unauthorized.
File parameters:
- File paths [Advanced asset list]: A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
- Maximum permitted file size (MB) [Float]: The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
- File types [Advanced asset list]: A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
- File extensions [Advanced asset list]: A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters:
- Content inspection patterns [Advanced asset list]: A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched.
- Content inspection keywords [Advanced asset list]: The keywords matched to file contents during content inspection.
- Microsoft sensitivity labels [Asset list]: The Microsoft sensitivity labels matched to files during content inspection.
- Content inspection match type [String]: The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
- Content inspection match frequency [Integer]: The minimum number of times each pattern must be present in a document.
File origin parameters:
- SaaS apps [SaaS app filter]: A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
- URL patterns [Advanced asset list]: A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
- User account domains (Preview) [Advanced asset list]: A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
- Monitor unknown user accounts (Preview) [Boolean]: The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
MITRE ATT&CK indicators (tactic / technique / sub-technique):
- Tactic: TA0008 (Lateral Movement), attack.mitre.org/tactics/TA0008/
- Technique: T1021 (Remote Services), attack.mitre.org/techniques/T1021/
- Sub-technique: T1021.001 (Remote Desktop Protocol), attack.mitre.org/techniques/T1021/001/
- Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
- Technique: T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
- Cluster by file extension: Disabled
- Cluster by source IP: Disabled
- Cluster by content: Disabled
- Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Sensitive file transferred to remote destination

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user connects to an unauthorized remote destination using a file transfer utility and then transfers a sensitive file.

Note: The policy reports all the remote IP addresses that the file transfer utility was connected to at the time of file access. A detection will be raised if a sensitive file is accessed by a file transfer utility, and any of the remote destinations to which it is currently connected is unauthorized.

Note: From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameters

File transfer utility parameters:
- File transfer utility [String list]: A list of file transfer utilities to monitor.
Connection parameters:
- IP addresses [Advanced asset list]: A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) to which TCP connections are authorized or unauthorized. If a sensitive file is accessed by a file transfer utility while it is connected to an unauthorized IP address, a detection will be raised. Note: It is possible for a GUI (desktop) utility such as FileZilla to have multiple active connections open in different windows/tabs. In this case, a detection will be raised if a file access occurs when any of the connections are unauthorized.
- Domains [Advanced asset list]: A list of domain names (e.g. example.com) to which TCP connections are authorized or unauthorized. If a sensitive file is accessed by a file transfer utility while it is connected to an unauthorized domain, a detection will be raised. Note: It is possible for a GUI (desktop) utility such as FileZilla to have multiple active connections open in different windows/tabs. In this case, a detection will be raised if a file access occurs when any of the connections are unauthorized.
File parameters:
- File paths [Advanced asset list]: A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
- File path keywords [Advanced asset list]: A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Users are authorized or unauthorized to transfer files that contain these keywords in their file paths. Case-insensitive matching is used.
- Maximum permitted file size (MB) [Float]: The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
- File types [Advanced asset list]: A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
- File extensions [Advanced asset list]: A list of file extensions (e.g. .doc, .docx, .pdf) that users are authorized or unauthorized to copy. The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters:
- Content inspection patterns [Advanced asset list]: A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
- Content inspection keywords [Advanced asset list]: The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
- Microsoft sensitivity labels [Asset list]: The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
- Content inspection match type [String]: The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
- Content inspection match frequency [Integer]: The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only):
- SaaS apps [SaaS app filter]: A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
- URL patterns [Advanced asset list]: A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
- User account domains (Preview) [Advanced asset list]: A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
- Monitor unknown user accounts (Preview) [Boolean]: The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
MITRE ATT&CK indicators (tactic / technique / sub-technique):
- Tactic: TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/
- Technique: T1048 (Exfiltration Over Alternative Protocol), attack.mitre.org/techniques/T1048/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
- Cluster by filename: Disabled
- Cluster by file extension: Disabled
- Cluster by content: Disabled
- Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process, Make shadow copy
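To show how the parameters of the "Sensitive file transferred to remote destination" template combine into one decision (CIDR allow/deny lists checked against every connection the utility has open, MIME wildcard and glob file selection, the file size rule, and the content inspection match types shared by the other templates on this page), here is a small model written for this page. It is an illustration, not FortiDLP Agent code: the evaluation order, presence-only handling of keywords, and use of fnmatch to approximate the ** glob rule are assumptions, and the policy, file and connections are constructed.

```python
"""Model of how the "Sensitive file transferred to remote destination" template's
parameters combine.  Written for this page as an illustration, not FortiDLP Agent
code: evaluation order and keyword handling are assumptions; the CIDR, MIME
wildcard, file size and match type rules follow the parameter descriptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class Policy:
    ip_addresses: list[str]            # "IP addresses" asset list in CIDR notation
    ip_list_is_authorized: bool        # True: list is the authorized set; False: the unauthorized set
    file_paths: list[str] = field(default_factory=list)   # glob patterns, case-insensitive
    file_types: list[str] = field(default_factory=list)   # MIME patterns such as "image/*"
    max_size_mb: float = 0.0           # 0 means no size limit
    patterns: list[str] = field(default_factory=list)     # content inspection regexes
    keywords: list[str] = field(default_factory=list)     # content inspection keywords
    match_type: str = "any"            # "all", "none", "any" or "at_least"
    at_least: int = 2                  # N for "Match at least [N]"
    match_frequency: int = 1           # minimum hits per pattern


def unauthorized_destinations(policy: Policy, connections: list[str]) -> list[str]:
    """Every active remote address the policy does not allow.  strict=False accepts
    entries with host bits set, such as the documented 192.0.2.1/16."""
    nets = [ipaddress.ip_network(c, strict=False) for c in policy.ip_addresses]
    bad = []
    for conn in connections:
        addr = ipaddress.ip_address(conn)
        listed = any(addr in net for net in nets)   # mixed IP versions never match
        if listed != policy.ip_list_is_authorized:
            bad.append(conn)
    return bad


def mime_matches(pattern: str, mime: str) -> bool:
    """'image/*' and 'application/dns*' match by prefix; anything else must be exact."""
    if pattern.endswith("*"):
        return mime.startswith(pattern[:-1])
    return pattern == mime


def file_in_scope(policy: Policy, path: str, mime: str, size_mb: float) -> bool:
    """File parameters: files smaller than the maximum permitted size generate no
    detection, and File types take precedence over File extensions (not modelled)."""
    if policy.max_size_mb and size_mb < policy.max_size_mb:
        return False
    if policy.file_paths and not any(fnmatch(path.lower(), g.lower()) for g in policy.file_paths):
        return False
    if policy.file_types and not any(mime_matches(t, mime) for t in policy.file_types):
        return False
    return True


def content_matches(policy: Policy, text: str) -> bool:
    """Content inspection parameters with the documented match types."""
    hits = [len(re.findall(p, text)) >= policy.match_frequency for p in policy.patterns]
    hits += [k.lower() in text.lower() for k in policy.keywords]  # presence only (assumption)
    if not hits:
        return True  # no data identifiers configured: content does not filter
    if policy.match_type == "all":
        return all(hits)
    if policy.match_type == "none":
        return not any(hits)
    if policy.match_type == "any":
        return any(hits)
    if policy.match_type == "at_least":
        return sum(hits) >= policy.at_least
    raise ValueError(f"unknown match type {policy.match_type!r}")


def evaluate(policy: Policy, path: str, mime: str, size_mb: float, text: str,
             connections: list[str]) -> dict | None:
    """Decision for one file access: a single unauthorized connection (e.g. one
    FileZilla tab) is enough, and every connected address is reported."""
    bad = unauthorized_destinations(policy, connections)
    if not bad or not file_in_scope(policy, path, mime, size_mb):
        return None
    if not content_matches(policy, text):
        return None
    return {"file": path, "unauthorized": bad, "connected": list(connections)}


# Constructed sample: allow-list policy, a PDF holding two SSN-shaped strings, and
# a GUI client with one internal and one external connection open at once.
SAMPLE_POLICY = Policy(
    ip_addresses=["10.0.0.0/8", "192.0.2.1/16"],
    ip_list_is_authorized=True,
    file_paths=[r"C:\Users\**\Shared\**"],
    file_types=["application/pdf", "image/*"],
    patterns=[r"[0-9]{3}-[0-9]{2}-[0-9]{4}"],
    keywords=["confidential"],
    match_type="at_least",
    at_least=2,
    match_frequency=2,
)
SAMPLE_TEXT = "CONFIDENTIAL payroll export: 123-45-6789, 987-65-4321"
SAMPLE_FILE = (r"C:\Users\alice\Shared\payroll.pdf", "application/pdf", 0.4)
```

Calling `evaluate(SAMPLE_POLICY, *SAMPLE_FILE, SAMPLE_TEXT, ["10.1.2.3", "203.0.113.9"])` raises a detection naming only 203.0.113.9 as unauthorized while reporting both addresses; with only the internal connection open the same access returns None.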

Sensitive file transferred via Bluetooth or AirDrop

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user transfers a file containing specified content to another device using Bluetooth or AirDrop.

Note: Subsequent detections and actions for the same file and process will not be generated until at least 10 seconds after the first detection/action.

Parameter Type Description
Process parameters
Binary names Advanced asset list A list of binary names (e.g. fsquirt.exe) authorized or unauthorized to read sensitive files. Case-insensitive matching is used.
Called paths Advanced asset list A list of regular expressions matching binary called paths (e.g. .*fsquirt\.exe) authorized or unauthorized to read sensitive files. An empty list will match all applications. Case-sensitive matching is used.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
File path keywords Advanced asset list A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+.
Only monitor network shares Boolean The toggle to enable/disable only monitoring files on a network share. If disabled, network files along with local files will be monitored.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Detection parameters
Group detections Boolean The toggle to enable/disable reporting multiple applications transferring the same file in a single detection.
Group time window (in seconds) Integer The time period over which Bluetooth activity will be grouped into a single detection.
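
The "URL patterns" rules above (single `*` inside one segment, `**` over whole segments, optional scheme/path/query/fragment) are worth testing offline before a pattern goes into a policy. The matcher below is an added, hypothetical example written for this page, not FortiDLP's own code; `url_matches`, `_parse_pattern` and `_match_segments` are names chosen here. It assumes hosts compare case-insensitively and paths case-sensitively, that `**` may match zero segments and then absorbs the adjacent separator (so `**.example.com` also matches the bare `example.com`), and that URLs are given with a scheme.

```python
import re
from urllib.parse import urlsplit

# Hypothetical matcher for the '*' / '**' URL-pattern rules described in the
# template reference (added example, not FortiDLP code).
# Assumptions: host matching is case-insensitive, path matching is
# case-sensitive, '**' may consume zero segments (absorbing the separator),
# and input URLs carry a scheme such as https://.


def _segment_regex(segment_pattern: str) -> "re.Pattern[str]":
    """Compile one segment pattern: '*' = any run of characters inside this segment."""
    parts = (re.escape(p) for p in segment_pattern.split("*"))
    return re.compile(".*".join(parts), re.DOTALL)


def _match_segments(pats: list, segs: list) -> bool:
    """Match segment patterns against segments; '**' consumes 0..n whole segments,
    every other entry must match exactly one segment."""
    if not pats:
        return not segs
    if pats[0] == "**":
        return any(_match_segments(pats[1:], segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return (_segment_regex(pats[0]).fullmatch(segs[0]) is not None
            and _match_segments(pats[1:], segs[1:]))


def _parse_pattern(pattern: str):
    """Split a pattern into (scheme, host, path, query, fragment); None = omitted,
    and an omitted component matches anything."""
    scheme = None
    rest = pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    rest, has_frag, fragment = rest.partition("#")
    rest, has_query, query = rest.partition("?")
    host, has_path, path = rest.partition("/")
    return (scheme, host,
            path if has_path else None,
            query if has_query else None,
            fragment if has_frag else None)


def url_matches(pattern: str, url: str) -> bool:
    """True if `url` matches `pattern` under the wildcard rules above."""
    p_scheme, p_host, p_path, p_query, p_frag = _parse_pattern(pattern)
    u = urlsplit(url)

    if p_scheme is not None and p_scheme.lower() != u.scheme.lower():
        return False
    host = (u.hostname or "").lower()
    if not _match_segments(p_host.lower().split("."), host.split(".")):
        return False
    if p_path is not None:
        pats = [s for s in p_path.split("/") if s]
        segs = [s for s in u.path.split("/") if s]
        if not _match_segments(pats, segs):
            return False
    if p_query is not None and _segment_regex(p_query).fullmatch(u.query) is None:
        return False
    if p_frag is not None and _segment_regex(p_frag).fullmatch(u.fragment) is None:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample URLs checked against the page's own example pattern.
    pattern = "**.example.com/**/download*"
    for sample in ("https://files.example.com/reports/2024/download.zip",
                   "http://example.com/download",
                   "https://files.example.com/downloads/report.pdf",
                   "https://example.com.evil.test/download"):
        print(f"{url_matches(pattern, sample)!s:5}  {sample}")
```

The third and fourth samples are the ones that trip people up: `downloads/report.pdf` fails because only the final segment is tested against `download*`, and `example.com.evil.test` fails because `**` is anchored to the left of `example.com`, so a look-alike domain that merely contains the string is not a match.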
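
The content inspection rows above describe a decision in four parts: per-asset pattern breadth ("narrow" requires the pattern plus one of the asset's keywords, "wide" requires the pattern alone), a match frequency, keyword and sensitivity-label identifiers, and a match type over the chosen identifiers (all, none, any, at least N). The model below is an added, hypothetical example written for this page, not FortiDLP's implementation; `PatternAsset`, `Keyword`, `SensitivityLabel`, `identifier_present` and `content_matches` are names chosen here. It assumes keywords match case-insensitively, that the frequency threshold applies to regex patterns only, and that sensitivity labels are passed in as document metadata rather than read from the file.

```python
import re
from dataclasses import dataclass
from typing import Union

# Hypothetical model of the content-inspection decision described in the
# template reference (added example, not FortiDLP code).
# Assumptions: keywords are case-insensitive, the match frequency applies to
# regex patterns only, and sensitivity labels arrive as document metadata.


@dataclass(frozen=True)
class PatternAsset:
    """A pattern asset: regex, optional keywords/keyphrases, and a breadth."""
    name: str
    regex: str
    keywords: tuple = ()
    breadth: str = "wide"      # "narrow": the pattern AND one of its keywords must both hit


@dataclass(frozen=True)
class Keyword:
    text: str


@dataclass(frozen=True)
class SensitivityLabel:
    name: str


Identifier = Union[PatternAsset, Keyword, SensitivityLabel]


def identifier_present(ident: Identifier, text: str, labels: frozenset, frequency: int) -> bool:
    """Decide whether one data identifier is present in the document."""
    lowered = text.lower()
    if isinstance(ident, PatternAsset):
        hits = len(re.findall(ident.regex, text))
        if hits < frequency:                      # "match frequency" threshold
            return False
        if ident.breadth == "narrow":             # pattern must be backed by a keyword
            return any(k.lower() in lowered for k in ident.keywords)
        return True
    if isinstance(ident, Keyword):
        return ident.text.lower() in lowered
    return ident.name in labels


def content_matches(text: str, labels: frozenset, identifiers: tuple,
                    match_type: str, frequency: int = 1, at_least: int = 2) -> bool:
    """Apply the policy's match type over the chosen identifiers."""
    if not identifiers:
        raise ValueError("at least one data identifier must be chosen")
    flags = [identifier_present(i, text, labels, frequency) for i in identifiers]
    if match_type == "all":
        return all(flags)
    if match_type == "none":
        return not any(flags)
    if match_type == "any":
        return any(flags)
    if match_type == "at_least":
        if not 2 <= at_least <= 5:
            raise ValueError("Match at least [N] supports N in 2..5")
        return sum(flags) >= at_least
    raise ValueError(f"unknown match type: {match_type}")


# Constructed sample document and identifier set (not real data).
SAMPLE_TEXT = "Employee record (constructed sample). SSN: 123-45-6789. Marked confidential."
SAMPLE_LABELS = frozenset({"Confidential"})
IDENTIFIERS = (
    # The page's own SSN-style pattern, configured as a narrow-breadth asset.
    PatternAsset("us-ssn", r"[0-9]{3}-[0-9]{2}-[0-9]{4}", ("ssn", "social security"), "narrow"),
    Keyword("confidential"),
    SensitivityLabel("Confidential"),
)

if __name__ == "__main__":
    for mt in ("all", "none", "any", "at_least"):
        print(mt, content_matches(SAMPLE_TEXT, SAMPLE_LABELS, IDENTIFIERS, mt))
    print("all @ frequency 2", content_matches(SAMPLE_TEXT, SAMPLE_LABELS, IDENTIFIERS, "all", frequency=2))
```

Raising the frequency to 2 flips "Match all" to false on the sample (the SSN-style number appears once) while "Match any" and "Match at least 2" still fire on the keyword and label, which is the behaviour to expect when tuning frequency to cut down on single-hit false positives.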

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process, Make shadow copy
