User account domains (Preview)
Requirements: FortiDLP Agent 11.4.6+ and policy pack 8.0.0+.
To enable this Preview feature, contact Fortinet Support.
The User account domains parameter allows detections to be generated based on the account name used to log in to a website or web app when uploading or downloading files, typing, copying and pasting text, and so on. You can use this parameter to define either an allowlist that matches permitted user account names or a denylist that matches prohibited user account names.
For example, selecting the Allow listed domains radio button and entering
Alternatively, selecting the Prohibit listed domains radio button and entering
The User account domains parameter helps distinguish between corporate and non-corporate web activity for users who have signed in to a site or web app using:
- username- and password-based authentication
- OAuth, or
- SAML 2.0.
OAuth and SAML logins are supported with Microsoft, Google, or Okta as identity providers.
The User account domains parameter is provided in various policy templates, enabling you to set specific account domain conditions for triggering detections depending on the context.
Using the Sensitive file downloaded template, you could create a policy to block sensitive files from being downloaded from a Dropbox file share website unless users are logged in using their corporate email address as follows: In the Website parameters section:
Some templates, such as the Sensitive file uploaded template, let you prohibit uploads based on both a file's web origin and destination and the account domains associated with each. For more on this, also see User account domains: origin (Preview).
Known limitations
Be mindful of the following limitations:
- Password-free logins, where a one-time code, face, fingerprint, PIN, or security key is used for authentication, are not recognized and are reported as unknown logins.

If the User account domains parameter is set, you can still generate detections for activities associated with unknown logins by turning the Monitor unknown user accounts toggle on during template configuration.
- Two-factor authentication (2FA) logins are not validated and may generate detections regardless of whether users successfully authenticated using this method.
- If a user logs in to an app via an external provider (e.g. 'Continue with Google' or 'Continue with Microsoft Account') and an account is used automatically because it is the only account signed in to that provider, the account username can only be identified if the Agent captured the login to the provider.

For example:
- A user logs in to Google (external provider) using jim@gmail.com. A browser login event is generated for this account.
- The user then logs in to the WeTransfer app using 'Sign in with Google', and jim@gmail.com is automatically used due to being the only active Google account in the browser. A browser login event is generated, and jim@gmail.com is identified as the account username.
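As an added example (not FortiDLP's own code, and not a description of how the product is implemented), the following Python models the allowlist/denylist decision described at the top of this page together with the unknown-login and external-provider limitations listed above. Event fields, function names, the exact domain-matching rule (case-insensitive comparison of the part after the last '@'), and the convention that provider sign-in pages are recorded with the provider's name as the site are assumptions for illustration only; the sample events are constructed, not captured data.

```python
"""Added example, not FortiDLP code: a reference model of the allowlist /
denylist evaluation of account domains and of the 'unknown login' and
external-provider limitations. Event fields, function names, the exact
domain-matching rule and the assumption that provider sign-in pages are
recorded with site == provider name are all illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Identity providers the page lists as supported for OAuth/SAML logins.
PROVIDERS = {"google", "microsoft", "okta"}


@dataclass(frozen=True)
class LoginEvent:
    browser: str                    # browser profile the login happened in
    site: str                       # site or web app signed in to
    method: str                     # "password", "oauth", "saml" or "passwordless"
    username: Optional[str]         # None when the Agent captured no account name
    provider: Optional[str] = None  # e.g. "google" for 'Sign in with Google'


def account_domain(username: Optional[str]) -> Optional[str]:
    """Domain part of a login name, lower-cased; None when it is unknown."""
    if not username or "@" not in username:
        return None
    domain = username.rsplit("@", 1)[1].strip().lower()
    return domain or None


def resolve_username(event: LoginEvent, history: List[LoginEvent]) -> Optional[str]:
    """Attribute a provider-brokered login that carried no username.

    Models the limitation above: the name is recoverable only if the Agent
    captured exactly one active login to that provider in the same browser;
    otherwise the login stays unknown."""
    if event.username:
        return event.username
    if event.method == "oauth" and event.provider in PROVIDERS:
        accounts = {
            e.username for e in history
            if e.browser == event.browser and e.site == event.provider and e.username
        }
        if len(accounts) == 1:
            return accounts.pop()
    return None


def should_detect(domain: Optional[str], mode: str, listed_domains,
                  monitor_unknown: bool = False) -> bool:
    """Decide whether activity performed under this login generates a detection.

    mode is "allow" (detect anything NOT in the list) or "prohibit" (detect
    anything IN the list). Unknown logins are decided solely by the
    'Monitor unknown user accounts' toggle, as the page describes."""
    listed = {d.strip().lower() for d in listed_domains}
    if domain is None:
        return monitor_unknown
    if mode == "allow":
        return domain not in listed
    if mode == "prohibit":
        return domain in listed
    raise ValueError(f"unknown mode {mode!r}")


def evaluate_policy(events: List[LoginEvent], mode: str, listed_domains,
                    monitor_unknown: bool = False) -> Dict[Tuple[str, str], bool]:
    """Replay login events in order; return {(browser, site): detect?}."""
    history: List[LoginEvent] = []
    results: Dict[Tuple[str, str], bool] = {}
    for ev in events:
        username = resolve_username(ev, history)
        results[(ev.browser, ev.site)] = should_detect(
            account_domain(username), mode, listed_domains, monitor_unknown)
        history.append(ev)
    return results


# Constructed sample events (not captured data) mirroring the jim@gmail.com example above.
SAMPLE_EVENTS = [
    LoginEvent("chrome", "dropbox.com", "password", "jim@example.com"),
    LoginEvent("chrome", "google", "password", "jim@gmail.com"),               # provider login captured
    LoginEvent("chrome", "wetransfer.com", "oauth", None, provider="google"),   # account chosen automatically
    LoginEvent("firefox", "wetransfer.com", "oauth", None, provider="google"),  # provider login never captured
    LoginEvent("chrome", "box.com", "passwordless", None),                      # passkey: reported as unknown
]

if __name__ == "__main__":
    for mode, domains in (("allow", ["example.com"]), ("prohibit", ["gmail.com"])):
        print(mode, evaluate_policy(SAMPLE_EVENTS, mode, domains, monitor_unknown=True))
```

With Allow listed domains set to example.com, the Dropbox login produces no detection, the WeTransfer login in the browser where the Gmail sign-in was captured is attributed to jim@gmail.com and does, and the same WeTransfer flow in a browser where the provider login was never seen, like the passkey login, is treated as unknown and only generates a detection when the toggle is on.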