
Administration Guide

Assign confidence levels in FortiGuard managed DLP dictionaries

Users can select a FortiGuard dictionary with varying confidence levels based on their specific requirements.

  • The high level provides maximum precision to minimize false positives.

  • The medium level balances match quantity and precision.

  • The low level captures the most matches, but may result in more false positives.

Note: A valid DLP license is required to obtain the latest package.

When applying a FortiGuard built-in dictionary to a custom sensor, the dictionary with the highest confidence level is selected by default.

Use case examples

In these use case examples, various Canadian Social Insurance Number (SIN) formats are tested at different confidence levels using different protocols.

| SIN format        | Low Confidence                      | Medium Confidence                                          | High Confidence                                                               |
|-------------------|-------------------------------------|------------------------------------------------------------|-------------------------------------------------------------------------------|
| Matching criteria | regular expression, data validation | regular expression, data validation, SIN format validation | regular expression, data validation, SIN format validation, match-around data |
| 815489034         | match                               | does not match                                             | does not match                                                                |
| 193849270         | match                               | match                                                      | does not match                                                                |
| sin# 193849270    | match                               | match                                                      | match                                                                         |
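The three tiers in the table, approximated as an added example that is not Fortinet code: the guide does not publish what FortiGuard's "data validation" and "SIN format validation" consist of, so this assumes the low tier is the 9-digit regular expression plus the Luhn checksum that Canadian SINs carry, the medium tier adds the leading-digit rule (Service Canada issues SINs starting with 1 to 7 or 9), and the high tier additionally requires match-around context such as "sin#" shortly before the number. Under those assumptions the function reproduces all three rows of the table, and also accepts the 3-3-3 grouped form the table does not show.

```python
import re

# 9 digits, optionally grouped 3-3-3 by a space or hyphen, not embedded in a longer number.
SIN_RE = re.compile(r"(?<!\d)(\d{3})[ -]?(\d{3})[ -]?(\d{3})(?!\d)")
# Match-around data for the high tier: a SIN keyword shortly before the number
# (assumption modelled on the table's "sin# 193849270" row).
CONTEXT_RE = re.compile(r"\bsin\s*#?|social insurance", re.IGNORECASE)
# Leading digits Service Canada issues (1-7 by region, 9 for temporary residents);
# 0 and 8 are not issued. Assumption: this is what "SIN format validation" checks.
VALID_FIRST_DIGITS = set("12345679")


def luhn_ok(digits):
    """Luhn checksum, which genuine Canadian SINs satisfy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def sin_matches(text, confidence):
    """Return the SIN candidates in text that the given tier (low/medium/high) flags."""
    hits = []
    for m in SIN_RE.finditer(text):
        digits = "".join(m.groups())
        # Low: regular expression plus checksum (assumed to be the "data validation").
        if not luhn_ok(digits):
            continue
        if confidence == "low":
            hits.append(digits)
            continue
        # Medium: additionally require a leading digit that is actually issued.
        if digits[0] not in VALID_FIRST_DIGITS:
            continue
        if confidence == "medium":
            hits.append(digits)
            continue
        # High: additionally require match-around context in the 20 chars before the hit.
        if CONTEXT_RE.search(text[max(0, m.start() - 20):m.start()]):
            hits.append(digits)
    return hits
```

Note that 815489034 passes the Luhn check and is only rejected by the leading-digit rule, which is why a tier with checksum alone still flags it.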

To verify that a FortiGuard dictionary at the low confidence level blocks a matching message sent through an HTTPS post:
  1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) with the Confidence level set to Low, then use the profile in a policy.

  2. Test that an HTTPS message containing a SIN is blocked. DLP Test > HTTPS Post can be used to send a test message.

    The message is blocked.

  3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-low dictionary.

  4. Check the raw logs:

    1: date=2024-05-29 time=16:55:27 eventtime=1717026926501493215 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=1 rulename="sensor_can_sin_low" dlpextra="Sensor 'sensor_can_sin_low' matching any: ('g-fg-can-natl_id-sin-dict-low'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-940d89557186" policytype="policy" sessionid=64304 epoch=2100732550 eventid=1 srcip=10.1.100.241 srcport=34184 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="customer_can_sin"

To verify that a FortiGuard dictionary at the medium confidence level blocks a matching file sent through an FTPS post:
  1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) with the Confidence level set to Medium, then use the profile in a policy.

  2. Test that posting a file that contains 193849270 is blocked.

  3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-med dictionary.

  4. Check the raw logs:

    1: date=2024-05-29 time=17:43:38 eventtime=1717029818309788622 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=2 rulename="sensor_can_sin_med" dlpextra="Sensor 'sensor_can_sin_mid' matching any: ('g-fg-can-natl_id-sin-dict-med'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-940d89557186" policytype="policy" sessionid=65893 epoch=2100732638 eventid=0 srcip=10.1.100.241 srcport=37561 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" dstip=172.16.200.175 dstport=33065 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6 service="FTPS" filetype="unknown" direction="outgoing" action="block" filename="can_sin_med.txt" filesize=10 profile="customer_can_sin"

To verify that a FortiGuard dictionary at the high confidence level blocks a matching attachment sent through SMTP:
  1. Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (fg-can-natl_id-sin-dict) with the Confidence level set to High, then use the profile in a policy.

  2. Test that sending email with an attached file that contains sin# 193849270 is blocked.

  3. Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-high dictionary.

  4. Check the raw logs:

    1: date=2024-05-30 time=11:37:18 eventtime=1717094238851929893 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=3 rulename="sensor_can_sin_high" dlpextra="Sensor 'sensor_can_sin_high' matching any: ('g-fg-can-natl_id-sin-dict-high'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-940d89557186" policytype="policy" sessionid=96838 epoch=1455065196 eventid=2 srcip=10.1.100.171 srcport=51141 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" dstip=172.16.200.175 dstport=25 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6 service="SMTP" filetype="unknown" direction="outgoing" action="block" from="johndoe@example.com" to="smithwhite@example.com" sender="emailuser1@qa.fortinet.com" recipient="emailuser2@qa.fortinet.com" subject="Canadian SIN" attachment="yes" filename="sin.txt" filesize=70 profile="customer_can_sin"
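The raw-log check in step 4 of each procedure, as an added example that is not part of this guide: a parser for FortiGate key=value log lines that pulls the dictionary name, its confidence suffix, the match count against the sensor threshold, and the verdict out of the records above, so the three tests can be confirmed from the logs rather than by eye. The sample lines are excerpts of the three log lines shown on this page with unused fields dropped.

```python
import re

# Excerpts of the three raw DLP log lines shown in this guide; unused fields
# were dropped, so these are shortened copies of the records, not full ones.
SAMPLE_LOGS = [
    'date=2024-05-29 time=16:55:27 type="utm" subtype="dlp" ruleid=1 rulename="sensor_can_sin_low" '
    'dlpextra="Sensor \'sensor_can_sin_low\' matching any: (\'g-fg-can-natl_id-sin-dict-low\'=1) >= 1; match." '
    'filtercat="message" service="HTTPS" direction="outgoing" action="block" profile="customer_can_sin"',
    'date=2024-05-29 time=17:43:38 type="utm" subtype="dlp" ruleid=2 rulename="sensor_can_sin_med" '
    'dlpextra="Sensor \'sensor_can_sin_mid\' matching any: (\'g-fg-can-natl_id-sin-dict-med\'=1) >= 1; match." '
    'filtercat="file" service="FTPS" direction="outgoing" action="block" filename="can_sin_med.txt"',
    'date=2024-05-30 time=11:37:18 type="utm" subtype="dlp" ruleid=3 rulename="sensor_can_sin_high" '
    'dlpextra="Sensor \'sensor_can_sin_high\' matching any: (\'g-fg-can-natl_id-sin-dict-high\'=1) >= 1; match." '
    'filtercat="file" service="SMTP" direction="outgoing" action="block" filename="sin.txt"',
]

# key=value pairs; quoted values can contain spaces, '=' and '>' (dlpextra does),
# so splitting the line on whitespace would corrupt them.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# "('<dictionary>'=<count>) >= <threshold>" as written inside dlpextra.
DICT_RE = re.compile(r"\('([^']+)'=(\d+)\)\s*>=\s*(\d+)")


def parse_fortigate_log(line):
    """Turn one FortiGate key=value log line into a dict of plain strings."""
    fields = {}
    for key, raw in KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def dlp_summary(line):
    """Pull out what triage needs: which dictionary tier fired, on what, and the verdict."""
    f = parse_fortigate_log(line)
    m = DICT_RE.search(f.get("dlpextra", ""))
    dictionary = m.group(1) if m else None
    return {
        "service": f.get("service"),
        "action": f.get("action"),
        "dictionary": dictionary,
        # FortiGuard suffixes the tier onto the dictionary name (-low/-med/-high).
        "confidence": dictionary.rsplit("-", 1)[-1] if dictionary else None,
        "matches": int(m.group(2)) if m else 0,
        "threshold": int(m.group(3)) if m else 0,
    }


def blocked_dlp_events(lines):
    """Keep only events where the sensor threshold was met and traffic was blocked."""
    return [s for s in map(dlp_summary, lines)
            if s["action"] == "block" and s["matches"] >= s["threshold"] > 0]
```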
