Investigate search properties
You can use the following properties to create custom search queries within the Investigate module.
| Property | Format | Description |
|---|---|---|
| Action properties | ||
| action | String | The action taken by the Agent. |
| action_group | String | The action's group identifier. |
| action_uuid | String | The unique identifier assigned by the Agent to the action event. |
| agent_uuid | String | The unique identifier of the FortiDLP node on which the action was initiated. |
| block_download.browser_name | String | The name of the browser that was used when a download was blocked. |
| block_email.attachment_file_path | String | The file path to an attachment on the sender's device where an email was blocked. |
| block_email.recipient | String | The intended recipient of an email which was blocked. |
| block_email.subject | String | The subject line of an email which was blocked. |
| block_upload.browser_name | String | The name of a browser that was used when an upload was blocked. |
| block_upload.file_name | String | The name of a file for which a browser upload was blocked. |
| block_upload.url | String | The URL to which a browser upload was blocked. |
| block_usb_device.usb_session_uuid | String | The identifier of a USB device session which was blocked. |
| block_usb_device.product_id | String | The product ID of a USB device that was blocked. |
| block_usb_device.serial_number | String | The serial number of a USB device that was blocked. |
| block_usb_device.vendor_id | String | The vendor ID of a USB device that was blocked. |
| block_usb_transfer.final_location | String | The final path to a file that was blocked from being transferred to a USB storage device. |
| block_usb_transfer.process_name | String | The binary name of a process that was executed where a USB transfer was blocked. |
| block_usb_transfer.target_path | String | The intended path on a USB storage device for a file that was blocked from being transferred. |
| created_by | String | The unique identifier of the operator or policy that initiated an action. |
| debug_bundle_mode | String | The mode for requesting a debug bundle, such as basic or verbose. Requires Agent 11.0.1+. |
| empty_clipboard.clipboard_name | String | The name of the clipboard that was cleared by an empty clipboard action. Requires Agent 11.0.1+. |
| empty_clipboard.session_username | String | The username of the session during which an empty clipboard action was executed. Requires Agent 11.0.1+. |
| error_message | String | The error occurring during the execution of an action. Requires Agent 11.0.1+. |
| labels | String | The identifier of a label associated with an action event, derived from the associated user and/or node. |
| message.acknowledge_enabled | Boolean | For display message actions, the presence of an acknowledgment checkbox in a message. Select true to search for messages that contain an acknowledgment checkbox or false to search for messages that did not. Requires Agent 11.0.1+. |
| message.acknowledged | Boolean | For display message actions containing an acknowledgment checkbox, whether the checkbox has been selected. Select true to search for messages where the checkbox was selected or false to search for messages where it was not. Requires Agent 11.0.1+. |
| message.response_enabled | Boolean | For display message actions, the presence of a text box in a message for a user response. Select true to search for messages that contained a text box for a user response or false to search for messages that did not. Requires Agent 11.0.1+. |
| message.response_mandatory | Boolean | For display message actions, the presence of a mandatory text box in a message in which the user must provide a response. Select true to search for messages that contained a mandatory text box or false to search for messages that did not. Requires Agent 11.0.1+. |
| message.response_message | String | For display message actions, the response provided by the user into a displayed text box. Requires Agent 11.0.1+. |
| message.session_username | String | The username of the session during which a display message action was executed. Requires Agent 11.0.1+. |
| message.url_clicked | Boolean | For display message actions containing a URL, whether the link was clicked. Select true to search for messages where the link was clicked or false to search for messages where it was not. Requires Agent 11.0.1+. |
| message.url_mandatory | Boolean | For display message actions, the presence of a mandatory URL in a message that the user must click. Select true to search for messages that contained a mandatory URL or false to search for messages that did not. Requires Agent 11.0.1+. |
| performance_report.mode | String | The mode for requesting a performance report, such as standard or advanced. Requires Agent 11.0.1+. |
| reboot.force | Boolean | For reboot actions, the type of reboot that was performed. Select true to search for a forced reboot or false to search for a standard reboot. Requires Agent 11.0.1+. |
| result | String | The action result. Requires Agent 11.0.1+. |
| screenshot.session_username | String | The username of the session during which a take screenshot action was executed. Requires Agent 11.0.1+. |
| status | String | The action status, such as executed. Requires Agents earlier than 11.0.1. |
| trigger_uuid | String | The unique identifier of the trigger (policy or operator) resulting in one or more actions being executed. Requires Agent 11.0.1+. |
| user_uuid | String | The unique identifier of the FortiDLP user associated with the node on which the action was initiated. |
| Application properties | ||
| agent_uuid | String | The unique identifier of the FortiDLP node that the application event occurred on. |
| application_binary | String | The application binary name. |
| application_window_title | String | The application name displayed in the window title bar. |
| labels | String | The identifier of a label associated with an application event, derived from the associated user and/or node. |
| process_uuid | String | The identifier for the process that executed an application. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the application event. |
| username | String | The username used to access an application. |
| Browser properties | ||
| account | String | The username used to log in to the account. |
| account.domain | String | If the account username is an email address, the domain of the email address. |
| account.username | String | If the account username is an email address, the username of the email address. |
| agent_uuid | String | The unique identifier of the FortiDLP node that the browser event occurred on. |
| browser | String | The name of the browser that was used. |
| saas_apps.application_id | Integer | The SaaS app unique identifier. |
| saas_apps.category | String | The SaaS app category. |
| saas_apps.name | String | The SaaS app name. |
| saas_apps.risk_score | Integer | The SaaS app risk score. |
| saas_apps.verdict | String | The SaaS app verdict. |
| download_danger | String | The browser tag indicating the danger of a download request. |
| event_type | String | The browser event type, such as download. |
| file_extension | String | The file extension of an uploaded or downloaded file. |
| file_name | String | The name of an uploaded or downloaded file. |
| file_path | String | The file path to an uploaded or downloaded file. |
| final_url | String | The browser request's final URL. |
| final_url_hostname | String | The hostname of the browser request's final URL. |
| final_url_path | String | The file path of the browser request's final URL. |
| final_url_port | Integer | The port of the browser request's final URL. |
| labels | String | The identifier of a label associated with a browser event, derived from the associated user and/or node. |
| login_account_type | String | Whether the account logged in to was corporate or non-corporate. |
| login_protocol | String | The protocol used to log in. |
| login_provider | String | The provider used to log in. |
| mime_type | String | The media type of an uploaded or downloaded file. |
| navigation_transition_type | String | The method used to navigate to a web page. |
| private_session | Boolean | The browser session type, such as private. Select true to search for private sessions or false to search for regular sessions. |
| tab_url | String | The URL of the tab that is open when a request is made. This will vary from the URL when navigating inside a frame or when downloading a file. |
| tab_url_hostname | String | The hostname of the tab URL. |
| tab_url_path | String | The tab URL path. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path. |
| tab_url_port | Integer | The port number of the tab URL request. |
| url | String | The URL of the request. |
| url_hostname | String | The hostname of the URL. |
| url_path | String | The URL path. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path. |
| url_port | Integer | The port number of the URL request. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the browser event. |
| Detection properties | ||
| account_name | String | The account name or username, such as an account name associated with a failed login attempt which breached a policy. |
| agent_uuid | String | The unique identifier of the FortiDLP node that the detection occurred on. |
| application_name | String | The binary name or friendly name of an application. |
| certificate_name | String | The root certificate subject name, such as the subject name of a newly installed root certificate. |
| created_by | String | The detection's source, such as the name of a violated policy. |
| description | String | The detection's description. |
| detection_type | String list | The detection's trigger, such as a policy breach or Agent offline rule. |
| dst_ip | String | The destination IP address. |
| dst_port | Integer | The destination port number. |
| file_name | String | The filename, such as Business_Proposal.pdf. |
| file_path | String | The file path, such as C:\Users\Amy\Documents\Business_Proposal.pdf. |
| file_size | String | The file size, measured in bytes. |
| host | String | The hostname URL. |
| indicators | String list | The MITRE ATT&CK indicators (tactic, technique, and sub-technique) applied to a detection. |
| inspection_pattern | String | The content inspection pattern name or custom content inspection pattern value ("[a-z]{3}.*"). |
| labels | String | The identifier of a label associated with a detection event, derived from the associated user and/or node. |
| mime_type | String | The file MIME type. |
| origin.browser.saas_app.application_id | Integer | For origin-aware detections, the identifier of the SaaS app that was used to download the initial file. |
| origin.browser.saas_app.category | String | For origin-aware detections, the category of the SaaS app that was used to download the initial file. |
| origin.browser.saas_app.name | String | For origin-aware detections, the name of the SaaS app that was used to download the initial file. |
| origin.browser.saas_app.risk_score | Integer | For origin-aware detections, the risk score assigned to the SaaS app that was used to download the initial file. |
| origin.browser.saas_app.verdict | String | For origin-aware detections, the verdict assigned to the SaaS app that was used to download the initial file. |
| origin.browser.tab_account_name | String | For origin-aware detections, the login account name that was used to download the initial file, such as amy.smith@company.com. |
| origin.browser.tab_title | String | For origin-aware detections, the title of the browser tab that was open when the initial file downloaded, such as Sales - Google Drive. |
| origin.browser.tab_url | String | For origin-aware detections, the URL of the website from which the initial file was downloaded. |
| origin.browser.tab_url.hostname | String | For origin-aware detections, the hostname of the website from which the initial file was downloaded. |
| origin.browser.tab_url.path | String | For origin-aware detections, the path of the URL shown on the tab when the initial file was downloaded. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path. |
| origin.browser.tab_url.port | Integer | For origin-aware detections, the port number of the tab URL request when the initial file was downloaded. |
| origin.browser.url | String | For origin-aware detections, the initial file's origin URL. |
| origin.browser.url.hostname | String | For origin-aware detections, the initial file's origin website hostname. |
| origin.browser.url.path | String | For origin-aware detections, the path of the URL of the download request for the initial file. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path. |
| origin.browser.url.port | Integer | For origin-aware detections, the port number of the URL request when the initial file was downloaded. |
| origin.file_ext | String | For origin-aware detections, the extension of the initial file when it was downloaded from its origin website/SaaS app. |
| origin.file_name | String | For origin-aware detections, the name of the initial file when it was downloaded from its origin website/SaaS app. |
| origin.file_path | String | For origin-aware detections, the path of the initial file on the user's computer after it was downloaded. |
| origin.has_lineages | Boolean | For origin-aware detections, whether or not the detection contains data lineage information. Select true to search for detections that have lineage information or false to search for detections that do not. |
| origin.id | String | For origin-aware detections, the unique identifier of the initial file that was downloaded. |
| origin.lineage_operations | String | For origin-aware detections, the operation performed on the initial file after it was downloaded from its origin website/SaaS app, such as rename or move. |
| printer_uuid | String | The unique identifier of the printer. |
| process_application_id | String | The application identifier, typically present on Windows and macOS. |
| process_binary_name | String | The process binary name. |
| process_binary_path | String | The binary path of the process relating to a detection, such as the binary path from which the process of a connection was executed. |
| process_signature_accepted | String | The validity of a process binary's digital signature. |
| process_username | String | The username attribute of the process relating to a detection, such as the username of a person who started a process or accessed a file using a process. |
| process_uuid | String | The unique identifier of a process. |
| recipient_email_address | String | The email recipient address. |
| requested_actions | String list | The Agent actions requested by a policy when a detection occurs. |
| saas_apps.application_id | Integer | The SaaS app unique identifier. |
| saas_apps.category | String | The SaaS app category. |
| saas_apps.name | String | The SaaS app name. |
| saas_apps.risk_score | Integer | The SaaS app risk score. |
| saas_apps.verdict | String | The SaaS app verdict. |
| score | Integer | The detection's severity score. |
| sender_email_address | String | The email sender address. |
| src_ip | String | The source IP address. |
| source_port | Integer | The source port number. |
| suppressed_actions | String list | The requested Agent actions that did not execute on the node due to rate limiting. |
| tags | String | The detection's tags, derived from the triggering policy. |
| target_file_name | String | The target filename, such as the name of a newly created compressed file. |
| target_file_path | String | The target file path, such as the path of a newly created compressed file. |
| url | String | The browser request URL. |
| url_classification | String | The URL's classification, if the URL classification feature is enabled. |
| usb_product_id | String | The USB device product ID. |
| usb_serial_number | String | The USB device serial number. |
| usb_vendor_id | String | The USB device vendor ID. |
| user_uuid | String | The identifier for a user relating to a detection, such as the ID of a user who breached a policy. |
| wifi_bssid | String | The Wi-Fi network BSSID. |
| wifi_ssid | String | The Wi-Fi network SSID. |
| window_title | String | The application window title name. |
| File access properties | ||
| action | String | The action performed on a file, such as open. |
| agent_uuid | String | The unique identifier of the FortiDLP node that the detection occurred on. |
| deleted_timestamp | Timestamp | For file deletes. The timestamp recorded when the file was deleted. |
| file_directory_count.accessed | Integer | For directory actions. The number of files accessed within a directory. |
| file_directory_count.deleted | Integer | For directory actions. The number of files deleted within a directory. |
| file_directory_count.modified | Integer | For directory actions. The number of files modified within a directory. |
| file_extension | String | The extension of a file that was accessed. |
| file_name | String | The name of a file that was accessed. |
| file_path | String | The path of a file that was accessed. |
| labels | String | The identifier of a label associated with a file access event, derived from the associated user and/or node. |
| process_application_id | String | The application identifier, typically present on Windows and macOS. |
| process_binary_name | String | The process binary name. |
| process_signature_accepted | Boolean | The validity of a process binary's digital signature. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures. |
| process_username | String | The username of the person who started the process. |
| process_uuid | String | The identifier assigned by the FortiDLP Agent to the process that accessed the file. |
| usb_session_uuid | String | The USB session ID, if filtering for a file on a USB drive. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the file access event. |
| Google Drive properties | ||
| affected_drive_label | String | The Google Drive label that was added to or removed from the file. |
| affected_drive_label_field | String | The Google Drive label field that was changed. |
| event_type | String | The type of event, such as downloaded. |
| file_id | String | The Google Drive file identifier. |
| file_name | String | The name of the file. |
| file_owner_type | String | The type of file owner. |
| file_owner_username | String | The username of the file owner. |
| file_type | String | The type of file. |
| juid | String | The unique identifier of the FortiDLP user who generated the event. |
| labels | String | The event's labels, derived from the associated user. |
| membership_change_type | String | The type of membership change, such as when a role is changed. |
| new_owner_juid | String | The FortiDLP user identifier of the new owner of a resource. |
| new_owner_type | String | The type of new owner of a resource. |
| new_publish_visibility | String | The new publish visibility of a resource, such as Public, Domain, or Nobody. |
| new_value | String | The new value, such as the new membership role when a membership is changed. |
| old_publish_visibility | String | The old publish visibility of a resource, such as Public, Domain, or Nobody. |
| old_value | String | The old value, such as the old membership role when a membership is changed. |
| old_visibility | String | The old visibility of a resource, such as Private or Public. |
| reason | String | The reason for the event. |
| target_juid | String | The FortiDLP user identifier of the event target, such as the identifier of the user that had their sharing permissions modified. |
| target_username | String | The username of the event target, such as the username of the user that had their sharing permissions modified. |
| username | String | The username of the user that performed the action. |
| visibility | String | The visibility of the file, such as Private or Public. |
| visibility_change | String | The type of visibility change, such as Internal. |
| Login properties | ||
| agent_uuid | String | The unique identifier of the FortiDLP node that the login event occurred on. |
| event_type | String | The login type, such as login_success, login_failure, or logout. |
| is_remote | Boolean | Select true to search for remote logins or false to search for local logins. |
| login_username | String | The username used to log in to a device. |
| labels | String | The identifier of a label associated with a login event, derived from the associated user and/or node. |
| remote_ip | String | For remote logins. The IP address of the remote machine to which a connection is made. |
| remote_ip_city | String | For remote logins. The city location of a remote machine that is connected to. |
| remote_ip_country | String | For remote logins. The country location of a remote machine that is connected to. |
| remote_ip_country_code | String | For remote logins. The country code that corresponds to the country location of a remote machine that is connected to. |
| user_id | String | Either the SID on Windows or the user ID on Unix-based systems. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the login event. |
| Network connection properties | ||
| bytes_received | Integer | The number of bytes received during the lifetime of the connection. |
| bytes_sent | Integer | The number of bytes sent during the lifetime of the connection. |
| connection_uuid | String | The unique identifier assigned by the Agent to the connection. |
| dst_agent_uuid | String | The identifier for an Agent associated with an inbound connection. |
| dst_city | String | For remote logins. The city where an inbound connection was received. |
| dst_country | String | For remote logins. The country where an inbound connection was received. |
| dst_country_code | String | For remote logins. The country code of the country where an inbound connection was received. |
| dst_host | String | For remote logins. The hostname of the machine that was connected to during an inbound connection. |
| dst_ip | String | The IP address for an inbound connection, in CIDR notation. |
| dst_port | Integer | The port number for an inbound connection. |
| dst_process_application_id | String | The application identifier for an inbound connection, typically present on Windows and macOS. |
| dst_process_binary_path | String | The process name for an inbound connection. |
| dst_process_username | String | The username of the person who started the process for an inbound connection. |
| dst_process_uuid | String | The identifier assigned by the FortiDLP Agent to the process that made an inbound connection. |
| dst_user | String | The identifier for a user associated with an inbound connection. |
| labels | String | The identifier of a label associated with a connection event, derived from the associated user and/or node. |
| src_agent_uuid | String | The unique identifier for a FortiDLP Agent associated with an outbound connection. |
| src_city | String | For remote logins. The city where an outbound connection was sent from. |
| src_country | String | For remote logins. The country where an outbound connection was sent from. |
| src_country_code | String | For remote logins. The country code of the country where an outbound connection was sent from. |
| src_ip | String | The IP address for an outbound connection in CIDR notation. |
| src_port | Integer | The port number for an outbound connection. |
| src_process_application_identifier | String | The application identifier for an outbound connection, typically present on Windows and macOS. |
| src_process_binary_name | String | The process name for an outbound connection. |
| src_process_binary_path | String | The binary path from which the process for an outbound connection was executed. |
| src_process_signature_accepted | Boolean | The validity of a process binary's digital signature for an outbound connection. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures. |
| src_process_username | String | The username of the person who started the process for an outbound connection. |
| src_process_uuid | String | The identifier assigned by the FortiDLP Agent to the process that made an outbound connection. |
| src_user | String | The unique identifier for a user associated with an outbound connection. |
| Print properties | ||
| agent_uuid | String | The unique identifier of the FortiDLP node that the print event occurred on. |
| binary_name | String | The binary name of the process which created the print job. |
| binary_path | String | The binary path from which the print job process was executed. |
| document_name | String | The print job name, such as the document name or web page title. |
| job_size | Integer | The number of bytes printed. |
| labels | String | The identifier of a label associated with a print event, derived from the associated user and/or node. |
| number_of_pages | Integer | The number of pages printed. |
| output_file_path | String | The location of a file that was printed via print to PDF on Windows. This is not always available. |
| printer_address | String | The IP address of the printer, including the network port. |
| printer_hostname | String | The hostname of a print server, indicating its location. For example, print.example.net. |
| printer_name | String | The printer name. |
| printer_port | String | The printer port. On macOS and Linux, this is typically the printer's URI. |
| printer_uuid | String | The unique identifier of the printer. |
| process_application_id | String | The print application identifier. |
| process_signature_accepted | String | The validity of the process binary's digital signature. |
| process_username | String | The username that was used to print a document. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the print event. |
| Process start properties | ||
| agent_uuid | String | The unique identifier of the FortiDLP node that the process event occurred on. |
| child_process_info_application_id | String | The application identifier, typically present on Windows and macOS. |
| child_process_binary_hash | String | The subprocess SHA256 hash. |
| child_process_binary_hash_md5 | String | The subprocess MD5 hash. |
| child_process_binary_name | String | The subprocess name. |
| child_process_binary_path | String | The binary path from which the subprocess was executed. |
| child_process_binary_sha1 | String | The subprocess SHA1 hash. |
| child_process_called_path | String | The command line used to initiate the subprocess. |
| child_process_pid | String | The subprocess identifier assigned by the OS. |
| child_process_signature_accepted | Boolean | The validity of a subprocess binary's digital signature. Select true to search for subprocesses with valid digital signatures or false to search for subprocesses with invalid digital signatures. |
| child_process_signature_present | Boolean | The presence of a subprocess binary's digital signature. Select true to search for subprocesses with digital signatures or false to search for subprocesses without digital signatures. |
| child_process_signature_signers | String | The subject of the digital signature in the chain. When filtering by this property, you can match any subject in the chain. |
| child_process_uid | String | Either the SID on Windows or the user ID on Unix-based systems for the subprocess. |
| child_process_username | String | The username of the person who started the subprocess. |
| child_process_uuid | String | The subprocess identifier assigned by the Agent. |
| labels | String | The identifier of a label associated with a process event, derived from the associated user and/or node. |
| process_application_identifier | String | The application identifier, typically present on Windows and macOS. |
| process_binary_name | String | The process name. |
| process_binary_path | String | The binary path from which the process was executed. |
| process_signature_accepted | Boolean | The validity of a process binary's digital signature. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures. |
| process_username | String | The username of the person who started the process. |
| process_uuid | String | The process identifier assigned by the Agent. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the process event. |
| SharePoint & OneDrive properties | ||
| client_app | String | The name of the application that was used. |
| event_type | String | The type of event, such as downloaded. |
| file_name | String | The file name. |
| file_type | String | The file type. |
| file_url | String | The file URL. |
| juid | String | The unique identifier of the FortiDLP user who generated the event. |
| labels | String | The event's labels, derived from the associated user. |
| new_value | String | The new value, such as the new filename of a renamed document. |
| old_value | String | The old value, such as the original filename of a renamed document. |
| platform | String | The platform of the device, such as Windows. |
| shared_link_type | String | The type of shared link, such as Internal. |
| shared_with_user_type | String | The type of user that a resource was shared with, such as External. |
| site_url | String | The URL of the site where the file is located. |
| target_juid | String | The FortiDLP user identifier of the event target, such as the identifier of the user that a resource was shared with. |
| target_username | String | The username of the event target, such as the username that a resource was shared with. |
| username | String | The username of the user that performed the event action. |
| USB device properties | ||
| agent_uuid | String | The unique identifier of the FortiDLP node that the USB event occurred on. |
| device_class | String | The USB device class code. |
| event_type | String | The USB event type. |
| labels | String | The identifier of a label associated with a USB event, derived from the associated user and/or node. |
| product_id | String | The USB device product ID. |
| serial_number | String | The USB device serial number. |
| usb_session_id | String | The identifier of the USB device session. |
| user_uuid | String | The unique identifier of the FortiDLP user who generated the USB event. |
| vendor_id | String | The USB device vendor ID. |
| Wi-Fi properties | ||
| agent_uuid | String | The unique identifier of the node that the Wi-Fi event occurred on. |
| bssid | String | The Wi-Fi network BSSID. |
| labels | String | The identifier of a label associated with a Wi-Fi event, derived from the associated user and/or node. |
| ssid | String | The Wi-Fi network SSID. |
| user_uuid | String | The unique identifier of the user who generated the Wi-Fi event. |