
FortiDLP Console User Guide

Event streams

The Event streams tab categorizes events, enabling you to conduct focused searches and analyses centered around events that have the same root cause.

When you select an event stream, you are brought to a page that contains the events for the category. You can either view key event data within the Aggregations subtab, or access all of the events in a table within the Events subtab.

Aggregations

In the Aggregations subtab, you can view high-level statistics for event data and use key information in search queries. The widgets are customizable via menus that let you select the information you want to display.

Events

In the Events subtab, you can view events in more detail within an interactive table. If you click an event value, a context menu appears that lets you add the value to a search query or pivot to related information.

The following table describes the event types the Event streams tab captures. For details regarding OS and Agent compatibility and requirements, refer to the FortiDLP Agent Deployment Guide.

Event descriptions

Action (New), Action (Legacy)

Events related to manual (operator-initiated) and automatic (policy-initiated) actions.

You can view details including the:

  • timestamp
  • action type
  • action result or status, and
  • name of the operator or policy that executed the action.

For comprehensive information about actions, also see Actions.

Application

Events related to application use.

You can view details including the:

  • timestamp
  • process name and binary signature status (signed, unsigned, or unverified), and
  • window title name.

Browser

Events related to browser use, such as when a user visits a URL or uploads or downloads a file.

You can view details including the:

  • timestamp
  • browser name
  • tab and target URLs and associated classification categories (these categories, which are mapped to NetSTAR internet classifiers, provide insight into potentially unauthorized, malicious, and careless web behavior)
  • session type (private or normal)
  • download or upload size
  • MIME type
  • danger rating, and
  • transition type.

Detection

Events related to detections.

You can view details including the:

  • timestamp
  • detection name and description
  • severity and risk score
  • associated screenshots
  • associated policy (if applicable), and
  • tags.

For comprehensive information about detections, also see Detections.

Email

Events related to outbound email activity.

You can view details including the:

  • timestamp
  • email client type
  • sender email address, domain, and username
  • recipient email addresses, domains, and usernames
  • Cc and Bcc recipient email addresses, domains, and usernames
  • subject line
  • attachment filenames, and
  • attachment file size.

File access

Events related to file access, such as when a file is opened, modified, closed, executed, deleted, or renamed.

You can view details including the:

  • timestamp
  • filename
  • file path, and
  • process/child process name and binary signature status (signed, unsigned, or unverified).

Note

During content inspection, the FortiDLP Agent examines files of interest locally. File contents are not uploaded to the FortiDLP Infrastructure.

Google Drive

Events collected from Google Drive.

You can view details including the:

  • affected Google Drive labels
  • file ID, name, owner, and type
  • membership change information
  • visibility changes for published and unpublished documents, and
  • user whose sharing permissions were modified.

Login

Events related to login activity.

You can view details including the:

  • timestamp
  • login type (login or logout)
  • UID, and
  • username.

Note

When a user locks their machine, this is considered a logout event. When a user unlocks their machine, this is considered a login event.

Network connection

Events related to network connections.

You can view details including the:

  • timestamp
  • connection type (inbound or outbound)
  • process name and its binary signature status (signed, unsigned, or unverified)
  • network addresses (destination and source), and
  • communication protocol.

Print

Events related to print jobs. For Windows machines, print jobs sent to local, network, and virtual printers are monitored. For macOS and Linux machines, print jobs sent to local and network printers are monitored.

You can view details including the:

  • timestamp
  • file name
  • number of pages
  • size
  • printer name, and
  • printer port (Windows only).

Note

On Windows, visibility of print jobs sent to centralized print servers is limited. In some cases, events for print jobs sent to other servers on the network can still be captured if the "Render print jobs on client computers" setting is enabled in the printer properties. From FortiDLP Agent 10.4.0 onwards, an enhanced printing visibility option can be turned on, which resolves this limitation.

For detailed information regarding printing functionality across OSs, see Print monitoring in the FortiDLP Agent Deployment Guide.

Process start

Events related to process starts.

You can view details including the:

  • timestamp, and
  • process/child process name and binary signature status (signed, unsigned, or unverified).

SharePoint & OneDrive

Events collected from Microsoft SharePoint and OneDrive.

You can view details including the:

  • device platform
  • application
  • file name, type, and URL
  • site URL
  • user a resource was shared with, and
  • old and new values of a modified resource.

USB device

Events related to USB composite and storage device use.

You can view details including the:

  • timestamp
  • device name, and
  • device serial number, product ID, and vendor ID.

Wi-Fi

Events related to Wi-Fi network connections.

You can view details including the:

  • timestamp
  • SSID
  • BSSID, and
  • encryption type (WPA, WPA2, or WEP).
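As an added illustration of how an operator might work with the Login, Network connection and Wi-Fi fields listed above outside the console (this is example code, not Fortinet's, and the dict layout and field names are assumptions, since FortiDLP's export schema is not shown on this page), the following Python mirrors an Aggregations-style count per stream, flags outbound connections from unsigned or unverified binaries and Wi-Fi joins that still use WEP, and pairs login/logout events into session lengths using the lock-equals-logout rule from the Login note.

```python
# Added example, not Fortinet code. Assumption: each event is a dict with an
# "event_type" key plus field names from the table above (FortiDLP's real
# export schema is not shown here). Sample values below are constructed.
from collections import Counter
from datetime import datetime
SAMPLE_EVENTS = [
    {"event_type": "Login", "timestamp": "2024-05-01T08:00:00",
     "login_type": "login", "uid": 1001, "username": "alice"},
    {"event_type": "Network connection", "timestamp": "2024-05-01T08:05:00",
     "connection_type": "outbound", "process_name": "updater.exe",
     "signature_status": "unsigned", "destination": "203.0.113.10:443"},
    {"event_type": "Network connection", "timestamp": "2024-05-01T08:06:00",
     "connection_type": "outbound", "process_name": "chrome.exe",
     "signature_status": "signed", "destination": "198.51.100.7:443"},
    {"event_type": "Wi-Fi", "timestamp": "2024-05-01T08:07:00", "ssid": "Cafe",
     "bssid": "00:11:22:33:44:55", "encryption_type": "WEP"},
    # Screen lock: per the Login note, a lock is recorded as a logout.
    {"event_type": "Login", "timestamp": "2024-05-01T12:00:00",
     "login_type": "logout", "uid": 1001, "username": "alice"},
]

def aggregate_by_type(events):
    """Like the Aggregations subtab: count events per event stream."""
    return Counter(e["event_type"] for e in events)

def flag_events(events):
    """(reason, event) pairs: outbound connections from unsigned/unverified
    binaries, and Wi-Fi joins to networks still using WEP."""
    flagged = []
    for e in events:
        if (e["event_type"] == "Network connection" and e["connection_type"] == "outbound"
                and e["signature_status"] in ("unsigned", "unverified")):
            flagged.append(("outbound connection from non-signed process", e))
        if e["event_type"] == "Wi-Fi" and e["encryption_type"] == "WEP":
            flagged.append(("Wi-Fi network using WEP encryption", e))
    return flagged

def session_seconds(events, username):
    """One user's login-to-logout session lengths in seconds; since lock and
    unlock arrive as logout and login, time spent locked is excluded."""
    logins = [e for e in events if e["event_type"] == "Login" and e["username"] == username]
    start, sessions = None, []
    for e in sorted(logins, key=lambda e: e["timestamp"]):
        ts = datetime.fromisoformat(e["timestamp"])
        if e["login_type"] == "login":
            start = ts
        elif start is not None:
            sessions.append((ts - start).total_seconds())
            start = None
    return sessions
```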