
FortiDLP Console User Guide

Performing Investigate searches

To perform an Investigate search, follow these steps.

Tooltip

For a list of search query examples, see Investigate search query examples.

How to perform an Investigate search
  1. In the FortiDLP Console, on the left-hand sidebar, click the Investigate icon.
    By default, event stream counts for events for the current day are shown.
  2. Optionally, to modify the time frame, do the following:
    • To filter using a time preset:
      1. On the top right of the page, click on the time picker widget.
      2. Click one of the following options:
        • Last 60 min
        • Today
        • Last 24 hours
        • Last 7 days
        • Last 30 days.
    • To filter using a custom time frame:
      1. On the top right of the page, click on the time picker widget.
      2. In the From field, type or select the start date and time.
      3. In the To fields, type or select the end date and time.
      4. Click Apply.
  3. Optionally, to remove a default filter, do the following:
    1. On the search bar, click the icon.
    2. To show localhost connection events, turn the Hide localhost connections toggle off.
    3. To show subframe browser events, turn the Hide subframe navigation toggle off.
      Example

      If a user visits a web page that consists of several frames containing ads, a subframe event is generated for each ad URL. If you do not want to view these events, keep this toggle on to hide them. If you do want to see them, turn this toggle off.

    4. To show system and service events, turn the Hide system and service events toggle off.

    Note

    If you turn a default filter off, it remains off until you turn it on again, even if you log out of and back in to the FortiDLP Console.

    Default filters can also be applied from the individual Browser and Network connection event stream pages.

  4. Click the search bar.
  5. Do one of the following:
    • To search within a single event stream, select the event stream and then type or select a property.
    • To search across multiple event streams, select Alias and then type or select an alias.
    • To search for a user's name, a node's hostname, a label, or a SaaS application, type a text string of at least two characters and make a selection.
  6. Type or select one of the following operators (the options shown depend on what you entered at step 5):
    • = (equals). Within the Action event stream, entering action = kill_process returns events where the kill process action was executed.
    • != (does not equal). Entering file_extension != pdf returns events for non-PDF files.
    • in (in). Entering file_extension in [zip, rar, 7z, tar, iso] returns events for archive files.
    • !in (not in). Entering file_extension !in [zip, rar, 7z, tar, iso] returns events for non-archive files.
    • < (less than). Within the Detection event stream, entering score < 70 returns events for detections with a risk score of less than 70 (that is, detections that are not high or critical).
    • <= (less than or equal to). Within the Browser event stream, entering file_size <= 1000kB returns events for uploaded or downloaded files of 1000 kB (1 MB) or less.
    • > (greater than). Within the Network connection event stream, entering bytes_sent > 1GB returns events for connections where more than 1 GB was sent.
    • >= (greater than or equal to). Within the Print event stream, entering number_of_pages >= 15 returns events for print jobs of 15 or more pages.
    • : (matches). Entering file_name : Customer* returns events for files whose file name starts with "Customer".
    • !: (does not match). Within the File access event stream, entering file_path !: C:\Users\Administrator\AppData\Local\* returns events for files that are not under the Administrator account's Local folder. Because * can also stand in for a whole path segment, file_path !: C:\Users\*\AppData\Local\* excludes every user's Local folder instead.
    • exists (exists). Within the Browser event stream, entering file_name exists returns events for uploaded and downloaded files.
  7. Type a search string. Strings containing spaces must be wrapped in double quotes, for example, dst_country != "united states".

    Tooltip

    As shown at step 6, you can use an asterisk (*) as a wildcard character to represent zero or more characters or words with the : (matches) or !: (does not match) operator.

  8. Press Enter or click Search.
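The operator list above describes the filter syntax in prose only. The following is an added example and is not FortiDLP code or its query engine: a small Python model of that syntax (optional stream prefix, property, operator, value) run over a handful of constructed events, so you can see how each operator selects events and what the list, quoted-string, wildcard and byte-unit forms parse to. Case-insensitive string comparison, decimal byte units (1 kB = 1000 bytes), and the rule that a comparison against an absent property never matches are assumptions made for this example, not documented FortiDLP behaviour.

```python
import re
from dataclasses import dataclass
from typing import Any, List, Optional

# Constructed sample events; not FortiDLP data. "stream" stands in for the event
# stream an event belongs to; the remaining keys are its properties.
EVENTS = [
    {"stream": "browser", "file_name": "Customer_list.xlsx", "file_extension": "xlsx", "file_size": 512_000},
    {"stream": "browser", "file_name": "report.pdf", "file_extension": "pdf", "file_size": 2_500_000},
    {"stream": "browser", "url": "https://example.test/"},  # page visit: no file properties
    {"stream": "file_access", "file_path": r"C:\Users\Administrator\AppData\Local\Temp\a.zip", "file_extension": "zip"},
    {"stream": "file_access", "file_path": r"D:\Share\archive.7z", "file_extension": "7z"},
    {"stream": "network_connection", "bytes_sent": 3_000_000_000, "dst_country": "united states"},
    {"stream": "network_connection", "bytes_sent": 10_000, "dst_country": "germany"},
    {"stream": "detection", "score": 45},
    {"stream": "detection", "score": 90},
    {"stream": "print", "number_of_pages": 20},
    {"stream": "action", "action": "kill_process"},
]

# One filter: optional "stream:" prefix, property, operator, value. Longer operators
# come before their prefixes in the alternation so "!in" is not read as "!" + "in".
QUERY_RE = re.compile(
    r"^\s*(?:(?P<stream>[A-Za-z_]+):)?(?P<prop>[A-Za-z_]+)\s*"
    r"(?P<op>!in|in|exists|!=|=|<=|>=|<|>|!:|:)\s*(?P<value>.*?)\s*$"
)
NUM_RE = re.compile(r"^(\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?$", re.I)
UNIT = {"b": 1, "kb": 1_000, "mb": 1_000_000, "gb": 1_000_000_000}  # decimal units assumed


@dataclass
class Query:
    stream: Optional[str]
    prop: str
    op: str
    value: Any


def parse_value(text: str) -> Any:
    """Right-hand side: [a, b] list, "quoted string", number with optional unit, or bare word."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        return [parse_value(t) for t in text[1:-1].split(",") if t.strip()]
    if len(text) >= 2 and text[0] == text[-1] == '"':  # quotes keep embedded spaces
        return text[1:-1]
    m = NUM_RE.match(text)
    if m:
        n = float(m.group(1)) * UNIT[(m.group(2) or "b").lower()]
        return int(n) if n.is_integer() else n
    return text


def parse_query(query: str) -> Query:
    m = QUERY_RE.match(query)
    if not m:
        raise ValueError(f"cannot parse filter: {query!r}")
    op, raw = m.group("op"), m.group("value")
    if (op == "exists") == bool(raw):  # exists takes no value; every other operator needs one
        raise ValueError(f"bad value for operator {op!r}: {raw!r}")
    return Query(m.group("stream"), m.group("prop"), op, None if op == "exists" else parse_value(raw))


def _same(a: Any, b: Any) -> bool:
    if isinstance(a, (int, float)) and isinstance(b, (int, float)):
        return a == b
    return str(a).lower() == str(b).lower()  # string equality assumed case-insensitive


def _wildcard(pattern: Any, text: Any) -> bool:
    # "*" stands for zero or more characters; everything else in the pattern is literal.
    regex = ".*".join(re.escape(part) for part in str(pattern).split("*"))
    return re.fullmatch(regex, str(text), re.I | re.S) is not None


def matches(event: dict, q: Query) -> bool:
    if q.stream and event.get("stream") != q.stream:
        return False
    if q.op == "exists":
        return q.prop in event
    if q.prop not in event:
        return False  # assumption: an absent property never satisfies a comparison, even !=, !in or !:
    actual = event[q.prop]
    if q.op in ("<", "<=", ">", ">="):
        if not (isinstance(actual, (int, float)) and isinstance(q.value, (int, float))):
            return False  # ordering only makes sense for numeric properties
        return {"<": actual < q.value, "<=": actual <= q.value,
                ">": actual > q.value, ">=": actual >= q.value}[q.op]
    if q.op in ("in", "!in"):
        values = q.value if isinstance(q.value, list) else [q.value]
        hit = any(_same(actual, v) for v in values)
    elif q.op in (":", "!:"):
        hit = _wildcard(q.value, actual)
    else:  # "=" or "!="
        hit = _same(actual, q.value)
    return not hit if q.op.startswith("!") else hit


def search(query: str, events: List[dict] = EVENTS) -> List[dict]:
    q = parse_query(query)
    return [e for e in events if matches(e, q)]


if __name__ == "__main__":
    for query in ("file_extension in [zip, rar, 7z, tar, iso]", "browser:file_size <= 1000kB",
                  "file_name : Customer*", r"file_path !: C:\Users\Administrator\AppData\Local\*"):
        print(f"{query:55} -> {len(search(query))} event(s)")
```

Two behaviours worth noticing when you translate this to real queries: a negated operator (!=, !in, !:) does not return events that lack the property at all, so file_extension != pdf does not surface plain page visits, and a unit-bearing value such as 1000kB is compared as a number, so the unit, not the digit count, decides what is returned.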

To clear a single filter, hover over it on the search bar and then click X. To remove all filters, click Clear at the right of the search bar.

Tooltip

The Investigate module lets you quickly navigate to other parts of the FortiDLP Console to investigate further and/or reconfigure policies.

For example, after submitting the action:action = message query to see events that triggered the display message action, you could check the Created by values to see which policies were breached. Then, in the Action event stream's Events table, you could click the policy name and follow the link to the policy configuration page to make the needed adjustments.

Also, from the Events table, you can click an event to open its details panel and then follow the link to the user's Activity feed, where the other events that occurred within a one-minute time window are displayed.
