
FortiDLP Administration Guide

Configuring behavioral analytics detection rules

FortiDLP uses behavioral analytics rules to identify anomalous activity for users and managed nodes. When an event matches a behavioral analytics detection rule, a detection is shown in the FortiDLP Console along with a risk score and severity that indicates the perceived danger to your organization.

You define behavioral analytics detection risk scores in the Behavioral analytics tab of the Policies module; the risk score you assign to a rule also determines the severity level of the detections it raises. When configuring risk scores, refer to the following severity scale and table.

Severity scale

Behavioral analytics detections
Detections Description Requirements
Unknown USB device Indicates when a user connects a USB storage device for the first time, which has never been used by anyone in the organization. N/A
Unknown process Indicates when a user executes a binary file for the first time in the organization. N/A
Unknown Wi-Fi SSID Indicates when a user connects to an SSID that has not been used by anyone in the organization. Windows or macOS
Unknown Wi-Fi BSSID Indicates when a user connects to a known SSID from a BSSID that has not been used by anyone in the organization. Windows or macOS
Surge in outbound connections Indicates when a node makes an abnormally large number of outbound connections based on previous network usage. N/A
Surge in inbound connections Indicates when a node receives an abnormally large number of inbound connections based on previous network usage. N/A
Surge in outbound hosts Indicates when a node connects to an abnormally large number of different network destinations based on previous network usage. N/A
Surge in inbound hosts Indicates when a node receives an abnormally large number of connections from different network sources based on previous network usage. N/A
Surge in outbound port connections Indicates when a node connects to an abnormally large number of unique ports and services based on previous network usage. This is indicative of port scanning. N/A
Surge in inbound port connections Indicates when a node accepts connections on an abnormally large number of unique ports and services based on previous network usage. This is indicative of port scanning. N/A
Surge in outbound data sent Indicates when a node sends a significantly large amount of data in outbound connections based on previous network usage. N/A
Surge in inbound data sent Indicates when a node sends a significantly large amount of data in inbound connections based on previous network usage. N/A
Surge in outbound data received Indicates when a node receives a significantly large amount of data in outbound connections based on previous network usage. N/A
Surge in inbound data received Indicates when a node receives a significantly large amount of data in inbound connections based on previous network usage. N/A
Unexpected Wi-Fi Indicates when a user connects to a Wi-Fi network that is unusual given the other, commonly-used networks that are available at the time. Windows or macOS
Surge in files written to USB Indicates when a user writes an abnormally large number of files to a USB storage device based on previous storage device usage. N/A
Surge in number of concurrent logins for a user Indicates when a user logs in to multiple nodes concurrently that they do not usually log in to or have never logged in to. This detection applies when users log in using LDAP credentials and not local credentials. Windows or macOS
How to configure behavioral analytics detection rules
  1. In the FortiDLP Console, on the left-hand sidebar, click Policies.
  2. Select the Behavioral analytics tab.
  3. In the Fixed detection risk scores section, do the following:
    1. For each rule, type a number from 0 to 100 to define the detection's risk score.
       Note: the risk score determines the severity assigned to the detection.
       • A detection that has a risk score of 0 is classified as no severity.
       • A detection that has a risk score between 1 and 39 is classified as low severity.
       • A detection that has a risk score between 40 and 69 is classified as medium severity.
       • A detection that has a risk score between 70 and 89 is classified as high severity.
       • A detection that has a risk score between 90 and 100 is classified as critical severity.
    2. Click Save.
  4. In the Variable detection risk scores section, do the following:
    1. For each rule, type a number from 0 to 100 to define the upper limit of the detection's risk score range.
       Note: the upper limit determines the highest severity the detection can be classified as.
       • A detection that has a risk score of 0 is classified as no severity.
       • A detection that has a risk score between 1 and 39 is classified up to low severity.
       • A detection that has a risk score between 40 and 69 is classified up to medium severity.
       • A detection that has a risk score between 70 and 89 is classified up to high severity.
       • A detection that has a risk score between 90 and 100 is classified up to critical severity.
    2. Click Save.
