USB templates
Templates for building policies based on USB device use.
To use the USB transfer blocking functionality provided by some of the following templates, you must enable it via Agent configuration groups. For details, refer to the FortiDLP Administration Guide.
Bulk file transfer to USB storage device exceeded
Requirements: Agent version 9.1.0 or later
Detects when a user writes an excessive number of files or volume of data to a USB storage device without a significant pause between consecutive file transfers.
Requires Agent 11.2.3+ on Linux.
Parameter | Type | Description |
---|---|---|
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write files to USB devices. Case-insensitive matching is used. |
File parameters | ||
File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used. |
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+. |
Content inspection parameters (Windows and macOS only) | ||
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. |
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. |
Aggregation window parameters | ||
Maximum permitted number of files | Integer | The total number of files that are permitted to be transferred during a bulk USB transfer. |
Maximum permitted file size (MB) | Float | The total size of files that is permitted to be transferred during a bulk USB transfer. |
Wait period (seconds) | Integer | The maximum period of inactivity between transfers of the same bulk transfer. Consecutive transfers that complete within the wait period will be considered the same bulk transfer, and consecutive transfers that complete after the wait period will be considered a separate transfer. A detection will be raised after the wait period has passed and both "Maximum" parameters have been exceeded (also taking into account the "Detection timing"). |
Detection parameters | ||
Detection timing | String list | A list of timings for which a detection can be raised for a bulk USB transfer. |
Tactic | Technique | Sub-technique |
---|---|---|
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Encrypted file written to USB storage device
Requirements: Agent version 10.1.1 or later
Detects when a user writes an encrypted file to a USB storage device.
Parameter | Type | Description |
---|---|---|
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write encrypted files to USB devices. Case-insensitive matching is used. |
File parameters | ||
File extensions | Advanced asset list | A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. |
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
File origin parameters (Windows and macOS only) | ||
SaaS apps (Preview) | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
URL patterns (Preview) | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
Tactic | Technique | Sub-technique |
---|---|---|
TA0005 (Defense Evasion) attack.mitre.org/tactics/TA0005/ | T1027 (Obfuscated Files or Information) attack.mitre.org/techniques/T1027/ | |
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Cluster by file extension | Disabled |
Supported actions: Block transfer to USB storage device, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
File transfer to USB storage device over time window exceeded
Requirements: Agent version 9.1.0 or later
Detects when a user writes an excessive number of files or volume of data to a USB storage device within a given time window.
Requires Agent 11.2.3+ on Linux.
Parameter | Type | Description |
---|---|---|
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write files to USB devices. Case-insensitive matching is used. |
File parameters | ||
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+. |
File extensions | Advanced asset list | A list of file extensions to filter on (e.g. .doc, .xls, .pdf). The dot can be omitted, and case-insensitive matching is used. |
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
Content inspection parameters (Windows and macOS only) | ||
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. |
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. |
Aggregation window parameters | ||
Maximum permitted number of files | Integer | The total number of files that are permitted to be transferred to USB during a time window. |
Maximum permitted file size (MB) | Float | The total size of files that is permitted to be transferred to USB during a time window. |
Window length (minutes) | Float | The length of time over which to aggregate the number and size of files transferred to USB. A detection will be raised after the window has passed if both "Maximum" parameters have been exceeded. |
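A worked model of the two aggregation rules described above, the wait-period grouping of the "Bulk file transfer to USB storage device exceeded" template and the time-window aggregation of this template. This is an added example, not FortiDLP Agent code; it assumes the time window is a series of consecutive fixed windows, each opened by the first write after the previous one closed (the page does not say whether the window is fixed or sliding), and the write records are constructed.

```python
"""Model of the two USB write-aggregation rules described in the
'Bulk file transfer' and 'File transfer over time window' templates.
Added example only: it reproduces the semantics the parameter tables
state, not the FortiDLP Agent's own implementation."""
from dataclasses import dataclass


@dataclass(frozen=True)
class UsbWrite:
    """One completed file write to a USB storage device (constructed record)."""
    completed_at: float  # seconds on a monotonic clock
    size_mb: float
    path: str


def _exceeds_both(group, max_files, max_size_mb):
    """A detection needs BOTH maxima to be exceeded, as the tables state."""
    return len(group) > max_files and sum(w.size_mb for w in group) > max_size_mb


def split_by_wait_period(writes, wait_period_s):
    """Group consecutive writes whose completion gap is within the wait
    period; a longer gap starts a new bulk transfer."""
    groups = []
    for w in sorted(writes, key=lambda w: w.completed_at):
        if groups and w.completed_at - groups[-1][-1].completed_at <= wait_period_s:
            groups[-1].append(w)
        else:
            groups.append([w])
    return groups


def bulk_transfer_detections(writes, max_files, max_size_mb, wait_period_s, now):
    """'Bulk file transfer to USB storage device exceeded': a bulk transfer is
    reported only once its wait period has elapsed (measured at `now`) and
    both maxima are exceeded. The 'Detection timing' list is not modelled."""
    return [
        g for g in split_by_wait_period(writes, wait_period_s)
        if now - g[-1].completed_at > wait_period_s and _exceeds_both(g, max_files, max_size_mb)
    ]


def window_detections(writes, max_files, max_size_mb, window_minutes, now):
    """'File transfer to USB storage device over time window exceeded'.
    Assumption: consecutive fixed windows, each opened by the first write
    after the previous window closed. A window is evaluated only after it
    has closed; a window that is still open never produces a detection."""
    window_s = window_minutes * 60
    ordered = sorted(writes, key=lambda w: w.completed_at)
    detections = []
    i = 0
    while i < len(ordered):
        start = ordered[i].completed_at
        window = [w for w in ordered[i:] if w.completed_at < start + window_s]
        i += len(window)
        if now < start + window_s:
            break  # window still open
        if _exceeds_both(window, max_files, max_size_mb):
            detections.append(window)
    return detections


# Constructed sample: a burst of five 3 MB files, one stray 1 MB write, then
# a faster burst of six 5 MB files.
SAMPLE_WRITES = (
    [UsbWrite(t, 3.0, f"E:/export/report_{i}.xlsx") for i, t in enumerate(range(0, 25, 5))]
    + [UsbWrite(100, 1.0, "E:/notes.txt")]
    + [UsbWrite(300 + 2 * i, 5.0, f"E:/archive/part_{i}.zip") for i in range(6)]
)

if __name__ == "__main__":
    for g in bulk_transfer_detections(SAMPLE_WRITES, 4, 10.0, 30, now=400):
        print("bulk transfer:", len(g), "files,", sum(w.size_mb for w in g), "MB")
    for g in window_detections(SAMPLE_WRITES, 4, 10.0, 5, now=400):
        print("5-minute window:", len(g), "files,", sum(w.size_mb for w in g), "MB")
```

With a 30 s wait period the sample yields two bulk transfers (five and six files), while a 5-minute window merges the stray write into the first burst and has not yet closed on the second, so the two rules report different groupings of the same activity.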
Tactic | Technique | Sub-technique |
---|---|---|
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Sensitive file written to USB storage device
Requirements: Agent version 8.4.0 or later
Detects when a user attempts to transfer a sensitive file to a USB storage device and optionally blocks the transfer.
Subsequent detections and actions for the same file and process will not be generated until at least 30 seconds after the first detection/action.
From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.
Requires Agent 11.2.3+ on Linux.
Parameter | Type | Description |
---|---|---|
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write files to USB devices. Case-insensitive matching is used. When USB file transfer blocking functionality is enabled, this parameter is ignored on macOS, resulting in all processes being monitored. |
File parameters | ||
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
Maximum permitted file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+. |
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+. |
File extensions | Advanced asset list | A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. Note: This parameter is deprecated from Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf". |
Content inspection parameters (Windows and macOS only) | ||
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. |
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. |
File origin parameters (Windows and macOS only) | ||
SaaS apps (Preview) | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
URL patterns (Preview) | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
Detection parameters | ||
Group detections | Boolean | The toggle to enable/disable reporting multiple write events in a single detection. See "Group inactivity limit (seconds)" and "Maximum group duration (minutes)" to configure which write events will be grouped together. |
Group inactivity limit (seconds) | Integer | The maximum time between consecutive write events permitted within a single detection group. Once this time has elapsed, a detection will be generated and any subsequent writes will form a new group. |
Maximum group duration (minutes) | Integer | The maximum period over which write activity will be grouped into a single detection. Once this time has elapsed, a detection will be generated and any subsequent writes will form a new group. |
Tactic | Technique | Sub-technique |
---|---|---|
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Cluster by file extension | Disabled |
Cluster by content | Disabled |
Supported actions: Block file transfer to USB storage device, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Sensitive WAVE audio file written to USB storage device
Requirements: Agent version 7.8.0 or later
Detects when a user attempts to transfer a sensitive WAVE audio file to a USB storage device and optionally blocks the transfer.
Subsequent detections and actions for the same file and process will not be generated until at least 30 seconds after the first detection/action.
Parameter | Type | Description |
---|---|---|
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write files to USB devices. Case-insensitive matching is used. When USB file transfer blocking functionality is enabled, this parameter is ignored on macOS, resulting in all processes being monitored. |
File parameters | ||
File extensions | Advanced asset list | A list of file extensions to filter on when performing content inspection (e.g. .doc, .docx, .pdf). The dot can be omitted, and case-insensitive matching is used. |
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
Content inspection parameters | ||
Unauthorized sample rates (Hz) | Integer list | A list of sample rates (e.g. 8000, 16000, 44100) in hertz that, when contained within an audio file, make that file unauthorized to be written to USB devices. An empty list will match all sample rates. |
Unauthorized sound channels | Integer list | A list of sound channels (e.g. 1 for monophonic sound in one channel, 2 for stereo sound in two channels) that, when contained within an audio file, make that file unauthorized to be written to USB devices. An empty list will match all sound channels. For sound channel descriptions, go to https://www.lifewire.com/monaural-stereo-multichannel-surround-sound-3134860. |
Unauthorized bits per sample | Integer list | A list of sample bit sizes (e.g. 8 bit, 16 bit) that, when contained within an audio file, make that file unauthorized to be written to USB devices. An empty list will match all sample bit sizes. |
Minimum unauthorized audio length (seconds) | Integer | The minimum length of an audio file in seconds that makes that file unauthorized to be written to USB devices. Audio files shorter than this duration will not be monitored. A value of 0 will set no minimum. |
Maximum unauthorized audio length (seconds) | Integer | The maximum length of an audio file in seconds that makes that file unauthorized to be written to USB devices. Audio files longer than this duration will not be monitored. A value of 0 will set no maximum. |
Unauthorized audio codecs | String list | A list of audio codecs (e.g. PCM, ADPCM) that, when contained within an audio file, make that file unauthorized to be written to USB devices. An empty list will match all audio codecs. |
Unauthorized RIFF info tags | Asset list | A predefined mapping from a RIFF info tag ID to a value that makes a file unauthorized to be written to USB devices. For example, to prohibit audio files with comments containing the keyword "confidential" from being written to USB devices, create a string mapping policy asset that contains a "ICMT" key and a "confidential" value. Full regular expression (regex) grammar is supported. For RIFF info tag descriptions, go to https://exiftool.org/TagNames/RIFF.html. |
Unauthorized RIFF info tag match type | String | The match type applied to unauthorized RIFF info tags. Select "Match all tags" to generate a detection only when all selected tags are present in the file. Select "Match any tag" to generate a detection if any of the selected tags are present in the file. |
File origin parameters (Windows and macOS only) | ||
SaaS apps (Preview) | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
URL patterns (Preview) | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
Tactic | Technique | Sub-technique |
---|---|---|
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Supported actions: Block file transfer to USB storage device, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Sensitive ZIP file written to USB storage device
Requirements: Agent version 7.8.0 or later
Detects when a user attempts to transfer a sensitive ZIP file to a USB storage device and optionally blocks the transfer.
Subsequent detections and actions for the same file and process will not be generated until at least 30 seconds after the first detection/action.
Parameter | Type | Description |
---|---|---|
Binary parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write files to USB devices. Case-insensitive matching is used. When USB file transfer blocking functionality is enabled, this parameter is ignored on macOS, resulting in all processes being monitored. |
File parameters | ||
File extensions | Advanced asset list | A list of file extensions to filter on when performing content inspection (e.g. .zip). The dot can be omitted, and case-insensitive matching is used. |
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
Content inspection parameters | ||
Unauthorized content expressions | Advanced asset list | A list of file path expressions that, when matched to a zipped file, make the ZIP file it is contained within unauthorized to be written to USB devices. The match can use glob-style pattern matching rules (e.g. **\*.pdf would match all PDF files). An empty list will match all zipped files. Case-insensitive matching is used. |
File origin parameters (Windows and macOS only) | ||
SaaS apps (Preview) | SaaS app filter | A list of protected SaaS apps, from which downloaded files are monitored to prevent exfiltration. Requires Agent 11.3.0+. |
URL patterns (Preview) | Advanced asset list | A list of URL patterns for protected websites, from which downloaded files are monitored to prevent exfiltration. Supports a single asterisk (*) wildcard which matches 0 or more characters within a domain/path segment, and a double asterisk (**) wildcard which matches 0 or more whole domain/path segments. The URL schema, path, query, and fragment are optional and will match anything if omitted. For example, the pattern **.example.com/**/download* will match any subdomain of example.com with any path, as long as the final path segment begins with "download". Requires Agent 11.3.0+. |
User account domains (Preview) | Advanced asset list | A list of account domains to monitor for users downloading files from protected websites. For example, entering "company.com" would monitor user accounts in the format name@company.com. Case-insensitive matching is used. Subdomains will match. Requires Agent 11.3.0+. |
Monitor unknown user accounts (Preview) | Boolean | The toggle to monitor use of files downloaded from protected websites when the account login details are unavailable. |
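A matcher for the "URL patterns" file-origin parameter that appears in the tables above (Encrypted file, Sensitive file, Sensitive WAVE audio file and Sensitive ZIP file templates): `*` matches 0 or more characters within one domain or path segment, `**` matches 0 or more whole segments, and an omitted scheme, path, query or fragment matches anything. This is an added example, not FortiDLP code; it assumes a query or fragment given in a pattern is matched as one glob segment, which the page does not spell out.

```python
"""Matcher for the 'URL patterns' file-origin parameter.
Added example only; the FortiDLP Agent's own matcher is not public."""
import re
from urllib.parse import urlsplit


def _glob_seg(pattern_seg, seg):
    """Match one segment: '*' becomes '.*', everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern_seg.split("*"))
    return re.fullmatch(regex, seg, re.IGNORECASE) is not None


def _glob_segs(pat_segs, segs):
    """Match a segment list; '**' may absorb any number of whole segments."""
    if not pat_segs:
        return not segs
    head, rest = pat_segs[0], pat_segs[1:]
    if head == "**":
        return any(_glob_segs(rest, segs[i:]) for i in range(len(segs) + 1))
    return bool(segs) and _glob_seg(head, segs[0]) and _glob_segs(rest, segs[1:])


def _split_pattern(pattern):
    """Split a pattern into (scheme, host, path, query, fragment).
    A part absent from the pattern is None and matches anything."""
    scheme = path = query = fragment = None
    if "://" in pattern:
        scheme, pattern = pattern.split("://", 1)
    if "#" in pattern:
        pattern, fragment = pattern.split("#", 1)
    if "?" in pattern:
        pattern, query = pattern.split("?", 1)
    host = pattern
    if "/" in pattern:
        host, path = pattern.split("/", 1)
    return scheme, host, path, query, fragment


def url_matches(pattern, url):
    """True if `url` is covered by the protected-website `pattern`."""
    scheme, host, path, query, fragment = _split_pattern(pattern)
    u = urlsplit(url)
    if scheme is not None and not _glob_seg(scheme, u.scheme):
        return False
    host_segs = u.hostname.split(".") if u.hostname else []
    if not _glob_segs(host.split("."), host_segs):
        return False
    if path is not None:
        pat_segs = [s for s in path.split("/") if s]
        url_segs = [s for s in u.path.split("/") if s]
        if not _glob_segs(pat_segs, url_segs):
            return False
    if query is not None and not _glob_seg(query, u.query):
        return False
    if fragment is not None and not _glob_seg(fragment, u.fragment):
        return False
    return True


if __name__ == "__main__":
    # The page's own example pattern against constructed URLs.
    pattern = "**.example.com/**/download*"
    for url in ("https://files.example.com/share/2024/download.zip",
                "http://example.com/download",
                "https://example.com/download/extra",
                "https://example.com.evil.test/download"):
        print(url_matches(pattern, url), url)
```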
Tactic | Technique | Sub-technique |
---|---|---|
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Supported actions: Block file transfer to USB storage device, Display message, Lock, Isolate, Take screenshot, Reboot, Make shadow copy
Unauthorized file read from USB storage device
Requirements: Agent version 8.4.0 or later
Detects when a user reads a file from a USB device, and that file has either an unauthorized file type or a file path containing an unauthorized keyword.
From Agent 9.1.0+, the "File extensions" parameter is deprecated and will only be used if the "File types" parameter (preferred) is not configured.
Requires Agent 11.2.3+ on Linux.
Parameter | Type | Description |
---|---|---|
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) that are authorized or unauthorized to read from USB storage devices. Case-insensitive matching is used. |
File parameters | ||
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
Maximum permitted file size (MB) | Float | The maximum size of allowed files in megabytes. Files smaller than this will not generate detections. If this field is set to 0, no limit will be applied. Requires Agent 8.8.0+. |
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured and the Agent version supports MIME type identification, the "File extensions" parameter will be ignored. Requires Agent 9.1.0+. |
File extensions | Advanced asset list | A list of file extensions (e.g. .doc, .docx, .xls, .xlsx) that users are authorized or unauthorized to read from USB storage devices. The dot can be omitted and the extension name is case-insensitive. Note: This parameter is deprecated from Agent 9.1.0+ and will only be used if the "File types" parameter has not been configured or the Agent version does not support MIME type identification. The "File types" parameter should be used instead to identify files of a particular type. For example, PDF files should be matched using the MIME type "application/pdf" (or alternatively, the glob pattern "**\*.pdf") instead of the file extension ".pdf". |
Content inspection parameters (Windows and macOS only) | ||
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. |
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. |
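A worked model of the content inspection parameters shared by this template and the bulk, time-window and sensitive-file USB templates above: regex patterns with narrow or wide breadth, plain keywords, sensitivity labels, the four match types and the match frequency. This is an added example, not FortiDLP code; the sample document and label set are constructed, and keywords are assumed to be matched as case-insensitive substrings.

```python
"""Model of the content inspection decision described in the USB templates.
Added example only; it follows the parameter descriptions, not the Agent's
real inspection engine."""
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PatternAsset:
    """A 'Content inspection patterns' asset: regex plus optional keywords."""
    regex: str
    keywords: tuple = ()
    breadth: str = "wide"  # "wide": pattern alone; "narrow": pattern AND a keyword


@dataclass
class ContentInspection:
    patterns: list = field(default_factory=list)  # PatternAsset entries
    keywords: list = field(default_factory=list)  # plain keywords/keyphrases
    labels: list = field(default_factory=list)    # Microsoft sensitivity labels
    match_type: str = "any"                       # "all", "none", "any", "at_least"
    at_least: int = 2                             # N for "Match at least [N]"
    match_frequency: int = 1                      # min hits per pattern


def _pattern_present(asset, text, min_count):
    """Pattern counts only if it occurs at least `min_count` times and, for
    narrow breadth, one of the asset's keywords is also in the text."""
    if len(re.findall(asset.regex, text)) < min_count:
        return False
    if asset.breadth == "narrow":
        lowered = text.lower()
        return any(k.lower() in lowered for k in asset.keywords)
    return True


def identifiers_present(cfg, text, labels_on_file=()):
    """One boolean per configured data identifier, in configuration order."""
    lowered = text.lower()
    present = [_pattern_present(a, text, cfg.match_frequency) for a in cfg.patterns]
    present += [k.lower() in lowered for k in cfg.keywords]
    present += [lbl in labels_on_file for lbl in cfg.labels]
    return present


def content_detected(cfg, text, labels_on_file=()):
    """Apply the 'Content inspection match type' to the identifier results."""
    present = identifiers_present(cfg, text, labels_on_file)
    if not present:
        return False  # nothing configured: inspection cannot fire
    hits = sum(present)
    if cfg.match_type == "all":
        return hits == len(present)
    if cfg.match_type == "none":
        return hits == 0
    if cfg.match_type == "any":
        return hits > 0
    if cfg.match_type == "at_least":
        return hits >= cfg.at_least
    raise ValueError(f"unknown match type {cfg.match_type!r}")


# The page's SSN regex as a narrow-breadth asset, plus a constructed document.
SSN_ASSET = PatternAsset(r"[0-9]{3}-[0-9]{2}-[0-9]{4}",
                         keywords=("ssn", "social security"), breadth="narrow")
SAMPLE_DOC = ("Payroll export. SSN 123-45-6789 and 987-65-4321 on file. "
              "Marked confidential.")
SAMPLE_CFG = ContentInspection(patterns=[SSN_ASSET], keywords=["confidential"],
                               labels=["Highly Confidential"],
                               match_type="at_least", at_least=2,
                               match_frequency=2)

if __name__ == "__main__":
    print(identifiers_present(SAMPLE_CFG, SAMPLE_DOC))
    print("detected:", content_detected(SAMPLE_CFG, SAMPLE_DOC))
```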
Tactic | Technique | Sub-technique |
---|---|---|
TA0009 (Collection) attack.mitre.org/tactics/TA0009/ | T1025 (Data from Removable Media) attack.mitre.org/techniques/T1025/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Cluster by file extension | Disabled |
Cluster by content | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Unauthorized USB device inserted
Detects when a user inserts an unauthorized USB device.
If all fields are left empty, detections will be generated for all USB devices. A device is authorized if it matches all configured "Authorized" fields, and is unauthorized if it matches all configured "Unauthorized" fields. If a device is authorized, it will not generate a detection even if it matches one or more of the "Unauthorized" fields. |
Parameter | Type | Description |
---|---|---|
USB parameters | ||
VID/PID identifiers | Advanced asset list | A list of authorized or unauthorized Vendor ID (VID) and Product ID (PID) combinations in the format vvvv:pppp, where "vvvv" is the USB vendor ID represented in 4 hexadecimal characters and "pppp" is the USB product ID represented in 4 hexadecimal characters (e.g. f000:1234). To match all devices with VID "vvvv", use the "vvvv:*" pattern, and to match all devices with PID "pppp", use the "*:pppp" pattern (without the double quotes). For example, f000:* matches all devices with VID f000, and *:1234 matches all devices with PID 1234. Case-insensitive matching is used. |
Serial numbers | Advanced asset list | A list of serial numbers to match against. Case-insensitive matching is used. |
Device classes | Advanced asset list | A list of USB device classes to filter on. |
Machine learning parameters | ||
Only report new USB storage devices | Boolean | The toggle to enable/disable generating a detection if the same unauthorized USB storage device is used multiple times. If enabled, a detection will only be generated the first time a particular unauthorized USB storage device is used. |
Training period (days) | Integer | The time period (in days) during which the USB storage devices used on a node are learned. No detections will be generated during this period if "Only report new USB storage devices" is enabled, but if "Block USB mass storage devices" is enabled, unauthorized devices will still be blocked. The FortiDLP Agent will continue to learn USB storage device activity after this period. |
Tactic | Technique | Sub-technique |
---|---|---|
TA0042 (Resource Development) attack.mitre.org/tactics/TA0042/ | T1588 (Obtain Capabilities) attack.mitre.org/techniques/T1588/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Cluster by USB identifier | Disabled |
Cluster by USB VID | Disabled |
Cluster by USB PID | Disabled |
Cluster by USB serial number | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
Unauthorized USB storage device inserted
Requirements: Agent version 6.0.8 or later
Detects when a user inserts an unauthorized USB storage device and optionally blocks the device.
If all fields are left empty, detections will be generated for all USB storage devices. A device is authorized if it matches any configured "Authorized" field, and is unauthorized if it matches all configured "Unauthorized" fields. If a device is authorized, it will not generate a detection even if it matches all the "Unauthorized" fields. |
Parameter | Type | Description |
---|---|---|
USB parameters | ||
VID/PID identifiers | Advanced asset list | A list of authorized or unauthorized Vendor ID (VID) and Product ID (PID) combinations in the format vvvv:pppp, where "vvvv" is the USB vendor ID represented in 4 hexadecimal characters and "pppp" is the USB product ID represented in 4 hexadecimal characters (e.g. f000:1234). To match all devices with VID "vvvv", use the "vvvv:*" pattern, and to match all devices with PID "pppp", use the "*:pppp" pattern (without the double quotes). For example, f000:* matches all devices with VID f000, and *:1234 matches all devices with PID 1234. Case-insensitive matching is used. |
Serial numbers | Advanced asset list | A list of serial numbers to match against. Case-insensitive matching is used. |
Additionally authorized or unauthorized device classes | Advanced asset list | A list of USB device classes in addition to the "Mass Storage" capability. |
Machine learning parameters | ||
Only report new USB storage devices | Boolean | The toggle to enable/disable generating a detection if the same unauthorized USB storage device is used multiple times. If enabled, a detection will only be generated the first time a particular unauthorized USB storage device is used. |
Training period (days) | Integer | The time period (in days) during which the USB storage devices used on a node are learned. No detections will be generated during this period if "Only report new USB storage devices" is enabled, but if the "Block USB storage device" action is enabled, unauthorized devices will still be blocked. The FortiDLP Agent will continue to learn USB storage device activity after this period. |
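The authorization rule and VID/PID pattern syntax described above for this template, worked through as an added example (not FortiDLP's own code). The policy values, device attributes and the handling of a device that matches neither the "Authorized" nor the "Unauthorized" fields are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Added illustration of the matching rules in the table above; not FortiDLP's implementation.
# Each half of a vvvv:pppp entry is four hex characters or the "*" wildcard.
VIDPID_RE = re.compile(r"^([0-9a-f]{4}|\*):([0-9a-f]{4}|\*)$")

@dataclass
class UsbDevice:
    vid: str
    pid: str
    serial: str
    classes: Set[str] = field(default_factory=set)

def vidpid_matches(pattern: str, dev: UsbDevice) -> bool:
    """Match one VID/PID entry against a device, case-insensitively, honouring '*' on either side."""
    m = VIDPID_RE.match(pattern.lower())
    if not m:
        raise ValueError(f"invalid VID/PID pattern: {pattern!r}")
    pat_vid, pat_pid = m.groups()
    return (pat_vid == "*" or pat_vid == dev.vid.lower()) and \
           (pat_pid == "*" or pat_pid == dev.pid.lower())

def field_matches(name: str, entries: List[str], dev: UsbDevice) -> bool:
    """A configured field matches when any one of its entries matches the device."""
    if name == "vidpid":
        return any(vidpid_matches(e, dev) for e in entries)
    if name == "serial":
        return any(e.lower() == dev.serial.lower() for e in entries)
    if name == "classes":
        return any(e.lower() in {c.lower() for c in dev.classes} for e in entries)
    raise ValueError(f"unknown field {name!r}")

def classify(dev: UsbDevice, authorized: Dict[str, List[str]],
             unauthorized: Dict[str, List[str]]) -> str:
    """Storage-device rule: any configured Authorized field -> authorized (always wins);
    all configured Unauthorized fields -> unauthorized; nothing configured -> every device detected."""
    auth_cfg = {k: v for k, v in authorized.items() if v}
    unauth_cfg = {k: v for k, v in unauthorized.items() if v}
    if not auth_cfg and not unauth_cfg:
        return "unauthorized"  # all fields empty: detections for all USB storage devices
    if any(field_matches(k, v, dev) for k, v in auth_cfg.items()):
        return "authorized"
    if unauth_cfg and all(field_matches(k, v, dev) for k, v in unauth_cfg.items()):
        return "unauthorized"
    return "unclassified"  # matches neither set; assumption: no detection is raised

# Constructed sample policy: corporate vendor abcd and one known serial are allowed;
# vendor f000 product 1234 is flagged only when it also exposes Mass Storage.
AUTHORIZED = {"vidpid": ["abcd:*"], "serial": ["CORP-0001"], "classes": []}
UNAUTHORIZED = {"vidpid": ["f000:1234"], "serial": [], "classes": ["Mass Storage"]}
```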
Tactic | Technique | Sub-technique |
---|---|---|
TA0042 (Resource Development) attack.mitre.org/tactics/TA0042/ | T1588 (Obtain Capabilities) attack.mitre.org/techniques/T1588/ | |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Cluster by USB identifier | Disabled |
Cluster by USB VID | Disabled |
Cluster by USB PID | Disabled |
Cluster by USB serial number | Disabled |
Supported actions: Block USB storage device, Display message, Lock, Isolate, Take screenshot, Reboot
Unusual USB bulk file transfer activity
Requirements: Agent version 10.3.1 or later
Detects when a user's USB bulk file transfer behavior deviates from their normal behavior. A bulk transfer is a series of write events without a significant pause (60s).
Requires Agent 11.2.3+ on Linux. |
Parameter | Type | Description |
---|---|---|
Machine learning parameters | ||
USB transfer properties for monitoring | String list | A list of bulk transfer properties to monitor for training a user-specific ML anomaly detection model. |
Probability threshold (%) | Float | A whole number or decimal between 0-100% defining how abnormal a bulk transfer must be to generate a detection. The lower the value, the more abnormal the activity is. |
Maximum permitted bulk transfer size (MB) | Integer | The maximum size allowed for a USB bulk transfer in MB. Unusual bulk transfers larger than this size will generate a detection. |
Minimum training data | Integer | The minimum number of transfer sessions required before this policy is able to generate detections. |
Training period (days) | Integer | The time period (in days) during which the FortiDLP Agent learns a user's USB transfer behavior. The FortiDLP Agent will continue to learn after this period. No detections will be generated during this period. |
Process parameters | ||
Binary names | Advanced asset list | A list of binary names (e.g. chrome.exe) authorized or unauthorized to write files to USB devices. Case-insensitive matching is used. |
File parameters | ||
File types | Advanced asset list | A list of MIME type patterns (e.g. audio/mpeg, image/*, application/pdf) to filter on. The * wildcard character can be used to match all MIME types beginning with the specified prefix (e.g. image/* would match files of type image/png, and application/dns* would match files of type application/dns-message). If this parameter is configured, the "File extensions" parameter will be ignored. |
File extensions | Advanced asset list | A list of file extensions (e.g. .doc, .docx, .xls, .xlsx) authorized or unauthorized to be written to USB devices. The dot can be omitted, and case-insensitive matching is used. |
File path keywords | Advanced asset list | A list of keywords that match if they appear anywhere in the file path (e.g. passwords, secret, confidential). Case-insensitive matching is used. |
Content inspection parameters (Windows and macOS only) | ||
Content inspection patterns | Advanced asset list | A list of patterns for matching file contents during content inspection. Full regular expression (regex) grammar is supported. For example, entering "[0-9]{3}-[0-9]{2}-[0-9]{4}" could match files containing US social security numbers. To match all files use the ".*" pattern (without the double quotes). Select "narrow breadth" if you have selected an asset and only want detections to be raised when at least one of the asset's keywords/keyphrases is matched along with the asset's pattern. Select "wide breadth" if you have selected an asset and want detections to be raised when just the asset's pattern is matched. |
Content inspection keywords | Advanced asset list | The keywords matched to file contents during content inspection. |
Microsoft sensitivity labels | Asset list | The Microsoft sensitivity labels matched to files during content inspection. |
Content inspection match type | String | The match type applied to data identifiers (content inspection patterns, keywords/keyphrases, and Microsoft sensitivity labels). "Match all" generates a detection when all chosen data identifiers are present in the document, "Match none" generates a detection when none of the chosen data identifiers are present in the document, "Match any" generates a detection if any of the chosen data identifiers are present in the document, and "Match at least [N]" generates a detection when at least 2, 3, 4, or 5 of the chosen data identifiers are present in the document. |
Content inspection match frequency | Integer | The minimum number of times each pattern must be present in a document. |
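The "Content inspection match type" and "Content inspection match frequency" rules in this table (and the identical rows in the "Bulk file transfer to USB storage device exceeded" template) as an added example, not FortiDLP's own code. The sample document, its label, and the assumptions that keyword matching is a case-insensitive presence check and that match frequency applies to the regex patterns are constructed here.

```python
import re
from typing import List, Set

# Added illustration of the match-type rules described above; not FortiDLP's implementation.

def identifier_hits(text: str, doc_labels: Set[str], patterns: List[str],
                    keywords: List[str], policy_labels: List[str],
                    match_frequency: int = 1) -> List[bool]:
    """One boolean per configured data identifier: patterns, then keywords, then labels."""
    hits = []
    for pat in patterns:
        # match frequency: each pattern must occur at least this many times in the document
        hits.append(len(re.findall(pat, text)) >= match_frequency)
    lowered = text.lower()
    for kw in keywords:
        hits.append(kw.lower() in lowered)  # assumption: case-insensitive presence check
    for lbl in policy_labels:
        hits.append(lbl in doc_labels)      # sensitivity labels are document metadata
    return hits

def match_type_satisfied(hits: List[bool], match_type: str, n: int = 2) -> bool:
    """Apply "Match all", "Match none", "Match any" or "Match at least [N]" (N = 2..5)."""
    if not hits:
        raise ValueError("at least one data identifier must be configured")
    if match_type == "all":
        return all(hits)
    if match_type == "none":
        return not any(hits)
    if match_type == "any":
        return any(hits)
    if match_type == "at least":
        if n not in (2, 3, 4, 5):
            raise ValueError("N must be 2, 3, 4 or 5")
        return sum(hits) >= n
    raise ValueError(f"unknown match type {match_type!r}")

def inspect(text: str, doc_labels: Set[str], patterns: List[str], keywords: List[str],
            policy_labels: List[str], match_type: str, n: int = 2,
            match_frequency: int = 1) -> bool:
    """True when the document would raise a detection under the given match settings."""
    hits = identifier_hits(text, doc_labels, patterns, keywords, policy_labels, match_frequency)
    return match_type_satisfied(hits, match_type, n)

# Constructed sample: the page's SSN regex, two keywords (one absent) and a label the file lacks.
SAMPLE_TEXT = "Internal memo, marked confidential. Employee SSNs: 123-45-6789 and 987-65-4321."
SAMPLE_LABELS = {"General"}
PATTERNS = ["[0-9]{3}-[0-9]{2}-[0-9]{4}"]
KEYWORDS = ["confidential", "payroll"]
POLICY_LABELS = ["Highly Confidential"]
```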
Tactic | Technique | Sub-technique |
---|---|---|
TA0010 (Exfiltration) attack.mitre.org/tactics/TA0010/ | T1052 (Exfiltration Over Physical Medium) attack.mitre.org/techniques/T1052/ | T1052.001 (Exfiltration over USB) attack.mitre.org/techniques/T1052/001/ |
Note: MITRE ATT&CK indicators require Agent 11.4.1+.
Incident clustering rule | Default |
---|---|
Cluster by policy | Disabled |
Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot