Policies

FortiInsight policies inspect incoming events in real time as they arrive from endpoints. A policy has a set of criteria that FortiInsight compares to incoming events and raises an alert if an event matches the criteria.

You can set up policies to tell FortiInsight when you want to be notified about particular activities. The alerts page shows you all alerts that have been generated based on policies that you have built.

You can create an unlimited number of policies. You can see the status of policies (active or inactive) in the policy list without having to view the details of each policy.

Creating a policy

  1. Go to Policy > Settings.
  2. Click New.
  3. Set a policy name, description, and severity level.
  4. In the Policy to build section, enter criteria for the policy.
  5. If you require immediate notifications about the policy, enter an email address in the Emails to notify field.

The following image shows the New Policy screen.

Editing a policy

  1. Click on a policy.
  2. Edit the search criteria that apply to the policy.
  3. To save your changes, click Update Policy.

Retrospective policy breaches

At the bottom of a policy page, FortiInsight shows the number of previous alerts that would have been triggered by the policy rules, based on your FortiInsight data to date.

To see the events that would have triggered alerts, navigate to a Threat Hunting page, where the policy details are prefilled in the search bar.

The following image shows an example of the retrospective policy breaches message:
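The two ideas above, a policy as a set of criteria evaluated against each incoming event (with a severity, framework and label tags, and an email to notify, as in the Creating a policy steps) and the same rules replayed over stored events to count retrospective breaches, can be illustrated with a small policy engine. This is an added example written for this page, not FortiInsight's own code or its query language: the event fields, the `is`/`contains` operators, the framework and label values, and the sample events are all constructed here.

```python
"""Toy policy engine (added illustration; not FortiInsight code).

A policy is a list of criteria; an event raises an alert when every
criterion matches. The same policy replayed over stored history gives
the retrospective breach count the page describes.
Event fields, operators and sample data are assumptions for this example.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]
# (field, operator, expected value); the operator set is an assumption.
Criterion = Tuple[str, str, str]

OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "is": lambda actual, expected: actual == expected,
    "contains": lambda actual, expected: expected.lower() in actual.lower(),
}


@dataclass
class Policy:
    name: str
    description: str
    severity: str                     # e.g. "low" / "medium" / "high"
    criteria: List[Criterion]
    active: bool = True               # inactive policies never alert
    frameworks: List[str] = field(default_factory=list)
    labels: List[str] = field(default_factory=list)
    emails_to_notify: List[str] = field(default_factory=list)


@dataclass
class Alert:
    policy: str
    severity: str
    event: Event


def matches(policy: Policy, event: Event) -> bool:
    """All criteria must hold; an event lacking a referenced field never matches."""
    for fld, op, expected in policy.criteria:
        actual = event.get(fld)
        if actual is None or not OPERATORS[op](actual, expected):
            return False
    return True


def evaluate(policies: List[Policy], event: Event,
             notify: Optional[Callable[[List[str], Alert], None]] = None) -> List[Alert]:
    """Real-time path: check one incoming event against every active policy."""
    alerts: List[Alert] = []
    for policy in policies:
        if not policy.active or not matches(policy, event):
            continue
        alert = Alert(policy.name, policy.severity, event)
        alerts.append(alert)
        if notify and policy.emails_to_notify:   # "Emails to notify" step
            notify(policy.emails_to_notify, alert)
    return alerts


def retrospective_breaches(policy: Policy, history: List[Event]) -> int:
    """Replay the rules over stored events: how many would have alerted."""
    return sum(1 for event in history if matches(policy, event))


# Constructed sample history (not real telemetry).
HISTORY: List[Event] = [
    {"user": "alice", "activity": "file_write",
     "resource": "C:\\Users\\alice\\Dropbox\\q3.xlsx", "process": "explorer.exe"},
    {"user": "bob", "activity": "file_write",
     "resource": "C:\\Users\\bob\\Documents\\notes.txt", "process": "notepad.exe"},
    {"user": "carol", "activity": "file_write",
     "resource": "D:\\Dropbox\\payroll.csv", "process": "explorer.exe"},
    {"user": "bob", "activity": "process_start",
     "resource": "", "process": "powershell.exe"},
]

# Policy name taken from the page's list; its criteria, tags and address are made up.
CLOUD_BACKUP = Policy(
    name="Files Backed up to Cloud",
    description="File written into a cloud-sync folder",
    severity="medium",
    criteria=[("activity", "is", "file_write"), ("resource", "contains", "dropbox")],
    frameworks=["example-framework"],
    labels=["cloud-sync"],
    emails_to_notify=["soc@example.com"],
)


def run_demo() -> dict:
    """Retrospective count over HISTORY, then one live event through evaluate()."""
    sent: List[Tuple[Tuple[str, ...], str]] = []
    history_hits = retrospective_breaches(CLOUD_BACKUP, HISTORY)
    live_event: Event = {"user": "dave", "activity": "file_write",
                         "resource": "C:\\Users\\dave\\Dropbox\\plan.docx",
                         "process": "explorer.exe"}
    alerts = evaluate([CLOUD_BACKUP], live_event,
                      notify=lambda to, a: sent.append((tuple(to), a.policy)))
    return {"retrospective": history_hits, "live_alerts": len(alerts), "notifications": sent}


if __name__ == "__main__":
    print(run_demo())
```

Two of the four stored events satisfy both criteria, so the retrospective count is 2 before the policy has ever alerted live; the live event then produces one alert and one notification. Note that `matches` treats a missing field as a non-match rather than an error, which is the conservative choice when endpoints send heterogeneous events.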

Frameworks and labels

If a policy is relevant to one or more compliance frameworks, you can assign compliance frameworks to the policy when you create it.

The Framework column shows all of the compliance frameworks that are associated with a policy. You can use labels in a similar way to mark particular types of activity. The Label column shows all labels that are associated with a policy.

The following image shows an example of the Framework and Label columns.

Out-of-the-box policies

FortiInsight comes with several policies. You can use these policies as they are, modify them to suit your requirements, or use them as a base for creating your own policies.

The following image shows the policies that FortiInsight comes with:

Note that the following out-of-the-box policies from FortiInsight 5.2.0 have moved from Policies and are now part of the default collections on the Threat Hunting page (Threat Hunting > Collections):

  • Browser Download
  • Browser Upload
  • Files Backed up to Cloud
  • Outlook Upload
  • Outlook Download