Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Administration Guide

    Home FortiDLP FortiDLP Administration Guide

    Creating incident sequence rules

    Creating incident sequence rules

    You can create a maximum of 10 incident sequence rules.

    To create a rule, follow the steps below.

    How to create an incident sequence rule
    1. In the FortiDLP Console, on the left-hand sidebar, click .
    2. Select the Sequence rules tab.
    3. Click Create new rule.
    4. In the New incident rule dialog box, do the following:
      1. In the Name field, type a rule name.
      2. Optionally, in the Description field, type a rule description.
      3. Click Next.
      4. Select the checkboxes for at least two stages to incorporate into the rule.
      5. Click Create.
    5. Click Edit.
    6. Set the sequence rule's scope by doing one of the following. Note that the rule will only be applied to the entities you select if the entities have also been assigned policies for the rule's stages:
      • To apply the rule to all entities:
        1. In the Include section, leave the All entities radio button selected.
        2. In the Exclude section, leave the No entities radio button selected.
        3. Click Save.
      • To apply the rule to a subset of entities by only selecting labels to include:
        1. In the Include section, select the Specific entities radio button.
        2. In the label list, select one or more labels for the entities you want to apply the rule to.
        3. Do one of the following:
          • To include entities that have all of the previously selected labels, select the Require all radio button.
          • To include entities that have any of the previously selected labels, select the Require any radio button.
        4. Click Save.
        Example

        For example, to apply a rule to all entities with a "Sales" label or a "Finance" label:

        In the Include section:

        1. Select the Specific entities radio button.
        2. In the labels list, select the Sales and Finance labels.
        3. Select the Require any radio button.
      • To apply the rule to a subset of entities by selecting labels to include and exclude:
        1. In the Include section, follow the steps detailed above.
        2. In the Exclude section:
          1. Select the Specific entities radio button.
          2. In the label list, select one or more labels for the entities you want to exclude from the rule.
          3. Do one of the following:
            • To exclude entities that have all of the previously selected labels, select the Require all radio button.
            • To exclude entities that have any of the previously selected labels, select the Require any radio button.
        3. Click Save.
        Example

        For example, to apply a rule to all entities except those with a "Sales" label or a "Finance" label:

        • In the Include section, select the All entities radio button.
        • In the Exclude section:
          1. Select the Specific entities radio button.
          2. In the labels list, select the Sales and Finance labels.
          3. Select the Require any radio button.

        Or, to apply a rule to entities with a "Manager" label and a "Product" label, but not a "Windows" label:

        • In the Include section:
          1. Select the Specific entities radio button.
          2. In the labels list, select the Manager and Product labels.
          3. Select the Require all radio button.
        • In the Exclude section:
          1. Select the Specific entities radio button.
          2. In the labels list, select the Windows label.
          3. Select either the Require all or Require any radio button.
    7. Set the sequence rule's match type and mandatory stages:
      1. In the Match type widget, click .
      2. Do one of the following:
        • To generate an incident after a policy detection occurs in all of the selected stages, select the Match all stages radio button.
        • To generate an incident after a policy detection occurs in a subset of the selected stages, select the Match ≥ N stages (including mandatory) radio button and then optionally select the checkboxes for any stages you want to be mandatory.
          • Example

          For example, if a rule contains four stages and you select Match ≥ 2 stages, an incident will be generated after a policy detection occurs in any two of the four stages during the given time window.

          Alternatively, if you select Match ≥ 2 stages and make two of the stages mandatory, an incident will be generated after a policy detection occurs in both of the specified stages during the given time window.

      3. Click Save.
    8. Set the sequence rule's risk score:
      1. In the Risk score widget, select.
      2. Do one of the following:
        • To use a fixed risk score for the incident, which is applied regardless of the detections it comprises, leave the Fixed radio button selected and type a number between 1–100:
          • A risk score of 0 is classified as no severity.
          • A risk score between 1–39 is classified as low severity.
          • A risk score between 40–69 is classified as medium severity.
          • A risk score between 70–89 is classified as high severity.
          • A risk score between 90–100 is classified as critical severity.
        • To use the risk score of the most severe detection the incident comprises, select the Most severe detection radio button.
      3. Exit the menu.
    9. Set the sequence rule's time window:
      1. In the Time window widget, click.
      2. Select the time window during which policy detections for selected stages must occur for an incident to be generated.
      3. Exit the menu.
    10. Set the sequence rule's operation mode:
      1. In the Operation mode widget, click.
      2. Do one of the following:
        • To disable the rule after configuration, leave the Disabled radio button selected.
        • To enable the rule after configuration, select the Enabled radio button.
          • Note

          A rule is effective when it is enabled and published, as described later in these instructions.

        • To test the rule after configuration, select the Test radio button.
          • Tooltip

          Incidents generated in the "Test" operation mode will be shown in the Incidents module like other incidents, but can be filtered for rule testing purposes.

      3. Exit the menu.
    11. Customize each of the sequence rule's stages:
      • Optionally, to define a minimum risk score a policy must have to be included in a stage, type a number between 1–100, referring to the severity scale above. Leave this set to 0 to include all policies in the stage.
      • To disable a policy in a stage, turn its Enabled toggle off.
      • To configure policy template parameters, click . For detailed instructions on this, see Configuring policy templates.
    12. Do one of the following:
      • To publish the rule now, click Publish rule and then click Publish in the dialog box that displays.
      • To publish the rule later, exit the sequence rule page and see Publishing incident sequence rules for instructions when you are ready.
    Previous
    Next

    Creating incident sequence rules

    Creating incident sequence rules

    You can create a maximum of 10 incident sequence rules.

    To create a rule, follow the steps below.

    How to create an incident sequence rule
    1. In the FortiDLP Console, on the left-hand sidebar, click .
    2. Select the Sequence rules tab.
    3. Click Create new rule.
    4. In the New incident rule dialog box, do the following:
      1. In the Name field, type a rule name.
      2. Optionally, in the Description field, type a rule description.
      3. Click Next.
      4. Select the checkboxes for at least two stages to incorporate into the rule.
      5. Click Create.
    5. Click Edit.
    6. Set the sequence rule's scope by doing one of the following. Note that the rule will only be applied to the entities you select if the entities have also been assigned policies for the rule's stages:
      • To apply the rule to all entities:
        1. In the Include section, leave the All entities radio button selected.
        2. In the Exclude section, leave the No entities radio button selected.
        3. Click Save.
      • To apply the rule to a subset of entities by only selecting labels to include:
        1. In the Include section, select the Specific entities radio button.
        2. In the label list, select one or more labels for the entities you want to apply the rule to.
        3. Do one of the following:
          • To include entities that have all of the previously selected labels, select the Require all radio button.
          • To include entities that have any of the previously selected labels, select the Require any radio button.
        4. Click Save.
        Example

        For example, to apply a rule to all entities with a "Sales" label or a "Finance" label:

        In the Include section:

        1. Select the Specific entities radio button.
        2. In the labels list, select the Sales and Finance labels.
        3. Select the Require any radio button.
      • To apply the rule to a subset of entities by selecting labels to include and exclude:
        1. In the Include section, follow the steps detailed above.
        2. In the Exclude section:
          1. Select the Specific entities radio button.
          2. In the label list, select one or more labels for the entities you want to exclude from the rule.
          3. Do one of the following:
            • To exclude entities that have all of the previously selected labels, select the Require all radio button.
            • To exclude entities that have any of the previously selected labels, select the Require any radio button.
        3. Click Save.
        Example

        For example, to apply a rule to all entities except those with a "Sales" label or a "Finance" label:

        • In the Include section, select the All entities radio button.
        • In the Exclude section:
          1. Select the Specific entities radio button.
          2. In the labels list, select the Sales and Finance labels.
          3. Select the Require any radio button.

        Or, to apply a rule to entities with a "Manager" label and a "Product" label, but not a "Windows" label:

        • In the Include section:
          1. Select the Specific entities radio button.
          2. In the labels list, select the Manager and Product labels.
          3. Select the Require all radio button.
        • In the Exclude section:
          1. Select the Specific entities radio button.
          2. In the labels list, select the Windows label.
          3. Select either the Require all or Require any radio button.
    7. Set the sequence rule's match type and mandatory stages:
      1. In the Match type widget, click .
      2. Do one of the following:
        • To generate an incident after a policy detection occurs in all of the selected stages, select the Match all stages radio button.
        • To generate an incident after a policy detection occurs in a subset of the selected stages, select the Match ≥ N stages (including mandatory) radio button and then optionally select the checkboxes for any stages you want to be mandatory.
          • Example

          For example, if a rule contains four stages and you select Match ≥ 2 stages, an incident will be generated after a policy detection occurs in any two of the four stages during the given time window.

          Alternatively, if you select Match ≥ 2 stages and make two of the stages mandatory, an incident will be generated after a policy detection occurs in both of the specified stages during the given time window.

      3. Click Save.
    8. Set the sequence rule's risk score:
      1. In the Risk score widget, select.
      2. Do one of the following:
        • To use a fixed risk score for the incident, which is applied regardless of the detections it comprises, leave the Fixed radio button selected and type a number between 1–100:
          • A risk score of 0 is classified as no severity.
          • A risk score between 1–39 is classified as low severity.
          • A risk score between 40–69 is classified as medium severity.
          • A risk score between 70–89 is classified as high severity.
          • A risk score between 90–100 is classified as critical severity.
        • To use the risk score of the most severe detection the incident comprises, select the Most severe detection radio button.
      3. Exit the menu.
    9. Set the sequence rule's time window:
      1. In the Time window widget, click.
      2. Select the time window during which policy detections for selected stages must occur for an incident to be generated.
      3. Exit the menu.
    10. Set the sequence rule's operation mode:
      1. In the Operation mode widget, click.
      2. Do one of the following:
        • To disable the rule after configuration, leave the Disabled radio button selected.
        • To enable the rule after configuration, select the Enabled radio button.
          • Note

          A rule is effective when it is enabled and published, as described later in these instructions.

        • To test the rule after configuration, select the Test radio button.
          • Tooltip

          Incidents generated in the "Test" operation mode will be shown in the Incidents module like other incidents, but can be filtered for rule testing purposes.

      3. Exit the menu.
    11. Customize each of the sequence rule's stages:
      • Optionally, to define a minimum risk score a policy must have to be included in a stage, type a number between 1–100, referring to the severity scale above. Leave this set to 0 to include all policies in the stage.
      • To disable a policy in a stage, turn its Enabled toggle off.
      • To configure policy template parameters, click . For detailed instructions on this, see Configuring policy templates.
    12. Do one of the following:
      • To publish the rule now, click Publish rule and then click Publish in the dialog box that displays.
      • To publish the rule later, exit the sequence rule page and see Publishing incident sequence rules for instructions when you are ready.
    Previous
    Next