Action results and statuses
When an action is initiated by a policy or an operator, one or more associated action events display in the FortiDLP Console's Investigate module. For each event, you can view the action result or status, which indicates whether the action has been executed on the node it was intended for.
A node's Agent version determines whether action events are displayed with a result or a status in the FortiDLP Console:
- Nodes running Agent 11.0.1 or later support new actions. When a new action is performed, a single event is generated with a result. These action events are recorded in the Action (New) event stream.
- Nodes running Agent 10.5.3 or earlier support legacy actions. When a legacy action is performed, multiple events are generated as the action transitions through different statuses. These action events are recorded in the Action (Legacy) event stream.
The following sections describe the possible results and statuses shown.
New action results
The FortiDLP Agent reports an event for a new action when the action has completed. These action events display with one of two results.
Result | Description |
---|---|
Succeeded | The FortiDLP Agent executed an action. |
Failed | The FortiDLP Agent failed to execute an action due to an error. Details of the specific error are provided. |
Because the Agent reports actions after they have completed (succeeded or failed), events and detections for actions that require a file upload, including take screenshot, request debug bundle, request performance report, and make shadow copy, may take longer to display in the FortiDLP Console.
You can view pending action requests for debug bundles and performance reports on the Node profile page, which display with a "Requested" badge.
Additionally, you can check for pending actions by sending a GET request to the FortiDLP API's |
Legacy action statuses
Several communications occur between the FortiDLP Agent and the FortiDLP Infrastructure to complete legacy actions. Throughout these interactions, a status is shown in the FortiDLP Console, illustrating the action's state at different points in time. A legacy action status typically progresses from "Requested" to "Received" to "Executed". However, additional action statuses may be shown, as detailed in the following table.
When considering legacy action statuses, note that actions are either persistent or nonpersistent. A persistent action is one that persists on a node and can be reversed, such as the lock and isolate actions. A nonpersistent action is one that does not persist on a node and cannot be reversed, which includes all other action types.
Status | Description |
---|---|
Requested by operator | The FortiDLP Infrastructure received an action request from an operator. |
Requested by Agent | The FortiDLP Infrastructure received an action request from an Agent, either due to a policy violation or a CPU or memory threshold being exceeded. |
Received | The FortiDLP Agent received an action request from the FortiDLP Infrastructure. |
Executed | The FortiDLP Agent executed a nonpersistent action. |
In progress | The FortiDLP Agent executed a persistent action. |
Undo requested | The FortiDLP Infrastructure received an action request to reverse a persistent action. |
Undone | The FortiDLP Agent reversed a persistent action. |
Undo failed | An error occurred that prevented the FortiDLP Agent from reversing a persistent action. |
Awaiting update | The FortiDLP Agent partially executed an action while offline and is awaiting information from the FortiDLP Infrastructure to complete the action. |
Expired | The FortiDLP Agent did not respond to an action request before it timed out—for example, because it was offline. Actions only transition to this state if they have not been sent to the FortiDLP Agent. |
Failure | An error occurred that prevented the FortiDLP Agent from executing an action. |
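Because a legacy action produces several events, confirming that a containment action such as isolate or lock actually took effect means reducing each action's events to its most recent status. The following Python sketch is an added example, not Fortinet code: the status names come from the table above, while the tuple layout, the sample events, and the done/failed/pending grouping are assumptions made for illustration.

```python
from datetime import datetime

# Status names come from the legacy status table; the grouping is this example's own.
GROUPS = {
    "done": {"Executed", "In progress", "Undone"},
    "failed": {"Failure", "Expired", "Undo failed"},
    "pending": {"Requested by operator", "Requested by Agent", "Received",
                "Undo requested", "Awaiting update"},
}

# Constructed sample data. The tuple layout (action id, node, action, status, time)
# is hypothetical and is not a FortiDLP export format.
SAMPLE_EVENTS = [
    ("a1", "wks-01", "isolate", "Requested by operator", "2024-05-01T10:00:00"),
    ("a1", "wks-01", "isolate", "Received", "2024-05-01T10:00:05"),
    ("a1", "wks-01", "isolate", "In progress", "2024-05-01T10:00:06"),
    ("a2", "wks-02", "lock", "Requested by Agent", "2024-05-01T11:00:00"),
    ("a2", "wks-02", "lock", "Expired", "2024-05-01T12:00:00"),
    ("a3", "wks-03", "take screenshot", "Requested by operator", "2024-05-01T13:00:00"),
    ("a3", "wks-03", "take screenshot", "Received", "2024-05-01T13:00:02"),
    ("a4", "wks-04", "isolate", "In progress", "2024-05-01T09:00:00"),
    ("a4", "wks-04", "isolate", "Undo requested", "2024-05-01T14:00:00"),
    ("a4", "wks-04", "isolate", "Undo failed", "2024-05-01T14:00:09"),
]

def latest_per_action(events):
    """Collapse each action's event sequence to its most recent event."""
    latest = {}
    for ev in events:
        action_id, when = ev[0], datetime.fromisoformat(ev[4])
        if action_id not in latest or when > datetime.fromisoformat(latest[action_id][4]):
            latest[action_id] = ev
    return latest

def triage(events):
    """Map action id -> (node, action, last status, verdict)."""
    result = {}
    for action_id, (_, node, action, status, _when) in latest_per_action(events).items():
        verdict = next((name for name, group in GROUPS.items() if status in group), "unknown")
        result[action_id] = (node, action, status, verdict)
    return result

def needs_attention(events):
    """Action ids whose last status does not show the action (or its undo) completed."""
    return sorted(a for a, r in triage(events).items() if r[3] != "done")

if __name__ == "__main__":
    for action_id in needs_attention(SAMPLE_EVENTS):
        print(action_id, *triage(SAMPLE_EVENTS)[action_id])
```

In the sample, the lock on wks-02 expired before reaching the Agent and the isolate on wks-04 could not be reversed, so both are listed for follow-up along with the screenshot request that is still at "Received".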