Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Console User Guide

    Home FortiDLP FortiDLP Console User Guide

    Detection details panel

    Detection details panel

    The Detection details panel gives you a closer look at a detection.

    From here, you can view:

    • the detection's timestamp, severity, risk score, and description
    • associated entities and their labels
    • the detection's trigger, such as the policy name, and applicable MITRE ATT&CK indicators and tags
    • key information, such as the filename and process binary associated with an unauthorized USB file transfer attempt which triggered a policy
    • origin-based tracking information, such as the website or SaaS app a file was downloaded from and the corresponding login user account name that was used
    • associated actions and content, such as captured screenshots and message user feedback
    • core metadata, which is the primary event information relating to the detection (also shown as "key information").
      • Example

      For example, core metadata for an email policy detection would include the Inspection pattern field that reports the matched content inspection pattern name(s), such as US Social Security Numbers (SSN).
    • extended metadata, which is additional contextual information provided for policy detections for advanced analysis and response.
      • Example

      Extended metadata for the Unauthorized email sent or received template would include the mail_ci_matches field that reports the matched content inspection rule (specifying the data identifiers that have been found and the match frequency) and the email section(s) that were inspected.

      For more on extended metadata, refer to the FortiDLP Policies Extended Metadata Reference Guide.

    Note

    Actions that require a file upload, including take screenshot and make shadow copy, take longer to complete than other actions. If an action is viewed from an associated Detection details panel before it completes, it will display as "Not found" until it succeeds or fails.

    The Detection details panel also allows you to quickly add the detection to a case and execute searches, filtering by associated properties.

    Detection details panel

    For details about the information reported for detections, see the detection properties listed in Investigate search properties.

    Previous
    Next

    Detection details panel

    Detection details panel

    The Detection details panel gives you a closer look at a detection.

    From here, you can view:

    • the detection's timestamp, severity, risk score, and description
    • associated entities and their labels
    • the detection's trigger, such as the policy name, and applicable MITRE ATT&CK indicators and tags
    • key information, such as the filename and process binary associated with an unauthorized USB file transfer attempt which triggered a policy
    • origin-based tracking information, such as the website or SaaS app a file was downloaded from and the corresponding login user account name that was used
    • associated actions and content, such as captured screenshots and message user feedback
    • core metadata, which is the primary event information relating to the detection (also shown as "key information").
      • Example

      For example, core metadata for an email policy detection would include the Inspection pattern field that reports the matched content inspection pattern name(s), such as US Social Security Numbers (SSN).
    • extended metadata, which is additional contextual information provided for policy detections for advanced analysis and response.
      • Example

      Extended metadata for the Unauthorized email sent or received template would include the mail_ci_matches field that reports the matched content inspection rule (specifying the data identifiers that have been found and the match frequency) and the email section(s) that were inspected.

      For more on extended metadata, refer to the FortiDLP Policies Extended Metadata Reference Guide.

    Note

    Actions that require a file upload, including take screenshot and make shadow copy, take longer to complete than other actions. If an action is viewed from an associated Detection details panel before it completes, it will display as "Not found" until it succeeds or fails.

    The Detection details panel also allows you to quickly add the detection to a case and execute searches, filtering by associated properties.

    Detection details panel

    For details about the information reported for detections, see the detection properties listed in Investigate search properties.

    Previous
    Next