
FortiDLP Console User Guide

Viewing incidents

FortiDLP provides an extended retention period for incidents, storing them indefinitely. Incident detections are retained for 372 days.

Note

Actions associated with incidents/incident detections are subject to the standard retention period. Therefore, artifacts resulting from actions—for example, screenshots—will not be viewable past your retention period.

To accelerate threat investigation and response, the top of the Incidents module highlights the total number of clustered and sequenced incidents, also allowing you to filter by the incident type. Additionally, it indicates when an entity has reached a sequence rule's limit (described more below).

The table provides the newest or most recently updated incidents at the top for quick access. An aggregation menu can also be displayed to show you the most/least common incident properties. To refine the data in view, you can either type into the search bar at the top of the page or click a property value and then add a filter.

By selecting a table row, you can visit the Incident details page to inspect and manage a single incident. From here, you can see key information about the incident in view; the information shown varies by incident type. To drill down into an incident's detections, you can filter by more properties and search terms and view more aggregations. You can also examine the individual detections forming the incident by clicking a detection's table row. A bar graph is also provided, which plots the incident's detections by time. The page is customizable, allowing you to show/hide sections using the Page view menu.

The Incident details page eases investigations by enabling detections to be exported to CSV/XLSX and added to cases. It also correlates new clustered incidents with old ones, displaying details of resolved but associated incidents which were formed by the same cluster data.

When you start your investigation, you can easily change its status from New to In review. Then you can set it to Resolved once you have finished investigating. See Reviewing incidents and Resolving incidents for details.

Clustered incident limit and fallback incident

A policy can generate clustered incidents that group detections by a maximum of 100 active, distinct cluster data key values.

Example

For example, if you configure the Sensitive file uploaded policy template, which clusters detections by domain name, the corresponding key would be hostname and the values would be the specific domain names by which detections are grouped as incidents.

A detection that carries the 101st distinct cluster data key value is added to a "fallback" incident, as is a detection with the 102nd value, and so on.

Example

For example, with the Sensitive file uploaded policy template, the first 100 website domains will create individual incidents.

After the bounding limit is reached, all detections—independent of their associated domain—will be added to a single fallback incident until at least one of the previous 100 incidents is resolved.

Sequenced incident limit

A maximum of 10 sequenced incidents can exist for the same entity and sequence rule at the same time. If this limit is reached, further incidents will not be created for the entity and rule until one or more of the existing incidents are marked as "In review" or "Resolved".

To ease management of incidents where the limit has been met, the overview page indicates the number of times the limit has been reached and allows you to quickly filter for corresponding incidents.
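The two creation bounds above (100 active cluster data key values per policy with a single fallback incident, and 10 sequenced incidents per entity and sequence rule) are easy to misjudge during an investigation, because a quiet fallback incident or a silently skipped sequenced incident means detections are landing somewhere other than where you are looking. The following Python model, added here as an example and not FortiDLP code, simulates both bounds so the behaviour can be reasoned about. The limits and the New / In review / Resolved statuses come from this page; the class names, the `simulate()` driver and its sample domains are constructed assumptions.

```python
"""Simulation of FortiDLP's clustered-incident and sequenced-incident limits.

Added example, not FortiDLP code. The numeric limits and the incident
statuses are taken from the user guide; every name below is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass, field

CLUSTER_LIMIT = 100      # active, distinct cluster data key values per policy
SEQUENCE_LIMIT = 10      # open sequenced incidents per (entity, sequence rule)
FALLBACK = "<fallback>"  # constructed label for the single fallback incident


@dataclass
class Incident:
    origin: str                 # policy or sequence rule that created it
    subject: str                # cluster data key value (or FALLBACK) / entity
    status: str = "New"
    detections: list = field(default_factory=list)


class ClusteredIncidentStore:
    """Groups detections into one incident per cluster data key value."""

    def __init__(self):
        self.incidents = defaultdict(dict)   # policy -> {key_value: Incident}

    def active_values(self, policy):
        """Key values that currently hold an unresolved (non-fallback) incident."""
        return [v for v, inc in self.incidents[policy].items()
                if v != FALLBACK and inc.status != "Resolved"]

    def add_detection(self, policy, key_value, detection):
        bucket = self.incidents[policy]
        inc = bucket.get(key_value)
        if inc is not None and inc.status != "Resolved":
            inc.detections.append(detection)      # existing incident for this value
            return inc
        if len(self.active_values(policy)) < CLUSTER_LIMIT:
            inc = bucket[key_value] = Incident(policy, key_value)
        else:
            # Limit reached: every further detection, whatever its key value,
            # lands in the one fallback incident until an active incident resolves.
            inc = bucket.setdefault(FALLBACK, Incident(policy, FALLBACK))
        inc.detections.append(detection)
        return inc

    def resolve(self, policy, key_value):
        self.incidents[policy][key_value].status = "Resolved"


class SequencedIncidentStore:
    """Caps open sequenced incidents per entity and sequence rule."""

    def __init__(self):
        self.incidents = defaultdict(list)   # (entity, rule) -> [Incident]
        self.limit_hits = 0                  # what the overview page reports

    def open_count(self, entity, rule):
        # Only "New" incidents count: In review or Resolved frees a slot.
        return sum(1 for inc in self.incidents[(entity, rule)] if inc.status == "New")

    def create(self, entity, rule):
        if self.open_count(entity, rule) >= SEQUENCE_LIMIT:
            self.limit_hits += 1
            return None                      # not created while the cap holds
        inc = Incident(rule, entity)
        self.incidents[(entity, rule)].append(inc)
        return inc


def simulate():
    """Run both stores on constructed input and return the observable outcomes."""
    policy = "Sensitive file uploaded"       # template named on the page
    store = ClusteredIncidentStore()
    for i in range(102):                     # 102 distinct domains, one detection each
        store.add_detection(policy, f"site{i}.example", f"det-{i}")
    fallback = store.incidents[policy][FALLBACK]
    store.resolve(policy, "site0.example")   # frees one of the 100 slots
    freed = store.add_detection(policy, "site102.example", "det-102")

    seq = SequencedIncidentStore()
    created = [seq.create("user:alice", "Exfil sequence") for _ in range(12)]
    seq.incidents[("user:alice", "Exfil sequence")][0].status = "In review"
    after_review = seq.create("user:alice", "Exfil sequence")
    return {
        "fallback_detections": len(fallback.detections),
        "active_after_resolve": len(store.active_values(policy)),
        "freed_slot_went_to_fallback": freed.subject == FALLBACK,
        "sequenced_created": sum(1 for c in created if c is not None),
        "sequence_limit_hits": seq.limit_hits,
        "created_after_review": after_review is not None,
    }


if __name__ == "__main__":
    print(simulate())
```

The model makes the operational point explicit: after the 100th domain, detections for the 101st and 102nd domains both land in the same fallback incident, and resolving any one of the first hundred immediately lets the next new domain get its own incident again. For sequenced incidents, moving a single incident to In review is enough to let the next one be created.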

How to view incidents
  1. In the FortiDLP Console, on the left-hand sidebar, click .
  2. Do one of the following:
    • To view incidents with a New or In review status, click and then turn the Hide resolved incidents toggle on.
    • To view incidents with a New, In review, or Resolved status, click and then turn the Hide resolved incidents toggle off.
  3. Optionally, do the following:
    • To display and/or modify the aggregations:
      1. On the top-right corner of the page, click Aggregations.
      2. Select different properties from the menus and/or change the Top 10 default. Top menu options show the most common values for a property and Bottom menu options show you the least common values.
    • To modify the table columns:
      • Click Columns and select/deselect the relevant checkboxes.
      • Change the Items/page default. You can show 10, 25, or 50 incidents on the page.
    • To filter the incidents using a search query:
      1. At the top of the page, click the search bar.
      2. Select a search property from the menu, or type a text string to search for a property and then select it (the panel displays matching properties as you type). For some properties, you can also use the time selector. See Incident search properties for more information.
      3. Select or type one of the following operators (the options shown are dependent on the property you chose):
        • = (equals).
        • != (does not equal).
        • in (in). For example, entering agent.country in ["United States", "United Kingdom"] returns incidents related to nodes that were last located in either the US or the UK.
        • !in (not in). For example, entering user.department !in [Finance, Sales] returns incidents related to nodes with associated users who are not from either the Finance or the Sales department.
        • < (less than).
        • <= (less than or equal to).
        • > (greater than).
        • >= (greater than or equal to).
      4. Type a search string. The search is case insensitive, but strings containing spaces must be wrapped in double quotes—for example, agent.country != "united states".
      5. Do one of the following:
        • To submit your query, press Enter or click Search now.
        • To add another filter:
          1. Click And and repeat the steps above.
          2. Press Enter or click Search now.
            Note

            Only AND logic is supported (not OR logic). However, you can use the in or !in operators to apply OR logic in relation to specific properties. For example, to search for nodes from either the United States or the United Kingdom, enter agent.country in ["United States", "United Kingdom"].

          3. The FortiDLP Console displays incidents matching your criteria.

    • To filter the incidents by a specific value on the page or view more information about a value, click the value and then click the relevant context box button. The following list summarizes the buttons that display:

      • Filters the current page for incidents with the same value.
      • Filters the current page for incidents without the value.
      • Copies a value to your clipboard.
      • Filters by a value within the Investigate module.
      • Filters by a value within the SaaS apps module's Inventory tab.
      • Displays more information about a value.
      • Displays a submenu containing the following options:
        • Filters by a value within the Users module.
        • Filters by a value within the Nodes module (if selected from a user's context box) or takes you to the Node profile page (if selected from a node's context box).
      • Opens a policy template configuration within the Policies module.
      • Filters by a value within Admin settings.
    • To view an incident's details page, select the incident’s table row.
      • Optionally, do the following:
        • To filter the incident time range:
          1. On the right side of the menu bar, click.
          2. In the From fields, type or select the detection start date and time.
          3. In the To fields, type or select the detection end date and time.
          4. Click Apply.
        • To view the related sequence rule or policy configuration, in either the Sequence rule or Created by policy panel, click .
        • To view previously resolved clustered incidents formed by the same cluster data, in the Associated incidents panel, click.
        • To show/hide sections of the page, click Page view and then select/deselect the relevant checkboxes.
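The search syntax in step 3 above (property, operator, value; `in`/`!in` lists; case-insensitive matching; quoted strings for values with spaces; AND-only combination) is compact enough to model, and doing so shows exactly which incidents a given filter will and will not return. The following Python evaluator is an added example, not FortiDLP code and not its published grammar: it assumes that filters joined with the And button appear in text as the keyword `and`, that a missing property never matches, and that `<`/`>` comparisons are numeric. The sample incident records, their property names other than `agent.country` and `user.department`, and all function names are constructed.

```python
"""Evaluator for the incident search syntax described on this page.

Added example, not FortiDLP code. Assumed grammar, modelled on the page's examples:
  query  := clause ( and clause )*         AND-only, as the page states
  clause := property operator value
  value  := "quoted string" | bareword | [ value, value, ... ]   (lists for in / !in)
"""
import re

_TOKEN = re.compile(r'''\s*(?:
    (?P<str>"[^"]*")
  | (?P<op>!in\b|in\b|!=|<=|>=|=|<|>)
  | (?P<punct>[\[\],])
  | (?P<word>[^\s\[\],"=!<>]+)
)''', re.X)


def tokenize(query):
    """Split a query into (kind, text) tokens; quotes are stripped from strings."""
    tokens, pos = [], 0
    while pos < len(query):
        m = _TOKEN.match(query, pos)
        if m is None:
            if query[pos:].strip():
                raise ValueError(f"cannot tokenize: {query[pos:]!r}")
            break
        kind, text = m.lastgroup, m.group(m.lastgroup)
        tokens.append((kind, text[1:-1] if kind == "str" else text))
        pos = m.end()
    return tokens


def parse(query):
    """Return (property, operator, value) clauses; value is a list for in / !in."""
    tokens, clauses, i = tokenize(query), [], 0
    while i < len(tokens):
        if clauses:   # every clause after the first must be joined by And
            if tokens[i][0] != "word" or tokens[i][1].lower() != "and":
                raise ValueError("filters can only be combined with And")
            i += 1
        if i + 2 >= len(tokens) or tokens[i][0] != "word" or tokens[i + 1][0] != "op":
            raise ValueError("expected: property operator value")
        prop, op, i = tokens[i][1], tokens[i + 1][1], i + 2
        if op in ("in", "!in"):
            if tokens[i] != ("punct", "["):
                raise ValueError(f"{op} needs a [...] list")
            values, i = [], i + 1
            while i < len(tokens) and tokens[i] != ("punct", "]"):
                kind, text = tokens[i]
                if kind in ("str", "word"):
                    values.append(text)
                elif tokens[i] != ("punct", ","):
                    raise ValueError("bad list item")
                i += 1
            if i == len(tokens):
                raise ValueError("unterminated list")
            clauses.append((prop, op, values))
        else:
            if tokens[i][0] not in ("str", "word"):
                raise ValueError("expected a value")
            clauses.append((prop, op, tokens[i][1]))
        i += 1
    return clauses


def _lookup(record, prop):
    """Resolve a dotted property such as agent.country inside a nested dict."""
    cur = record
    for part in prop.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _norm(value):
    """Numbers compare numerically; everything else case-insensitively."""
    if isinstance(value, (int, float)):
        return float(value)
    try:
        return float(value)
    except ValueError:
        return str(value).lower()


def _holds(actual, op, expected):
    if actual is None:            # assumption: a missing property never matches
        return False
    a = _norm(actual)
    if op in ("in", "!in"):
        hit = a in {_norm(e) for e in expected}
        return hit if op == "in" else not hit
    e = _norm(expected)
    if op == "=":
        return a == e
    if op == "!=":
        return a != e
    if type(a) is not type(e):    # ordering only between two numbers or two strings
        return False
    return {"<": a < e, "<=": a <= e, ">": a > e, ">=": a >= e}[op]


def search(incidents, query):
    clauses = parse(query)
    return [inc for inc in incidents
            if all(_holds(_lookup(inc, p), op, v) for p, op, v in clauses)]


def is_valid_query(query):
    try:
        parse(query)
        return True
    except ValueError:
        return False


# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "type": "clustered", "status": "New", "detection_count": 12,
     "agent": {"country": "United States"}, "user": {"department": "Finance"}},
    {"id": "INC-2", "type": "sequenced", "status": "In review", "detection_count": 3,
     "agent": {"country": "United Kingdom"}, "user": {"department": "Engineering"}},
    {"id": "INC-3", "type": "clustered", "status": "Resolved", "detection_count": 40,
     "agent": {"country": "Germany"}, "user": {"department": "Sales"}},
]


def search_ids(query, incidents=SAMPLE_INCIDENTS):
    return [inc["id"] for inc in search(incidents, query)]
```

Running the page's own examples through `search_ids` shows the OR-within-a-property trick working (`agent.country in ["United States", "United Kingdom"]` returns INC-1 and INC-2) while a query that tries to join two clauses with `Or` is rejected at parse time, which matches the note that only AND logic is supported.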