
FortiDLP Administration Guide

Incident sequence rules

Requirements: FortiDLP Agent 11.4.2+.

Sequence rules streamline investigations by automatically correlating detections triggered by the same entity to a risk-scored incident.

Defined within the Policies module, these rules leverage the MITRE ATT&CK security framework to generate incidents caused by sequences of high-risk activity, such as reconnaissance, data collection, defense evasion, and data exfiltration.

The FortiDLP Console allows you to create custom sequence rules and also provides an out-of-box sequence rule to help you get started.

Before you begin using sequence detection, familiarize yourself with the following terms.

Sequence detection terms

Term

Definition

Sequence rule

A method for grouping policy detections together to form an incident when a chain of threat activities occurs during a given time window.

When this method is used, a single incident will encompass detections for one entity (user/node) only.

Stages

The threat activities, each mapped to a MITRE ATT&CK tactic, whose combination generates an incident for an entity.

A sequence rule is made up of two or more stages (for example, Collection and Exfiltration), and each stage is associated with one or more policies. If an entity violates a policy that belongs to a stage, that stage is met. If the same entity violates at least one policy in every required stage within the time window, an incident is created.

Match type

The method for matching policy violations to stages. You can require every stage in the rule to be met before an incident is generated, or only the stages marked as mandatory, in which case the remaining stages are optional: detections in optional stages are added to the incident when they occur but are not needed to create it.

Risk score

The score given to a sequence incident to indicate its severity. It is either Fixed (a value defined in the sequence rule) or Most severe detection (inherited from the detection in the incident with the highest risk score).

Time window

The time period during which all required stages must be met by a user to generate an incident.

When a time window expires, the incident's Active field will be set to false.

Operation mode

The state of the sequence rule: Enabled, Disabled, or Test.

Setting the operation mode does not by itself apply the rule to entities; the rule must also be published.

Note

Note the following:

  • A maximum of 10 incident sequence rules can be configured per tenant.
  • A maximum of 10 incidents can exist for the same entity and sequence rule at the same time. If this limit is reached, further incidents will not be created for the entity and rule until one or more of the existing incidents are marked as "Resolved" or "In review".
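The following Python model is an added illustration of how the terms above fit together (stages mapped to tactics, mandatory versus optional stages, the time window, the two risk-score modes, the Active flag, and the cap of 10 open incidents per entity and rule). It is not FortiDLP code and does not reflect how the FortiDLP Console evaluates rules internally; every class, function, policy name and detection in it is constructed for the example. In particular, where the window opens and whether correlated detections are consumed are assumptions made here to get a deterministic result.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Illustrative model of the sequence-rule semantics described above, not FortiDLP
# code; every name here is invented for the example.

@dataclass(frozen=True)
class Detection:
    entity: str   # user or node that violated the policy
    policy: str   # name of the violated policy
    ts: datetime
    risk: int     # risk score of this single detection

@dataclass(frozen=True)
class Stage:
    tactic: str             # MITRE ATT&CK tactic the stage represents
    policies: frozenset     # policies whose violation meets the stage
    mandatory: bool = True  # consulted only when match_all is False

@dataclass(frozen=True)
class SequenceRule:
    name: str
    stages: tuple                     # two or more Stage objects
    window: timedelta                 # period in which the stages must be met
    match_all: bool = True            # True: every stage; False: mandatory stages only
    fixed_risk: Optional[int] = None  # None selects "Most severe detection"
    max_open: int = 10                # documented cap per entity and rule

@dataclass
class Incident:
    rule: str
    entity: str
    detections: list
    risk: int
    active: bool          # False once the time window has expired
    status: str = "Open"  # "Resolved" and "In review" free a slot under the cap

def stage_for(rule, policy):
    """Return the stage whose policy set contains `policy`, or None."""
    return next((s for s in rule.stages if policy in s.policies), None)

def correlate(rule, detections, now, existing=()):
    """Group detections into incidents, one entity per incident.

    A window opens at an entity's earliest unconsumed detection. If every required
    stage is met inside it, those detections become one incident and are consumed;
    otherwise the window re-opens at the next detection (an assumption of this example).
    """
    open_count = defaultdict(int)
    for inc in existing:
        if inc.rule == rule.name and inc.status not in ("Resolved", "In review"):
            open_count[inc.entity] += 1
    per_entity = defaultdict(list)
    for d in sorted(detections, key=lambda d: d.ts):
        if stage_for(rule, d.policy) is not None:  # ignore policies outside the rule
            per_entity[d.entity].append(d)
    needed = [s for s in rule.stages if rule.match_all or s.mandatory]
    incidents = []
    for entity, dets in per_entity.items():
        i = 0
        while i < len(dets):
            deadline = dets[i].ts + rule.window
            in_window = [d for d in dets[i:] if d.ts <= deadline]  # sorted prefix
            met = {stage_for(rule, d.policy).tactic for d in in_window}
            if not all(s.tactic in met for s in needed):
                i += 1
                continue
            if open_count[entity] >= rule.max_open:
                break  # cap reached: nothing more for this entity and rule
            risk = rule.fixed_risk if rule.fixed_risk is not None else max(d.risk for d in in_window)
            incidents.append(Incident(rule.name, entity, in_window, risk, active=now <= deadline))
            open_count[entity] += 1
            i += len(in_window)  # consume the correlated detections
    return incidents

T0 = datetime(2024, 1, 1, 9, 0)

RULE = SequenceRule(  # constructed rule: Collection and Exfiltration mandatory, Defense Evasion optional
    name="collection-then-exfiltration",
    stages=(
        Stage("Collection", frozenset({"Bulk file copy"})),
        Stage("Defense Evasion", frozenset({"Password-protected archive"}), mandatory=False),
        Stage("Exfiltration", frozenset({"Upload to personal cloud", "USB write"})),
    ),
    window=timedelta(hours=24),
    match_all=False,
)

SAMPLE = [  # constructed detections, not real telemetry
    Detection("alice", "Bulk file copy", T0, 40),
    Detection("alice", "Upload to personal cloud", T0 + timedelta(hours=3), 70),
    Detection("bob", "Bulk file copy", T0, 40),
    Detection("bob", "USB write", T0 + timedelta(hours=30), 60),   # outside the window
    Detection("carol", "Password-protected archive", T0, 30),
    Detection("carol", "USB write", T0 + timedelta(hours=1), 60),  # Collection never met
]

def demo(now=T0 + timedelta(hours=4), existing=()):
    return correlate(RULE, SAMPLE, now, existing)
```

Running `demo()` yields a single incident for alice, scored 70 because the rule inherits the most severe detection; bob's second stage falls outside the 24-hour window and carol never meets the mandatory Collection stage, so neither gets an incident. Switching the rule to require all stages would drop alice's incident too, since she never hits the Defense Evasion stage, and pre-loading ten open incidents for alice under the same rule suppresses any new one until some of them are resolved or put in review.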

To learn more about creating and managing incident sequence rules, see:

For information on viewing incidents, see Incidents in the FortiDLP Console User Guide.