Browser templates

Templates for building policies based on user browser activity.

Note

To use this functionality, you must enable web monitoring for Agents. For details, refer to the FortiDLP Agent Deployment Guide and FortiDLP Administration Guide.

Browser extension changed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.0.1 or later

Detects when a user installs or modifies a browser extension.

| Parameter | Type | Description |
|---|---|---|
| Extension parameters | | |
| Extension names | Advanced asset list | A list of browser extension names to include in or exclude from monitoring. Case-insensitive matching is used. |
| Extension IDs | Advanced asset list | A list of browser extension IDs to include in or exclude from monitoring. Case-insensitive and partial matching is used. |
| Monitor parameters | | |
| Monitor extension installation | Boolean | The toggle to enable/disable detection of monitored browser extensions being installed. |
| Monitor extension enabling | Boolean | The toggle to enable/disable detection of monitored browser extensions being enabled. |
| Monitor extension uninstallation | Boolean | The toggle to enable/disable detection of monitored browser extensions being uninstalled. |
| Monitor extension disabling | Boolean | The toggle to enable/disable detection of monitored browser extensions being disabled. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0042 (Resource Development), attack.mitre.org/tactics/TA0042/ | | |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by browser extension | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Browser run in private browsing mode

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.4.3 or later

Detects when a user runs a browser in private browsing mode.

Note

Subsequent detections and actions for the same process will not be generated until at least 30 minutes after the first detection/action.

Note

Private browsing sessions initiated from the browser menu will not be reported for macOS when Firefox is used or for Linux when Chrome or Firefox is used unless the FortiDLP Browser Extension has been installed and configured to monitor incognito activity.

| Parameter | Type | Description |
|---|---|---|
| Process parameters | | |
| Private browsing called paths | Advanced asset list | A list of regular expressions matching command line arguments or called paths that enable private browsing (e.g. `-incognito`). The match is case-sensitive. |
| Reporting parameters | | |
| Detect private browsing for unmonitored browsers only | Boolean | The toggle to enable detection of private browsing activity only for browsers in which web monitoring is disabled. Leaving this toggle off detects private browsing activity for browsers in which web monitoring is enabled or disabled. Requires Google Chrome or Microsoft Edge. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/ | | |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Encrypted file downloaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user attempts to download an encrypted or password-protected file via a browser, and optionally blocks the download.

| Parameter | Type | Description |
|---|---|---|
| Website parameters | | |
| SaaS apps | SaaS app filter | A list of SaaS apps for which downloads are authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which downloads are authorized or unauthorized. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/login*` will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| File parameters | | |
| File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. |
| File names | Advanced asset list | A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used. |
| Maximum file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. |
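The `*` and `**` wildcard rules of the "URL patterns" parameter (used by this template and by the other templates on this page) are easy to misread when writing an allow or prohibit list. The following is an added Python re-implementation of the rules as the table states them; it is not FortiDLP's own matcher. It assumes that a host with no leading `**.` must match exactly (so `example.com` does not cover `www.example.com`), that `*` in a query or fragment pattern matches any run of characters, and that an omitted component matches anything.

```python
"""Added example (not FortiDLP code): the URL pattern wildcard rules
described in the template tables, re-implemented for testing a policy list.
  *   matches 0 or more characters within a single domain/path segment
  **  matches 0 or more whole domain/path segments
  scheme, path, query and fragment are optional in the pattern
"""
import re
from urllib.parse import urlsplit


def _segments_to_regex(segments, sep):
    """Translate pattern segments (split on sep) into an anchored-ready regex fragment."""
    sep_re = re.escape(sep)
    not_sep = f"[^{sep_re}]"
    out = ""
    last = len(segments) - 1
    for i, seg in enumerate(segments):
        if seg == "**":
            if last == 0:
                return ".*"                        # the whole component is just "**"
            if i < last:
                out += f"(?:{not_sep}*{sep_re})*"  # N segments, each with its trailing separator
            else:
                if out.endswith(sep_re):           # drop the separator the previous segment added
                    out = out[: -len(sep_re)]
                out += f"(?:{sep_re}{not_sep}*)*"  # N segments, each with its leading separator
            continue
        out += "".join(f"{not_sep}*" if ch == "*" else re.escape(ch) for ch in seg)
        if i < last:
            out += sep_re
    return out


def _free_to_regex(text):
    """Scheme/query/fragment patterns: '*' matches any run of characters (assumption)."""
    return "".join(".*" if ch == "*" else re.escape(ch) for ch in text)


def compile_url_pattern(pattern):
    """Split one pattern into per-component regexes; None means 'match anything'."""
    scheme_re = path_re = query_re = frag_re = None
    rest = pattern.strip()
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
        scheme_re = re.compile(_free_to_regex(scheme), re.IGNORECASE)
    if "#" in rest:
        rest, frag = rest.split("#", 1)
        frag_re = re.compile(_free_to_regex(frag))
    if "?" in rest:
        rest, query = rest.split("?", 1)
        query_re = re.compile(_free_to_regex(query))
    if "/" in rest:
        host, path = rest.split("/", 1)
        path_re = re.compile(_segments_to_regex(("/" + path).split("/"), "/"))
    else:
        host = rest
    host_re = re.compile(_segments_to_regex(host.lower().split("."), "."))
    return {"scheme": scheme_re, "host": host_re, "path": path_re,
            "query": query_re, "fragment": frag_re}


def url_matches(pattern, url):
    """True if the URL satisfies every component the pattern specifies."""
    p = compile_url_pattern(pattern)
    u = urlsplit(url)
    checks = [
        (p["scheme"], u.scheme),
        (p["host"], (u.hostname or "").lower()),
        (p["path"], u.path or "/"),          # an absent path is the root path
        (p["query"], u.query),
        (p["fragment"], u.fragment),
    ]
    return all(rx is None or rx.fullmatch(value) is not None for rx, value in checks)


if __name__ == "__main__":
    # The table's own example pattern against constructed URLs.
    for url in ("https://portal.example.com/sso/v2/login?next=/home",
                "https://example.com/login/settings",
                "https://example.com.invalid/login"):
        print(url_matches("**.example.com/**/login*", url), url)
```

Running the block shows why the `**.` prefix matters: `example.com.invalid` is rejected because `**` only matches segments in front of the literal host, and `/login/settings` is rejected because the final segment, not just some segment, must begin with "login".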
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/ | T1027 (Obfuscated Files or Information), attack.mitre.org/techniques/T1027/ | |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by file extension | Disabled |
| Cluster by filename | Disabled |
| Cluster by policy | Disabled |

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot

Encrypted file uploaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user attempts to upload an encrypted or password-protected file via a browser, and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to users to notify them when content inspection is performed. This can be disabled using Agent configuration groups.

| Parameter | Type | Description |
|---|---|---|
| Website parameters | | |
| SaaS apps | SaaS app filter | A list of SaaS apps for which uploads are authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which uploads are authorized or unauthorized. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/login*` will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering `con(fidential\|tent)` would generate a detection when an encrypted file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| File parameters | | |
| File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .docx). The dot can be omitted, and case-insensitive matching is used. |
| File paths | Advanced asset list | A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. `C:\Users\**\Shared\**` would match all files in the Shared folder under users' home directories, and `**\*.pdf` would match all PDF files). Case-insensitive matching is used. |
| Maximum file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. |
| File origin parameters (Windows and macOS only) | | |
| SaaS apps | SaaS app filter | A list of protected SaaS apps from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for protected websites from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/download*` will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/ | T1027 (Obfuscated Files or Information), attack.mitre.org/techniques/T1027/ | |
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1567 (Exfiltration Over Web Service), attack.mitre.org/techniques/T1567/ | |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by filename | Disabled |
| Cluster by file extension | Disabled |
| Cluster by policy | Disabled |

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

File downloaded from IP address

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user downloads a file directly from an IP address instead of through a host with a DNS entry.

| Parameter | Type | Description |
|---|---|---|
| Website parameters | | |
| IP addresses | Advanced asset list | A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) from which file downloads are authorized or unauthorized if present in the URL. |
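To see how the "IP addresses" list interacts with a download URL, here is an added Python example (not FortiDLP code) that decides whether a download came from an IP-literal host rather than a DNS name, and whether that address falls inside the configured CIDR entries. It assumes only canonical dotted-quad and colon-hex literals count as IP hosts, and it parses CIDR entries leniently so that the table's own `192.0.2.1/16` example (host bits set) is accepted.

```python
"""Added example (not FortiDLP code): classify a browser download URL against
a CIDR list as the "File downloaded from IP address" template describes."""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample list, using the two CIDR examples from the parameter table.
SAMPLE_NETWORKS_CIDR = ["192.0.2.1/16", "2001:db8::68/128"]


def load_networks(cidrs):
    """Parse CIDR entries. strict=False accepts entries whose host bits are set,
    such as 192.0.2.1/16, which ipaddress would otherwise reject."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def ip_literal_host(url):
    """Return the host as an ip_address object if it is an IP literal, else None.
    urlsplit().hostname strips the port and the brackets around an IPv6 literal."""
    host = urlsplit(url).hostname
    if not host:
        return None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None  # a DNS name (or a literal form this example does not recognise)


def download_should_alert(url, networks, list_is_authorized):
    """Return (alert, reason) for a file download from url.

    list_is_authorized=True : downloads may only come from the listed networks
    list_is_authorized=False: downloads from the listed networks are prohibited
    A host with a DNS name never alerts here; that case is outside this template.
    """
    ip = ip_literal_host(url)
    if ip is None:
        return False, "host is a DNS name, not an IP literal"
    # ip_network.__contains__ returns False (it does not raise) when the
    # address family differs, so IPv4 and IPv6 entries can share one list.
    listed = any(ip in net for net in networks)
    verb = "is" if listed else "is not"
    if list_is_authorized:
        return (not listed), f"{ip} {verb} in the authorized list"
    return listed, f"{ip} {verb} in the unauthorized list"


SAMPLE_NETWORKS = load_networks(SAMPLE_NETWORKS_CIDR)

if __name__ == "__main__":
    for url in ("http://192.0.2.55/files/report.zip",
                "http://[2001:db8::68]:8080/report.zip",
                "https://downloads.example.com/report.zip"):
        print(download_should_alert(url, SAMPLE_NETWORKS, list_is_authorized=False), url)
```

The bracketed IPv6 case is the one most often handled wrongly by hand-written checks; letting `urlsplit` extract the host avoids comparing `[2001:db8::68]:8080` against the network.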
No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by filename | Disabled |
| Cluster by policy | Disabled |

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot

FortiDLP Browser Extension tampered with

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.1.2 or later

Detects when a user tampers with the FortiDLP Browser Extension.

Note

Subsequent detections and actions for the same browser process will not be generated until at least one day after the first detection/action.

| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/ | T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/ | T1562.001 (Disable or Modify Tools), attack.mitre.org/techniques/T1562/001/ |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by binary name | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Password entered on website

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.4.0 or later

Detects when a user enters a password on a website.

| Parameter | Type | Description |
|---|---|---|
| Website parameters | | |
| SaaS apps | SaaS app filter | A list of SaaS apps for which password entry is authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which password entry is authorized or unauthorized. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/login*` will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering `con(fidential\|tent)` would generate a detection when a user enters a password on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| URL regex patterns | Advanced asset list | A list of URLs for which password entry is authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. `example\.com/search\?q=foo`. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Machine learning parameters | | |
| Only report new websites | Boolean | The toggle to enable/disable generating a detection each time a password is entered on the same unauthorized website. If enabled, a detection will only be generated the first time a password is entered on a particular unauthorized website. |
| Training period (days) | Integer | The time period (in days) during which the list of websites on which passwords are typically entered on a node is learned. No detections will be generated during this period if "Only report new websites" is enabled. The FortiDLP Agent will continue to learn password activity after this period. |

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Password entered on website opened from Outlook

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows, Agent version 7.6.2 or later

Detects when a user opens a link from Microsoft Outlook and then enters a password on an unauthorized website.

| Parameter | Type | Description |
|---|---|---|
| Website parameters | | |
| SaaS apps | SaaS app filter | A list of SaaS apps on which users are authorized or unauthorized to enter passwords. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which users are authorized or unauthorized to enter passwords. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/login*` will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering `con(fidential\|tent)` would generate a detection when a user enters a password on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| URL regex patterns | Advanced asset list | A list of URLs on which users are authorized or unauthorized to enter passwords. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. `example\.com/search\?q=foo`. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0043 (Reconnaissance), attack.mitre.org/tactics/TA0043/ | T1598 (Phishing for Information), attack.mitre.org/techniques/T1598/ | T1598.003 (Spearphishing Link), attack.mitre.org/techniques/T1598/003/ |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Prohibited content posted on social media website

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user posts disallowed content on a prohibited social media website.

| Parameter | Type | Description |
|---|---|---|
| Website parameters | | |
| SaaS apps | SaaS app filter | A list of SaaS apps for which POST requests are authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which POST requests are either authorized or unauthorized. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/login*` will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering `con(fidential\|tent)` would generate a detection when a user posts on a social media website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| URL regex patterns | Advanced asset list | A list of URL regex patterns matching websites to which POST requests are either authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. `example\.com/search\?q=foo`. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| Form field keywords | Advanced asset list | A list of keywords matching form fields in the POST request body to either ignore or monitor when performing content inspection. Case-insensitive matching is used, and the keyword will match if it appears anywhere in the form field name. For example, entering "include" would match the "include_ext_alt_text" form field. Note: Keyword matching on raw fields will only be performed on the first 16 KiB. |
| Content inspection parameters | | |
| Content inspection patterns | Advanced asset list | A list of patterns for matching form contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering `[0-9]{3}-[0-9]{2}-[0-9]{4}` could match posts containing US social security numbers. To match all posts, use the `.*` pattern. Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Note: Content inspection on raw fields will only be performed on the first 16 KiB. Requires Agent 12.1.0+ on Linux. |
| Content inspection keywords | Advanced asset list | The keywords matched to form contents during content inspection. Note: Content inspection on raw fields will only be performed on the first 16 KiB. Requires Agent 12.1.0+ on Linux. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a post. Requires Agent 12.1.0+ on Linux. |
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1567 (Exfiltration Over Web Service), attack.mitre.org/techniques/T1567/ | |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Prohibited web request made using browser

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 6.0.2 or later

Detects when a user makes a prohibited web request using a browser.

| Parameter | Type | Description |
|---|---|---|
| Request parameters | | |
| Method | String list | The HTTP method for the request, such as POST, GET, PUT, or DELETE. This can be left empty to match all methods. |
| Scheme | Advanced asset list | The URI scheme for the request (e.g. HTTPS or HTTP). This can be left empty to match all URI schemes. |
| Domain | Advanced asset list | The domain for the request (e.g. example.com). Subdomains will match. This can be left empty to match all domains. |
| IP addresses | Advanced asset list | The IPv4 or IPv6 address in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) for the request if a domain name is not used. |
| Path | Advanced asset list | The path of the URL following the top-level domain. Glob pattern matching is supported. For example, to match all paths under https://example.com/customers/, use `/customers/**`. Note that some service providers have dynamic URLs that change per request and therefore cannot be used; the path to a static URL is required. |
| Query parameters | Advanced asset list | The query parameters appended to the URL to match on a web request. For example, to match the URL https://example.com/path?customer=name%20with%20space, you would enter `customer=name%20with%20space`. If multiple parameters are specified, the ordering does not matter. This can be left empty to match all query parameters. |
| Query patterns | Advanced asset list | The pattern used to match the decoded URL query of a request. Full regular expression (regex) grammar is supported. For example, to match the URL https://example.com/path?customer=056%20name, you would enter `customer=[0-9]+ [a-z]+`. This can be left empty to match all query parameters. |
| Request body pattern | Advanced asset list | A list of patterns for matching the contents of the web request body. Full regular expression (regex) grammar is supported. This can be left empty to match all request bodies. Note: Pattern matching on raw fields will only be performed on the first 16 KiB. |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering `con(fidential\|tent)` would generate a detection when a request is made on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Sensitive content submitted on unauthorized website

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 8.4.0 or later

Detects when a user submits sensitive content in a web request using a browser. The "SaaS apps" and/or "URL patterns" parameter(s) must be configured to generate a detection.

| Parameter | Type | Description |
|---|---|---|
| Request parameters | | |
| Method | String list | The HTTP method for the request, such as POST, GET, or PUT. This can be left empty to match all methods. |
| SaaS apps | SaaS app filter | A list of SaaS apps for which web requests are authorized or unauthorized. Requires Agent 11.3.0+. |
| URL patterns | Advanced asset list | A list of URL patterns for websites on which web requests are authorized or unauthorized. Supports a single asterisk (`*`) wildcard, which matches 0 or more characters within a domain/path segment, and a double asterisk (`**`) wildcard, which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern `**.example.com/**/login*` will match any subdomain of example.com with any path, as long as the final path segment begins with "login". |
| Tab titles | Advanced asset list | A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering `con(fidential\|tent)` would generate a detection when a request is made on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+. |
| User account domains (Preview) | Advanced asset list | A list of account domains that are authorized or unauthorized for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
| Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor web activity when the account login details are unavailable. |
| Content inspection parameters | | |
| Content inspection patterns | Advanced asset list | A list of patterns for matching the web request body contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering `[0-9]{3}-[0-9]{2}-[0-9]{4}` could match requests containing US social security numbers. To match all requests, use the `.*` pattern. Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Note: Content inspection on raw fields will only be performed on the first 16 KiB. |
| Content inspection keywords | Advanced asset list | The keywords matched to web request body contents during content inspection. Note: Content inspection on raw fields will only be performed on the first 16 KiB. |
| Content inspection match type | String | The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
| Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a request. |
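The "Content inspection match type" and "match frequency" parameters (described identically for this template and for "Prohibited content posted on social media website") combine in ways that are worth checking before a policy goes live: a pattern that occurs once does not count as present when the frequency is 2, and nothing past the first 16 KiB of a raw field is inspected. The following is an added Python example, not FortiDLP code, that applies those rules to a constructed form body. It treats the body as one text blob and applies the frequency threshold to keywords as well as patterns; both are assumptions, since the page does not describe how fields are tokenised.

```python
"""Added example (not FortiDLP code): the content inspection match-type and
match-frequency rules from the template tables, applied to a request body."""
import re

# Raw fields are inspected only up to the first 16 KiB, as the tables state.
INSPECT_LIMIT = 16 * 1024

# Constructed sample input: two US-SSN-shaped values and one of two keywords.
BODY = "comment=Patient SSN 123-45-6789 and 987-65-4321&tags=confidential"
PATTERNS = [r"[0-9]{3}-[0-9]{2}-[0-9]{4}"]
KEYWORDS = ["confidential", "passport"]


def inspect_content(body, patterns, keywords, match_type, min_frequency=1):
    """Return (detection_fires, hits).

    patterns       regexes; each one is a data identifier
    keywords       literal strings, case-insensitive; each one is a data identifier
    match_type     "Match all" | "Match none" | "Match any" | "Match at least N"
    min_frequency  occurrences an identifier needs before it counts as present
    hits           identifier -> occurrence count within the inspected prefix
    """
    raw = body.encode("utf-8") if isinstance(body, str) else body
    text = raw[:INSPECT_LIMIT].decode("utf-8", errors="ignore")

    hits = {}
    for p in patterns:
        hits["pattern:" + p] = len(re.findall(p, text))
    lowered = text.lower()
    for k in keywords:
        hits["keyword:" + k] = lowered.count(k.lower())

    present = sum(1 for n in hits.values() if n >= min_frequency)
    mt = match_type.strip().lower()
    if mt == "match all":
        fires = bool(hits) and present == len(hits)
    elif mt == "match none":
        fires = present == 0
    elif mt == "match any":
        fires = present > 0
    else:
        m = re.fullmatch(r"match at least (\d+)", mt)
        if not m:
            raise ValueError(f"unknown match type: {match_type!r}")
        fires = present >= int(m.group(1))
    return bool(fires), hits


if __name__ == "__main__":
    for mt in ("Match any", "Match all", "Match at least 2", "Match none"):
        fired, hits = inspect_content(BODY, PATTERNS, KEYWORDS, mt)
        print(f"{mt:18} -> {fired}  {hits}")
    # Frequency 2: only the SSN pattern occurs twice, so "Match at least 2" no longer fires.
    print(inspect_content(BODY, PATTERNS, KEYWORDS, "Match at least 2", min_frequency=2)[0])
```

The last line of the sample run is the point to take away: raising the frequency threshold silently shrinks the set of identifiers that count as present, so a "Match at least N" policy tuned with frequency 1 can stop firing when the frequency is increased.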
| Tactic | Technique | Sub-technique |
|---|---|---|
| TA0010 (Exfiltration), attack.mitre.org/tactics/TA0010/ | T1567 (Exfiltration Over Web Service), attack.mitre.org/techniques/T1567/ | |

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

| Incident clustering rule | Default |
|---|---|
| Cluster by domain name | Disabled |
| Cluster by content | Disabled |
| Cluster by policy | Disabled |

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Sensitive file downloaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to download a sensitive file via a browser and optionally blocks the download.

Note

From Agent 10.0.3+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which downloads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which downloads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs from which downloads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 10.0.3+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 10.0.3+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Machine learning parameters
Prohibit downloads from new websites Boolean The toggle to enable/disable generating a detection when a file is downloaded from a new website. If enabled, a detection will be generated the first time a file is downloaded from a particular website, even if the "Prohibit listed URLs" download rule is selected and the website is not present in the URL list. If the "Allow listed URLs" download rule is selected and the URL is present in the URL list, no detection will be generated, even if the website has not been downloaded from before. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Training period (hours) Integer The uptime period (in hours) during which the list of websites from which files are typically downloaded is learned. No detections will be generated due to downloads from new websites during this period. The FortiDLP Agent will continue to learn download activity after this period. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
Tactic Technique Sub-technique
T1213 (Data from Information Repositories)
attack.mitre.org/techniques/T1213/
T1530 (Data from Cloud Storage)
attack.mitre.org/techniques/T1530/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot
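The content inspection parameters above describe a two-stage decision: each data identifier is first judged present or absent (its pattern must occur at least "match frequency" times, and with "narrow breadth" one of the asset's keywords must occur as well), and the match type is then applied to the set of identifiers found present. The following Python example, added here as an illustration and not taken from FortiDLP or its documentation, models that decision on constructed sample text. The class and function names, the `at_least` argument, and the sample documents are this example's own assumptions; the SSN pattern is the one quoted in the description, and Microsoft sensitivity labels are not modelled.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class InspectionAsset:
    """One data identifier as it would be configured on the template.
    Constructed for this example; the field names are assumptions, not FortiDLP's."""
    name: str
    pattern: str            # "Content inspection patterns": full regex grammar
    keywords: tuple = ()    # "Content inspection keywords" tied to this asset
    breadth: str = "wide"   # "wide" or "narrow", as described above


def identifier_present(asset: InspectionAsset, text: str, frequency: int = 1) -> bool:
    """An identifier counts as present when its pattern occurs at least
    `frequency` times ("Content inspection match frequency"). With "narrow"
    breadth at least one of the asset's keywords must also occur (case-insensitive)."""
    occurrences = len(re.findall(asset.pattern, text))
    if occurrences < frequency:
        return False
    if asset.breadth == "narrow" and asset.keywords:
        lowered = text.lower()
        return any(k.lower() in lowered for k in asset.keywords)
    return True


def evaluate(text: str, assets, match_type: str, frequency: int = 1, at_least: int = 2):
    """Apply the documented match types; returns (detection, names of identifiers present)."""
    present = [a.name for a in assets if identifier_present(a, text, frequency)]
    n = len(present)
    if match_type == "Match all":
        detection = n > 0 and n == len(assets)   # nothing chosen: nothing to match (assumption)
    elif match_type == "Match none":
        detection = n == 0
    elif match_type == "Match any":
        detection = n > 0
    elif match_type == "Match at least":
        detection = n >= at_least                # the UI offers 2, 3, 4 or 5
    else:
        raise ValueError(f"unknown match type: {match_type!r}")
    return detection, present


# Constructed identifiers. The SSN pattern is the one quoted in the description above;
# its keywords turn a bare nine-digit pattern into a narrower, higher-confidence check.
SSN = InspectionAsset("US SSN", r"[0-9]{3}-[0-9]{2}-[0-9]{4}",
                      keywords=("social security", "ssn"), breadth="narrow")
CARD = InspectionAsset("Card number", r"(?:[0-9]{4}[ -]?){3}[0-9]{4}")
LABEL = InspectionAsset("Internal marking", r"INTERNAL ONLY")

# Constructed sample documents (not real data).
HR_EXPORT = ("HR export, INTERNAL ONLY. SSN 123-45-6789 for J. Doe, "
             "SSN 987-65-4321 for A. Roe.")
INVOICE = "Invoice 2024-0017, reference 555-12-3456 (a ticket id, not a person)."

if __name__ == "__main__":
    print(evaluate(HR_EXPORT, [SSN, CARD, LABEL], "Match any"))       # (True, ['US SSN', 'Internal marking'])
    print(evaluate(HR_EXPORT, [SSN, CARD, LABEL], "Match any", frequency=3))  # (False, [])
    print(evaluate(INVOICE, [SSN], "Match any"))                      # (False, []) narrow breadth, no keyword
```

The INVOICE document shows what "narrow breadth" buys: the pattern alone matches a ticket reference, but without a supporting keyword the identifier is not counted, so a "Match any" policy stays quiet while "Match none" fires. Raising the match frequency has the same quieting effect on the HR export once it exceeds the number of occurrences.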

Sensitive file downloaded from personal file share website

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to download a sensitive file from a file share website using a personal account, and optionally blocks the download.

Note

From Agent 10.0.3+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
File share parameters
Monitored file share websites String list A list of file share websites to monitor.
User account parameters
Authorized corporate account domains Advanced asset list A list of corporate account domains for which downloads are allowed when using file share websites. For example, entering "company.com" would allow a user to download files from file shares using their name@company.com account, but not their name@gmail.com account. Case-insensitive matching is used.
Monitor unknown user accounts Boolean The toggle to monitor downloads when the account login details are unavailable.
File parameters
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 10.0.3+.
File extensions Advanced asset list A list of file extensions that users are authorized or unauthorized to download (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 10.0.3+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
Tactic Technique Sub-technique
T1213 (Data from Information Repositories)
attack.mitre.org/techniques/T1213/
T1530 (Data from Cloud Storage)
attack.mitre.org/techniques/T1530/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot
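The parameters above interact in a fixed order: the account rule decides whether the user is covered at all, the size limit decides whether the file is large enough to matter (0 meaning no limit), and the type filter is "File types" whenever it is configured and the Agent can identify MIME types, with "File extensions" only as the fallback. The Python example below, added here and not part of FortiDLP or its documentation, encodes those rules so a policy author can test combinations before deploying them. The function names and keyword arguments are this example's assumptions; the exact-domain comparison for corporate account domains follows the description above, which (unlike the "User account domains" parameter) does not say that subdomains match.

```python
import re


def mime_matches(pattern: str, mime_type: str) -> bool:
    """MIME type patterns from the "File types" parameter: '*' matches any run
    of characters, so image/* and application/dns* act as prefixes. Case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, mime_type.lower()) is not None


def extension_matches(file_name: str, extensions) -> bool:
    """"File extensions": the leading dot is optional and matching is case-insensitive."""
    wanted = {e.lower().lstrip(".") for e in extensions}
    actual = file_name.rsplit(".", 1)[1].lower() if "." in file_name else ""
    return actual in wanted


def file_in_scope(file_name, mime_type, size_mb, *, file_types=(), file_extensions=(),
                  max_size_mb=0.0, agent_supports_mime=True) -> bool:
    """Precedence as documented: a configured "File types" list wins whenever the
    Agent can identify MIME types; "File extensions" is only the fallback.
    A maximum size of 0 means no limit; files smaller than the limit are out of scope."""
    if max_size_mb > 0 and size_mb < max_size_mb:
        return False
    if file_types and agent_supports_mime:
        return any(mime_matches(p, mime_type) for p in file_types)
    if file_extensions:
        return extension_matches(file_name, file_extensions)
    return True   # no type filter configured: every file is in scope (assumption)


def account_authorized(account, authorized_domains):
    """'Authorized corporate account domains': exact, case-insensitive match on the
    domain after '@'. Returns None when the login details are unavailable, so the
    caller can apply the "Monitor unknown user accounts" toggle."""
    if not account or "@" not in account:
        return None
    domain = account.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in authorized_domains}


def download_detected(account, authorized_domains, monitor_unknown, **file_kwargs) -> bool:
    """Combine the account rule with the file rules: a download by a corporate
    account is never a detection; an unknown account is one only if monitored."""
    authorized = account_authorized(account, authorized_domains)
    if authorized is True:
        return False
    if authorized is None and not monitor_unknown:
        return False
    return file_in_scope(**file_kwargs)


if __name__ == "__main__":
    # Constructed scenario: a 3.5 MB PDF pulled from a file share with a personal account.
    pdf = dict(file_name="Q3.PDF", mime_type="application/pdf", size_mb=3.5,
               file_types=["application/pdf"], max_size_mb=1.0)
    print(download_detected("j.doe@gmail.com", ["company.com"], False, **pdf))    # True
    print(download_detected("j.doe@COMPANY.com", ["company.com"], False, **pdf))  # False
    print(download_detected(None, ["company.com"], False, **pdf))                 # False
```

Two edge cases worth keeping in mind when reviewing a policy: with "Monitor unknown user accounts" off, a browser session whose login could not be determined produces no detection regardless of the file, and a populated "File types" list silently makes any "File extensions" entries irrelevant on Agents that identify MIME types.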

Sensitive file uploaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to upload a sensitive file via a browser and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to users to notify them when content inspection is performed. This can be disabled using Agent configuration groups.

Note

Upload blocking based on content inspection requires a Chromium-based browser for Agent versions < 8.6.0.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which uploads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which uploads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs to which uploads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Machine learning parameters
Prohibit uploads to new websites Boolean The toggle to enable/disable generating a detection when a file is uploaded to a new website. If enabled, a detection will be generated the first time a file is uploaded to a particular website, even if the "Prohibit listed domains" upload rule is selected and the domain is not present in the domain list. If the "Allow listed domains" upload rule is selected and the domain is present in the domain list, no detection will be generated, even if the website has not been uploaded to before. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Training period (hours) Integer The uptime period (in hours) during which the list of websites to which files are typically uploaded is learned. No detections will be generated due to uploads to new websites during this period. The FortiDLP Agent will continue to learn upload activity after this period. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
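The "URL patterns" grammar above (a single `*` confined to one domain or path segment, `**` spanning whole segments, and omitted components matching anything) is easy to misread, and an over-broad pattern on an allow list is the kind of mistake that turns an upload rule into a bypass. The Python matcher below is an added example, written for this page and not FortiDLP's own implementation, that follows the documented rules so a pattern can be tried against real URLs before it goes into a policy. The component parser, the assumption that scheme and host compare case-insensitively while path, query and fragment compare as written, and the sample URLs are this example's own; the pattern `**.example.com/**/login*` is the one quoted in the description.

```python
import re
from urllib.parse import urlsplit

# Splits a pattern into the components the description lists; a component that is
# absent from the pattern matches anything. (Assumed parser, not FortiDLP's.)
_COMPONENTS = re.compile(
    r"^(?:(?P<scheme>[^:/?#]+)://)?"   # optional scheme
    r"(?P<host>[^/?#]+)"               # domain (always present)
    r"(?:/(?P<path>[^?#]*))?"          # optional path
    r"(?:\?(?P<query>[^#]*))?"         # optional query
    r"(?:#(?P<fragment>.*))?$"         # optional fragment
)


def _wildcards_to_regex(glob: str, sep: str) -> str:
    """'**' followed by the component's separator: zero or more whole segments.
    A trailing '**': the rest of the component. A lone '*': zero or more characters
    that do not cross a segment boundary. Everything else is literal."""
    esc = re.escape(sep)
    out, i = [], 0
    while i < len(glob):
        if glob.startswith("**" + sep, i):
            out.append(f"(?:[^{esc}]+{esc})*")
            i += 3
        elif glob.startswith("**", i):
            out.append(".*")
            i += 2
        elif glob[i] == "*":
            out.append(f"[^{esc}]*")
            i += 1
        else:
            out.append(re.escape(glob[i]))
            i += 1
    return "".join(out)


def url_matches(pattern: str, url: str) -> bool:
    """True if an absolute URL (as a browser reports it) matches the pattern."""
    m = _COMPONENTS.match(pattern.strip())
    if not m:
        raise ValueError(f"malformed URL pattern: {pattern!r}")
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"expected an absolute URL: {url!r}")
    # (pattern component, observed value, segment separator)
    checks = [
        (m["scheme"] and m["scheme"].lower(), parts.scheme.lower(), ":"),
        (m["host"].lower(), parts.hostname.lower(), "."),
        (m["path"], parts.path.lstrip("/"), "/"),
        (m["query"], parts.query, "&"),
        (m["fragment"], parts.fragment, "/"),
    ]
    for glob, value, sep in checks:
        if glob is None:
            continue                        # omitted in the pattern: matches anything
        if re.fullmatch(_wildcards_to_regex(glob, sep), value) is None:
            return False
    return True


if __name__ == "__main__":
    pattern = "**.example.com/**/login*"    # the pattern quoted in the description
    for url in ["https://sso.corp.example.com/auth/v2/login.php",   # True
                "https://example.com/login",                        # True: zero subdomains
                "https://example.com/login/settings",               # False: last segment is not login*
                "https://example.com.evil.test/login"]:             # False: host does not end in example.com
        print(url_matches(pattern, url), url)
```

The last sample URL is the reason to prefer this grammar over the deprecated "URL regex patterns": a regex written as `example.com/login` without anchors or escaping would match that look-alike host, whereas the wildcard pattern is anchored to whole components and treats `.` literally.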

Sensitive file uploaded to personal file share website

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to upload a sensitive file to a file share website using a personal account, and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to notify users when uploaded files are verified against policies. This can be disabled using Agent configuration groups.

Note

Upload blocking based on content inspection requires a Chromium-based browser for Agent versions < 8.6.0.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Website parameters
Monitored file share websites String list A list of file share websites to monitor.
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account parameters
Authorized corporate account domains Advanced asset list A list of corporate account domains for which uploads are allowed when using file share websites. For example, entering "company.com" would allow a user to upload files to file shares using their name@company.com account, but not their name@gmail.com account. Case-insensitive matching is used.
Monitor unknown user accounts Boolean The toggle to monitor uploads when the account login details are unavailable.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions that users are authorized or unauthorized to upload (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Sensitive ZIP file downloaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user downloads a ZIP file from an unauthorized URL, and that file contains unauthorized content.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which downloads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which downloads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs from which downloads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .zip). The dot can be omitted, and case-insensitive matching is used.
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
Content inspection parameters
Content file names Advanced asset list A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within unauthorized for download. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used.
Tactic Technique Sub-technique
T1213 (Data from Information Repositories)
attack.mitre.org/techniques/T1213/
T1530 (Data from Cloud Storage)
attack.mitre.org/techniques/T1530/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot
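The "Content file names" parameter above decides the verdict for a whole archive from the names of the files inside it, with glob rules where `*` stays inside one path segment, `**\` spans any number of directories, and an empty list matches every zipped file. The Python example below is added here as an illustration and is not FortiDLP's own code: it builds a small constructed archive in memory, applies those rules to its member names, and reports which members make the ZIP unauthorized. The function names are this example's assumptions, as is accepting both `\` and `/` as separators (ZIP members are stored with forward slashes, while the quoted example uses backslashes); nested archives are not opened, since the description does not say they are.

```python
import io
import re
import zipfile

# Glob dialect described for "Content file names". Both separator styles are
# accepted so the backslash example above also matches the forward-slash member
# names stored inside ZIP archives (assumption: the page does not say).
_TOKENS = re.compile(r"(\*\*[/\\]?|\*|[/\\])")
_TOKEN_REGEX = {
    "*": r"[^/\\]*",                                  # stays inside one path segment
    "/": r"[/\\]", "\\": r"[/\\]",                    # a separator, either style
    "**": r".*",                                      # trailing '**': anything at all
    "**/": r"(?:.*[/\\])?", "**\\": r"(?:.*[/\\])?",  # zero or more whole segments
}


def content_glob(pattern: str) -> re.Pattern:
    """Compile one glob to a case-insensitive regex over a member name."""
    parts = _TOKENS.split(pattern)
    regex = "".join(_TOKEN_REGEX.get(p, re.escape(p)) for p in parts if p)
    return re.compile(regex, re.IGNORECASE)


def unauthorized_members(zip_bytes: bytes, content_file_names) -> list:
    """Archive members that match a pattern; an empty pattern list matches every
    zipped file, as documented. Raises zipfile.BadZipFile for a non-ZIP payload
    that merely carries a .zip name. Nested archives are not opened (assumption)."""
    globs = [content_glob(g) for g in content_file_names]
    matched = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            if not globs or any(g.fullmatch(member.filename) for g in globs):
                matched.append(member.filename)
    return matched


def zip_is_unauthorized(zip_bytes: bytes, content_file_names) -> bool:
    """Policy verdict for the whole archive: one matching member is enough."""
    return bool(unauthorized_members(zip_bytes, content_file_names))


def build_sample_zip() -> bytes:
    """Constructed sample archive with placeholder content (not real data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("README.txt", "constructed sample")
        archive.writestr("reports/Q3/Board-Deck.PDF", "%PDF-1.7 constructed")
        archive.writestr("exports/customers.csv", "id,name\n1,constructed\n")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(unauthorized_members(sample, [r"**\*.pdf"]))   # ['reports/Q3/Board-Deck.PDF']
    print(unauthorized_members(sample, ["*.pdf"]))       # [] a single '*' does not cross directories
    print(zip_is_unauthorized(sample, []))               # True: an empty list matches everything
```

The second call is the practical point: `*.pdf` only matches PDFs stored at the archive root, so a policy meant to catch PDFs anywhere in the archive needs the `**\*.pdf` form quoted in the description. The `BadZipFile` behaviour is also worth a thought when pairing this with the "File extensions" filter, since a `.zip` name says nothing about whether the payload is an archive.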

Sensitive ZIP file uploaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user attempts to upload a ZIP file via a browser, and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to users to notify them when content inspection is performed. This can be disabled using Agent configuration groups.

Note

Upload blocking based on content inspection requires a Chromium-based browser for Agent versions < 8.6.0.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which uploads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which uploads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs to which uploads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .zip). The dot can be omitted, and case-insensitive matching is used.
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
Content inspection parameters
Content file names Advanced asset list A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within unauthorized for upload. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Specified term used in web search

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 5.2.3 or later

Detects when a user searches the web using a specified term. Google, Yahoo, Bing, Ask, and DuckDuckGo search engines are supported.

Parameter Type Description
Search parameters
Search terms Advanced asset list A list of terms to filter by. Case-insensitive matching is used.
Tactic Technique Sub-technique
TA0043 (Reconnaissance)
attack.mitre.org/tactics/TA0043/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unapproved browser extension version installed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.0.1 or later

Detects when a user installs an unapproved browser extension version.

Parameter Type Description
Extension parameters
Approved extension versions Asset A string mapping asset that maps an extension name to approved versions. For example, {"Sheets": "1.0.0", "Docs": "2.0.0"} would approve version 1.0.0 of the Google Sheets extension and version 2.0.0 of the Google Docs extension.
Monitor parameters
Prohibit older extensions Boolean The toggle to enable/disable generating a detection for extensions older than the approved version.
Prohibit newer extensions Boolean The toggle to enable/disable generating a detection for extensions newer than the approved version.
Reporting interval (days) Float The frequency at which a detection is generated for an unapproved extension. For example, setting this to 1 enables detections to be generated once a day per extension, setting this to 2 enables detections to be generated once every two days per extension, and so on. When set to 0, only one detection is generated for each extension, ever.
Tactic Technique Sub-technique
TA0042 (Resource Development)
attack.mitre.org/tactics/TA0042/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by browser extension version Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
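A policy-engine sketch of the three "Monitor parameters" above, written as an added example rather than FortiDLP's own implementation: the mapping is parsed from the same JSON shape as the page's example, versions are compared numerically component by component, and the reporting interval suppresses repeat detections per extension. Assumptions: extensions absent from the mapping are ignored, and non-numeric version suffixes are dropped before comparison.

```python
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """Dotted numeric version -> tuple of ints ("1.2.10" -> (1, 2, 10)).
    Assumption: only numeric components are compared; suffixes such as '-beta' are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", version)) or (0,)


def compare_versions(a: str, b: str) -> int:
    """-1, 0 or 1 as `a` is older than, equal to or newer than `b`; "1.0" == "1.0.0"."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))  # right-pad so "1.0" and "1.0.0" compare equal
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


@dataclass
class ExtensionVersionPolicy:
    """Mirrors the template's parameters: the approved-version mapping, the two
    prohibit toggles, and the per-extension reporting interval (0 = one detection ever)."""
    approved: Dict[str, str]
    prohibit_older: bool = True
    prohibit_newer: bool = True
    reporting_interval_days: float = 1.0
    last_reported: Dict[str, datetime] = field(default_factory=dict)

    @classmethod
    def from_mapping_json(cls, mapping: str, **toggles) -> "ExtensionVersionPolicy":
        # Same shape as the page's example: {"Sheets": "1.0.0", "Docs": "2.0.0"}
        approved = {name.lower(): ver for name, ver in json.loads(mapping).items()}
        return cls(approved, **toggles)

    def violation(self, name: str, installed: str) -> Optional[str]:
        """'older' or 'newer' when the installed version is prohibited, else None.
        Assumption: extensions absent from the mapping are not governed by this policy."""
        approved = self.approved.get(name.lower())
        if approved is None:
            return None
        cmp = compare_versions(installed, approved)
        if cmp < 0 and self.prohibit_older:
            return "older"
        if cmp > 0 and self.prohibit_newer:
            return "newer"
        return None

    def evaluate(self, name: str, installed: str, now: datetime) -> Optional[dict]:
        """Return a detection record, or None when there is no violation or the
        previous detection for this extension is still within the reporting interval."""
        reason = self.violation(name, installed)
        if reason is None:
            return None
        key = name.lower()
        last = self.last_reported.get(key)
        if last is not None:
            if self.reporting_interval_days == 0:
                return None  # already reported once; interval 0 means never again
            if now - last < timedelta(days=self.reporting_interval_days):
                return None  # suppressed until the interval has elapsed
        self.last_reported[key] = now
        return {"extension": name, "installed": installed, "approved": self.approved[key],
                "reason": reason, "at": now.isoformat()}
```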

Unauthorized browser used

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.6.2 or later

Detects when a user runs an unauthorized browser.

Parameter Type Description
Browser parameters
Authorized browsers String list A list of browsers that are permitted for use. This can include Arc, Brave, Firefox, Google Chrome, Internet Explorer, Maxthon, Microsoft Edge, MSEdgeWebView, Opera Browser, Safari, Tor, Torch, Vivaldi, WebKit and Yandex.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized website accessed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 5.2.3 or later

Detects when a user visits a disallowed website.

Note

If the "URL patterns" and "URL regex patterns" parameters are left empty, the policy will not monitor any websites.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of authorized or unauthorized SaaS apps. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites authorized or unauthorized to be accessed. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL scheme, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
URL regex patterns Advanced asset list A list of URLs to which access is authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
Monitor automatically loaded subframes Boolean The toggle to enable/disable monitoring of auto subframes. This is any content that is automatically loaded in a non-top-level frame. For example, if a page consists of several frames containing ads, those ad URLs are loaded in subframes. The user may not even realize the content in these pages is a separate frame, and so may not care about the URL.
Detection parameters
Rate limit (minutes) Float The minimum time (in minutes) between consecutive detections for the same domain. Set to 0 to disable.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
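The wildcard rules of the "URL patterns" parameter above (the same rules apply to the file-origin URL patterns earlier) and the glob-style rules of the "File paths" and "Content file names" parameters share one idea: `*` stays inside a single segment, `**` spans whole segments. The following added example (not FortiDLP's code) implements both as the descriptions state; assumptions: a trailing `**` matches everything that remains, `**.example.com` also matches the bare `example.com`, URL paths are matched case-sensitively while hosts and file paths are not, and `*` in a scheme, query or fragment matches any run of characters.

```python
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def segment_pattern_to_regex(pattern: str, sep: str) -> str:
    """Translate a segmented wildcard pattern into a regex (no anchors; use fullmatch).

    Semantics taken from the parameter descriptions:
      '*'  matches 0 or more characters within ONE segment (never crosses `sep`)
      '**' matches 0 or more WHOLE segments, separators included
    Everything else is literal. Assumption: a trailing '**' matches the remainder."""
    esc = re.escape(sep)
    segs = pattern.split(sep)
    out = []
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == "**":
            # zero or more "segment + separator" units; the group consumes the separator itself
            out.append(".*" if last else rf"(?:[^{esc}]+{esc})*")
            continue
        out.append("".join(rf"[^{esc}]*" if ch == "*" else re.escape(ch) for ch in seg))
        if not last:
            out.append(esc)
    return "".join(out)


def file_path_matches(glob: str, path: str, sep: str = "\\") -> bool:
    """'File paths' / 'Content file names': glob-style, case-insensitive (as the page states).
    Assumption: Windows-style backslash separator by default; pass sep='/' for POSIX paths."""
    return re.fullmatch(segment_pattern_to_regex(glob, sep), path, re.IGNORECASE) is not None


def _literal_star_regex(pattern: str) -> str:
    """Scheme, query and fragment: literal text where '*' is any run of characters (assumption)."""
    return "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)


@dataclass
class UrlPattern:
    """One compiled 'URL patterns' entry. Components omitted from the pattern match anything."""
    scheme: Optional[re.Pattern]
    host: re.Pattern
    path: Optional[re.Pattern]
    query: Optional[re.Pattern]
    fragment: Optional[re.Pattern]

    @classmethod
    def compile(cls, pattern: str) -> "UrlPattern":
        scheme, rest = pattern.split("://", 1) if "://" in pattern else (None, pattern)
        # Peel components off from the right: fragment, then query, then path; host remains.
        rest, _, fragment = rest.partition("#")
        rest, _, query = rest.partition("?")
        host, slash, path = rest.partition("/")
        return cls(
            scheme=re.compile(_literal_star_regex(scheme), re.IGNORECASE) if scheme else None,
            host=re.compile(segment_pattern_to_regex(host, "."), re.IGNORECASE),
            path=re.compile(segment_pattern_to_regex(slash + path, "/")) if slash else None,
            query=re.compile(_literal_star_regex(query)) if query else None,
            fragment=re.compile(_literal_star_regex(fragment)) if fragment else None,
        )

    def matches(self, url: str) -> bool:
        u = urlsplit(url)
        checks = [
            (self.scheme, u.scheme),
            (self.host, u.hostname or ""),
            (self.path, u.path or "/"),
            (self.query, u.query),
            (self.fragment, u.fragment),
        ]
        # Every component present in the pattern must match its URL counterpart in full.
        return all(rx is None or rx.fullmatch(value) is not None for rx, value in checks)


def url_matches(pattern: str, url: str) -> bool:
    """Convenience wrapper: does `url` fall under the 'URL patterns' entry `pattern`?"""
    return UrlPattern.compile(pattern).matches(url)
```

Because the host regex is anchored to the whole hostname, a lookalike such as example.com.example.net does not match **.example.com: only labels before the literal tail are wildcarded.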

Unusual browser file transfer

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.9.3 or later

Detects when a user's browser file upload or download behavior deviates from their normal behavior.

Parameter Type Description
Event type parameters
Transfer types to profile String list A list of file transfer types to be profiled.
Event types to profile String list A list of file transfer event types to be profiled.
Machine learning parameters
Size sensitivity Integer Controls how sensitive the policy is to unusually large file transfers. Increasing this value will lower the threshold for what is considered unusual with regards to the size of a file transfer, resulting in more detections.
Maximum permitted transfer size (MB) Integer The maximum size of transfer (in MB). Unusual transfers larger than this threshold will generate a detection.
New event sensitivity Integer Controls how sensitive the policy is to new hosts and file types. Increasing this value will lower the threshold for what is considered unusual with regards to new hosts and file types, resulting in more detections.
Minimum training data Integer The minimum number of data points required before this policy is able to generate detections. One data point represents the aggregate transfer activity to/from a website over a single aggregate window.
Aggregation window (minutes) Integer The duration (in minutes) over which multiple transfer events are aggregated.
Training period (days) Integer The time period (in days) during which the FortiDLP Agent learns a user's upload and download behavior. The FortiDLP Agent will continue to learn after this period. No detections will be generated during this period.
Website parameters
SaaS apps SaaS app filter A list of SaaS apps to/from which transfers are authorized or unauthorized. Requires Agent 11.3.0+.
Domains Advanced asset list A list of domains to/from which transfers are authorized or unauthorized. Case-insensitive matching is used. Subdomains will match. Authorized domains will not generate a detection but the associated data points will still be used to train the model used to detect unusual transfers. To exclude certain domains from the model entirely see "Domains (model data)".
SaaS apps (model data) SaaS app filter A list of SaaS apps to/from which transfers are included or excluded from training the model used to detect unusual transfers. Excluded SaaS apps will not generate a detection.
Domains (model data) Advanced asset list A list of domains to/from which transfers are included or excluded from training the model used to detect unusual transfers. Excluded domains will not generate a detection. Case-insensitive matching is used. Subdomains will match.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Website visited through insecure protocol

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 4.2.5 or later

Detects when a user visits an HTTP or FTP website.

Parameter Type Description
Website parameters
Insecure protocols String list A list of prohibited protocols.
SaaS apps SaaS app filter A list of authorized or unauthorized SaaS apps. Requires Agent 11.3.0+.
Domains Advanced asset list A list of authorized or unauthorized domain names.
IP addresses Advanced asset list A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) authorized or unauthorized if a domain name is not used.
Monitor automatically loaded subframes Boolean The toggle to enable/disable monitoring of auto subframes. This is any content that is automatically loaded in a non-top-level frame. For example, if a page consists of several frames containing ads, those ad URLs are loaded in subframes. The user may not even realize the content in these pages is a separate frame, and so may not care about the URL.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Browser templates

Browser templates

Templates for building policies based on user browser activity.

Note

To use this functionality, you must enable web monitoring for Agents. For details, refer to the FortiDLP Agent Deployment Guide and FortiDLP Administration Guide.

Browser extension changed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.0.1 or later

Detects when a user installs or modifies a browser extension.

Parameter Type Description
Extension parameters
Extension names Advanced asset list A list of browser extension names to include or exclude from monitoring. Case-insensitive matching is used.
Extension IDs Advanced asset list A list of browser extension IDs to include or exclude from monitoring. Case-insensitive and partial matching is used.
Monitor parameters
Monitor extension installation Boolean The toggle to enable/disable the detection of monitored browser extensions being installed.
Monitor extension enabling Boolean The toggle to enable/disable the detection of monitored browser extensions being enabled.
Monitor extension uninstallation Boolean The toggle to enable/disable the detection of monitored browser extensions being uninstalled.
Monitor extension disabling Boolean The toggle to enable/disable the detection of monitored browser extensions being disabled.
Tactic Technique Sub-technique
TA0042 (Resource Development)
attack.mitre.org/tactics/TA0042/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by browser extension Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Browser run in private browsing mode

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.4.3 or later

Detects when a user runs a browser in private browsing mode.

Note

Subsequent detections and actions for the same process will not be generated until at least 30 minutes after the first detection/action.

Note

Private browsing sessions initiated from the browser menu will not be reported for macOS when Firefox is used or for Linux when Chrome or Firefox is used unless the FortiDLP Browser Extension has been installed and configured to monitor incognito activity.

Parameter Type Description
Process parameters
Private browsing called paths Advanced asset list A list of regular expressions matching command line arguments or called paths that enable private browsing (e.g. -incognito). The match is case-sensitive.
Reporting parameters
Detect private browsing for unmonitored browsers only Boolean The toggle to enable the detection of private browsing activity only for browsers in which web monitoring is disabled. Leaving this toggle off detects private browsing activity for browsers in which web monitoring is enabled or disabled. Requires Google Chrome or Microsoft Edge.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Encrypted file downloaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user attempts to download an encrypted or password-protected file via a browser, and optionally blocks the download.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which downloads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which downloads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used.
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/
T1027 (Obfuscated Files or Information)
attack.mitre.org/techniques/T1027/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by file extension Disabled
Cluster by filename Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot

Encrypted file uploaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 10.1.1 or later

Detects when a user attempts to upload an encrypted or password-protected file via a browser, and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to users to notify them when content inspection is performed. This can be disabled using Agent configuration groups.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which uploads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which uploads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when an encrypted file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .docx). The dot can be omitted, and case-insensitive matching is used.
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/
T1027 (Obfuscated Files or Information)
attack.mitre.org/techniques/T1027/
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by file extension Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

File downloaded from IP address

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user downloads a file directly from an IP address instead of through a host with a DNS entry.

Parameter Type Description
Website parameters
IP addresses Advanced asset list A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) from which file downloads are authorized or unauthorized if present in the URL.
Tactic Technique Sub-technique

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot

FortiDLP Browser Extension tampered with

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.1.2 or later

Detects when a user tampers with the FortiDLP Browser Extension.

Note

Subsequent detections and actions for the same browser process will not be generated until at least one day after the first detection/action.

Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/
T1562 (Impair Defenses)
attack.mitre.org/techniques/T1562/
T1562.001 (Disable or Modify Tools)
attack.mitre.org/techniques/T1562/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot, Kill process

Password entered on website

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.4.0 or later

Detects when a user enters a password on a website.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which password entry is authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which password entry is authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a user enters a password on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
URL regex patterns Advanced asset list A list of URLs for which password entry is authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
Machine learning parameters
Only report new websites Boolean The toggle to enable/disable generating a detection if a password is entered on the same unauthorized website multiple times. If enabled, a detection will only be generated the first time a password is entered on a particular unauthorized website.
Training period (days) Integer The time period (in days) during which the list of websites on which passwords are typically entered on a node are learned. No detections will be generated during this period if "Only report new websites" is enabled. The FortiDLP Agent will continue to learn password activity after this period.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Password entered on website opened from Outlook

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows, Agent version 7.6.2 or later

Detects when a user opens a link from Microsoft Outlook and then enters a password on an unauthorized website.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps on which users are authorized or unauthorized to enter passwords. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which users are authorized or unauthorized to enter passwords. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a user enters a password on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
URL regex patterns Advanced asset list A list of URLs on which users are authorized or unauthorized to enter passwords. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
Tactic Technique Sub-technique
TA0043 (Reconnaissance)
attack.mitre.org/tactics/TA0043/
T1598 (Phishing for Information)
attack.mitre.org/techniques/T1598/
T1598.003 (Spearphishing Link)
attack.mitre.org/techniques/T1598/003/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Prohibited content posted on social media website

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user posts disallowed content on a prohibited social media website.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which POST requests are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which POST requests are either authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a user posts on a social media website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
URL regex patterns Advanced asset list A list of URL regex patterns matching websites to which POST requests are either authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
Form field keywords Advanced asset list A list of keywords matching form fields in the POST request body to either ignore or monitor when performing content inspection. Case-insensitive matching is used, and the keyword will match if it appears anywhere in the form field name. For example, entering "include" would match the "include_ext_alt_text" form field. Note: Keyword matching on raw fields will only be performed on the first 16KiB.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching form contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match posts containing US social security numbers. To match all posts use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Note: Content inspection on raw fields will only be performed on the first 16KiB. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched form contents during content inspection. Note: Content inspection on raw fields will only be performed on the first 16KiB. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a post. Requires Agent 12.1.0+ on Linux.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
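The content inspection parameters above (patterns, keywords/keyphrases, narrow versus wide breadth, match type and match frequency) combine in a way that is easy to misread. The following Python snippet is an added illustration of those documented rules, not FortiDLP code; the names (DataIdentifier, identifier_present, inspect) are made up for the example, the sample document and identifiers are constructed, and it assumes keyword comparison is case-insensitive and that the 16 KiB limit is a plain truncation of the inspected text.

```python
import re
from dataclasses import dataclass, field

# Documented limit: raw fields are only inspected up to the first 16 KiB.
INSPECT_LIMIT = 16 * 1024


@dataclass
class DataIdentifier:
    """One content-inspection asset: a regex pattern plus optional keywords/keyphrases."""
    name: str
    pattern: str                          # full regex grammar
    keywords: list = field(default_factory=list)
    breadth: str = "wide"                 # "wide": pattern alone; "narrow": pattern AND a keyword


def identifier_present(ident: DataIdentifier, text: str, min_frequency: int = 1) -> bool:
    """Is this data identifier present in the inspected text?

    min_frequency is the "Content inspection match frequency": the pattern must
    occur at least that many times. With narrow breadth at least one keyword must
    also appear (keyword comparison is case-insensitive here; an assumption).
    """
    hits = len(re.findall(ident.pattern, text))
    if hits < min_frequency:
        return False
    if ident.breadth == "narrow":
        lowered = text.lower()
        return any(k.lower() in lowered for k in ident.keywords)
    return True


def inspect(identifiers, document: str, match_type: str = "any",
            at_least: int = 2, min_frequency: int = 1) -> bool:
    """Apply the configured match type over all chosen data identifiers.

    match_type: "all", "none", "any" or "at_least" (N from 2 to 5, as documented).
    Returns True when a detection should be generated.
    """
    text = document[:INSPECT_LIMIT]       # anything beyond 16 KiB is never inspected
    present = sum(identifier_present(i, text, min_frequency) for i in identifiers)
    if match_type == "all":
        return present == len(identifiers)
    if match_type == "none":
        return present == 0
    if match_type == "any":
        return present > 0
    if match_type == "at_least":
        if not 2 <= at_least <= 5:
            raise ValueError("Match at least [N] accepts N from 2 to 5")
        return present >= at_least
    raise ValueError(f"unknown match type {match_type!r}")


# Constructed sample identifiers and document (not taken from the product documentation).
SSN_WIDE = DataIdentifier("us-ssn", r"[0-9]{3}-[0-9]{2}-[0-9]{4}")
SSN_NARROW = DataIdentifier("us-ssn-keyworded", r"[0-9]{3}-[0-9]{2}-[0-9]{4}",
                            keywords=["SSN", "social security"], breadth="narrow")
CARD = DataIdentifier("card-visa-like", r"\b4[0-9]{3}( [0-9]{4}){3}\b")
PHONE = DataIdentifier("us-phone", r"\+1 [0-9]{3}-[0-9]{3}-[0-9]{4}")

SAMPLE_DOC = (
    "Employee export (constructed sample)\n"
    "SSN 123-45-6789\n"
    "SSN 987-65-4321\n"
    "card 4111 1111 1111 1111\n"
)

if __name__ == "__main__":
    print("any:", inspect([SSN_WIDE, PHONE], SAMPLE_DOC, "any"))                      # True
    print("all:", inspect([SSN_WIDE, CARD, PHONE], SAMPLE_DOC, "all"))                # False
    print("at least 2:", inspect([SSN_WIDE, CARD, PHONE], SAMPLE_DOC, "at_least", 2))  # True
    print("frequency 3:", inspect([SSN_WIDE], SAMPLE_DOC, "any", min_frequency=3))    # False
```

Two points the walk-through makes visible: the match frequency applies to each pattern individually (two social security numbers do not satisfy a frequency of 3), and a narrow-breadth asset silently stops matching when the document lacks its keywords, so the breadth choice decides false-negative rate as much as the regex does.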

Prohibited web request made using browser

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 6.0.2 or later

Detects when a user makes a prohibited web request using a browser.

Parameter Type Description
Request parameters
Method String list The HTTP method for the request, such as POST, GET, PUT, or DELETE. This can be left empty to match all methods.
Scheme Advanced asset list The URI scheme for the request (e.g. HTTPS or HTTP). This can be left empty to match all URI schemes.
Domain Advanced asset list The domain for the request (e.g. example.com). Subdomains will match. This can be left empty to match all domains.
IP addresses Advanced asset list The IPv4 or IPv6 address in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) for the request if a domain name is not used.
Path Advanced asset list The path of the URL following the top-level domain. Glob pattern matching is supported. For example, to match all paths under https://example.com/customers/, use /customers/**. Note that some service providers have dynamic URLs that change per request and therefore cannot be used. The path to a static URL is required.
Query parameters Advanced asset list The query parameters appended to the URL to match on a web request. For example, to match the URL https://example.com/path?customer=name%20with%20space, you would enter customer=name%20with%20space. If multiple parameters are specified, the ordering does not matter. This can be left empty to match all query parameters.
Query patterns Advanced asset list The pattern used to match the decoded URL query of a request. Full regular expression (regex) grammar is supported. For example, to match the URL https://example.com/path?customer=056%20name, you would enter customer=[0-9]+ [a-z]+. This can be left empty to match all query parameters.
Request body pattern Advanced asset list A list of patterns for matching the contents of the web request body. Full regular expression (regex) grammar is supported. This can be left empty to match all request bodies. Note: Pattern matching on raw fields will only be performed on the first 16KiB.
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a request is made on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Sensitive content submitted on unauthorized website

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Windows or macOS, Agent version 8.4.0 or later

Detects when a user submits sensitive content in a web request using a browser. The "SaaS apps" and/or "URL patterns" parameter(s) must be configured to generate a detection.

Parameter Type Description
Request parameters
Method String list The HTTP method for the request, such as POST, GET, or PUT. This can be left empty to match all methods.
SaaS apps SaaS app filter A list of SaaS apps for which web requests are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which web requests are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a request is made on a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching the web request body contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match requests containing US social security numbers. To match all requests use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Note: Content inspection on raw fields will only be performed on the first 16KiB.
Content inspection keywords Advanced asset list The keywords matched to web request body contents during content inspection. Note: Content inspection on raw fields will only be performed on the first 16KiB.
Content inspection match type String The match type applied to data identifiers (content inspection patterns and keywords/keyphrases). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a request.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
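The request parameters of the "Prohibited web request made using browser" template above (Domain with subdomains, IP addresses in CIDR form, Path glob, Query parameters, Query patterns on the decoded query) and the "URL patterns" parameter of this template share one idea: a single asterisk stays inside one domain or path segment, a double asterisk spans whole segments. The Python below is an added illustration of those documented rules, written for this page and not FortiDLP's own matcher; all function names are hypothetical, and it assumes case-insensitive matching, that a configured query-parameter list is satisfied when every listed pair is present (extra request parameters ignored), and that `**` may match zero segments, so `**.example.com` also matches the bare `example.com`. The same URL pattern parameter appears in the download and upload templates that follow.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit


def _glob_segment(pat: str, seg: str) -> bool:
    """Single-segment glob: '*' matches 0+ characters inside the segment only.
    Everything else is literal; case-insensitive (assumption)."""
    rx = "".join(".*" if ch == "*" else re.escape(ch) for ch in pat)
    return re.fullmatch(rx, seg, re.IGNORECASE) is not None


def _glob_segments(pats: list, segs: list) -> bool:
    """Segment-list glob: a '**' entry matches 0 or more whole segments."""
    if not pats:
        return not segs
    head, rest = pats[0], pats[1:]
    if head == "**":
        return any(_glob_segments(rest, segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and _glob_segment(head, segs[0]) and _glob_segments(rest, segs[1:])


def _parts(s: str, sep: str) -> list:
    return [p for p in s.split(sep) if p]


# scheme://host/path?query#fragment; everything except host is optional and,
# when omitted, matches anything (as the URL patterns parameter describes).
URL_PATTERN_RE = re.compile(
    r"^(?:(?P<scheme>[^:/?#]+)://)?(?P<host>[^/?#]+)(?P<path>/[^?#]*)?"
    r"(?:\?(?P<query>[^#]*))?(?:#(?P<fragment>.*))?$"
)


def url_pattern_matches(pattern: str, url: str) -> bool:
    """'URL patterns' parameter: '*' within a domain/path segment, '**' for whole segments."""
    m = URL_PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"malformed URL pattern: {pattern!r}")
    u = urlsplit(url)
    if not _glob_segments(_parts(m["host"], "."), _parts(u.hostname or "", ".")):
        return False
    if m["path"] is not None and not _glob_segments(_parts(m["path"], "/"), _parts(u.path, "/")):
        return False
    for part, actual in ((m["scheme"], u.scheme), (m["query"], u.query), (m["fragment"], u.fragment)):
        if part is not None and not _glob_segment(part, actual):
            return False
    return True


def domain_matches(domain: str, url: str) -> bool:
    """'Domain' parameter: the host itself or any subdomain of it (never a substring)."""
    host = (urlsplit(url).hostname or "").lower()
    d = domain.lower().strip(".")
    return host == d or host.endswith("." + d)


def ip_matches(cidr: str, url: str) -> bool:
    """'IP addresses' parameter: host must be an IP literal inside the CIDR block."""
    try:
        addr = ipaddress.ip_address(urlsplit(url).hostname or "")
    except ValueError:
        return False                      # a hostname, not an IP literal
    return addr in ipaddress.ip_network(cidr, strict=False)


def path_glob_matches(pattern: str, url: str) -> bool:
    """'Path' parameter, e.g. '/customers/**' for everything under /customers/."""
    return _glob_segments(_parts(pattern, "/"), _parts(urlsplit(url).path, "/"))


def query_params_match(configured: str, url: str) -> bool:
    """'Query parameters': every configured key=value pair must be present; order is ignored."""
    want = set(parse_qsl(configured, keep_blank_values=True))
    have = set(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return want <= have


def query_pattern_matches(pattern: str, url: str) -> bool:
    """'Query patterns': regex applied to the percent-decoded query string."""
    return re.search(pattern, unquote(urlsplit(url).query)) is not None


if __name__ == "__main__":
    print(url_pattern_matches("**.example.com/**/login*", "https://sso.corp.example.com/auth/v2/login.aspx"))  # True
    print(url_pattern_matches("**.example.com/**/login*", "https://evil-example.com/login"))                  # False
    print(query_pattern_matches(r"customer=[0-9]+ [a-z]+", "https://example.com/path?customer=056%20name"))  # True
```

Note what the segment-based rules rule out: `**.example.com` does not match `evil-example.com`, because `example` has to be a whole label, and `*.example.com` does not reach `a.b.example.com`, because a single asterisk never crosses a dot. When writing an authorized-site list, the `**` forms are the ones that stay correct as new subdomains appear.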

Sensitive file downloaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to download a sensitive file via a browser and optionally blocks the download.

Note

From Agent 10.0.3+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which downloads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which downloads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs from which downloads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 10.0.3+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 10.0.3+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Machine learning parameters
Prohibit downloads from new websites Boolean The toggle to enable/disable generating a detection when a file is downloaded from a new website. If enabled, a detection will be generated the first time a file is downloaded from a particular website, even if the "Prohibit listed URLs" download rule is selected and the website is not present in the URL list. If the "Allow listed URLs" download rule is selected and the URL is present in the URL list, no detection will be generated, even if the website has not been downloaded from before. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Training period (hours) Integer The uptime period (in hours) during which the list of websites from which files are typically downloaded is learned. No detections will be generated due to downloads from new websites during this period. The FortiDLP Agent will continue to learn download activity after this period. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
Tactic Technique Sub-technique
T1213 (Data from Information Repositories)
attack.mitre.org/techniques/T1213/
T1530 (Data from Cloud Storage)
attack.mitre.org/techniques/T1530/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot
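Two rules in the table above interact in a non-obvious way: the "Prohibit downloads from new websites" toggle fires even under a "Prohibit listed URLs" rule for an unlisted site, but never for a site covered by an "Allow listed URLs" rule, and the "File types" MIME patterns take precedence over the deprecated "File extensions" list. The Python below is an added illustration of those documented rules for this page, not FortiDLP code; the class and function names are hypothetical, the list is modelled as a set of host names rather than URL patterns, the training period is measured from an injectable clock standing in for Agent uptime, and "the Agent could not identify the MIME type" is represented by passing None.

```python
import time
from fnmatch import fnmatchcase


class NewWebsiteMonitor:
    """'Prohibit downloads from new websites' with a 'Training period (hours)'.

    Sites are learned during the training period (measured from Agent start,
    i.e. uptime) and keep being learned afterwards; only a download from a
    never-seen site after training counts as new.
    """

    def __init__(self, training_hours: float, clock=time.monotonic):
        self.clock = clock
        self.started = clock()
        self.training_seconds = training_hours * 3600
        self.seen: set = set()

    def observe(self, host: str) -> bool:
        """Record a download from host; True means 'first download from a new site'."""
        host = host.lower()
        first_time = host not in self.seen
        self.seen.add(host)
        in_training = self.clock() - self.started < self.training_seconds
        return first_time and not in_training


def download_detected(host: str, rule: str, listed: set, monitor=None) -> bool:
    """Combine the URL list rule with the new-website toggle as the table describes.

    rule: "allow"    -> listed sites are authorized, anything else is a detection
          "prohibit" -> listed sites are detections, anything else is allowed
    A new site still triggers under "prohibit" even when unlisted, while an
    allow-listed site never triggers even if it has not been seen before.
    """
    host = host.lower()
    is_new = monitor.observe(host) if monitor is not None else False
    in_list = host in listed
    if rule == "allow":
        return not in_list
    if rule == "prohibit":
        return in_list or is_new
    raise ValueError(f"unknown rule {rule!r}")


def file_type_matches(mime_patterns: list, extensions: list, mime_type, filename: str) -> bool:
    """'File types' (MIME globs such as image/* or application/dns*) take precedence;
    the deprecated 'File extensions' list is consulted only when no MIME patterns are
    configured or the MIME type could not be identified (mime_type is None)."""
    if mime_patterns and mime_type is not None:
        return any(fnmatchcase(mime_type.lower(), p.lower()) for p in mime_patterns)
    wanted = {e.lstrip(".").lower() for e in extensions}   # the dot may be omitted
    ext = filename.rsplit(".", 1)[1].lower() if "." in filename else ""
    return ext in wanted


if __name__ == "__main__":
    # Constructed walk-through with a fake clock: one hour of training, then activity.
    now = [0.0]
    monitor = NewWebsiteMonitor(training_hours=1, clock=lambda: now[0])
    print(download_detected("files.example.com", "prohibit", set(), monitor))  # False (training)
    now[0] = 2 * 3600
    print(download_detected("share.example.net", "prohibit", set(), monitor))  # True (new site)
    print(download_detected("share.example.net", "prohibit", set(), monitor))  # False (seen)
    print(file_type_matches(["image/*"], ["png"], "application/pdf", "a.png"))  # False
```

The last line is the case worth remembering when migrating older policies: once MIME patterns are configured and the Agent can identify the type, a file named `a.png` that is really a PDF is judged by its content type, and the extension list is not consulted at all.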

Sensitive file downloaded from personal file share website

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to download a sensitive file from a file share website using a personal account, and optionally blocks the download.

Note

From Agent 10.0.3+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
File share parameters
Monitored file share websites String list A list of file share websites to monitor.
User account parameters
Authorized corporate account domains Advanced asset list A list of corporate account domains for which downloads are allowed when using file share websites. For example, entering "company.com" would allow a user to download files from file shares using their name@company.com account, but not their name@gmail.com account. Case-insensitive matching is used.
Monitor unknown user accounts Boolean The toggle to monitor downloads when the account login details are unavailable.
File parameters
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 10.0.3+.
File extensions Advanced asset list A list of file extensions that users are authorized or unauthorized to download (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 10.0.3+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
Tactic Technique Sub-technique
T1213 (Data from Information Repositories)
attack.mitre.org/techniques/T1213/
T1530 (Data from Cloud Storage)
attack.mitre.org/techniques/T1530/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot

Sensitive file uploaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to upload a sensitive file via a browser and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to users to notify them when content inspection is performed. This can be disabled using Agent configuration groups.

Note

Upload blocking based on content inspection requires a Chromium-based browser for Agent versions < 8.6.0.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which uploads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which uploads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs to which uploads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions to filter on (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Machine learning parameters
Prohibit uploads to new websites Boolean The toggle to enable/disable generating a detection when a file is uploaded to a new website. If enabled, a detection will be generated the first time a file is uploaded to a particular website, even if the "Prohibit listed domains" upload rule is selected and the domain is not present in the domain list. If the "Allow listed domains" upload rule is selected and the domain is present in the domain list, no detection will be generated, even if the website has not been uploaded to before. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Training period (hours) Integer The uptime period (in hours) during which the list of websites to which files are typically uploaded is learned. No detections will be generated due to uploads to new websites during this period. The FortiDLP Agent will continue to learn upload activity after this period. Requires a FortiDLP Enterprise or FortiDLP Managed license.
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Sensitive file uploaded to personal file share website

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 8.4.0 or later

Detects when a user attempts to upload a sensitive file to a file share website using a personal account, and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to notify users when uploaded files are verified against policies. This can be disabled using Agent configuration groups.

Note

Upload blocking based on content inspection requires a Chromium-based browser for Agent versions < 8.6.0.

Note

From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.

Parameter Type Description
Website parameters
Monitored file share websites String list A list of file share websites to monitor.
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account parameters
Authorized corporate account domains Advanced asset list A list of corporate account domains for which uploads are allowed when using file share websites. For example, entering "company.com" would allow a user to upload files to file shares using their name@company.com account, but not their name@gmail.com account. Case-insensitive matching is used.
Monitor unknown user accounts Boolean The toggle to monitor uploads when the account login details are unavailable.
File parameters
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
File types Advanced asset list A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+.
File extensions Advanced asset list A list of file extensions that users are authorized or unauthorized to upload (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated for Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf".
Content inspection parameters
Content inspection patterns Advanced asset list A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. Requires Agent 12.1.0+ on Linux.
Content inspection keywords Advanced asset list The keywords matched to file contents during content inspection. Requires Agent 12.1.0+ on Linux.
Microsoft sensitivity labels Asset list The Microsoft sensitivity labels matched to files during content inspection. Requires Agent 12.1.0+ on Linux.
Content inspection match type String The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. Requires Agent 12.1.0+ on Linux.
Content inspection match frequency Integer The minimum number of times each pattern must be present in a document.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Sensitive ZIP file downloaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user downloads a ZIP file from an unauthorized URL, and that file contains unauthorized content.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which downloads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which downloads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs from which downloads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .zip). The dot can be omitted, and case-insensitive matching is used.
File names Advanced asset list A list of regular expressions matching file names that users are authorized or unauthorized to download. Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
Content inspection parameters
Content file names Advanced asset list A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within unauthorized for download. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used.
Tactic Technique Sub-technique
T1213 (Data from Information Repositories)
attack.mitre.org/techniques/T1213/
T1530 (Data from Cloud Storage)
attack.mitre.org/techniques/T1530/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by policy Disabled

Supported actions: Block browser download, Display message, Lock, Isolate, Take screenshot, Reboot

Sensitive ZIP file uploaded

Available under any of the following licenses: FortiDLP Standard, FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.8.0 or later

Detects when a user attempts to upload a ZIP file via a browser, and optionally blocks the upload.

Note

As part of this feature, an in-browser banner is displayed to users to notify them when content inspection is performed. This can be disabled using Agent configuration groups.

Note

Upload blocking based on content inspection requires a Chromium-based browser for Agent versions < 8.6.0.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of SaaS apps for which uploads are authorized or unauthorized. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites on which uploads are authorized or unauthorized. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
Tab titles Advanced asset list A list of patterns matched against the browser tab's title. Full regular expression (regex) grammar is supported and case-insensitive matching is used. For example, entering "con(fidential|tent)" would generate a detection when a file is uploaded to a website with a browser tab title containing "confidential" or "content". Requires Agent 10.2.0+.
User account domains (Preview) Advanced asset list A list of account domains that are authorized or unauthorized to use for website login. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor web activity when the account login details are unavailable.
URL regex patterns Advanced asset list A list of URLs to which uploads are authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
File parameters
File extensions Advanced asset list A list of file extensions to filter on (e.g. .zip). The dot can be omitted, and case-insensitive matching is used.
File paths Advanced asset list A list of file path expressions to match against. The match can use glob-style pattern matching rules (e.g. C:\Users\**\Shared\** would match all files in the Shared folder under users' home directories and **\*.pdf would match all PDF files). Case-insensitive matching is used.
Maximum permitted file size (MB) Float The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied.
Content inspection parameters
Content file names Advanced asset list A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within unauthorized for upload. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used.
File origin parameters (Windows and macOS only)
SaaS apps SaaS app filter A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+.
User account domains (Preview) Advanced asset list A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+.
Monitor unknown user accounts (Preview) Boolean The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by filename Disabled
Cluster by policy Disabled

Supported actions: Block browser upload, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy

Specified term used in web search

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 5.2.3 or later

Detects when a user searches the web using a specified term. Google, Yahoo, Bing, Ask, and DuckDuckGo search engines are supported.

Parameter Type Description
Search parameters
Search terms Advanced asset list A list of terms to filter by. Case-insensitive matching is used.
Tactic Technique Sub-technique
TA0043 (Reconnaissance)
attack.mitre.org/tactics/TA0043/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by content Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unapproved browser extension version installed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.0.1 or later

Detects when a user installs an unapproved browser extension version.

Parameter Type Description
Extension parameters
Approved extension versions Asset A string mapping asset that maps an extension name to approved versions. For example, {"Sheets": "1.0.0", "Docs": "2.0.0"} would approve version 1.0.0 of the Google Sheets extension and version 2.0.0 of the Google Docs extension.
Monitor parameters
Prohibit older extensions Boolean The toggle to enable/disable generating a detection for extensions older than the approved version.
Prohibit newer extensions Boolean The toggle to enable/disable generating a detection for extensions newer than the approved version.
Reporting interval (days) Float The frequency at which a detection is generated for an unapproved extension. For example, setting this to 1 enables detections to be generated once a day per extension, setting this to 2 enables detections to be generated once every two days per extension, and so on. When set to 0, only one detection is generated for each extension, ever.
Tactic Technique Sub-technique
TA0042 (Resource Development)
attack.mitre.org/tactics/TA0042/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by browser extension version Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized browser used

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.6.2 or later

Detects when a user runs an unauthorized browser.

Parameter Type Description
Browser parameters
Authorized browsers String list A list of browsers that are permitted for use. This can include Arc, Brave, Firefox, Google Chrome, Internet Explorer, Maxthon, Microsoft Edge, MSEdgeWebView, Opera Browser, Safari, Tor, Torch, Vivaldi, WebKit and Yandex.
Tactic Technique Sub-technique
TA0005 (Defense Evasion)
attack.mitre.org/tactics/TA0005/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by binary name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unauthorized website accessed

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 5.2.3 or later

Detects when a user visits a disallowed website.

Note

If the "URL patterns" and "URL regex patterns" parameters are left empty, the policy will not monitor any websites.

Parameter Type Description
Website parameters
SaaS apps SaaS app filter A list of authorized or unauthorized SaaS apps. Requires Agent 11.3.0+.
URL patterns Advanced asset list A list of URL patterns for websites authorized or unauthorized to be accessed. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/login* will match any subdomain of example.com with any path, as long as the final path segment begins with "login".
URL regex patterns Advanced asset list A list of URLs to which access is authorized or unauthorized. Full regular expression (regex) grammar is supported. Note: Characters such as "." and "?" should be escaped with a backslash ("\"), e.g. example\.com/search\?q=foo. Note: This parameter is deprecated for Agent 10.0.3+; please use the "URL patterns" parameter instead.
Monitor automatically loaded subframes Boolean The toggle to enable/disable monitoring of auto subframes. This is any content that is automatically loaded in a non-top-level frame. For example, if a page consists of several frames containing ads, those ad URLs are loaded in subframes. The user may not even realize the content in these pages is a separate frame, and so may not care about the URL.
Detection parameters
Rate limit (minutes) Float The minimum time (in minutes) between consecutive detections for the same domain. Set to 0 to disable.
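The single-asterisk and double-asterisk rules in the "URL patterns" rows above (the same wording appears in the "Website parameters" and "File origin parameters" tables of the upload, download and website templates) decide which sites a policy will actually cover, so it is worth checking a pattern against sample URLs before relying on it. The matcher below is an added example written for this page, not FortiDLP code; it implements the semantics exactly as the descriptions state them (`*` never crosses a domain or path segment, `**` matches zero or more whole segments, omitted scheme/path/query/fragment match anything) and assumes that scheme and host comparison is case-insensitive, that a URL with no path is treated as "/", and that `*` in a query or fragment may match any characters.

```python
import re

# Splits a URL (or a URL pattern) into scheme, host, path, query and fragment.
# A component absent from the text comes back as None; for a pattern that is
# exactly the page's "omitted parts match anything" rule.
_URL_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<host>[^/?#]*)"
    r"(?P<path>/[^?#]*)?"
    r"(?:\?(?P<query>[^#]*))?"
    r"(?:#(?P<fragment>.*))?$"
)
# Segment separator per component. None means one segment in which '*' may match
# anything (assumption for scheme, query and fragment, which the page does not define).
_SEPARATORS = {"scheme": None, "host": ".", "path": "/", "query": None, "fragment": None}

def _glob_to_regex(text, sep):
    # '*' matches 0+ characters inside one segment (never crosses sep);
    # '**' standing alone as a segment matches 0+ whole segments.
    if sep is None:
        return ".*".join(re.escape(lit) for lit in text.split("*"))
    cls = "[^" + re.escape(sep) + "]"          # one non-separator character
    segments = text.split(sep)
    out = []
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        if seg == "**":
            out.append(f"(?:{cls}+{re.escape(sep)})*")   # whole segments, separator included
            if last:
                out.append(f"{cls}*")                    # a trailing '**' also takes the last segment
        else:
            out.append(f"{cls}*".join(re.escape(lit) for lit in seg.split("*")))
            if not last:
                out.append(re.escape(sep))
    return "".join(out)

def compile_url_pattern(pattern):
    # Returns {component: compiled regex} for the components the pattern specifies.
    m = _URL_RE.match(pattern)
    if not m or not m.group("host"):
        raise ValueError(f"URL pattern needs a host part: {pattern!r}")
    compiled = {}
    for name, sep in _SEPARATORS.items():
        value = m.group(name)
        if value is None:
            continue                                   # omitted in the pattern: matches anything
        flags = re.IGNORECASE if name in ("scheme", "host") else 0   # assumption: scheme/host case-insensitive
        compiled[name] = re.compile(_glob_to_regex(value, sep), flags)
    return compiled

def url_matches(pattern, url):
    # True when every component the pattern specifies matches the URL in full.
    m = _URL_RE.match(url)
    if not m:
        return False
    for name, regex in compile_url_pattern(pattern).items():
        value = m.group(name)
        if value is None:
            value = "/" if name == "path" else ""      # assumption: a URL with no path is "/"
        if not regex.fullmatch(value):
            return False
    return True

if __name__ == "__main__":
    PATTERN = "**.example.com/**/download*"           # the page's own example pattern
    for url in ("https://files.example.com/a/b/download.zip",   # constructed sample URLs
                "http://example.com/download",
                "https://files.example.com/download/latest"):
        print(url, "->", url_matches(PATTERN, url))
```

Running the script prints True for the first two URLs and False for the third, whose final path segment is "latest" rather than something beginning with "download".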

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Unusual browser file transfer

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 7.9.3 or later

Detects when a user's browser file upload or download behavior deviates from their normal behavior.

Parameter Type Description
Event type parameters
Transfer types to profile String list A list of file transfer types to be profiled.
Event types to profile String list A list of file transfer event types to be profiled.
Machine learning parameters
Size sensitivity Integer Controls how sensitive the policy is to unusually large file transfers. Increasing this value will lower the threshold for what is considered unusual with regard to the size of a file transfer, resulting in more detections.
Maximum permitted transfer size (MB) Integer The maximum size of transfer (in MB). Unusual transfers larger than this threshold will generate a detection.
New event sensitivity Integer Controls how sensitive the policy is to new hosts and file types. Increasing this value will lower the threshold for what is considered unusual with regard to new hosts and file types, resulting in more detections.
Minimum training data Integer The minimum number of data points required before this policy is able to generate detections. One data point represents the aggregate transfer activity to/from a website over a single aggregate window.
Aggregation window (minutes) Integer The duration (in minutes) over which multiple transfer events are aggregated.
Training period (days) Integer The time period (in days) during which the FortiDLP Agent learns the user's upload and download behavior. The FortiDLP Agent will continue to learn after this period. No detections will be generated during this period.
Website parameters
SaaS apps SaaS app filter A list of SaaS apps to/from which transfers are authorized or unauthorized. Requires Agent 11.3.0+.
Domains Advanced asset list A list of domains to/from which transfers are authorized or unauthorized. Case-insensitive matching is used. Subdomains will match. Authorized domains will not generate a detection but the associated data points will still be used to train the model used to detect unusual transfers. To exclude certain domains from the model entirely see "Domains (model data)".
SaaS apps (model data) SaaS app filter A list of SaaS apps to/from which transfers are included or excluded from training the model used to detect unusual transfers. Excluded SaaS apps will not generate a detection.
Domains (model data) Advanced asset list A list of domains to/from which transfers are included or excluded from training the model used to detect unusual transfers. Excluded domains will not generate a detection. Case-insensitive matching is used. Subdomains will match.
Tactic Technique Sub-technique
TA0010 (Exfiltration)
attack.mitre.org/tactics/TA0010/
T1567 (Exfiltration Over Web Service)
attack.mitre.org/techniques/T1567/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Website visited through insecure protocol

Available under any of the following licenses: FortiDLP Enterprise, FortiDLP Managed

Requirements: Agent version 4.2.5 or later

Detects when a user visits an HTTP or FTP website.

Parameter Type Description
Website parameters
Insecure protocols String list A list of prohibited protocols.
SaaS apps SaaS app filter A list of authorized or unauthorized SaaS apps. Requires Agent 11.3.0+.
Domains Advanced asset list A list of authorized or unauthorized domain names.
IP addresses Advanced asset list A list of IPv4 or IPv6 addresses in CIDR format (e.g. 192.0.2.1/16 or 2001:db8::68/128) authorized or unauthorized if a domain name is not used.
Monitor automatically loaded subframes Boolean The toggle to enable/disable monitoring of auto subframes. This is any content that is automatically loaded in a non-top-level frame. For example, if a page consists of several frames containing ads, those ad URLs are loaded in subframes. The user may not even realize the content in these pages is a separate frame, and so may not care about the URL.

No default MITRE ATT&CK indicators. Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rule Default
Cluster by domain name Disabled
Cluster by policy Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot