Assign confidence levels in FortiGuard managed DLP dictionaries
Users can select a FortiGuard dictionary with varying confidence levels based on their specific requirements.
-
The high level provides maximum precision to minimize false positives.
-
The medium level balances match quantity and precision.
-
The low level captures the most matches, but may result in more false positives.
A valid DLP license is required to obtain the latest package. When applying a FortiGuard built-in dictionary to a custom sensor, the dictionary with the highest confidence level is selected by default. |
Use case examples
In these use case examples, various Canadian Social Insurance Number (SIN) formats are tested at different confidence levels using different protocols.
|
Low Confidence |
Medium Confidence |
High Confidence |
---|---|---|---|
SIN format |
Matching criteria: regular expression, data validation |
Matching criteria: regular expression, data validation SIN format validation |
Matching criteria: regular expression, data validation, SIN format validation, Match-around data |
815489034 |
match |
does not match |
does not match |
193849270 |
match |
match |
does not match |
sin# 193849270 |
match |
match |
match |
To verify that a FortiGuard dictionary with the low confidence level will block matching message through an HTTPS post:
-
Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (
fg-can-natl_id-sin-dict
) DLP dictionary with the Confidence level set to Low and then use the profile in a policy. -
Test that an HTTPS message containing a SIN is blocked. DLP Test > HTTPS Post can be used to send a test message:
The message is blocked:
-
Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-low dictionary.
-
Check the raw logs:
1: date=2024-05-29 time=16:55:27 eventtime=1717026926501493215 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="vdom1" ruleid=1 rulename="sensor_can_sin_low" dlpextra="Sensor 'sensor_can_sin_low' matching any: ('g-fg-can-natl_id-sin-dict-low'=1) >= 1; match." filtertype="sensor" filtercat="message" severity="medium" policyid=1 poluuid="a084e3dc-1d48-51ef-5286-940d89557186" policytype="policy" sessionid=64304 epoch=2100732550 eventid=1 srcip=10.1.100.241 srcport=34184 srccountry="Reserved" srcintf="port2" srcintfrole="undefined" srcuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" dstip=35.209.95.242 dstport=443 dstcountry="United States" dstintf="port1" dstintfrole="undefined" dstuuid="5a9d01f6-1d48-51ef-1c5f-c5a49f106988" proto=6 service="HTTPS" filetype="N/A" direction="outgoing" action="block" hostname="dlptest.com" url="https://dlptest.com/https-post/" agent="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36" httpmethod="POST" referralurl="https://dlptest.com/https-post/" profile="customer_can_sin"
To verify that a FortiGuard dictionary with medium confidence level will block matching message through a FTPS post:
-
Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (
fg-can-natl_id-sin-dict
) DLP dictionary with the Confidence level set to Medium and then use the profile in a policy. -
Test that posting a file that contains
193849270
is blocked. -
Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-med dictionary.
-
Check the raw logs:
1: date=2024-09-25 time=12:25:59 eventtime=1727292359601830454 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="sensor_can_sin_med" dlpextra="Sensor 'sensor_can_sin' matching any: ('fg-can-natl_id-sin-dict-med'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=3 poluuid="b95909fe-7ac4-51ef-736b-ed6723925bc6" policytype="policy" sessionid=1263148728 epoch=805294546 eventid=0 srcip=10.45.1.41 srcport=48609 srccountry="Reserved" srcintf="port6" srcintfrole="undefined" dstip=10.40.1.226 dstport=6223 dstcountry="Reserved" dstintf="port1" dstintfrole="undefined" proto=6 service="FTPS" filetype="unknown" direction="outgoing" action="block" filename="can_sin_med.txt" filesize=12 profile="default"
To verify that the FortiGuard dictionary with a high confidence level will block matching message through an SMTP post:
-
Configure a DLP profile with a DLP sensor that uses the Canadian SIN card dictionary (
fg-can-natl_id-sin-dict
) DLP dictionary with the Confidence level set to High and then use the profile in a policy. -
Test that sending email with an attached file that contains
sin# 193849270
is blocked. -
Go to Log & Report > Security Events and view the Data Loss Prevention logs matching the can-natl_id-sin-dict-high dictionary.
-
Check the raw logs:
1: date=2024-09-25 time=13:11:00 eventtime=1727295059589158625 tz="-0700" logid="0954024576" type="utm" subtype="dlp" eventtype="dlp" level="warning" vd="root" ruleid=1 rulename="sensor_can_sin_high" dlpextra="Sensor 'sensor_can_sin' matching any: ('fg-can-natl_id-sin-dict-high'=1) >= 1; match." filtertype="sensor" filtercat="file" severity="medium" policyid=3 sessionid=168480999 epoch=1488425925 eventid=2 srcip=10.40.1.229 srcport=0 srccountry="Reserved" srcintf="unknown-0" srcintfrole="undefined" dstip=52.96.166.82 dstport=587 dstcountry="United States" dstintf="unknown-0" dstintfrole="undefined" proto=6 service="SMTPS" filetype="unknown" direction="outgoing" action="block" from="annasundayhi@outlook.com" to="annasundayhi@outlook.com" sender="annasundayhi@outlook.com" recipient="annasundayhi@outlook.com" subject="718485" attachment="yes" filename="can_sin_high.txt" filesize=15 profile="default"