Anthony_E
Staff
November 4, 2024

Technical Tip: Why the Action timestamp precedes the Detection(s) when enabling Grouping in Policy

Description
This article describes why the Action timestamp precedes the Detection(s) when enabling Grouping in Policy.

Scope
FortiDLP.
Solution

Policy:

Policies that can raise many detections from a single user activity are best served by grouping, which avoids generating one detection per event. One such policy is the out-of-box "Sensitive file written to a USB storage device" policy: copying a folder to a USB drive produces one file-write event per file, and without grouping each of those would become its own detection.


The Group Inactivity Limit is the number of seconds that must pass with no new event meeting the detection criteria. Every new matching event (for example, another file written) resets the inactivity timer and the count starts again. The grouped detection is raised only once the inactivity limit is reached or the Maximum Group Duration (minutes), measured from the first event in the group, expires, whichever comes first. The detection timestamp therefore reflects the moment the group closed, not the moment the first file was written.

 

Action(s):

Any actions configured in the policy are triggered at the time of each event itself, not at the time the grouped detection is finally raised. This is why the Action timestamp precedes the Detection timestamp: the first action fires on the first file write, while the detection is only created when the group closes. Actions continue to be triggered for each subsequent event in the group, subject to any rate limiting configured for the action.
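The following is an added illustrative model of the grouping and action timing described above (example code written for this article, not FortiDLP's own implementation). It replays a constructed list of event timestamps through the two closing conditions (Group Inactivity Limit and Maximum Group Duration), fires actions per event under a simple rate limit, and reports how far the first action precedes each detection. The boundary rule (an event joins a group only if it arrives strictly before that group's close time) and the rate-limit semantics are assumptions of this model.

```python
"""Illustrative model of policy grouping: events are grouped, the grouped
detection is raised when the inactivity limit elapses after the last event or
the maximum duration elapses after the first event (whichever is earlier), and
actions fire per event. Added example; not FortiDLP code."""

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Group:
    event_times: List[float] = field(default_factory=list)   # seconds
    action_times: List[float] = field(default_factory=list)  # seconds
    detection_time: Optional[float] = None                   # seconds

    @property
    def first_event(self) -> float:
        return self.event_times[0]

    @property
    def last_event(self) -> float:
        return self.event_times[-1]


def close_time(group: Group, inactivity_limit_s: float, max_duration_s: float) -> float:
    """Earliest time at which the group closes and its detection is raised."""
    return min(group.last_event + inactivity_limit_s,
               group.first_event + max_duration_s)


def group_events(event_times, inactivity_limit_s, max_duration_min,
                 action_rate_limit_s=0.0) -> List[Group]:
    """Replay timestamped events (seconds, any order) through the grouping model.

    Assumption of this model: an event joins the open group only if it arrives
    strictly before that group's close time; otherwise the group has already
    closed and the event opens a new group. Actions fire with each event unless
    suppressed by the rate limit (minimum seconds between two actions)."""
    max_duration_s = max_duration_min * 60.0
    groups: List[Group] = []
    current: Optional[Group] = None
    last_action: Optional[float] = None

    for t in sorted(event_times):
        # Close the open group if this event falls after its close time.
        if current is not None and t >= close_time(current, inactivity_limit_s, max_duration_s):
            current.detection_time = close_time(current, inactivity_limit_s, max_duration_s)
            current = None
        if current is None:
            current = Group()
            groups.append(current)
        current.event_times.append(t)
        # The action fires at the event time, not at the detection time.
        if last_action is None or t - last_action >= action_rate_limit_s:
            current.action_times.append(t)
            last_action = t

    # No further events: the last group closes on its own timer.
    if current is not None:
        current.detection_time = close_time(current, inactivity_limit_s, max_duration_s)
    return groups


def action_lead_seconds(group: Group) -> Optional[float]:
    """Seconds by which the first action precedes the detection (None if
    every action in the group was suppressed by rate limiting)."""
    if not group.action_times:
        return None
    return group.detection_time - group.action_times[0]


if __name__ == "__main__":
    # Constructed timeline: five file writes, 60 s inactivity limit,
    # 5 min maximum duration, one action at most every 30 s.
    writes = [0, 20, 45, 200, 230]
    for i, g in enumerate(group_events(writes, 60, 5, action_rate_limit_s=30), 1):
        print(f"group {i}: events={g.event_times} actions={g.action_times} "
              f"detection={g.detection_time} lead={action_lead_seconds(g)}s")
```

With the constructed timeline the first group (writes at 0, 20 and 45 s) closes 60 s after its last write, so its detection carries timestamp 105 while its first action carries timestamp 0; the gap is the inactivity limit plus the spread of the events, which is exactly the discrepancy this article explains. The second test below shows the other closing condition: a steady stream of writes every 30 s never lets the inactivity timer expire, so the group is cut by the maximum duration instead.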