Assigning scoped investigations
As an approver, you can assign scoped investigations to investigators from the Scoped investigations tab or from the Incidents, Users, or Nodes modules, as follows.
Approvers are not permitted to assign investigations to themselves.
How to assign a scoped investigation
- In the FortiDLP Console, do one of the following:
- To assign an investigation from the Scoped investigations tab:
- On the left-hand sidebar, click
.
- Under General, select the Scoped investigations tab.
- At the top of the page, click Assign investigation.

- To assign an investigation from the Incidents module:
- On the left-hand sidebar, click
.
- At the end of the incident's table row, click
> Assign investigation.


You can also click an incident's table row to assign the investigation from the Incident details page.

- To assign an investigation from the Users module:
- On the left-hand sidebar, click
.
- At the end of the user's table row, click
> Assign investigation.

- To assign an investigation from the Nodes module:
- On the left-hand sidebar, click
.
- Filter for the relevant node. For guidance on this, see Nodes.
- In the Table tab, at the end of the node's table row, click
> Assign investigation.


You can also click a node's table row to assign the investigation from the Node profile page.
- In the Assign investigation dialog box, do the following:
- In the Investigation name field, type a name to identify the investigation. (If you performed step 1 from the Incidents module, the incident's description will be prepopulated, but you can edit this.)
- In the Operator menu, select the operator to assign to the investigation.
- In the Scoped users list, select the users to investigate (a maximum of 20). (If you performed step 1 from the Incidents module or the Users module, the corresponding user(s) will be preselected.)
- In the Scoped nodes list, select the nodes to investigate (a maximum of 20). (If you performed step 1 from the Nodes module, the node's hostname will be preselected.)
- In the Scoped event streams list, select the event streams to investigate. By default, all event streams will be preselected.
- Set the time range of the events to investigate:
- To limit the time range, keep the Limit time range toggle on and either select a time preset or enter a custom time range.
- To place no limit on the time range, turn the Limit time range toggle off.
- In the Investigation reason field, type the investigation reason.
- Click Next.
- Set the expiry of the investigation by either selecting a time preset or entering a custom expiry.
- Click Assign investigation.