Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Console User Guide

    Home FortiDLP FortiDLP Console User Guide

    Requesting scoped investigations

    Requesting scoped investigations

    As an investigator, you can submit scoped investigation requests from the Incidents, Users, or Nodes modules, as described in the following instructions.

    After you submit a request, the icon on the top menu bar of the FortiDLP Console will keep you informed.

    • If a request is pending, the bell will display a blue circle.
    • If a request is approved/activated, the bell will display a green circle.
    • If a request is denied/revoked, the bell will display a red circle.
    Note

    Where you have requests with different statuses, one circle will display, with green taking precedence, followed by red;

    • If you have approved/activated requests and pending and/or denied/revoked requests simultaneously, the bell will display a green circle.
    • If you have denied/revoked requests and pending requests simultaneously, the bell will display a red circle.

    To see your requests, just click the icon and select the My investigations menu option to go to the Scoped investigations tab. Alternatively, you can view requests in the Scoped investigations tab via Admin settings.

    How to request a scoped investigation
    1. In the FortiDLP Console, do one of the following:
      • To request an investigation from the Incidents module:
        1. On the left-hand sidebar, click .
        2. At the end of the incident's table row, click> Request investigation.
          3. Tooltip

          You can also click an incident's table row to request the investigation from the Incident details page.


      • To request an investigation from the Users module:
        1. On the left-hand sidebar, click .
        2. At the end of the user's table row, click> Request investigation.
      • To request an investigation from the Nodes module:
        1. On the left-hand sidebar, click .
        2. Filter for the relevant node. For guidance on this, see Nodes.
        3. In the Table tab, at the end of the node's table row, click> Request investigation.
          4. Tooltip

          You can also click a node's table row to request the investigation from Node profile page.

    2. In the Request investigation dialog box, do the following:
      1. In the Investigation name field, type a name to identify the investigation. (If you performed step 1 from the Incidents module, the incident's description will be prepopulated, but you can edit this.)
      2. In the Scoped users list, select the users to investigate, a maximum of 20. (If you performed step 1 from the Incidents module or the Users module, a maximum of 10 corresponding user(s) will be preselected.)
      3. In the Scoped nodes list, select the nodes to investigate, a maximum of 20. (If you performed step 1 from the Nodes module, the node's hostname will be preselected.)
      4. In the Scoped event streams list, select the event streams to investigate. By default, all event streams will be preselected.
      5. Set the time range of the events to investigate:
        • To limit the time range, keep the Limit time range toggle on and either select a time preset or enter a custom time range.
        • To place no limit on the time range, turn the Limit time range toggle off.
      6. In the Investigation reason field, type the investigation reason.
      7. Click Send request.
    Previous
    Next

    Requesting scoped investigations

    Requesting scoped investigations

    As an investigator, you can submit scoped investigation requests from the Incidents, Users, or Nodes modules, as described in the following instructions.

    After you submit a request, the icon on the top menu bar of the FortiDLP Console will keep you informed.

    • If a request is pending, the bell will display a blue circle.
    • If a request is approved/activated, the bell will display a green circle.
    • If a request is denied/revoked, the bell will display a red circle.
    Note

    Where you have requests with different statuses, one circle will display, with green taking precedence, followed by red;

    • If you have approved/activated requests and pending and/or denied/revoked requests simultaneously, the bell will display a green circle.
    • If you have denied/revoked requests and pending requests simultaneously, the bell will display a red circle.

    To see your requests, just click the icon and select the My investigations menu option to go to the Scoped investigations tab. Alternatively, you can view requests in the Scoped investigations tab via Admin settings.

    How to request a scoped investigation
    1. In the FortiDLP Console, do one of the following:
      • To request an investigation from the Incidents module:
        1. On the left-hand sidebar, click .
        2. At the end of the incident's table row, click> Request investigation.
          3. Tooltip

          You can also click an incident's table row to request the investigation from the Incident details page.


      • To request an investigation from the Users module:
        1. On the left-hand sidebar, click .
        2. At the end of the user's table row, click> Request investigation.
      • To request an investigation from the Nodes module:
        1. On the left-hand sidebar, click .
        2. Filter for the relevant node. For guidance on this, see Nodes.
        3. In the Table tab, at the end of the node's table row, click> Request investigation.
          4. Tooltip

          You can also click a node's table row to request the investigation from Node profile page.

    2. In the Request investigation dialog box, do the following:
      1. In the Investigation name field, type a name to identify the investigation. (If you performed step 1 from the Incidents module, the incident's description will be prepopulated, but you can edit this.)
      2. In the Scoped users list, select the users to investigate, a maximum of 20. (If you performed step 1 from the Incidents module or the Users module, a maximum of 10 corresponding user(s) will be preselected.)
      3. In the Scoped nodes list, select the nodes to investigate, a maximum of 20. (If you performed step 1 from the Nodes module, the node's hostname will be preselected.)
      4. In the Scoped event streams list, select the event streams to investigate. By default, all event streams will be preselected.
      5. Set the time range of the events to investigate:
        • To limit the time range, keep the Limit time range toggle on and either select a time preset or enter a custom time range.
        • To place no limit on the time range, turn the Limit time range toggle off.
      6. In the Investigation reason field, type the investigation reason.
      7. Click Send request.
    Previous
    Next