Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • FortiDLP Console User Guide

    Home FortiDLP FortiDLP Console User Guide

    Scoped investigations

    Scoped investigations

    Scoped investigations improve data privacy and information security regulation compliance by letting you choose which information is accessible to operators for forensic analysis. Scoped investigations grant operators time-bound, revocable, and audited access to just the users and nodes they need to prevent unnecessary exposure or mishandling of sensitive data.

    A scoped investigation has an investigator and an approver, where one of two workflows occur:

    1. An investigator requests an investigation, proposing the data access permitted. The approver then approves the investigation, adjusting the access if needed, or denies it. The investigator then completes the investigation.
    2. An approver assigns an investigation to an investigator, defining the data access permitted. The investigator then completes the investigation.

    Scoped investigations limit the information investigators can view across the FortiDLP Console and have an expiry, after which access is automatically withdrawn to further reduce data privacy risk. For auditing purposes, investigation activity is also recorded in the Audit log.

    Investigation management

    As described in the following sections, scoped investigations can be assigned or requested from the Incidents, Users, and Nodes modules.

    Both approvers and investigators manage scoped investigations in Admin settings > Scoped investigations. From here, approvers can view requests from all investigators within their organization and investigators can view their own requests. Additionally, approvers can assign, approve/deny, or revoke investigations, and investigators can activate and withdraw investigations.

    A scoped investigation is shown in the Scoped investigations tab with one of the following statuses.

    Investigation statuses
    STatus Description
    Pending The investigation is awaiting approval by an approver.
    Approved The investigation has been approved, but the investigator has not started the investigation.
    Withdrawn The investigation has been withdrawn by the investigator before approval.
    Denied The investigation has been denied by an approver.
    Activated The investigation is in progress.
    Revoked The investigation has been revoked by an approver.
    Expired The investigation period has expired.

    To learn more about scoped investigations, see:

    Previous
    Next

    Scoped investigations

    Scoped investigations

    Scoped investigations improve data privacy and information security regulation compliance by letting you choose which information is accessible to operators for forensic analysis. Scoped investigations grant operators time-bound, revocable, and audited access to just the users and nodes they need to prevent unnecessary exposure or mishandling of sensitive data.

    A scoped investigation has an investigator and an approver, where one of two workflows occur:

    1. An investigator requests an investigation, proposing the data access permitted. The approver then approves the investigation, adjusting the access if needed, or denies it. The investigator then completes the investigation.
    2. An approver assigns an investigation to an investigator, defining the data access permitted. The investigator then completes the investigation.

    Scoped investigations limit the information investigators can view across the FortiDLP Console and have an expiry, after which access is automatically withdrawn to further reduce data privacy risk. For auditing purposes, investigation activity is also recorded in the Audit log.

    Investigation management

    As described in the following sections, scoped investigations can be assigned or requested from the Incidents, Users, and Nodes modules.

    Both approvers and investigators manage scoped investigations in Admin settings > Scoped investigations. From here, approvers can view requests from all investigators within their organization and investigators can view their own requests. Additionally, approvers can assign, approve/deny, or revoke investigations, and investigators can activate and withdraw investigations.

    A scoped investigation is shown in the Scoped investigations tab with one of the following statuses.

    Investigation statuses
    STatus Description
    Pending The investigation is awaiting approval by an approver.
    Approved The investigation has been approved, but the investigator has not started the investigation.
    Withdrawn The investigation has been withdrawn by the investigator before approval.
    Denied The investigation has been denied by an approver.
    Activated The investigation is in progress.
    Revoked The investigation has been revoked by an approver.
    Expired The investigation period has expired.

    To learn more about scoped investigations, see:

    Previous
    Next