
Windows Security integration templates

Templates for building policies related to Windows Security.

F-Secure malware detected

Requirements: Windows, Agent version 5.1.2 or later

Detects when F-Secure identifies malware.

MITRE ATT&CK mapping
Technique: T1204 (User Execution), attack.mitre.org/techniques/T1204/
Sub-technique: T1204.002 (Malicious File), attack.mitre.org/techniques/T1204/002/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Microsoft Office security weakened

Requirements: Windows, Agent version 4.2.0 or later

Detects when Microsoft Office security settings are weakened through registry changes.

MITRE ATT&CK mapping
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/
Sub-technique: T1562.001 (Disable or Modify Tools), attack.mitre.org/techniques/T1562/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by policy: Enabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Windows Defender definitions deleted

Requirements: Windows, Agent version 4.1.0 or later

Detects when a user deletes a Windows Defender definition.

MITRE ATT&CK mapping
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/
Sub-technique: T1562.001 (Disable or Modify Tools), attack.mitre.org/techniques/T1562/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Windows Defender disabled

Requirements: Windows, Agent version 4.1.0 or later

Detects when a user disables Windows Defender.

MITRE ATT&CK mapping
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/
Sub-technique: T1562.001 (Disable or Modify Tools), attack.mitre.org/techniques/T1562/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by policy: Enabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Windows Defender malware detected

Requirements: Windows, Agent version 4.1.0 or later

Detects when Windows Defender identifies malware.

MITRE ATT&CK mapping
Technique: T1204 (User Execution), attack.mitre.org/techniques/T1204/
Sub-technique: T1204.002 (Malicious File), attack.mitre.org/techniques/T1204/002/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by filename: Enabled
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Windows Defender settings modified

Requirements: Windows, Agent version 4.1.0 or later

Detects when a user modifies Windows Defender settings.

Parameters

Registry key parameters
Registry keys (Advanced asset list): Changes to settings under these keys and their subkeys are authorized or unauthorized, depending on the list they are placed in. The * wildcard character is supported. For example, use "HKLM\SOFTWARE\Policies\Microsoft\Windows\Defender\Signature Updates\*" to authorize all changes to signature updates. A specific value can also be given using the syntax "key = value". For example, use "HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x0" to authorize disabling automatic sample submission.

Update parameters
Ignore updates (Boolean): Enables or disables a time window either side of Windows Defender updates during which setting changes are authorized.
Ignore updates time window, in minutes (Integer): The number of minutes either side of an update during which setting changes are authorized.
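The following is an added example, not code from this page or from the product, modelling how the Registry keys list syntax (bare key, key\*, and "key = value") and the Ignore updates window described above could be evaluated against a single setting change. The authorized entries, the matching rules, the epoch-second timestamps and the default ten-minute window are assumptions made for illustration.

```python
import re

# Constructed authorized list in the template's documented "key" / "key = value"
# syntax. Assumption: this is an illustrative model of that syntax, not the
# product's own matcher, whose exact semantics the template page does not give.
AUTHORIZED_KEYS = [
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows\Defender\Signature Updates\*",
    r"HKLM\SOFTWARE\Microsoft\Windows Defender\SpyNet\SubmitSamplesConsent = 0x0",
]


def _parse_entry(entry):
    """Split 'key = value' into (key, value); value is None for key-only entries."""
    key, sep, value = entry.partition("=")
    return key.strip().lower(), (value.strip().lower() if sep else None)


def _key_matches(pattern, key):
    """True if key is the pattern key or one of its subkeys; '*' matches any text."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex + r"(\\.*)?", key) is not None


def _values_equal(expected, actual):
    """Compare registry values numerically where possible (0x0 == 0), else as text."""
    try:
        return int(expected, 0) == int(actual, 0)
    except ValueError:
        return expected == actual


def is_authorized(change_key, change_value, changed_at, update_times,
                  ignore_updates=True, window_minutes=10):
    """Decide whether one Defender setting change is authorized by the list above
    or falls inside the 'ignore updates' window around a definition update.
    Timestamps are epoch seconds (assumption made for this example)."""
    key = change_key.lower()
    for entry in AUTHORIZED_KEYS:
        pat_key, pat_value = _parse_entry(entry)
        if not _key_matches(pat_key, key):
            continue
        if pat_value is None or _values_equal(pat_value, str(change_value).lower()):
            return True
    if ignore_updates:
        window = window_minutes * 60
        if any(abs(changed_at - t) <= window for t in update_times):
            return True
    return False
```

Anything not authorized by either rule is what the template would raise as a detection; note that the update window authorizes every setting change near an update, so keep it as narrow as the update process allows.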
MITRE ATT&CK mapping
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/
Sub-technique: T1562.001 (Disable or Modify Tools), attack.mitre.org/techniques/T1562/001/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Windows Firewall disabled

Requirements: Windows, Agent version 4.1.0 or later

Detects when a user disables Windows Firewall.

MITRE ATT&CK mapping
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/
Sub-technique: T1562.004 (Disable or Modify System Firewall), attack.mitre.org/techniques/T1562/004/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot

Windows Firewall rule modified

Requirements: Windows, Agent version 7.2.0 or later

Detects when a user modifies a Windows Firewall rule.

Note: Subsequent detections and actions for the same firewall rule name will not be generated until at least five minutes after the first detection or action.

Parameters

Process parameters
Binary names (Advanced asset list): A list of binary names (e.g. svchost.exe) that are authorized or unauthorized to edit firewall rules. Matching is case-insensitive.
Binary paths (Advanced asset list): A list of binary paths that are authorized or unauthorized to edit firewall rules. Glob-style pattern matching is supported (e.g. C:\Program Files (x86)\Google\** would authorize all applications under the Google folder). Matching is case-insensitive.

Firewall rule parameters
Firewall rule names (Advanced asset list): A list of firewall rule names that users are authorized or unauthorized to edit. Full regular expression (regex) grammar is supported and matching is case-insensitive.
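The following is an added example, not code from this page or from the product, modelling how a rule-edit event could be checked against the three parameter lists above (exact binary names, glob binary paths, regex rule names, all case-insensitive) together with the five-minute per-rule-name suppression from the note. The list contents, the event fields and the epoch-second timestamps are assumptions made for illustration.

```python
import re
from fnmatch import fnmatchcase

# Constructed policy in the template's three documented parameter forms.
# Assumption: an illustrative model of the documented matching rules and of the
# five-minute per-rule-name suppression window; not the product's own code.
AUTHORIZED_BINARY_NAMES = ["svchost.exe"]
AUTHORIZED_BINARY_PATHS = [r"C:\Program Files (x86)\Google\**"]
AUTHORIZED_RULE_NAMES = [r"Google Chrome.*", r"Core Networking - .*"]  # constructed
SUPPRESSION_SECONDS = 5 * 60


class FirewallRulePolicy:
    def __init__(self):
        # rule name -> epoch time of the detection that opened its suppression window
        self._last_detection = {}

    @staticmethod
    def is_authorized(binary_name, binary_path, rule_name):
        """True if any of the three authorized lists covers this edit."""
        if binary_name.lower() in (n.lower() for n in AUTHORIZED_BINARY_NAMES):
            return True
        # fnmatchcase on lowercased strings: '*' and '**' cross path separators,
        # so the Google pattern covers every file under that folder tree.
        if any(fnmatchcase(binary_path.lower(), p.lower()) for p in AUTHORIZED_BINARY_PATHS):
            return True
        return any(re.fullmatch(p, rule_name, re.IGNORECASE) for p in AUTHORIZED_RULE_NAMES)

    def evaluate(self, event, now):
        """Classify one rule-edit event (dict with binary_name, binary_path, rule_name)
        as 'authorized', 'detected', or 'suppressed' (repeat within five minutes)."""
        if self.is_authorized(event["binary_name"], event["binary_path"], event["rule_name"]):
            return "authorized"
        last = self._last_detection.get(event["rule_name"])
        if last is not None and now - last < SUPPRESSION_SECONDS:
            return "suppressed"
        # A new detection (first, or five or more minutes after the last) opens a fresh window.
        self._last_detection[event["rule_name"]] = now
        return "detected"
```

Because the window is keyed only on the rule name, edits to the same rule by a different, unauthorized binary within those five minutes are also suppressed, which is worth remembering when tuning the rule-name list.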
MITRE ATT&CK mapping
Tactic: TA0005 (Defense Evasion), attack.mitre.org/tactics/TA0005/
Technique: T1562 (Impair Defenses), attack.mitre.org/techniques/T1562/
Sub-technique: T1562.004 (Disable or Modify System Firewall), attack.mitre.org/techniques/T1562/004/

Note: MITRE ATT&CK indicators require Agent 11.4.1+.

Incident clustering rules (default setting):
Cluster by binary name: Disabled
Cluster by policy: Disabled

Supported actions: Display message, Lock, Isolate, Take screenshot, Reboot
