FortiDLP Console User Guide

Activity feed

The Activity feed displays, by default, a list of events in chronological order, so you can easily see the latest activity occurring in your organization.

You can click an event to show all of its details, and filter the list by defining a time range, performing search queries, and selecting one or more event streams. With the interactive table, you can pivot to related information and create search queries to dig further into information of interest.

Above the events table, the total number of events, associated users, and associated nodes is shown for each selected event stream.

Pinned event fields

In the table, you can expand an event to view all of its details and then pin important fields to a column to access the information most useful for your investigations. By default, the Actions field is automatically pinned for detection events.

Pinning fields

Pinned fields column

Event streams panel

The event streams panel lets you filter which streams are visible in the events table. You can manually select one or more streams or turn on a toggle to enable the automatic selection of streams that match a query entered into the search bar at the top of the page.

Aggregations panel

In the Aggregations panel, you can view high-level statistics for any event stream, so you can add context related to your current investigation or begin a new one side by side.
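As an added example that is not part of this guide, the following Python models two of the behaviours described above on constructed events: query-driven automatic stream selection (the toggle in the event streams panel) and pivoting from one event to related activity on the same node and user. The field names and sample values are assumptions for illustration, not FortiDLP's actual event schema.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the streams this page describes; field names are assumptions.
SAMPLE_EVENTS = [
    {"stream": "Process start", "timestamp": "2024-05-01T09:00:00Z", "user": "alice",
     "node": "LAPTOP-01", "process": "updater.exe", "signature": "unsigned"},
    {"stream": "Network connection", "timestamp": "2024-05-01T09:01:30Z", "user": "alice",
     "node": "LAPTOP-01", "process": "updater.exe", "signature": "unsigned",
     "direction": "outbound", "destination": "203.0.113.10"},
    {"stream": "File access", "timestamp": "2024-05-01T09:02:00Z", "user": "alice",
     "node": "LAPTOP-01", "filename": "payroll.xlsx", "process": "updater.exe"},
    {"stream": "USB device", "timestamp": "2024-05-01T10:30:00Z", "user": "bob",
     "node": "LAPTOP-02", "device_name": "SanDisk Ultra", "vendor_id": "0781"},
    {"stream": "Login", "timestamp": "2024-05-01T09:00:10Z", "user": "alice",
     "node": "LAPTOP-01", "login_type": "logout"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def event_matches(event, query):
    """Case-insensitive substring match of the query against every field value."""
    q = query.lower()
    return any(q in str(v).lower() for v in event.values())


def select_streams(events, query=None, manual=()):
    """Streams visible in the table: the manually picked ones plus, when a query is
    given (the auto-select toggle), every stream with at least one matching event."""
    selected = set(manual)
    if query:
        selected.update(e["stream"] for e in events if event_matches(e, query))
    return selected


def pivot_related(events, anchor, window_minutes=5):
    """Pivot from one event to everything on the same node and user within a
    time window, in chronological order, so the surrounding activity can be read."""
    t0 = parse_ts(anchor["timestamp"])
    delta = timedelta(minutes=window_minutes)
    related = [
        e for e in events
        if e is not anchor
        and e["node"] == anchor["node"] and e["user"] == anchor["user"]
        and abs(parse_ts(e["timestamp"]) - t0) <= delta
    ]
    return sorted(related, key=lambda e: e["timestamp"])
```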

The following table describes the event types the Activity feed captures. For details regarding OS and Agent compatibility and requirements, refer to the FortiDLP Agent Deployment Guide.

Event descriptions

Action (New) and Action (Legacy)

Events related to manual (operator-initiated) and automatic (policy-initiated) actions.

You can view details including the:

  • timestamp
  • action type
  • action result or status, and
  • name of the operator or policy that executed the action.

For comprehensive information about actions, also see Actions.

Application

Events related to application use.

You can view details including the:

  • timestamp
  • process name and binary signature status (signed, unsigned, or unverified), and
  • window title name.

Browser

Events related to browser use, such as when a user visits a URL or uploads or downloads a file.

You can view details including the:

  • timestamp
  • browser name
  • tab and target URLs and associated classification categories (these categories, which are mapped to NetSTAR internet classifiers, provide insight into potentially unauthorized, malicious, and careless web behavior)
  • session type (private or normal)
  • download or upload size
  • MIME type
  • danger rating, and
  • transition type.

Detection

Events related to detections.

You can view details including the:

  • timestamp
  • detection name and description
  • severity and risk score
  • associated screenshots
  • associated policy (if applicable), and
  • tags.

For comprehensive information about detections, also see Detections.

Email

Events related to outbound email activity.

You can view details including the:

  • timestamp
  • email client type
  • sender email address, domain, and username
  • recipient email addresses, domains, and usernames
  • Cc and Bcc recipient email addresses, domains, and usernames
  • subject line
  • attachment filenames, and
  • attachment file size.

File access

Events related to file access, such as when a file is opened, modified, closed, executed, deleted, or renamed.

You can view details including the:

  • timestamp
  • filename
  • file path, and
  • process/child process name and binary signature status (signed, unsigned, or unverified).

Note

During content inspection, the FortiDLP Agent examines files of interest locally. File contents are not uploaded to the FortiDLP Infrastructure.

Google Drive

Events collected from Google Drive.

You can view details including the:

  • affected Google Drive labels
  • file ID, name, owner, and type
  • membership change information
  • visibility changes for published and unpublished documents, and
  • user whose sharing permissions were modified.

Login

Events related to login activity.

You can view details including the:

  • timestamp
  • login type (login or logout)
  • UID, and
  • username.

Note

When a user locks their machine, this is considered a logout event. When a user unlocks their machine, this is considered a login event.

Network connection

Events related to network connections.

You can view details including the:

  • timestamp
  • connection type (inbound or outbound)
  • process name and its binary signature status (signed, unsigned, or unverified)
  • network addresses (destination and source), and
  • communication protocol.

Print

Events related to print jobs. For Windows machines, print jobs sent to local, network, and virtual printers are monitored. For macOS and Linux machines, print jobs sent to local and network printers are monitored.

You can view details including the:

  • timestamp
  • file name
  • number of pages
  • size
  • printer name, and
  • printer port (Windows only).

Note

On Windows, there is limited visibility of print jobs sent to centralized print servers. In some cases, events for print jobs sent to other servers on the network can be captured if the "Render print jobs on client computers" setting is enabled in the printer properties. From FortiDLP Agent 10.4.0+, there is an option to turn on enhanced printing visibility, which resolves this issue.

For detailed information regarding printing functionality across OSs, see Print monitoring in the FortiDLP Agent Deployment Guide.

Process start

Events related to process starts.

You can view details including the:

  • timestamp, and
  • process/child process name and binary signature status (signed, unsigned, or unverified).

SharePoint & OneDrive

Events collected from Microsoft SharePoint and OneDrive.

You can view details including the:

  • device platform
  • application
  • file name, type, and URL
  • site URL
  • user a resource was shared with, and
  • old and new values of a modified resource.

USB device

Events related to USB composite and storage device use.

You can view details including the:

  • timestamp
  • device name, and
  • device serial number, product ID, and vendor ID.

Wi-Fi

Events related to Wi-Fi network connections.

You can view details including the:

  • timestamp
  • SSID
  • BSSID, and
  • encryption type (WPA, WPA2, or WEP).