User-event mapping
FortiDLP processes events from multiple sources, such as Windows, Mac, and Linux devices, and cloud services. Events that are triggered by a user's activity have a device- or cloud-service-specific identity that can be correlated with users that have been synced to FortiDLP.
FortiDLP uses a system based on URIs to reference different types of identifiers so that an event can be correlated with a user. The URI scheme defines the type of identifier, and the content of the URI will be in a format specific to that scheme. The URI schemes used for identification vary depending on the event source. For example, an Agent event on a Windows computer will include a security identifier, whereas a cloud event will include an email address. In order for a correlation to occur, at least one URI from the event must match a URI assigned to a user. A user can be assigned multiple URIs to allow them to be correlated with events from a variety of sources.
Directory URIs
When a user is synced to FortiDLP from a directory source, such as Entra ID, Google Workspace, or LDAP, FortiDLP creates one or more URIs for the user, which are used to uniquely identify them. FortiDLP supports several URI schemes, providing a flexible framework for user association. The directory sync source determines which URIs are created, based on whether the scheme is supported.
| URI scheme | Example URI | Synced from Entra ID | Synced from Google Workspace | Synced from LDAP |
|---|---|---|---|---|
| Windows Security Identifiers (SID) | sid://S-1-5-21-3623811015-3361044348-30300820-1013@domain | ✓ | ✓ | |
| Unix User IDs (UID) | unix://5001@domain | ✓ | | |
| Usernames | username://john.smith@domain | ✓ | ✓ | ✓ |
| Email addresses | mail://john.smith@example.com | ✓ | ✓ | ✓ |
Device URIs
You can use the Agent and Hostname URIs to associate users directly with a device, either instead of or in addition to directory information.
Once an Agent is enrolled on a device, all events reported by that Agent will contain an Agent URI (created by FortiDLP) and a Hostname URI (the name of the computer). Both can uniquely identify the device within your organization, so you can assign either URI to a user to map all of the events generated by a specific device to them.
| URI scheme | Example URI |
|---|---|
| Agent | agent://5b12d3d9-5301-4b60-6966-4a29385eb166@domain1 |
| Hostname | machinename://john-smith-desktop |
The Agent URI can be automatically assigned to a user upon Agent enrollment if specified. The Hostname URI can be manually assigned to users through the /api/v2/users/bulk/useruri or /api/v2/users/{uuid}/useruri/add FortiDLP API endpoints. You can also sync device hostnames from an LDAP directory using LDAP Sync Tool version 3.1.0+.
Each user can have multiple URIs for each scheme, or none at all. For example, a user can have multiple email addresses if they use a different email address for each cloud service. Each user URI must be uniquely assigned to a single user. If a URI that is already assigned to a user is then assigned to a different user, it will be reassigned to the new user and removed from the old user. The
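The matching rule described above (an event correlates when at least one of its URIs matches a URI assigned to a user) and the uniqueness rule (reassigning a URI moves it to the new user), as an added illustration in Python; this is not FortiDLP's own code, and the tie-breaking when several URIs on one event match different users is an assumption, since the page does not specify it.

```python
from typing import Optional

# Identity URI schemes named on this page; content after "://" is scheme-specific.
SCHEMES = {"sid", "unix", "username", "mail", "agent", "machinename"}

def parse_uri(uri: str) -> tuple:
    """Split 'scheme://content'; reject unknown schemes and empty content."""
    scheme, sep, content = uri.partition("://")
    if not sep or scheme not in SCHEMES or not content:
        raise ValueError(f"malformed identity URI: {uri!r}")
    return scheme, content

class UserUriMap:
    """A user may hold many URIs (or none); each URI belongs to exactly one user."""

    def __init__(self) -> None:
        self.uris_by_user = {}  # user -> set of assigned URIs
        self.user_by_uri = {}   # URI -> user; this index enforces uniqueness

    def assign(self, user: str, uri: str) -> Optional[str]:
        """Assign uri to user. If another user held it, move it and return that user."""
        parse_uri(uri)
        previous = self.user_by_uri.get(uri)
        if previous is not None and previous != user:
            self.uris_by_user[previous].discard(uri)  # removed from the old user
        self.user_by_uri[uri] = user
        self.uris_by_user.setdefault(user, set()).add(uri)
        return previous if previous != user else None

    def correlate(self, event_uris: list) -> Optional[str]:
        """Return the user owning at least one URI on the event, else None.
        Assumption: the first matching URI in event order wins (page is silent)."""
        for uri in event_uris:
            parse_uri(uri)  # a malformed event URI is an error, not a silent miss
            owner = self.user_by_uri.get(uri)
            if owner is not None:
                return owner
        return None

if __name__ == "__main__":
    # Constructed sample: directory-synced SID and mail plus a manually assigned hostname.
    users = UserUriMap()
    for uri in ("sid://S-1-5-21-3623811015-3361044348-30300820-1013@domain",
                "mail://john.smith@example.com", "machinename://john-smith-desktop"):
        users.assign("john.smith", uri)
    windows_event = ["agent://5b12d3d9-5301-4b60-6966-4a29385eb166@domain1",
                     "machinename://john-smith-desktop"]  # Agent URI never assigned
    print(users.correlate(windows_event), users.correlate(["mail://john.smith@example.com"]))
```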