Detection details panel
The Detection details panel gives you a closer look at a detection.
From here, you can view:
- the detection's timestamp, severity, risk score, and description
- associated entities and their labels
- the detection's trigger, such as the policy name, and applicable MITRE ATT&CK indicators and tags
- key detection information, such as the filename and process binary associated with an unauthorized USB file transfer attempt which triggered a policy
- origin and data lineage tracking information, such as the website or SaaS app a sensitive file was downloaded from and any operations performed before a user attempted to exfiltrate it, such as copies, moves, and renames
- associated actions and content, such as captured screenshots and message user feedback
- core metadata, which is the primary event information relating to the detection (also shown as "key detection information")
- extended metadata, which is additional contextual information provided for policy detections for advanced analysis and response.
Origin and data lineage tracking is supported for files downloaded from monitored web browsers and consequential copy, move, and rename operations. Other operations, such as file compression, are not tracked. Policy templates, like Sensitive file compressed, can be used to detect additional operations. To learn more, see the FortiDLP Policies Reference Guide.
For example, core metadata for an email policy detection would include the
Extended metadata for the Unauthorized email sent or received template would include the
For more on extended metadata, see the FortiDLP Policies Extended Metadata Reference Guide.
Actions that require a file upload, including take screenshot and make shadow copy, take longer to complete than other actions. If an action is viewed from an associated Detection details panel before it completes, it will display as "Not found" until it succeeds or fails.
The Detection details panel also allows you to quickly add the detection to a case and execute searches, filtering by associated properties.
Detection details
Detection details with data lineage
For details about the information reported for detections, see Detection properties.