Threat Detection Policy

Threat Detection - User Activity Policy

User Activity policies track suspicious user behavior. For example, if a user fails to enter his or her password correctly multiple times in a row and you have the "Excessive Login Failures" policy enabled, FortiCNP will send you an alert.

To access User Activity policies, go to POLICIES > Threat Detection > User Activity tab from the navigation pane.

Access

Policy Name                    Description
Excessive Login Failures       Triggers an alert when the number of failed logins for a user exceeds a set threshold.
Password Change                Triggers an alert when passwords are changed.
Suspicious Movement            Triggers an alert when a change in a user's geographic location exceeds threshold parameters.

Suspicious Activity

Policy Name                    Description
Restricted User Activity       Triggers an alert when a monitored user performs select activities.
Suspicious Time                Triggers an alert when there is activity outside of work hours.
Suspicious Location            Triggers an alert when there is activity from suspicious locations.

Sensitive Activity

Policy Name                    Description
Excessive Event                Triggers an alert when the occurrence of a selected event exceeds a threshold.
Ransomware Behavior Detection  Triggers an alert when a directory's file(s) have been replaced.
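The two policies most easily illustrated in code are "Excessive Login Failures" (a per-user count of failed logins inside a time window) and "Suspicious Time" (any activity outside work hours). The script below is an added example, not FortiCNP's own detection logic: the event format, field names, the 5-failures-in-300-seconds threshold and the 08:00 to 18:00 work window are all assumptions, and the audit events are constructed sample data.

```python
"""Added example: threshold-style User Activity checks over constructed events.

Not FortiCNP code. Event fields (ts, user, action, result), the thresholds and
the work-hours window are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, time

# Constructed sample audit events (illustrative only, not real FortiCNP data).
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:05Z", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:00:40Z", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:01:15Z", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:01:50Z", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:02:10Z", "user": "alice", "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:05:00Z", "user": "bob",   "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:06:00Z", "user": "bob",   "action": "login", "result": "failure"},
    {"ts": "2024-03-04T09:06:30Z", "user": "bob",   "action": "login", "result": "success"},
    {"ts": "2024-03-04T02:30:00Z", "user": "carol", "action": "login", "result": "success"},
]


def parse_ts(ts):
    """Parse the assumed ISO-8601 'Z' timestamp format used by the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def excessive_login_failures(events, threshold=5, window_seconds=300):
    """Return (user, ts) alerts when a user reaches `threshold` failed logins
    inside a sliding window of `window_seconds`.

    The user's window is cleared after an alert so one burst of failures
    produces a single alert instead of one alert per additional failure.
    """
    windows = defaultdict(deque)   # user -> timestamps of recent failures
    alerts = []
    # Process in time order so the sliding window is well defined.
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["action"] != "login" or ev["result"] != "failure":
            continue
        now = parse_ts(ev["ts"])
        win = windows[ev["user"]]
        # Evict failures that have aged out of the window.
        while win and (now - win[0]).total_seconds() > window_seconds:
            win.popleft()
        win.append(now)
        if len(win) >= threshold:
            alerts.append((ev["user"], ev["ts"]))
            win.clear()
    return alerts


def suspicious_time(events, work_start=time(8, 0), work_end=time(18, 0)):
    """Return every event whose time of day falls outside [work_start, work_end).

    Assumption: timestamps are already expressed in the organisation's local
    time; in practice you would convert per user or per region first.
    """
    flagged = []
    for ev in events:
        t = parse_ts(ev["ts"]).time()
        if not (work_start <= t < work_end):
            flagged.append(ev)
    return flagged


if __name__ == "__main__":
    for user, ts in excessive_login_failures(SAMPLE_EVENTS):
        print(f"Excessive Login Failures: {user} at {ts}")
    for ev in suspicious_time(SAMPLE_EVENTS):
        print(f"Suspicious Time: {ev['user']} {ev['action']} at {ev['ts']}")
```

With the sample data, alice's five failures inside 125 seconds raise one alert at the fifth failure, bob's two failures stay under the threshold, and carol's 02:30 login is the only event outside the work window. Lowering the threshold to 2 shows why the window is cleared after an alert: alice's burst then yields two alerts rather than four.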

Threat Detection - Network Policy

Network policies focus on network security, including monitoring of botnet activity and of inbound traffic on services and ports such as SSH, SMTP and FTP.

To access network policies, go to POLICIES > Threat Detection > Network tab.

For a tutorial and examples on configuring Threat Detection Policies, see Predefined Policy Configuration.
