
Activity monitoring templates

Templates for building policies based on user activity.

Note

To use this functionality, you must enable keystroke monitoring for Agents and additionally approve macOS keystroke monitoring permissions. For details, refer to the FortiDLP Administration Guide and FortiDLP Agent Deployment Guide.

Application use violated

Requirements: Agent version 7.2.1 or later

Detects when a user is active or idle for a prohibited duration, where single application use is tracked.

Note

Subsequent detections and actions for the same process will not be generated until at least one day after the first detection/action.

Note

If both the "Application binary name" and "Window title" parameters are populated, then application usage is tracked if the binary name and window title match these parameters. If neither the "Application binary name" nor the "Window title" parameters are populated, then no user activity will be monitored.

Note

To track application use based on idle time, you must enable keystroke monitoring. For details, refer to the FortiDLP Administration Guide.

Parameter (Type): Description
Application parameters
  Application binary name (String): The binary name to monitor (e.g. chrome.exe). Case-insensitive matching is used. If left empty, application activity will be matched against the "Window title" parameter.
  Window title (String): The window title to monitor. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. If left empty, application activity will be matched against the "Application binary name" parameter.
Usage parameters
  Monitor application use (String list): Monitor application usage by configuring a minimum or maximum duration an application is expected to be used for.
  Application use duration (String): The duration an application should be used, in HH:MM format. For example, to report if an application is in use for more than 2 hours and 30 minutes, enter 2:30 and select "Maximum application usage" for the "Monitor application use" parameter.
  Monitor active application usage (Boolean): The toggle to enable/disable monitoring of active application usage. This is the time an application is open and the user is interacting with it.
  Monitor idle application usage (Boolean): The toggle to enable/disable monitoring of idle application usage. This is the time an application is open but the user is not interacting with it.
Reporting parameters
  Report violation immediately (Boolean): The toggle to enable/disable generating a detection and performing optional actions as soon as application usage exceeds the "Maximum application usage" parameter. If this is disabled, a detection will be generated after excessive idle or active application usage is complete, for example, when the application is closed.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule (Default):
  Cluster by policy: Disabled
  Cluster by binary name: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process
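The matching and duration rules above, worked through in Python as an added example (this is not FortiDLP's own code; the event model, minute granularity and process key are assumptions). It shows the binary-name/window-title matching semantics, HH:MM parsing, active versus idle accounting, the difference between immediate and on-close reporting, and the one-day suppression of repeat detections for the same process.

```python
import re

def matches_app(rule_binary, rule_title, binary, title):
    # Template semantics: binary name is an exact, case-insensitive match; window
    # title is a case-insensitive regex. Both populated -> both must match.
    # Neither populated -> no activity is monitored.
    if not rule_binary and not rule_title:
        return False
    if rule_binary and binary.lower() != rule_binary.lower():
        return False
    if rule_title and re.search(rule_title, title, re.IGNORECASE) is None:
        return False
    return True

def parse_hhmm(text):
    # "2:30" -> 150 minutes, the format the "Application use duration" field takes
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

def evaluate_session(events, max_minutes, count_active=True, count_idle=False,
                     report_immediately=True):
    """events: [(minute, state), ...] with state in {"active", "idle", "closed"};
    each state lasts until the next event and the last event must be "closed"
    (assumed event model). Returns (detection_minute or None, counted_minutes)."""
    usage = 0
    detect_at = None
    for (start, state), (end, _) in zip(events, events[1:]):
        counted = (state == "active" and count_active) or (state == "idle" and count_idle)
        if not counted:
            continue
        if detect_at is None and usage + (end - start) > max_minutes:
            # Immediate mode fires the minute counted usage reaches the limit
            # (the next minute of use exceeds it); otherwise the detection is
            # generated when the application closes.
            detect_at = start + (max_minutes - usage) if report_immediately else events[-1][0]
        usage += end - start
    return detect_at, usage

DAY_MINUTES = 24 * 60

def should_generate(last_detections, process_key, now_minute):
    # The template suppresses further detections/actions for the same process
    # until at least one day after the first one. process_key is assumed to be
    # something like "chrome.exe:1234" (binary plus PID).
    last = last_detections.get(process_key)
    if last is not None and now_minute - last < DAY_MINUTES:
        return False
    last_detections[process_key] = now_minute
    return True
```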

Concurrent application use

Detects when a user runs multiple instances of an application at the same time.

Parameter (Type): Description
Application parameters
  Application binary name (String): The binary name to monitor (e.g. chrome.exe). Case-insensitive matching is used.
Usage parameters
  Maximum application instances (Integer): The maximum number of times an application can be run at the same time.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule (Default):
  Cluster by policy: Disabled
  Cluster by binary name: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Daily application use violated

Requirements: Agent version 7.1.0 or later

Detects when a user is active or idle for a prohibited duration over the course of a day, where total application use is tracked.

Note

If both the "Application binary name" and "Window title" parameters are populated, then application usage is tracked if the binary name and window title match these parameters. If neither the "Application binary name" nor the "Window title" parameters are populated, then all user activity will be monitored.

Note

To track application use based on idle time, you must enable keystroke monitoring. For details, refer to the FortiDLP Administration Guide.

Parameter (Type): Description
Application parameters
  Application binary name (String): The binary name to monitor (e.g. chrome.exe). Case-insensitive matching is used. If left empty, application activity will be matched against the "Window title" parameter.
  Window title (String): The window title to monitor. Full regular expression (regex) grammar is supported, and case-insensitive matching is used. If left empty, application activity will be matched against the "Application binary name" parameter.
Usage parameters
  Monitor application use (String list): Monitor application usage by configuring a minimum or maximum duration an application is expected to be used for.
  Application use duration (String): The duration an application should be used, in HH:MM format. For example, to report if an application is in use for more than 2 hours and 30 minutes, enter 2:30 and select "Maximum application usage" for the "Monitor application use" parameter.
  Monitor active application usage (Boolean): The toggle to enable/disable monitoring of active application usage. This is the time an application is open and the user is interacting with it.
  Monitor idle application usage (Boolean): The toggle to enable/disable monitoring of idle application usage. This is the time an application is open but the user is not interacting with it.
  Days to monitor (String list): A list of days on which application usage should be monitored.
  Start time (String): The time of day to start monitoring application usage. Times are in 24-hour format (HH:MM), and are in the FortiDLP Agent's local timezone.
  End time (String): The time of day to stop monitoring application usage. Times are in 24-hour format (HH:MM), and are in the FortiDLP Agent's local timezone.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule (Default):
  Cluster by policy: Disabled
  Cluster by binary name: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
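The daily variant aggregates usage per day inside the configured schedule. The Python below is an added example, not FortiDLP's code: intervals are assumed to be already filtered to the monitored application (same matching rules as the single-application template), the daily window is assumed not to cross midnight, and the mode labels "maximum"/"minimum" stand in for the template's "Monitor application use" choices. It shows clipping of intervals to the Start time/End time window, skipping of days not in "Days to monitor", and both the maximum and minimum checks.

```python
def parse_hhmm(text):
    # "09:00" -> 540 minutes since local midnight (Agent-local time)
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)

def clipped_minutes(start, end, win_start, win_end):
    # Portion of [start, end) that falls inside the monitoring window
    lo, hi = max(start, win_start), min(end, win_end)
    return max(0, hi - lo)

def daily_usage(intervals, days_to_monitor, start_time, end_time,
                count_active=True, count_idle=False):
    """intervals: [(day_name, start_min, end_min, state)] for the monitored app,
    state in {"active", "idle"} (constructed event model).
    Returns {day: counted minutes} with every monitored day present, so a day with
    no matched usage at all still shows 0 and can fail a minimum check."""
    win_start, win_end = parse_hhmm(start_time), parse_hhmm(end_time)
    totals = {day: 0 for day in days_to_monitor}
    for day, start, end, state in intervals:
        if day not in totals:
            continue  # outside "Days to monitor"
        counted = (state == "active" and count_active) or (state == "idle" and count_idle)
        if not counted:
            continue
        totals[day] += clipped_minutes(start, end, win_start, win_end)
    return totals

def daily_violations(totals, mode, duration):
    # mode "maximum": report days used for MORE than the duration;
    # mode "minimum": report days used for LESS than the duration.
    limit = parse_hhmm(duration)
    if mode == "maximum":
        return sorted(day for day, used in totals.items() if used > limit)
    return sorted(day for day, used in totals.items() if used < limit)

# Constructed sample week for one application, window 09:00-17:00 on weekdays
SAMPLE_INTERVALS = [
    ("Monday", 8 * 60, 9 * 60, "active"),          # entirely before the window
    ("Monday", 9 * 60 + 30, 12 * 60, "active"),    # 150 min counted
    ("Monday", 12 * 60, 13 * 60, "idle"),          # idle, only counted if enabled
    ("Monday", 16 * 60, 18 * 60, "active"),        # clipped to 16:00-17:00 = 60 min
    ("Saturday", 10 * 60, 15 * 60, "active"),      # not a monitored day
    ("Tuesday", 9 * 60, 10 * 60, "active"),        # 60 min
]
WEEKDAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday"]
```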
