
FortiDLP Console User Guide

Detection details panel

The Detection details panel gives you a closer look at a detection.

From here, you can view:

  • the detection's timestamp, severity, risk score, and description
  • associated entities and their labels
  • the detection's trigger, such as the policy name, and applicable MITRE ATT&CK indicators and tags
  • key detection information, such as the filename and process binary associated with an unauthorized USB file transfer attempt which triggered a policy
  • origin and data lineage tracking information, such as the website or SaaS app a sensitive file was downloaded from and any operations performed before a user attempted to exfiltrate it, such as copies, moves, and renames
    Note

    Origin and data lineage tracking is supported for files downloaded from monitored web browsers and consequential copy, move, and rename operations. Other operations, such as file compression, are not tracked. Policy templates, like Sensitive file compressed, can be used to detect additional operations. To learn more, see the FortiDLP Policies Reference Guide.

  • associated actions and content, such as captured screenshots and message user feedback
  • core metadata, which is the primary event information relating to the detection (also shown as "key detection information")
    Example

    Core metadata for an email policy detection would include the Inspection pattern field that reports the matched content inspection pattern name(s), such as US Social Security Numbers (SSN).

  • extended metadata, which is additional contextual information provided for policy detections for advanced analysis and response

    Example

    Extended metadata for the Unauthorized email sent or received template would include the mail_ci_matches field that reports the matched content inspection rule (specifying the data identifiers that have been found and the match frequency) and the email section(s) that were inspected.

    For more on extended metadata, see the FortiDLP Policies Extended Metadata Reference Guide.
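To make the origin and data lineage behaviour described above concrete, here is an added Python illustration. It is not FortiDLP code and does not reflect how the FortiDLP agent stores lineage; the FileEvent schema, the paths, and the origin URL are constructed for the example. It follows a downloaded file through copy, move, and rename operations, and deliberately stops following it at compression (the archive gets no lineage record), while still recording the compression so a policy in the style of the Sensitive file compressed template has something to act on.

```python
"""Constructed illustration of origin and data lineage tracking (not FortiDLP's implementation)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class FileEvent:
    """One browser or file-system event (constructed schema, not FortiDLP's)."""
    op: str                          # download | copy | move | rename | compress
    path: str                        # path the operation acted on
    new_path: Optional[str] = None   # destination for copy/move/rename/compress
    origin: Optional[str] = None     # website or SaaS app, for downloads only


class LineageTracker:
    """Follows a downloaded file through copies, moves and renames.

    Compression is not followed: the resulting archive gets no lineage
    record, which is the gap the Note above describes. The compression is
    still recorded so a separate policy can detect it.
    """

    def __init__(self) -> None:
        # current path -> {"origin": str, "ops": [str, ...]}
        self.lineage: Dict[str, dict] = {}
        # (source, archive) pairs where a tracked file was compressed
        self.compressed: List[Tuple[str, str]] = []

    def observe(self, ev: FileEvent) -> None:
        if ev.op == "download":
            self.lineage[ev.path] = {"origin": ev.origin, "ops": []}
            return
        record = self.lineage.get(ev.path)
        if record is None:
            return  # not a tracked file, nothing to propagate
        if ev.op in ("copy", "move", "rename") and ev.new_path:
            self.lineage[ev.new_path] = {
                "origin": record["origin"],
                "ops": record["ops"] + [f"{ev.op}: {ev.path} -> {ev.new_path}"],
            }
            if ev.op != "copy":
                del self.lineage[ev.path]  # the old path no longer exists
        elif ev.op == "compress" and ev.new_path:
            # Lineage is intentionally not propagated to the archive.
            self.compressed.append((ev.path, ev.new_path))

    def lineage_for(self, path: str) -> Optional[dict]:
        """Origin and operation history for a path, or None if untracked."""
        return self.lineage.get(path)


# Constructed event stream: download, copy, rename, compress, then two copies
# to a removable volume (one of the tracked file, one of the untracked archive).
SAMPLE_EVENTS = [
    FileEvent("download", "/Users/alice/Downloads/customers.xlsx",
              origin="https://crm.example.invalid/export"),
    FileEvent("copy", "/Users/alice/Downloads/customers.xlsx",
              "/Users/alice/Desktop/customers.xlsx"),
    FileEvent("rename", "/Users/alice/Desktop/customers.xlsx",
              "/Users/alice/Desktop/q3.xlsx"),
    FileEvent("compress", "/Users/alice/Desktop/q3.xlsx",
              "/Users/alice/Desktop/q3.zip"),
    FileEvent("copy", "/Users/alice/Desktop/q3.xlsx", "/Volumes/USB/q3.xlsx"),
    FileEvent("copy", "/Users/alice/Desktop/q3.zip", "/Volumes/USB/q3.zip"),
]


def build_lineage(events: List[FileEvent]) -> LineageTracker:
    """Replay an event stream and return the resulting tracker."""
    tracker = LineageTracker()
    for ev in events:
        tracker.observe(ev)
    return tracker


if __name__ == "__main__":
    t = build_lineage(SAMPLE_EVENTS)
    for path in ("/Volumes/USB/q3.xlsx", "/Volumes/USB/q3.zip"):
        print(path, "->", t.lineage_for(path))
    print("compressed tracked files:", t.compressed)
```

Replaying the sample stream shows the two outcomes an analyst sees in the panel: the spreadsheet copied to the USB volume carries its origin and the three operations that led there, while the archive copied to the same volume has no lineage at all, and only the recorded compression event points back to the sensitive source.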

Note

Actions that require a file upload, including take screenshot and make shadow copy, take longer to complete than other actions. If an action is viewed from an associated Detection details panel before it completes, it will display as "Not found" until it succeeds or fails.

The Detection details panel also allows you to quickly add the detection to a case and execute searches, filtering by associated properties.

[Figure: Detection details]

[Figure: Detection details with data lineage]

For details about the information reported for detections, see Detection properties.
