New features and enhancements

Be the first to know when new features hit the FortiDLP Cloud.

In the FortiDLP Console, just click your avatar on the left-hand sidebar and then click What's new. To be notified each time we release shiny new features, select the Notify me about updates checkbox.

Note

Introducing FortiDLP

Released October 29th

We're excited to announce that following Fortinet's acquisition of Next DLP, we're rebranding Reveal as FortiDLP and introducing a new logo. The Reveal UI is now the FortiDLP Console, and Agent rebranding will follow with the release of FortiDLP Agent 12.0.0 in November.

Decryption Tool Extension

Released October 1st

It's now easier than ever to decrypt file shadow copies.

Our new decryption tool browser extension for Google Chrome, Microsoft Edge, and Firefox lets you seamlessly and quickly decrypt shadow copies, either individually or in bulk.

You can launch the extension directly from the Reveal UI's Detection details and Action details panels to decrypt shadow copies. Alternatively, you can download shadow copies from these panels or the external storage bucket, and then upload them to the extension for decryption.

To install the cross-platform Reveal Decryption Tool Extension, visit the File shadowing tab of the Reveal UI's Admin settings.

For more information, refer to File shadowing.

Custom SaaS apps

Released September 17th

Track whether users and nodes are using your company's internal SaaS apps.

When manually adding apps to the inventory, you now have the option to add your own by defining a name, logo, category, risk score, and URL patterns to identify the app.

For more information, refer to Manually adding SaaS apps to the inventory.

Multiple cloud connector configurations

Released September 17th

You can now manage and monitor user activity across multiple Google Drive or Microsoft SharePoint and OneDrive Connector configurations.

For more information, refer to:

Saved selections in the Activity feed

Released September 10th

Preserve your go-to selections in the Activity feed to speed up future investigations.

Your selections of event streams and/or pinned fields will now be automatically saved, so if you navigate to other modules or log out, you can pick up where you left off. Additionally, you can now capture a current selection of these and set it as your default to use at any time.

For more information, refer to Viewing the Activity feed.

Browser extension-specific installation settings

Released August 20th

Reveal now provides browser extension-specific installation settings to give you greater control over your deployment.

For nodes running Reveal Agent 11.1.1+, you can apply varied Reveal Browser Extension installation configurations to manage the extension with the Agent or an external tool. Alternatively, you can use the same installation configuration across all browsers. This new functionality is provided via Agent configuration groups.

Note

Existing (legacy) Agent-managed browser extension installation configurations will remain in effect unless the new setting is configured. If the new setting is configured, it will supersede the legacy configuration for compatible Agents (v11.1.1 or later), and the legacy configuration will continue to apply to nodes running Agent 11.0.1 or earlier.

Where the new setting is configured, and an Agent is then downgraded from v11.1.1 or later to v10.5.3 or earlier, the legacy configuration will apply.

For more information, refer to Creating Agent configuration groups.

Multi-factor authentication (MFA) logins for internal operators

Released August 20th

Internal operators can now configure a second layer of security for when they log in to the Reveal UI.

After submitting their username and passphrase, they will be prompted to provide another form of authentication using either an authenticator app or WebAuthn security key before being granted access.

For more information, refer to Configuring multi-factor authentication for your internal operator account.

Enhanced details panels

Released July 30th

We've redesigned our details panels to elevate essential information and ease investigations and analysis.

Along with highlighting key data that is specific to the detection, event, or action in focus, the panels now open on the side of the screen to keep the current page in view. To provide more context when policies are violated, the detection details panel now also captures extended metadata.

For details, refer to:

Reveal Beyond

Released July 16th

Integrate Reveal with your corporate cloud drives for comprehensive visibility into user activity across all devices, both managed and unmanaged.

Our Google Drive and Microsoft SharePoint and OneDrive Connectors collect cloud events, such as file uploads, downloads, and modified sharing permissions, which are reported in an event stream for investigation.

Google Drive event stream

For more information, refer to:

Google Workspace users

Released July 16th

You can now sync users from your Google Workspace directory to Reveal to map them to device and cloud activity.

For more information, refer to Google Workspace users.

Supporting operators

Released July 2nd

You can now directly manage Fortinet's access to your tenant when you need assistance.

Through a new supporting operator account type, Reveal administrators have the ability to grant Next DLP employees—such as sales engineers, support engineers, and customer success managers—controlled access to their tenant. The access given to supporting operators is time-bound, revocable, audited, and for a specified reason, for example, to investigate a support case.

For more information, refer to Fortinet supporting operators.

Activity feed export

Released June 25th

The Activity feed now has event exporting capabilities.

By exporting the Activity feed to CSV or XLSX, you can give stakeholders comprehensive insight into security events to better assess risks.

Activity feed export of detections

For more information, refer to Exporting the Activity feed.

Cases enhancements

Released June 11th

The Case details page has a new look and feel.

Its modernized, content-centric design elevates essential case information, so you can analyze events and respond to threats faster. The refreshed design also brings the Case details page into line with the Activity feed and lays the groundwork for the introduction of XTND, Reveal's AI-powered assistant.

For more information, refer to Cases.

SaaS app data export

Released June 4th

Export SaaS app data for external reporting and analyze current app verdicts, risk scores, and entity activity.

From the SaaS apps module's Inventory tab, you can now export data to XLSX or CSV, optionally filtering the data using search queries.

For more information, refer to SaaS apps.

Refined context boxes

Released June 4th

To provide a better experience in the Reveal UI, we've added click-to-open context boxes to present key information and menu options.

The context boxes have been redesigned to optimize your workflow, displaying faster than the former hover boxes and with more concise and relevant information. To further enhance usability, the context boxes include menu options to quickly direct you to other Reveal UI modules.

SentinelOne webhooks

Released May 14th

Integrate Reveal detections with SentinelOne to accelerate your investigations.

Our new preconfigured payload format allows Reveal to send batched detection payloads to the SentinelOne Singularity Platform, enabling analysts to correlate important Reveal activity with other data sources within SentinelOne.

For more information, refer to Setting up SentinelOne webhooks.

Removal of the node 'All' label

Released May 14th

To harmonize label use across entities, the node "All" label has been removed from Reveal.

Existing configurations and policy groups that do not have any associated labels will now apply to all entities.

As part of this change, a simplified label selector has been added to ease setup of the Agent offline warning, Agent configuration groups, and policy groups.

For more information, refer to:

Policy detection extended metadata

Released April 24th

To accelerate threat analysis and response in third-party systems, more contextual information is now reported for policy detections.

This extended metadata is sent in the detection event's JSON payload, enhancing our Security Information and Event Management (SIEM) Event Streaming Service and webhooks.

This feature is supported with FortiDLP Agent 11.1.1+ and FortiDLP Policy Templates 6.8.0+. Upon upgrading to these versions, reporting of extended metadata will automatically be enabled for existing integrations.

Extended metadata fields are documented using the Avro schema. For details about the available extended metadata fields for FortiDLP's standard and OOB policy templates, see the Reveal Policies Extended Metadata Reference Guide. Additionally, if you would like to reference the Avro files for this release, you can download them from the Next DLP Support Portal here.

For information about sending FortiDLP detections to third-party systems, see:

Note

Extended metadata is only provided for third-party integrations and is not shown for detections in the Reveal UI.

If preferred, reporting of extended metadata can be disabled for Splunk, and for webhooks when custom webhook templates are used. For details, see the above sections.

SaaS App Security

Released April 24th

Track, categorize, and rate the risk of the Software-as-a-Service (SaaS) apps that are being used across your organization.

The SaaS apps module provides a holistic view of user and node interactions with apps, informing you of the number of apps accessed, users who have accessed an app, file transfers that have occurred on an app, and more.

To help you assess each app’s potential for data exposure and organize them as such, preassigned risk scores are provided, and you can decide which apps should be grouped as sanctioned or unsanctioned.

For more information, refer to SaaS apps.

Unified entities in Activity feed

Released April 10th

To ease investigations, users and nodes have been combined into a single column within the Activity feed.

The consolidated "Entities" column allows more event data to display on screen, accelerating analysis and response.

For more information, refer to Activity feed.

Operator reporting enhancements

Released March 27th

The Admin console's Operators tab has been enhanced to provide more operator information.

From there, you can now view SAML, LDAP, and MSSP operator accounts along with internal operator accounts, and can easily navigate to their audit logs. Additionally, for active Reveal UI web sessions, you can now view the corresponding operator roles and account types.

For more information, refer to Operators.

Restoring deleted users and auto-unarchiving directory-deleted users

Released February 23rd

Reinstate users you have manually deleted from Reveal, and re-sync directory-deleted users to unarchive them.

Reveal now provides the flexibility to restore deleted users so that they can be re-synced and re-associated with their events, such as when an employee rejoins your company. Additionally, if a user is auto-archived upon a sync due to being deleted from an LDAP or Entra ID directory, they now just need to be included in a subsequent sync to be automatically unarchived.

For more information, refer to User archiving and deleting.

Label associations for all events

Released February 20th

Locate events more efficiently by using entity labels in search queries.

Within the Investigate module, all events now contain labels derived from the associated user and/or node. Therefore, you can filter any event stream to refine events to those generated by a specific group of entities.

For more information, refer to Investigate.

Additional detection metadata

Released January 10th

More detection metadata fields are available to help you safeguard sensitive information and identify abnormal behavior.

If a policy is breached, the Agent can now report the associated file size in bytes and the application window title.

This new information increases visibility of data exfiltration activities in the FortiDLP Console's detections event stream, as well as in third-party systems, such as Security Information and Event Management (SIEM) tools and those integrated via webhooks.

The File size field is supported with Reveal Agent 11.0.1+ and Reveal Policy Templates 6.7.0+. The Window title field is supported with Reveal Agent 10.5.1+ and Reveal Policy Templates 6.7.0+.

For details about the detections event stream, refer to Investigate.

For more information about sending FortiDLP detections to third-party systems, refer to:

Relocated Agent config settings

Released November 29th

Manage nodes more easily with Agent configuration groups.

Auto-archiving settings for duplicate and inactive Agents can now be applied using Agent configuration groups, giving you more flexibility.

Note

Existing global Agent auto-archiving configurations have been preserved within the "base configuration" Agent configuration group for your tenant.

For more information, refer to Creating Agent configuration groups.
