
FortiDLP Console User Guide

Investigate search properties

You can use the following properties to create custom search queries within the Investigate module.

Investigate search properties
Property Format Description
Action properties
action String The action taken by the Agent.
action_group String The action's group identifier.
action_uuid String The unique identifier assigned by the Agent to the action event.
agent_uuid String The unique identifier of the FortiDLP node on which the action was initiated.
block_download.browser_name String The name of the browser that was used when a download was blocked.
block_email.attachment_file_path String The file path to an attachment on the sender's device where an email was blocked.
block_email.recipient String The intended recipient of an email which was blocked.
block_email.subject String The subject line of an email which was blocked.
block_upload.browser_name String The name of a browser that was used when an upload was blocked.
block_upload.file_name String The name of a file for which a browser upload was blocked.
block_upload.url String The URL to which a browser upload was blocked.
block_usb_device.usb_session_uuid String The identifier of a USB device session which was blocked.
block_usb_device.product_id String The product ID of a USB device that was blocked.
block_usb_device.serial_number String The serial number of a USB device that was blocked.
block_usb_device.vendor_id String The vendor ID of a USB device that was blocked.
block_usb_transfer.final_location String The final path to a file that was blocked from being transferred to a USB storage device.
block_usb_transfer.process_name String The binary name of a process that was executed where a USB transfer was blocked.
block_usb_transfer.target_path String The intended path on a USB storage device for a file that was blocked from being transferred.
created_by String The unique identifier of the operator or policy that initiated an action.
debug_bundle_mode String The mode for requesting a debug bundle, such as basic or verbose. Requires Agent 11.0.1+.
empty_clipboard.clipboard_name String The name of the clipboard that was cleared by an empty clipboard action. Requires Agent 11.0.1+.
empty_clipboard.session_username String The username of the session during which an empty clipboard action was executed. Requires Agent 11.0.1+.
error_message String The error occurring during the execution of an action. Requires Agent 11.0.1+.
labels String The identifier of a label associated with an action event, derived from the associated user and/or node.
message.acknowledge_enabled Boolean For display message actions, the presence of an acknowledgment checkbox in a message. Select true to search for messages that contain an acknowledgment checkbox or false to search for messages that did not. Requires Agent 11.0.1+.
message.acknowledged Boolean For display message actions containing an acknowledgment checkbox, whether the checkbox has been selected. Select true to search for messages where the checkbox was selected or false to search for messages where it was not. Requires Agent 11.0.1+.
message.response_enabled Boolean For display message actions, the presence of a text box in a message for a user response. Select true to search for messages that contained a text box for a user response or false to search for messages that did not. Requires Agent 11.0.1+.
message.response_mandatory Boolean For display message actions, the presence of a mandatory text box in a message in which the user must provide a response. Select true to search for messages that contained a mandatory text box or false to search for messages that did not. Requires Agent 11.0.1+.
message.response_message String For display message actions, the response provided by the user into a displayed text box. Requires Agent 11.0.1+.
message.session_username String The username of the session during which a display message action was executed. Requires Agent 11.0.1+.
message.url_clicked Boolean For display message actions containing a URL, whether the link was clicked. Select true to search for messages where the link was clicked or false to search for messages where it was not. Requires Agent 11.0.1+.
message.url_mandatory Boolean For display message actions, the presence of a mandatory URL in a message that the user must click. Select true to search for messages that contained a mandatory URL or false to search for messages that did not. Requires Agent 11.0.1+.
performance_report.mode String The mode for requesting a performance report, such as standard or advanced. Requires Agent 11.0.1+.
reboot.force Boolean For reboot actions, the type of reboot that was performed. Select true to search for a forced reboot or false to search for a standard reboot. Requires Agent 11.0.1+.
result String The action result. Requires Agent 11.0.1+.
screenshot.session_username String The username of the session during which a take screenshot action was executed. Requires Agent 11.0.1+.
status String The action status, such as executed. Requires Agents earlier than 11.0.1.
trigger_uuid String The unique identifier of the trigger (policy or operator) resulting in one or more actions being executed. Requires Agent 11.0.1+.
user_uuid String The unique identifier of the FortiDLP user associated with the node on which the action was initiated.
Application properties
agent_uuid String The unique identifier of the FortiDLP node that the application event occurred on.
application_binary String The application binary name.
application_window_title String The application name displayed in the window title bar.
labels String The identifier of a label associated with an application event, derived from the associated user and/or node.
process_uuid String The identifier for the process that executed an application.
user_uuid String The unique identifier of the FortiDLP user who generated the application event.
username String The username used to access an application.
Browser properties
account String The username used to log in to the account.
account.domain String If the account username is an email address, the domain of the email address.
account.username String If the account username is an email address, the username of the email address.
agent_uuid String The unique identifier of the FortiDLP node that the browser event occurred on.
browser String The name of the browser that was used.
saas_apps.application_id Integer The SaaS app unique identifier.
saas_apps.category String The SaaS app category.
saas_apps.name String The SaaS app name.
saas_apps.risk_score Integer The SaaS app risk score.
saas_apps.verdict String The SaaS app verdict.
download_danger String The browser tag indicating the danger of a download request.
event_type String The browser event type, such as download.
file_extension String The file extension of an uploaded or downloaded file.
file_name String The name of an uploaded or downloaded file.
file_path String The file path to an uploaded or downloaded file.
final_url String The browser request's final URL.
final_url_hostname String The hostname of the browser request's final URL.
final_url_path String The file path of the browser request's final URL.
final_url_port Integer The port of the browser request's final URL.
labels String The identifier of a label associated with a browser event, derived from the associated user and/or node.
login_account_type String Whether the account logged in to was corporate or non-corporate.
login_protocol String The protocol used to log in.
login_provider String The provider used to log in.
mime_type String The media type of an uploaded or downloaded file.
navigation_transition_type String The method used to navigate to a web page.
private_session Boolean The browser session type, such as private. Select true to search for private sessions or false to search for regular sessions.
tab_url String The URL of the tab that is open when a request is made. This will vary from the URL when navigating inside a frame or when downloading a file.
tab_url_hostname String The hostname of the tab URL.
tab_url_path String The tab URL path. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
tab_url_port Integer The port number of the tab URL request.
url String The URL of the request.
url_hostname String The hostname of the URL.
url_path String The URL path. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
url_port Integer The port number of the URL request.
user_uuid String The unique identifier of the FortiDLP user who generated the browser event.
Detection properties
account_name String The account name or username, such as an account name associated with a failed login attempt which breached a policy.
agent_uuid String The unique identifier of the FortiDLP node that the detection occurred on.
application_name String The binary name or friendly name of an application.
certificate_name String The root certificate subject name, such as the subject name of a newly installed root certificate.
created_by String The detection's source, such as the name of a violated policy.
description String The detection's description.
detection_type String list The detection's trigger, such as a policy breach or Agent offline rule.
dst_ip String The destination IP address.
dst_port Integer The destination port number.
file_name String The filename, such as Business_Proposal.pdf.
file_path String The file path, such as C:\Users\Amy\Documents\Business_Proposal.pdf.
file_size String The file size, measured in bytes.
host String The hostname URL.
indicators String list The MITRE ATT&CK indicators (tactic, technique, and sub-technique) applied to a detection.
inspection_pattern String The content inspection pattern name, or the value of a custom content inspection pattern, such as "[a-z]{3}.*".
labels String The identifier of a label associated with a detection event, derived from the associated user and/or node.
mime_type String The file MIME type.
origin.browser.saas_app.application_id Integer For origin-aware detections, the identifier of the SaaS app that was used to download the initial file.
origin.browser.saas_app.category String For origin-aware detections, the category of the SaaS app that was used to download the initial file.
origin.browser.saas_app.name String For origin-aware detections, the name of the SaaS app that was used to download the initial file.
origin.browser.saas_app.risk_score Integer For origin-aware detections, the risk score assigned to the SaaS app that was used to download the initial file.
origin.browser.saas_app.verdict String For origin-aware detections, the verdict assigned to the SaaS app that was used to download the initial file.
origin.browser.tab_account_name String For origin-aware detections, the login account name that was used to download the initial file, such as amy.smith@company.com.
origin.browser.tab_title String For origin-aware detections, the title of the browser tab that was open when the initial file downloaded, such as Sales - Google Drive.
origin.browser.tab_url String For origin-aware detections, the URL of the website from which the initial file was downloaded.
origin.browser.tab_url.hostname String For origin-aware detections, the hostname of the website from which the initial file was downloaded.
origin.browser.tab_url.path String For origin-aware detections, the path of the URL shown on the tab when the initial file was downloaded. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
origin.browser.tab_url.port Integer For origin-aware detections, the port number of the tab URL request when the initial file was downloaded.
origin.browser.url String For origin-aware detections, the initial file's origin URL.
origin.browser.url.hostname String For origin-aware detections, the initial file's origin website hostname.
origin.browser.url.path String For origin-aware detections, the path of the download request URL for the initial file. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
origin.browser.url.port Integer For origin-aware detections, the port number of the URL request when the initial file was downloaded.
origin.file_ext String For origin-aware detections, the extension of the initial file when it was downloaded from its origin website/SaaS app.
origin.file_name String For origin-aware detections, the name of the initial file when it was downloaded from its origin website/SaaS app.
origin.file_path String For origin-aware detections, the path of the initial file on the user's computer after it was downloaded.
origin.has_lineages Boolean For origin-aware detections, whether or not the detection contains data lineage information. Select true to search for detections that have lineage information or false to search for detections that do not.
origin.id String For origin-aware detections, the unique identifier of the initial file that was downloaded.
origin.lineage_operations String For origin-aware detections, the operation performed on the initial file after it was downloaded from its origin website/SaaS app, such as rename or move.
printer_uuid String The unique identifier of the printer.
process_application_id String The application identifier, typically present on Windows and macOS.
process_binary_name String The process binary name.
process_binary_path String The binary path of the process relating to a detection, such as the binary path from which the process of a connection was executed.
process_signature_accepted String The validity of a process binary's digital signature.
process_username String The username attribute of the process relating to a detection, such as the username of a person who started a process or accessed a file using a process.
process_uuid String The unique identifier of a process.
recipient_email_address String The email recipient address.
requested_actions String list The Agent actions requested by a policy when a detection occurs.
saas_apps.application_id Integer The SaaS app unique identifier.
saas_apps.category String The SaaS app category.
saas_apps.name String The SaaS app name.
saas_apps.risk_score Integer The SaaS app risk score.
saas_apps.verdict String The SaaS app verdict.
score Integer The detection's severity score.
sender_email_address String The email sender address.
src_ip String The source IP address.
source_port Integer The source port number.
suppressed_actions String list The requested Agent actions that did not execute on the node due to rate limiting.
tags String The detection's tags, derived from the triggering policy.
target_file_name String The target filename, such as the name of a newly created compressed file.
target_file_path String The target file path, such as the path of a newly created compressed file.
url String The browser request URL.
url_classification String The URL's classification, if the URL classification feature is enabled.
usb_product_id String The USB device product ID.
usb_serial_number String The USB device serial number.
usb_vendor_id String The USB device vendor ID.
user_uuid String The identifier for a user relating to a detection, such as the ID of a user who breached a policy.
wifi_bssid String The Wi-Fi network BSSID.
wifi_ssid String The Wi-Fi network SSID.
window_title String The application window title name.
File access properties
action String The action performed on a file, such as open.
agent_uuid String The unique identifier of the FortiDLP node that the detection occurred on.
deleted_timestamp Timestamp For file deletes. The timestamp recorded when the file was deleted.
file_directory_count.accessed Integer For directory actions. The number of files accessed within a directory.
file_directory_count.deleted Integer For directory actions. The number of files deleted within a directory.
file_directory_count.modified Integer For directory actions. The number of files modified within a directory.
file_extension String The extension of a file that was accessed.
file_name String The name of a file that was accessed.
file_path String The path of a file that was accessed.
labels String The identifier of a label associated with a file access event, derived from the associated user and/or node.
process_application_id String The application identifier, typically present on Windows and macOS.
process_binary_name String The process binary name.
process_signature_accepted Boolean The validity of a process binary's digital signature. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures.
process_username String The username of the person who started the process.
process_uuid String The identifier assigned by the FortiDLP Agent to the process that accessed the file.
usb_session_uuid String The USB session ID, if filtering for a file on a USB drive.
user_uuid String The unique identifier of the FortiDLP user who generated the file access event.
Google Drive properties
affected_drive_label String The Google Drive label that was added to or removed from the file.
affected_drive_label_field String The Google Drive label field that was changed.
event_type String The type of event, such as downloaded.
file_id String The Google Drive file identifier.
file_name String The name of the file.
file_owner_type String The type of file owner.
file_owner_username String The username of the file owner.
file_type String The type of file.
juid String The unique identifier of the FortiDLP user who generated the event.
labels String The event's labels, derived from the associated user.
membership_change_type String The type of membership change, such as when a role is changed.
new_owner_juid String The FortiDLP user identifier of the new owner of a resource.
new_owner_type String The type of new owner of a resource.
new_publish_visibility String The new publish visibility of a resource, such as Public, Domain, or Nobody.
new_value String The new value, such as the new membership role when a membership is changed.
old_publish_visibility String The old publish visibility of a resource, such as Public, Domain, or Nobody.
old_value String The old value, such as the old membership role when a membership is changed.
old_visibility String The old visibility of a resource, such as Private or Public.
reason String The reason for the event.
target_juid String The FortiDLP user identifier of the event target, such as the identifier of the user that had their sharing permissions modified.
target_username String The username of the event target, such as the username of the user that had their sharing permissions modified.
username String The username of the user that performed the action.
visibility String The visibility of the file, such as Private or Public.
visibility_change String The type of visibility change, such as Internal.
Login properties
agent_uuid String The unique identifier of the FortiDLP node that the detection occurred on.
event_type String The login type, such as login_success, login_failure, or logout.
is_remote Boolean Select true to search for remote logins or false to search for local logins.
login_username String The username used to log in to a device.
labels String The identifier of a label associated with a login event, derived from the associated user and/or node.
remote_ip String For remote logins. The IP address of the remote machine to which a connection is made.
remote_ip_city String For remote logins. The city location of a remote machine that is connected to.
remote_ip_country String For remote logins. The country location of a remote machine that is connected to.
remote_ip_country_code String For remote logins. The country code that corresponds to the country location of a remote machine that is connected to.
user_id String Either the SID on Windows or the user ID on Unix-based systems.
user_uuid String The unique identifier of the FortiDLP user who generated the login event.
Network connection properties
bytes_received Integer The number of bytes received during the lifetime of the connection.
bytes_sent Integer The number of bytes sent during the lifetime of the connection.
connection_uuid String The unique identifier assigned by the Agent to the connection.
dst_agent_uuid String The identifier for an Agent associated with an inbound connection.
dst_city String For remote logins. The city where an inbound connection was received.
dst_country String For remote logins. The country where an inbound connection was received.
dst_country_code String For remote logins. The country code of the country where an inbound connection was received.
dst_host String For remote logins. The hostname of the machine that was connected to during an inbound connection.
dst_ip String The IP address for an inbound connection, in CIDR notation.
dst_port Integer The port number for an inbound connection.
dst_process_application_id String The application identifier for an inbound connection, typically present on Windows and macOS.
dst_process_binary_path String The process name for an inbound connection.
dst_process_username String The username of the person who started the process for an inbound connection.
dst_process_uuid String The identifier assigned by the FortiDLP Agent to the process that made an inbound connection.
dst_user String The identifier for a user associated with an inbound connection.
labels String The identifier of a label associated with a connection event, derived from the associated user and/or node.
src_agent_uuid String The unique identifier for a FortiDLP Agent associated with an outbound connection.
src_city String For remote logins. The city where an outbound connection was sent from.
src_country String For remote logins. The country where an outbound connection was sent from.
src_country_code String For remote logins. The country code of the country where an outbound connection was sent from.
src_ip String The IP address for an outbound connection in CIDR notation.
src_port Integer The port number for an outbound connection.
src_process_application_identifier String The application identifier for an outbound connection, typically present on Windows and macOS.
src_process_binary_name String The process name for an outbound connection.
src_process_binary_path String The binary path from which the process for an outbound connection was executed.
src_process_signature_accepted Boolean The validity of a process binary's digital signature for an outbound connection. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures.
src_process_username String The username of the person who started the process for an outbound connection.
src_process_uuid String The identifier assigned by the FortiDLP Agent to the process that made an outbound connection.
src_user String The unique identifier for a user associated with an outbound connection.
Print properties
agent_uuid String The unique identifier of the FortiDLP node that the print event occurred on.
binary_name String The binary name of the process which created the print job.
binary_path String The binary path from which the print job process was executed.
document_name String The print job name, such as the document name or web page title.
job_size Integer The number of bytes printed.
labels String The identifier of a label associated with a print event, derived from the associated user and/or node.
number_of_pages Integer The number of pages printed.
output_file_path String The location of a file that was printed via print to PDF on Windows. This is not always available.
printer_address String The IP address of the printer. This includes the network port.
printer_hostname String The hostname of a print server, indicating its location. For example, print.example.net.
printer_name String The printer name.
printer_port String The printer port. On macOS and Linux, this is typically the printer's URI.
printer_uuid String The unique identifier of the printer.
process_application_id String The print application identifier.
process_signature_accepted String The validity of the process binary's digital signature.
process_username String The username that was used to print a document.
user_uuid String The unique identifier of the FortiDLP user who generated the print event.
Process start properties
agent_uuid String The unique identifier of the FortiDLP node that the process event occurred on.
child_process_info_application_id String The application identifier, typically present on Windows and macOS.
child_process_binary_hash String The subprocess SHA256 hash.
child_process_binary_hash_md5 String The subprocess MD5 hash.
child_process_binary_name String The subprocess name.
child_process_binary_path String The binary path from which the subprocess was executed.
child_process_binary_sha1 String The subprocess SHA1 hash.
child_process_called_path String The command line used to initiate the subprocess.
child_process_pid String The subprocess identifier assigned by the OS.
child_process_signature_accepted Boolean The validity of a subprocess binary's digital signature. Select true to search for subprocesses with valid digital signatures or false to search for subprocesses with invalid digital signatures.
child_process_signature_present Boolean The presence of a subprocess binary's digital signature. Select true to search for subprocesses with digital signatures or false to search for subprocesses without digital signatures.
child_process_signature_signers String The subject of the digital signature in the chain. When filtering by this property, you can match any subject in the chain.
child_process_uid String Either the SID on Windows or the user ID on Unix-based systems for the subprocess.
child_process_username String The username of the person who started the subprocess.
child_process_uuid String The subprocess identifier assigned by the Agent.
labels String The identifier of a label associated with a process event, derived from the associated user and/or node.
process_application_identifier String The application identifier, typically present on Windows and macOS.
process_binary_name String The process name.
process_binary_path String The binary path from which the process was executed.
process_signature_accepted Boolean The validity of a process binary's digital signature. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures.
process_username String The username of the person who started the process.
process_uuid String The process identifier assigned by the Agent.
user_uuid String The unique identifier of the FortiDLP user who generated the process event.
SharePoint & OneDrive properties
client_app String The name of the application that was used.
event_type String The type of event, such as downloaded.
file_name String The file name.
file_type String The file type.
file_url String The file URL.
juid String The unique identifier of the FortiDLP user who generated the event.
labels String The event's labels, derived from the associated user.
new_value String The new value, such as the new filename of a renamed document.
old_value String The old value, such as the original filename of a renamed document.
platform String The platform of the device, such as Windows.
shared_link_type String The type of shared link, such as Internal.
shared_with_user_type String The type of user that a resource was shared with, such as External.
site_url String The URL of the site where the file is located.
target_juid String The FortiDLP user identifier of the event target, such as the identifier of the user that a resource was shared with.
target_username String The username of the event target, such as the username that a resource was shared with.
username String The username of the user that performed the event action.
USB device properties
agent_uuid String The unique identifier of the FortiDLP node that the USB event occurred on.
device_class String The USB device class code.
event_type String The USB event type.
labels String The identifier of a label associated with a USB event, derived from the associated user and/or node.
product_id String The USB device product ID.
serial_number String The USB device serial number.
usb_session_id String The identifier of the USB device session.
user_uuid String The unique identifier of the FortiDLP user who generated the USB event.
vendor_id String The USB device vendor ID.
Wi-Fi properties
agent_uuid String The unique identifier of the node that the Wi-Fi event occurred on.
bssid String The Wi-Fi network BSSID.
labels String The identifier of a label associated with a Wi-Fi event, derived from the associated user and/or node.
ssid String The Wi-Fi network SSID.
user_uuid String The unique identifier of the user who generated the Wi-Fi event.

Investigate search properties

Investigate search properties

You can use the following properties to create custom search queries within the Investigate module.

Investigate search properties
Property Format Description
Action properties
action String The action taken by the Agent.
action_group String The action's group identifier.
action_uuid String The unique identifier assigned by the Agent to the action event.
agent_uuid String The unique identifier of the FortiDLP node on which the action was initiated.
block_download.browser_name String The name of the browser that was used when a download was blocked.
block_email.attachment_file_path String The file path to an attachment on the sender's device where an email was blocked.
block_email.recipient String The intended recipient of an email which was blocked.
block_email.subject String The subject line of an email which was blocked.
block_upload.browser_name String The name of a browser that was used when an upload was blocked.
block_upload.file_name String The name of a file for which a browser upload was blocked.
block_upload.url String The URL to which a browser upload was blocked.
block_usb_device.usb_session_uuid String The identifier of a USB device session which was blocked.
block_usb_device.product_id String The product ID of a USB device that was blocked.
block_usb_device.serial_number String The serial number of a USB device that was blocked.
block_usb_device.vendor_id String The vendor ID of a USB device that was blocked.
block_usb_transfer.final_location String The final path to a file that was blocked from being transferred to a USB storage device.
block_usb_transfer.process_name String The binary name of a process that was executed where a USB transfer was blocked.
block_usb_transfer.target_path String The intended path on a USB storage device for a file that was blocked from being transferred.
created_by String The unique identifier of the operator or policy that initiated an action.
debug_bundle_mode String The mode for requesting a debug bundle, such as basic or verbose. Requires Agent 11.0.1+.
empty_clipboard.clipboard_name String The name of the clipboard that was cleared by an empty clipboard action. Requires Agent 11.0.1+.
empty_clipboard.session_username String The username of the session during which an empty clipboard action was executed. Requires Agent 11.0.1+.
error_message String The error occurring during the execution of an action. Requires Agent 11.0.1+.
labels String The identifier of a label associated with an action event, derived from the associated user and/or node.
message.acknowledge_enabled Boolean For display message actions, the presence of an acknowledgment checkbox in a message. Select true to search for messages that contain an acknowledgment checkbox or false to search for messages that did not. Requires Agent 11.0.1+.
message.acknowledged Boolean For display message actions containing an acknowledgment checkbox, whether the checkbox has been selected. Select true to search for messages where the checkbox was selected or false to search for messages where it was not. Requires Agent 11.0.1+.
message.response_enabled Boolean For display message actions, the presence of a text box in a message for a user response. Select true to search for messages that contained a text box for a user response or false to search for messages that did not. Requires Agent 11.0.1+.
message.response_mandatory Boolean For display message actions, the presence of a mandatory text box in a message in which the user must provide a response. Select true to search for messages that contained a text box or false to search for messages that did not. Requires Agent 11.0.1+.
message.response_message String For display message actions, the response provided by the user into a displayed text box. Requires Agent 11.0.1+.
message.session_username String The username of the session during which a display message action was executed. Requires Agent 11.0.1+.
message.url_clicked Boolean For display message actions containing a URL, whether the link was clicked. Select true to search for messages where the link was clicked or false to search for messages where it was not. Requires Agent 11.0.1+.
message.url_mandatory Boolean For display message actions, the presence of a mandatory URL in a message that the user must click. Select true to search for messages that contained a mandatory URL or false to search for messages that did not. Requires Agent 11.0.1+.
performance_report.mode String The mode for requesting a performance report, such as standard or advanced. Requires Agent 11.0.1+.
reboot.force Boolean For reboot actions, the type of reboot that was performed. Select true to search for a forced reboot or false to search for a standard reboot. Requires Agent 11.0.1+.
result String The action result. Requires Agent 11.0.1+.
screenshot.session_username String The username of the session during which a take screenshot action was executed. Requires Agent 11.0.1+.
status String The action status, such as executed. Requires Agents earlier than 11.0.1.
trigger_uuid String The unique identifier of the trigger (policy or operator) resulting in one or more actions being executed. Requires Agent 11.0.1+.
user_uuid String The unique identifier of the FortiDLP user associated with the node on which the action was initiated.
Application properties
agent_uuid String The unique identifier of the FortiDLP node that the application event occurred on.
application_binary String The application binary name.
application_window_title String The application name displayed in the window title bar.
labels String The identifier of a label associated with an application event, derived from the associated user and/or node.
process_uuid String The identifier for the process that executed an application.
user_uuid String The unique identifier of the FortiDLP user who generated the application event.
username String The username used to access an application.
Browser properties
account String The username used to log in to the account.
account.domain String If the account username is an email address, the domain of the email address.
account.username String If the account username is an email address, the username of the email address.
agent_uuid String The unique identifier of the FortiDLP node that the browser event occurred on.
browser String The name of the browser that was used.
saas_apps.application_id Integer The SaaS app unique identifier.
saas_apps.category String The SaaS app category.
saas_apps.name String The SaaS app name.
saas_apps.risk_score Integer The SaaS app risk score.
saas_apps.verdict String The SaaS app verdict.
download_danger String The browser tag indicating the danger of a download request.
event_type String The browser event type, such as download.
file_extension String The file extension of an uploaded or downloaded file.
file_name String The name of an uploaded or downloaded file.
file_path String The file path to an uploaded or downloaded file.
final_url String The browser request's final URL.
final_url_hostname String The hostname of the browser request's final URL.
final_url_path String The file path of the browser request's final URL.
final_url_port Integer The port of the browser request's final URL.
labels String The identifier of a label associated with a browser event, derived from the associated user and/or node.
login_account_type String Whether the account logged in to was corporate or non-corporate.
login_protocol String The protocol used to log in.
login_provider String The provider used to log in.
mime_type String The media type of an uploaded or downloaded file.
navigation_transition_type String The method used to navigate to a web page.
private_session Boolean The browser session type, such as private. Select true to search for private sessions or false to search for regular sessions.
tab_url String The URL of the tab that is open when a request is made. This will vary from the URL when navigating inside a frame or when downloading a file.
tab_url_hostname String The hostname of the tab URL.
tab_url_path String The tab URL path. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
tab_url_port Integer The port number of the tab URL request.
url String The URL of the request.
url_hostname String The hostname of the URL.
url_path String The URL path. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
url_port Integer The port number of the URL request.
user_uuid String The unique identifier of the FortiDLP user who generated the browser event.
Detection properties
account_name String The account name or username, such as an account name associated with a failed login attempt which breached a policy.
agent_uuid String The unique identifier of the FortiDLP node that the detection occurred on.
application_name String The binary name or friendly name of an application.
certificate_name String The root certificate subject name, such as the subject name of a newly installed root certificate.
created_by String The detection's source, such as the name of a violated policy.
description String The detection's description.
detection_type String list The detection's trigger, such as a policy breach or Agent offline rule.
dst_ip String The destination IP address.
dst_port Integer The destination port number.
file_name String The filename, such as Business_Proposal.pdf.
file_path String The file path, such as C:\Users\Amy\Documents\Business_Proposal.pdf.
file_size String The file size, measured in bytes.
host String The hostname URL.
indicators String list The MITRE ATT&CK indicators (tactic, technique, and sub-technique) applied to a detection.
inspection_pattern String The content inspection pattern name or custom content inspection pattern value ("[a-z]{3}.*").
labels String The identifier of a label associated with a detection event, derived from the associated user and/or node.
mime_type String The file MIME type.
origin.browser.saas_app.application_id Integer For origin-aware detections, the identifier of the SaaS app that was used to download the initial file.
origin.browser.saas_app.category String For origin-aware detections, the category of the SaaS app that was used to download the initial file.
origin.browser.saas_app.name String For origin-aware detections, the name of the SaaS app that was used to download the initial file.
origin.browser.saas_app.risk_score Integer For origin-aware detections, the risk score assigned to the SaaS app that was used to download the initial file.
origin.browser.saas_app.verdict String For origin-aware detections, the verdict assigned to the SaaS app that was used to download the initial file.
origin.browser.tab_account_name String For origin-aware detections, the login account name that was used to download the initial file, such as amy.smith@company.com.
origin.browser.tab_title String For origin-aware detections, the title of the browser tab that was open when the initial file downloaded, such as Sales - Google Drive.
origin.browser.tab_url String For origin-aware detections, the URL of the website from which the initial file was downloaded.
origin.browser.tab_url.hostname String For origin-aware detections, the hostname of the website from which the initial file was downloaded.
origin.browser.tab_url.path String For origin-aware detections, the path of the URL shown on the tab when the initial file was downloaded. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
origin.browser.tab_url.port Integer For origin-aware detections, the port number of the tab URL request when the initial file was downloaded.
origin.browser.url String For origin-aware detections, the initial file's origin URL.
origin.browser.url.hostname String For origin-aware detections, the initial file's origin website hostname.
origin.browser.url.path String For origin-aware detections, the path of the download request URL for the initial file. That is, the part of the URL between the hostname and the query (?) or fragment (#). For example, for https://example.com/some/path?q=value, the URL path would be /some/path.
origin.browser.url.port Integer For origin-aware detections, the port number of the URL request when the initial file was downloaded.
origin.file_ext String For origin-aware detections, the extension of the initial file when it was downloaded from its origin website/SaaS app.
origin.file_name String For origin-aware detections, the name of the initial file when it was downloaded from its origin website/SaaS app.
origin.file_path String For origin-aware detections, the path of the initial file on the user's computer after it was downloaded.
origin.has_lineages Boolean For origin-aware detections, whether or not the detection contains data lineage information. Select true to search for detections that have lineage information or false to search for detections that do not.
origin.id String For origin-aware detections, the unique identifier of the initial file that was downloaded.
origin.lineage_operations String For origin-aware detections, the operation performed on the initial file after it was downloaded from its origin website/SaaS app, such as rename or move.
printer_uuid String The unique identifier of the printer.
process_application_id String The application identifier, typically present on Windows and macOS.
process_binary_name String The process binary name.
process_binary_path String The binary path of the process relating to a detection, such as the binary path from which the process of a connection was executed.
process_signature_accepted String The validity of a process binary's digital signature.
process_username String The username attribute of the process relating to a detection, such as the username of a person who started a process or accessed a file using a process.
process_uuid String The unique identifier of a process.
recipient_email_address String The email recipient address.
requested_actions String list The Agent actions requested by a policy when a detection occurs.
saas_apps.application_id Integer The SaaS app unique identifier.
saas_apps.category String The SaaS app category.
saas_apps.name String The SaaS app name.
saas_apps.risk_score Integer The SaaS app risk score.
saas_apps.verdict String The SaaS app verdict.
score Integer The detection's severity score.
sender_email_address String The email sender address.
src_ip String The source IP address.
source_port Integer The source port number.
suppressed_actions String list The requested Agent actions that did not execute on the node due to rate limiting.
tags String The detection's tags, derived from the triggering policy.
target_file_name String The target filename, such as the name of a newly created compressed file.
target_file_path String The target file path, such as the path of a newly created compressed file.
url String The browser request URL.
url_classification String The URL's classification, if the URL classification feature is enabled.
usb_product_id String The USB device product ID.
usb_serial_number String The USB device serial number.
usb_vendor_id String The USB device vendor ID.
user_uuid String The identifier for a user relating to a detection, such as the ID of a user who breached a policy.
wifi_bssid String The Wi-Fi network BSSID.
wifi_ssid String The Wi-Fi network SSID.
window_title String The application window title name.
File access properties
action String The action performed on a file, such as open.
agent_uuid String The unique identifier of the FortiDLP node that the detection occurred on.
deleted_timestamp Timestamp For file deletes. The timestamp recorded when the file was deleted.
file_directory_count.accessed Integer For directory actions. The number of files accessed within a directory.
file_directory_count.deleted Integer For directory actions. The number of files deleted within a directory.
file_directory_count.modified Integer For directory actions. The number of files modified within a directory.
file_extension String The extension of a file that was accessed.
file_name String The name of a file that was accessed.
file_path String The path of a file that was accessed.
labels String The identifier of a label associated with a file access event, derived from the associated user and/or node.
process_application_id String The application identifier, typically present on Windows and macOS.
process_binary_name String The process binary name.
process_signature_accepted Boolean The validity of a process binary's digital signature. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures.
process_username String The username of the person who started the process.
process_uuid String The identifier assigned by the FortiDLP Agent to the process that accessed the file.
usb_session_uuid String The USB session ID, if filtering for a file on a USB drive.
user_uuid String The unique identifier of the FortiDLP user who generated the file access event.
Google Drive properties
affected_drive_label String The Google Drive label that was added to or removed from the file.
affected_drive_label_field String The Google Drive label field that was changed.
event_type String The type of event, such as downloaded.
file_id String The Google Drive file identifier.
file_name String The name of the file.
file_owner_type String The type of file owner.
file_owner_username String The username of the file owner.
file_type String The type of file.
juid String The unique identifier of the FortiDLP user who generated the event.
labels String The event's labels, derived from the associated user.
membership_change_type String The type of membership change, such as when a role is changed.
new_owner_juid String The FortiDLP user identifier of the new owner of a resource.
new_owner_type String The type of new owner of a resource.
new_publish_visibility String The new publish visibility of a resource, such as Public, Domain, or Nobody.
new_value String The new value, such as the new membership role when a membership is changed.
old_publish_visibility String The old publish visibility of a resource, such as Public, Domain, or Nobody.
old_value String The old value, such as the old membership role when a membership is changed.
old_visibility String The old visibility of a resource, such as Private or Public.
reason String The reason for the event.
target_juid String The FortiDLP user identifier of the event target, such as the identifier of the user that had their sharing permissions modified.
target_username String The username of the event target, such as the username of the user that had their sharing permissions modified.
username String The username of the user that performed the action.
visibility String The visibility of the file, such as Private or Public.
visibility_change String The type of visibility change, such as Internal.
Login properties
agent_uuid String The unique identifier of the FortiDLP node that the detection occurred on.
event_type String The login type, such as login_success, login_failure, or logout.
is_remote Boolean Select true to search for remote logins or false to search for local logins.
login_username String The username used to log in to a device.
labels String The identifier of a label associated with a login event, derived from the associated user and/or node.
remote_ip String For remote logins. The IP address of the remote machine to which a connection is made.
remote_ip_city String For remote logins. The city location of a remote machine that is connected to.
remote_ip_country String For remote logins. The country location of a remote machine that is connected to.
remote_ip_country_code String For remote logins. The country code that corresponds to the country location of a remote machine that is connected to.
user_id String Either the SID on Windows or the user ID on Unix-based systems.
user_uuid String The unique identifier of the FortiDLP user who generated the login event.
Network connection properties
bytes_received Integer The number of bytes received during the lifetime of the connection.
bytes_sent Integer The number of bytes sent during the lifetime of the connection.
connection_uuid String The unique identifier assigned by the Agent to the connection.
dst_agent_uuid String The identifier for an Agent associated with an inbound connection.
dst_city String For remote logins. The city where an inbound connection was received.
dst_country String For remote logins. The country where an inbound connection was received.
dst_country_code String For remote logins. The country code of the country where an inbound connection was received.
dst_host String For remote logins. The hostname of the machine that was connected to during an inbound connection.
dst_ip String The IP address for an inbound connection, in CIDR notation.
dst_port Integer The port number for an inbound connection.
dst_process_application_id String The application identifier for an inbound connection, typically present on Windows and macOS.
dst_process_binary_path String The process name for an inbound connection.
dst_process_username String The username of the person who started the process for an inbound connection.
dst_process_uuid String The identifier assigned by the FortiDLP Agent to the process that made an inbound connection.
dst_user String The identifier for a user associated with an inbound connection.
labels String The identifier of a label associated with a connection event, derived from the associated user and/or node.
src_agent_uuid String The unique identifier for a FortiDLP Agent associated with an outbound connection.
src_city String For remote logins. The city where an outbound connection was sent from.
src_country String For remote logins. The country where an outbound connection was sent from.
src_country_code String For remote logins. The country code of the country where an outbound connection was sent from.
src_ip String The IP address for an outbound connection in CIDR notation.
src_port Integer The port number for an outbound connection.
src_process_application_identifier String The application identifier for an outbound connection, typically present on Windows and macOS.
src_process_binary_name String The process name for an outbound connection.
src_process_binary_path String The binary path from which the process for an outbound connection was executed.
src_process_signature_accepted Boolean The validity of a process binary's digital signature for an outbound connection. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures.
src_process_username String The username of the person who started the process for an outbound connection.
src_process_uuid String The identifier assigned by the FortiDLP Agent to the process that made an outbound connection.
src_user String The unique identifier for a user associated with an outbound connection.
Print properties
agent_uuid String The unique identifier of the FortiDLP node that the print event occurred on.
binary_name String The binary name of the process which created the print job.
binary_path String The binary path from which the print job process was executed.
document_name String The print job name, such as the document name or web page title.
job_size Integer The number of bytes printed.
labels String The identifier of a label associated with a print event, derived from the associated user and/or node.
number_of_pages Integer The number of pages printed.
output_file_path String The location of a file that was printed via print to PDF on Windows. This is not always available.
printer_address String The IP address of the printer. This includes the network port.
printer_hostname String The hostname of a print server, indicating its location. For example, print.example.net.
printer_name String The printer name.
printer_port String The printer port. On macOS and Linux, this is typically the printer's URI.
printer_uuid String The unique identifier of the printer.
process_application_id String The print application identifier.
process_signature_accepted String The validity of the process binary's digital signature.
process_username String The username that was used to print a document.
user_uuid String The unique identifier of the FortiDLP user who generated the print event.
Process start properties
agent_uuid String The unique identifier of the FortiDLP node that the process event occurred on.
child_process_info_application_id String The application identifier, typically present on Windows and macOS.
child_process_binary_hash String The subprocess SHA256 hash.
child_process_binary_hash_md5 String The subprocess MD5 hash.
child_process_binary_name String The subprocess name.
child_process_binary_path String The binary path from which the subprocess was executed.
child_process_binary_sha1 String The subprocess SHA1 hash.
child_process_called_path String The command line used to initiate the subprocess.
child_process_pid String The subprocess identifier assigned by the OS.
child_process_signature_accepted Boolean The validity of a subprocess binary's digital signature. Select true to search for subprocesses with valid digital signatures or false to search for subprocesses with invalid digital signatures.
child_process_signature_present Boolean The presence of a subprocess binary's digital signature. Select true to search for subprocesses with digital signatures or false to search for subprocesses without digital signatures.
child_process_signature_signers String The subject of the digital signature in the chain. When filtering by this property, you can match any subject in the chain.
child_process_uid String Either the SID on Windows or the user ID on Unix-based systems for the subprocess.
child_process_username String The username of the person who started the subprocess.
child_process_uuid String The subprocess identifier assigned by the Agent.
labels String The identifier of a label associated with a process event, derived from the associated user and/or node.
process_application_identifier String The application identifier, typically present on Windows and macOS.
process_binary_name String The process name.
process_binary_path String The binary path from which the process was executed.
process_signature_accepted Boolean The validity of a process binary's digital signature. Select true to search for processes with valid digital signatures or false to search for processes with invalid digital signatures.
process_username String The username of the person who started the process.
process_uuid String The process identifier assigned by the Agent.
user_uuid String The unique identifier of the FortiDLP user who generated the process event.
SharePoint & OneDrive properties
client_app String The name of the application that was used.
event_type String The type of event, such as downloaded.
file_name String The file name.
file_type String The file type.
file_url String The file URL.
juid String The unique identifier of the FortiDLP user who generated the event.
labels String The event's labels, derived from the associated user.
new_value String The new value, such as the new filename of a renamed document.
old_value String The old value, such as the original filename of a renamed document.
platform String The platform of the device, such as Windows.
shared_link_type String The type of shared link, such as Internal.
shared_with_user_type String The type of user that a resource was shared with, such as External.
site_url String The URL of the site where the file is located.
target_juid String The FortiDLP user identifier of the event target, such as the identifier of the user that a resource was shared with.
target_username String The username of the event target, such as the username that a resource was shared with.
username String The username of the user that performed the event action.
USB device properties
agent_uuid String The unique identifier of the FortiDLP node that the USB event occurred on.
device_class String The USB device class code.
event_type String The USB event type.
labels String The identifier of a label associated with a USB event, derived from the associated user and/or node.
product_id String The USB device product ID.
serial_number String The USB device serial number.
usb_session_id String The identifier of the USB device session.
user_uuid String The unique identifier of the FortiDLP user who generated the USB event.
vendor_id String The USB device vendor ID.
Wi-Fi properties
agent_uuid String The unique identifier of the node that the Wi-Fi event occurred on.
bssid String The Wi-Fi network BSSID.
labels String The identifier of a label associated with a Wi-Fi event, derived from the associated user and/or node.
ssid String The Wi-Fi network SSID.
user_uuid String The unique identifier of the user who generated the Wi-Fi event.