Forticasb-20 3 0-Admin - Guide


FortiCASB - Admin Guide

Version 20.3.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE
https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT
https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM
https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT
https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

July 1, 2020
FortiCASB 20.3.0 Admin Guide
00-400-000000-20181031
TABLE OF CONTENTS

Change Log 9
What's New 10
Introduction 11
Features 12
Visibility 12
Data security and threat protection 12
Compliance 12
Basic Setup 13
Introduction 13
First Time Setup 13
Add Company 14
Add Business Units 15
Create Business User 16
Add Business Users 16
Business User Login 19
View or Remove Business User 19
View or Remove Business User from Default Business Unit 19
View or Remove Business User from Multiple Business Unit 20
Installing SAAS applications 23
Salesforce 23
Office 365 25
Prerequisites 25
Office 365 Account and License 25
Activate Office 365 Account Audit Log 28
Add Office 365 Account 29
Manually Activate Sites Collection 32
Box 34
Dropbox Business 35
Google Drive 36
Prerequisites 36
Create Google Service Account 37
Enable Google Drive API & Authorize Client ID 42
Add Google Drive Account 43
General 45
Reports 45
C-Level Report 45
Compliance Report 46
Customized Compliance Report 47
Alert Report 48
Activity Report 52
Shadow IT 54
Audit log 54

FortiCASB 20.3.0 Admin Guide 3


Fortinet, Inc.
Access Logs 55
Event list 55
Salesforce 55
Office 365 57
Box 58
Dropbox Business 59
Google Drive 61
Shadow IT discovery 62
Data pattern 70
Generate Credential 70
Application Specific Features 72
Discovery 72
Administrative Privileges 74
Documents 75
Policy 76
Data Analysis 76
Threat Protection 80
Compliance Policy 81
Customized Policy 82
Policy Configuration 83
Data Analysis Policy Configuration 87
Threat Protection Policy Configuration 90
Compliance Policy Configuration 108
Alert 120
Activity 121
AV Scan and File Quarantine 122
File Quarantine and Notification Configuration 122
File Quarantine Directory 124
Yammer Integration Features 126
Prerequisites 128
Enforce Office 365 Identity in Yammer 129
Yammer License Verification 132
Yammer File Path 134
FortiCASB APIs 136
Request Authorization Methods 136
1. Client Credential 136
2. Username and Password 136
3. Refresh Token 136
Fabricate Request Header and Body 137
Send Request 137
REST API Response 138
API Throttling 138
Get Authorization Token 138
Description 138
Method: POST 138

Request Header 138
Request Body Parameters 139
Sample Request 139
Response Variable 139
Sample Response 139
Get Credentials Token 140
Description 140
URL 140
Method: POST 140
Request Header 140
Get Refresh Token 141
Description 141
URL 141
Method: POST 141
Request Header 141
Request Body Parameters 142
Sample Request 142
Response Variable 142
Sample Response 142
Get Resource Map 143
Description 143
URL 143
Method: GET 143
Request Header 143
Sample Request 143
Response Variable 143
Sample Response 144
Get Alert List 144
Description 144
URL 145
Request Method: Post 145
Request Header 145
Request Body Parameters 145
Sample Request 146
Response Variable 147
Sample Response 148
Get Business Unit Info 150
Description 150
URL 150
Method: Get 150
Request Header 150
Sample Request 150
Response Variable 151
Sample Response 151
Get Country List 151
Description 151
URL 152
Method: GET 152

Request Header 152
Sample Request 152
Response Variable 152
Sample Response 152
Get Dashboard Risk 153
Description 153
URL 153
Method: Post 153
Request Header 153
Request Body Parameter 154
Sample Request 154
Response Variable 154
Sample Response 154
Get Dashboard Statistics 156
Description 156
URL 156
Method: POST 156
Request Header 156
Request Body Parameters 157
Sample Request 157
Request Variable 157
Get Dashboard Summary 160
Description 160
URL 160
Method: Get 160
Request Header 160
Sample Request 161
Response Variable 161
Sample Response 161
Get Dashboard Usage 161
Description 161
URL 162
Method: Post 162
Request Header 162
Request Body Parameters 162
Sample Request 162
Response Variable 163
Sample Response 163
Get Event 164
Description 164
URL 164
Method: Get 164
Request Header 164
Sample Request 164
Response Variable 165
Sample Response 165
Get Filter List 166
Description 166

URL 166
Method: Get 166
Request Header 166
Sample Request 166
Sample Response 167
Get Policy List 167
Description 167
URL 168
Method: Get 168
Request Header 168
Sample Request 168
Get Service History 169
Description 169
URL 169
Method: GET 169
Request Header 169
Sample Request 170
Response Variable 170
Sample Response 170
Get Service Status 171
Description 171
URL 172
Method: Get 172
Request Header 172
Sample Request 172
Response Variable 172
Sample Response 173
Get Severity 174
URL 175
Method: GET 175
Request Header 175
Sample Request 175
Response Variable 175
Sample Response 175
Get Status 176
Description 176
URL 176
Method: Get 176
Request Header 176
Sample Request 176
Response Variable 176
Sample Response 177
Get User List 177
Description 177
URL 177
Method: Get 177
Request Header 177
Sample Request 178

Response Variable 178
Sample Response 179
Troubleshooting 181
Getting Started Issues 182
New account with No License Error 182
Renew License error 183
Salesforce 183
OAuth Request errors 183
Office 365 185
Add Site Collection Admin errors 185
Add Users errors 185
Add Groups errors 185
Dropbox Business 187
OAuth Request error 187
Google 188
Google Drive connection errors 188


Change Log

Date          Change Description

07/01/2020    FortiCASB 20.2 Handbook release. Cloud Account Activity and Alert Reports are now available for export from Reports.

04/03/2020    FortiCASB 20.1 Handbook release. FortiCASB REST API reference added and Compliance Report feature upgraded in this revision.

09/07/2019    FortiCASB 4.2 Handbook release. IAAS applications and features migrated to FortiCWP.

04/05/2019    FortiCASB 4.1 Handbook release. Revised Getting Started documentation for Basic Setup and Install IAAS applications. Added documentation for Topology, Resource, Resource Profile, and Traffic. Configuration merged into Risk Assessment.

01/08/2019    FortiCASB 2.1 Handbook. First edition. Changed the EU users IP address from 52.59.74.73 or 18.195.109.67 to 34.254.217.50 or 52.18.7.98, in the section "Shadow IT discovery".


What's New

FortiCASB 20.3.0 Release Highlights

• Office 365 accounts have a new Yammer Integration feature that gives cloud account admins the ability to monitor and inspect files posted by users within the same organization. See Yammer Integration Features on page 126.
• Anti-Virus Scan now supports all file types for all cloud accounts. Any new files uploaded to any FortiCASB supported cloud account will be scanned for viruses and malware.
• A new File Quarantine feature is now available with the Anti-Virus scan: files infected by a virus or malware are removed and relocated to a quarantine folder. For more details, see AV Scan and File Quarantine on page 122.
(Note: Salesforce accounts will not have the file quarantine implementation in this release as Salesforce is undergoing a file handling mechanism upgrade.)


Introduction

Welcome, and thank you for selecting FortiCASB for your cloud security and monitoring needs.
FortiCASB is Fortinet's cloud-native Cloud Access Security Broker (CASB) service, which provides visibility,
compliance, data security, and threat protection for cloud-based services. Using direct API access, FortiCASB
enables deep inspection and policy management for data stored in cloud application platforms. It also provides
detailed user analytics and management tools to ensure that policies are enforced and that your organization’s
data is secure.
FortiCASB works by focusing on Gartner's four pillars of security: visibility, compliance, data security, and threat
protection.
• Visibility—Visibility is one of the most important aspects of cloud security. FortiCASB uses a series of methods such as data scans and analytics to answer the questions: who accessed information, what was accessed, when it was accessed, and from where did the access originate.
• Compliance—FortiCASB provides file content monitoring to find and report on regulated data in the cloud.
• Data security—FortiCASB runs scans to check for sensitive data, such as social security numbers or credit card numbers. It then classifies this data under different levels of sensitivity and sends different alerts depending on the sensitivity level of the data accessed.
• Threat protection—FortiCASB uses User Entity Behavior Analytics to watch for suspicious or irregular user behavior. It also sends out alerts for malicious behavior.


Features

FortiCASB comes with a series of features that give you visibility of data access and usage, control over data
security and threat protection, and peace of mind over compliance with standards and federal regulations.

Visibility

• Automatic on-demand data scan—FortiCASB examines existing content in all folders to identify sensitive data subjects or security policies.
• Cloud usage analytics—FortiCASB visually summarizes key usage statistics, including trends over different time periods as well as drilldown, access count, and usage over time.
• User entitlements review—FortiCASB gives visibility of privileged users, dormant users, and external users.
• File exposure—FortiCASB highlights the most shared files overall, as well as each user's most shared files.

Data security and threat protection

• Cloud data loss prevention—FortiCASB enforces DLP policies based on data identifiers, keywords, and regular expressions for data both at rest and in traffic.
• Threat detection—FortiCASB offers an abundant number of out-of-the-box policies to immediately detect account-centric threats.
• Malware detection—FortiCASB features a malware detection policy to detect malicious files before they compromise sensitive data.
• Geo-location analytics—FortiCASB visualizes global access patterns and analyzes activity to identify unlikely cross-region access attempts indicative of compromised accounts.
• Shadow IT discovery—FortiCASB offers an overview of unsanctioned cloud applications used in the organization and gives users the ability to control application usage.
• Configuration assessment—FortiCASB offers a large number of out-of-the-box policies for automated validation of best security practices against your cloud storage account.

Compliance

• Predefined compliance policies—FortiCASB provides predefined compliance policies designed to help maintain compliance with ISO 27001, NIST 800-53 V4, and NIST 800-171 regulations.
• Compliance report—FortiCASB can produce compliance reports for audit purposes. These reports show compliance with ISO 27001, NIST 800-53 V4, and NIST 800-171 regulations.


Basic Setup

This chapter provides the procedures for getting started with FortiCASB.

Introduction

FortiCASB account permissions can have one of three levels:


• Administrator—Administrators have full permissions, including the ability to create/access/assign companies and organizations.
• Business users with full access—Business users from FortiCare who have been granted full access also have full permissions, including the ability to create/access/assign companies and organizations.
• Business users with limited access—Business users from FortiCare who have been granted limited access can only view companies they are a part of.
If you are an administrator, continue below.
If you are a business user with limited access, and not an administrator in charge of setup or a user with full access, skip to Business User Login on page 19.

FortiCASB requires different setup procedures, depending on your organization's hierarchy and needs. A
company with a branched hierarchy, such as a company with multiple branch offices or a compartmentalized
organizational structure, will have different requirements than a company with only one unified office.

First Time Setup

To set up your FortiCASB for the first time, you or your organization must have the following in place:
• A valid FortiCASB license. Contact your primary Fortinet Service Provider to obtain a license if you do not already have one.
• An administrator with a Master FortiCare account to add your company, business units, and users in FortiCASB.

In accordance with European Union laws and regulations, all data that FortiCASB collects for European Union (EU) companies must be located in the EU region. To accommodate this, you can choose to host your CASB cloud service either on the Global site or the EU site.

1. Open your web browser, and go to https://www.forticasb.com/
2. Click Login.
You will be redirected to the Fortinet single sign-on webpage.
3. Log into your admin account, or create a new admin account if you do not already have one.
4. Log into FortiCASB with your account.
5. On the FortiCASB account selection page, select an account (if applicable).
You are now redirected to FortiCASB's company selection page. Proceed to Add Company on page 14 to add a company to the account.

If you have a pop-up blocker, it will block the FortiCASB GUI. Set an exception for the FortiCASB GUI, or open the GUI manually.

Add Company

After selecting a region, the company selection screen will be displayed.


1. Log into FortiCASB: https://www.forticasb.com with your Master FortiCARE account if you are not already logged in.
2. Once logged in, the Company/Business unit Management dashboard will appear.
3. Click Add new company+ on the left-hand side.
4. Specify a unique company name, and add a brief description. Then click Add Company.
After a company is set up, proceed to Add Business Units on page 15 to add a business unit to the company.

Add Business Units

After creating a company, log into FortiCASB to add a business unit for the company by following these steps:
1. Log into FortiCASB: https://www.forticasb.com with your Master FortiCARE account.
2. Click +Add new Business unit from the Company/Business unit Management dashboard.
3. Under Basic Setting, enter a unique Unit Name based on your preference, and enter a user under Add User.
4. Click Add to complete adding the business unit.

Repeat this process to add additional business units if applicable.
After a business unit is set up, proceed to Add Business Users on page 16 to add business users to the business unit.
If there are no business users to add, first create them by following Create Business User on page 16.

Create Business User

Business users can be created to add to the business unit. A FortiCare master account owner can create a business user account and add the business user to the company and the business units in FortiCASB. To create a business user, follow these steps:
1. Log into FortiCARE: https://support.fortinet.com/Main.aspx.
2. Click the Account Management button in the upper right corner.
3. Click Manage User on the left-hand side; the list of users will be displayed.
4. Click the add user button on the right-hand side.
5. Fill in the user name, e-mail address, and phone number for the business user you would like to set up.
6. Select Full Access to grant the business user full permissions, including the ability to create/access/assign companies and business units.
7. Select Limited Access to only grant the business user basic access. Then click Save.
8. If Limited Access is selected, click Add More Products to select a license.
9. Click Save.
Repeat this process to create more business users.
After business user(s) are created, proceed to Add Business Users on page 16 to add the users to a business unit.

Add Business Users

A FortiCARE Master account holder or a full access user can add business users to business units. If there are no business users to add, first create them by following Create Business User on page 16.
1. Log into FortiCASB: https://www.forticasb.com with your master FortiCARE account.
2. At the FortiCASB Dashboard, click Switch Company at the top right-hand corner.
3. Click the target company on the left-hand side, then click Edit Business Unit.
4. The Business Unit Setting will pop up. If there are multiple business units in the same company, click the name of the business unit to which you want to add users.
5. Click the Add User field and select the business user to add.
6. Click Save to complete adding the user, then click Close.

Repeat this process to add more business users if applicable.
Now the business user(s) can log into the business unit with their account.

Business User Login

1. Go to www.forticasb.com.
2. Click Login.
3. Enter your credentials, and then select a FortiCASB user account (if applicable).
4. Select your company and business unit.

You will be brought to the FortiCASB dashboard. Click on the Switch Company icon to switch company,
if applicable.

If your account hasn't been assigned to a business unit, an error message will appear. Contact your administrator with the Master FortiCare account to add you to the business unit.

View or Remove Business User

The Business Unit Setting allows you to edit the users of a business unit. In the Business Unit Setting, the Business Unit ID is the request variable that you use when calling the FortiCASB REST APIs to retrieve detailed security information about the business unit.
There are two methods to view or remove business users under business unit(s) in FortiCASB.
The first method is to view or remove business users through the default business unit shown when you log into FortiCASB.
The second method is to view or remove business users from multiple business units under the same company.

View or Remove Business User from Default Business Unit

1. Log into FortiCASB with your master FortiCARE account.

2. At the Dashboard page, click on Business Unit Setting at the top right hand corner.


3. Business Unit Setting will pop up and show all the business users in the Add User field.
The Unit ID is the Business Unit ID (BuId).

4. To remove a business user, click X next to the business user to remove.


5. Click Save to complete the changes.

View or Remove Business User from Multiple Business Unit

1. Log into FortiCASB with your master FortiCARE account.

2. At the Dashboard page, click on Switch Company at the top right hand corner.


3. In the Company/Business unit Management Dashboard, click Edit Business Unit.
4. Business Unit Setting will pop up and show all business users in the Add User field.
The Unit ID is the Business Unit ID (BuId).
5. To remove a business user, click X next to the business user to remove.
6. Click Save to complete the changes.

To view or remove users from a different business unit, click the other business unit(s) underneath and repeat steps 5-6.


Installing SAAS applications

Both administrators and users can add SaaS applications to a company. Once added, all users in the company
can view the cloud application.

Salesforce

FortiCASB offers an API-based approach, pulling data directly from Salesforce via RESTful API. Authentication is done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following editions (the API is enabled by default):
• Enterprise Edition
• Unlimited Edition
• Developer Edition
• Performance Edition
The user account installed in FortiCASB must have the following permissions:
• View All Data
• View All Users
• API Enabled
You may either use an existing account or create a new account. If you create a new account, wait at least 24 hours for the new account to take effect before granting access to FortiCASB.

The following features require "Manage Users" permission as well:
• User login tracking
• User IP address tracking
• Geographical location tracking
• User password change tracking
Without "Manage Users" permissions, FortiCASB cannot obtain user login IPs. Therefore, any user activity will not appear on the Activity map.


Installation

1. From the menu on the left-hand side, select Overview > Dashboard.
2. From the Cloud App Status widget, click ADD, located next to Salesforce.

3. Click OK.
You will be navigated to the Salesforce website for authentication.
If you have a custom Salesforce domain, enter it here.

4. Log in to authenticate.
Salesforce will prompt you to allow or deny access.
5. Click Allow to grant FortiCASB permissions to monitor your Salesforce application.
After you click Allow, you will be redirected back to the FortiCASB dashboard.


You can check the installation result and SaaS platform monitoring status in the Salesforce dashboard.

For more information on common installation issues, see "Troubleshooting on page 181".

Office 365

FortiCASB offers an API-based approach. It monitors Office 365 activity by using web notification and by
pulling data directly from Office 365 via RESTful API. Authentication is done through OAuth2.0. FortiCASB
uses an access token for API queries.

Prerequisites

There are two prerequisites to set up in your Office 365 account before you can add the account to FortiCASB. Follow the steps below.

1. Office 365 Account and License on page 25 - Create an Office 365 account with the Global Administrator role.
2. Activate Office 365 Account Audit Log on page 28 - Enable the Office 365 Audit Log to record user activities of the Office 365 account.
3. Add Office 365 Account on page 29 - Activate site collection by adding the Office 365 account to FortiCASB.

Office 365 Account and License

You may use an existing account or create a new account. If you create a new account, wait for at least 24 hours for the new account to take effect before granting access to FortiCASB. If you already have an Office 365 license, see Determine the type of Office 365 license on page 26 to determine the type of Office 365 license you have.

License Requirement

Make sure your Office 365 account license plan includes Active Directory integration. FortiCASB requires Active Directory support for most of its features. The following Office 365 licenses support Active Directory integration:
• Office 365 Business
• Office 365 Business Essentials
• Office 365 Business Premium
• Office 365 ProPlus
• Office 365 Enterprise E1
• Office 365 Enterprise E3
• Office 365 Enterprise E5
• Office 365 Enterprise K1

Lastly, make sure the role you use to add the Office 365 account on FortiCASB is Global Administrator and you have an AzureAD Premium P2 license (optional).
Without the AzureAD "Premium P2" license, FortiCASB's Discovery feature cannot see user entitlements. All other functions on FortiCASB will not be affected. User Entitlements is simply a feature on FortiCASB that lets you see the roles and permissions that each user is entitled to. For more information on how to obtain an AzureAD Premium P2 license, go to:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-get-started-premium

You will also need to set up the AzureAD Privileged Identity Management application. For more information on how to do so, go to:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure.

Determine the type of Office 365 license

To determine what Office 365 license you have, follow the steps below:
1. Log into your Office 365 account: https://www.office.com/.
2. Click the Apps button, located in the top-left corner of your Office 365 home screen.
3. Select Admin.
4. Click the Settings button, located in the top-right corner of your Office 365 admin center.
5. Click Office 365, located under "Your app settings".
You will be redirected to your Office 365 Account page.
6. Click View Subscriptions from the list.
It will display your Office 365 license, along with your Azure Active Directory Premium P2 license, if you have purchased it.


Activate Office 365 Account Audit Log

The Office 365 audit log needs to be activated to record user and admin activities; this allows FortiCASB to monitor activities of the Office 365 account. It may take several hours after you turn on the audit log before FortiCASB receives the audit logs from your Office 365 account.
To enable this feature, follow the steps below:
1. Search for and click Security & Compliance from your Office 365 account portal screen.
2. Click Search > Audit log search from the menu on the left-hand side.
3. Click Turn on auditing.

Now you may activate site collection by adding the Office 365 account to FortiCASB.
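
To confirm from the command line that auditing is actually on and producing records before you add the account, the script below checks and enables the same setting through Exchange Online PowerShell. It is an added example, not part of the Fortinet guide; it assumes the ExchangeOnlineManagement module is installed, and the administrator account name is a placeholder.

```powershell
# Added example, not from the FortiCASB guide.
# Assumes the ExchangeOnlineManagement module is installed
# (Install-Module ExchangeOnlineManagement) and that the placeholder account
# below is allowed to read and change the organization's audit configuration.
$AdminUpn = 'admin@contoso.onmicrosoft.com'   # placeholder, replace with your admin account

Connect-ExchangeOnline -UserPrincipalName $AdminUpn -ShowBanner:$false

try {
    # Query Exchange Online, not Security & Compliance PowerShell: the latter
    # always reports UnifiedAuditLogIngestionEnabled as False.
    $config = Get-AdminAuditLogConfig

    if ($config.UnifiedAuditLogIngestionEnabled) {
        Write-Host 'Unified audit logging is already enabled.'
    }
    else {
        Write-Host 'Unified audit logging is disabled; enabling it now.'
        Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
    }

    # Check whether records from the last 24 hours are searchable yet.
    # Right after enabling, expect none: ingestion can take several hours.
    $end     = (Get-Date).ToUniversalTime()
    $start   = $end.AddHours(-24)
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end -ResultSize 1000

    if (-not $records) {
        Write-Warning 'No audit records found for the last 24 hours. Re-run later before relying on activity monitoring.'
    }
    else {
        # Summarize by record type to see which workloads are being logged.
        $records |
            Group-Object -Property RecordType |
            Sort-Object -Property Count -Descending |
            Select-Object -Property Count, Name |
            Format-Table -AutoSize
    }
}
finally {
    # Always close the session, even if a cmdlet above failed.
    Disconnect-ExchangeOnline -Confirm:$false
}
```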

Add Office 365 Account

The final step is to add the Office 365 account to FortiCASB to activate site collection. Follow the steps below.
1. Go to Overview > Dashboard.
2. From the Cloud App Status widget, click ADD, located next to Office 365.
3. You will be prompted to provide administrator credentials. These are used to automate adding the global administrator as the "site collection administrator" for the users under the administrator account. For more details, refer to https://docs.microsoft.com/en-us/sharepoint/manage-user-profiles
Note: The credentials are only used for a one-time configuration; FortiCASB will not store your Office 365 credentials.

Alternatively, if you don't want FortiCASB to audit your OneDrives, or want to install it manually, you can check "Prefer not to provide".

If you have a custom SharePoint homepage URL, you will have to allow collection manually. See Manually Activate Sites Collection on page 32.

4. Click OK.
You will be redirected to the Office 365 login screen.
5. After logging in, Office 365 will prompt you to accept FortiCASB access.
Note: FortiCASB requests only some, not all, of the permissions available to the global administrator user. Below is a list of permissions requested by FortiCASB.

Permissions requested by FortiCASB

Read and write files in all site collections

Read items in all site collections (preview)

Read files in all site collections

Read and write all users' full profiles

Read all users' full profiles

Read and write items in all site collections (preview)

Read all users' full profiles

Read all groups

Read and write all groups

Read directory data

Read and write directory data

Access directory as the signed in user

Read all files that user can access

Read items in all site collections

Read all groups

Read directory data

Read activity report for your organization

Read activity data for your organization

Sign in and read user profile

Read directory data

6. After you allow FortiCASB to access your Office 365 account, you will be redirected back to the FortiCASB dashboard.
You can check the installation result and SaaS platform monitoring status in the Office 365 dashboard. Notice that Add Sites Collection Admin is checked, indicating that FortiCASB can now audit your OneDrive data.

If you checked "Prefer not to provide" earlier during authentication, please refer to
Manually Activate Sites Collection on page 32 for more details.

Manually Activate Sites Collection

If you checked "Prefer not to provide" earlier during authentication to activate sites collection, FortiCASB is connected to the global administrator's Office 365 account with minimum access, and no OneDrive data is accessible by FortiCASB.
Follow these steps to make OneDrive data accessible:
1. Log into https://admin.microsoft.com/ using your global administrator account.
2. In the left pane, under Admin centers, select SharePoint.
3. After the SharePoint admin center opens, select Classic SharePoint admin center in the left pane.
4. In the Classic SharePoint admin center page, select User Profiles in the left pane.
5. In the User Profiles page, under the People category, select Manage User Profiles.
6. In the Find profiles box, enter a licensed user under the global account administrator and click Find.
7. Right-click the account name and select Manage site collections owners.
8. In the field for Site Collection Administrators, add the global administrator account's user name or e-mail address and press Enter.
9. Click the Ok button to complete adding the global administrator as one of the site collection administrators.


Box

FortiCASB offers an API-based approach, pulling data directly from Box via RESTful API. Authentication is done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following editions (the API is enabled by default):
• Business Edition
• Enterprise Edition
• Developer Edition
The user account installed in FortiCASB must have the following permissions:
• Read and write all files and folders stored in Box
• Manage users
• Manage groups
• Manage enterprise properties
You may either use an existing account or create a new account. If you create a new account, wait at least 24 hours for the new account to take effect before granting access to FortiCASB.

The following features require "Admin User" permission as well:
• User login tracking
• User IP address tracking
• Geographical location tracking
• User password change tracking
• Change admin role tracking
Without "Admin User" permissions, FortiCASB cannot obtain user login IPs. Therefore, any user activity will not appear on the Activity map.

Installation

1. From the menu on the left-hand side, select Overview > Dashboard.
2. From the Cloud App Status widget, click ADD, located next to Box.


3. Click OK.
You will be navigated to the Box website for authentication.

4. Log in to authenticate.
Box will prompt you to allow or deny access.

5. Click Allow to grant FortiCASB permissions to monitor your Box application.

After you click Allow, you will be redirected back to the FortiCASB dashboard.
You can check the installation result and SaaS platform monitoring status in the Box dashboard.

For more information on common installation issues, see Troubleshooting on page 181.

Dropbox Business

FortiCASB offers an API-based approach, pulling data directly from Dropbox via RESTful API. Authentication is
done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following Dropbox Business plans:
• Standard Plan
• Advanced Plan
• Enterprise Plan
The user account installed in FortiCASB must have the following permission:


• Team Admin
You may either use an existing account or create a new account.

Installation

1. From the menu on the left-hand side, select Overview > Dashboard.
2. From the Cloud App Status widget, click ADD, located next to Dropbox.

3. Click OK. You will be navigated to the Dropbox website for authentication.


4. Log in to authenticate. Dropbox will prompt you to allow or deny access.
5. Click Allow to grant FortiCASB permissions to monitor your Dropbox application.
After you click Allow, you will be redirected back to the FortiCASB dashboard.
You can check the installation result and SaaS platform monitoring status in the Dropbox dashboard.

For more information on common installation issues, see Troubleshooting on page 181.

Google Drive

FortiCASB offers an API-based approach, pulling data directly from Google Drive via RESTful API.
Authentication is done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following editions (the API is enabled by
default):


• Business Edition
• Enterprise Edition

The user account installed in FortiCASB must be a Super Administrator in your G Suite account. For steps on
how to check if your account is a Super Administrator, see Google Drive connection errors on page 188.

Due to Google requirements, only G Suite accounts with a business or enterprise license can use
FortiCASB. G Suite accounts with a basic license will not be able to use FortiCASB.

You may either use an existing account or create a new account. Wait at least 24 hours for the new account to
take effect before granting access to FortiCASB.

There are two prerequisite steps to set up your Google Drive account before you can add the Google
Drive account on FortiCASB. Please follow the steps below.

1. Create Google Service Account on page 37

2. Enable Google Drive API & Authorize Client ID on page 42

3. Add Google Drive Account on page 43

Create Google Service Account

Make sure you create a service account for the G Suite account that will be linked to FortiCASB. A service
account delegated with domain-wide authority is necessary for FortiCASB to visit files in both personal and
team drives under your G Suite account.


Without the service account, you can still use FortiCASB. However, the features related to files in FortiCASB,
such as Discovery, will not work.

For more information regarding service accounts and domain-wide authority delegation, go to:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority

Google Service Account Creation Steps:

1. Go to https://console.developers.google.com and log in with your Google Account.


2. Click on the drop-down menu of Select a project.

3. Select an existing project or Create New Project by clicking New Project.

4. Enter a Project Name and click Create.


5. Once a project is created, from the Navigation menu, go to IAM & admin > Service accounts.


6. Click +Create service account.


7. Enter a "Service account name" of your preference and click Create. The service account ID will populate
automatically.

Keep the service account ID for later use in Google Drive authentication during
installation.

8. Click Continue when prompted to enter service account permissions.

9. Click +Create Key and select P12 to create a private key. The P12 private key is downloaded
automatically. Then click Done.


Keep the private key for later use in Google Drive authentication during installation.

10. Once the service account is created, select it and click the icon under Actions on the
right-hand side, then click Edit.


11. Enable G Suite Domain-wide Delegation and enter in a Product name for the consent screen, then
click Save.

12. Select View Client ID from the service account that was created, and record the client ID.


Enable Google Drive API & Authorize Client ID

1. Go to Navigation Menu > APIs & Services > Dashboard.


2. Click on ENABLE APIS AND SERVICES.
3. Search for the Google Drive API and enable it.
4. Go to https://admin.google.com and log in with the same Google Account.
5. Scroll down and click More Controls.
6. Go to Security > Advanced Settings.
7. Click Manage API client access.
8. Enter the Client ID recorded earlier for Client Name and https://www.googleapis.com/auth/drive
for One or More API Scopes. Your Client ID should be a string of numbers. Then click Authorize.


Add Google Drive Account

1. From the menu on the left-hand side, select Overview > Dashboard.
2. From the Cloud App Status widget, click ADD, located next to Google Drive.

3. Upload the service account ID and Private Key (P12 File) from earlier for the G Suite account. Your
service account ID should end in ".gserviceaccount.com".
4. Click OK.
You will be navigated to the Google website for authentication. Make sure to use the same G Suite
account for authentication.
If you have a custom Google domain, enter it here.
5. Log in to authenticate. Google will prompt you to allow or deny access.
6. Click Allow to grant FortiCASB permission to monitor your Google application.
You will be redirected back to the FortiCASB dashboard. You can check the installation result and SaaS
platform monitoring status in the Google Drive dashboard.


General

This section covers general operations and features in using FortiCASB:

Reports

FortiCASB allows you to generate C-level, Compliance, and Shadow IT reports.


C-Level reports are quarterly, monthly, or annual reports. Compliance reports give an overview of overall
compliance with policies such as HIPAA, SOX/COBIT, and PCI. Shadow IT reports highlight unsanctioned
application usage.

C-Level Report

1. Go to Overview > Report > C-Level from FortiCASB left navigation pane.
2. Choose a report type (Yearly, Quarterly, or Monthly Report), and select the year, month or quarter.
3. Press Ok to start generating the report.
4. After the report is generated, it will be available under the Action column. To view the report, click the
view button.

Compliance Report

Compliance reports are automatically generated monthly, quarterly, and yearly. You may also customize a
time frame to generate compliance reports. HIPAA, GDPR, SOX-COBIT, and PCI reports are in zip format while ISO
27001 and NIST800 reports are in PDF.

The prerequisite for generating a Compliance report is to enable and configure the Compliance
Policies required by your organization. For more details on configuring Compliance
policies, please refer to Policy Configuration on page 83.

After you have enabled Compliance Policies, follow the steps below to generate a Compliance report.
1. Go to Overview > Report > Compliance from the FortiCASB navigation pane.
2. Select the report type (HIPAA, PCI, SOX-COBIT, etc.), a scheduled period (Monthly, Quarterly,
etc.), and a cloud app (Office 365, Google, etc.) to filter the generated reports.


3. Click the download button under the Action column to download the desired report.

Customized Compliance Report

1. Click on Generate Now in Report/Compliance page.


2. Select a Report Type.
3. Select a Cloud Application (Office 365, Google, etc.)


4.
5. Select a Time Frame that is within 90 days of the current day.
6. Click Generate Now to generate the report.
7. The report will be generated with your user name, cloud application, report type, and date range as the file
title.
For example, an Office 365 PCI compliance report with a date range of 3/1/2020 to 3/14/2020 will be "'User
Name' Office 365 PCI Compliance Report Mar 14 00:00:00 - Mar 14 23:59:59 UTC.zip".

Alert Report

Alert Report keeps track of all daily security alerts and lets you download a daily security report. At the end of
each month, all daily Alert reports are consolidated into one monthly report for download.

• Activate Alert Report on page 49

• Export Daily/Monthly Report on page 50


Activate Alert Report

To enable Alert Report to export all daily security alerts, enable any of the Compliance policies below to
activate the feature:
• NIST800/53 - Track all security alerts
• NIST800/171 - Track all security alerts
• ISO27001 - Track all security alerts
Note: only one of the policies above needs to be enabled to activate Alert Report.

Activate Alert Report through NIST800/53

1. Click the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click the NIST800-53 rev4 tab.
3. Locate the policy NIST800/53 - Track all security alerts.

4. Click the toggle switch under the Status column to turn on the policy.

Activate Alert Report through NIST800/171

1. Click the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click NIST SP800-171 tab.
3. Locate the policy NIST800/171 - Track all security alerts.


4. Click on the toggle switch button under Status column to turn on the policy.

Activate Alert Report through ISO27001

1. Click the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click ISO 27001 tab.
3. Locate the policy ISO27001 - Track all security alerts.

4. Click on the toggle switch button under Status column to turn on the policy.

Export Daily/Monthly Report

The daily security alert report is compiled into a CSV file and made available for export. At the end of each month,
all daily reports of that month are combined and packaged into a ZIP file and made available for download.
An alternative option for exporting daily reports is to consolidate the up-to-date daily reports of the current month
into one ZIP file.

Follow the steps below to export reports.

1. From FortiCASB navigation menu, go to Report > Alert.


2. In the Current Month tab, click the cloud account drop down menu and select a cloud account
(Salesforce, Office 365, etc.).


Option 1 - Select any of the daily reports and click the download button to download it.
Option 2 - Click the Package Up-To-Date for Download button to combine all up-to-date daily reports of
the current month into one ZIP file. The combined ZIP file will be made available for download with a .zip
extension.

3. Click the History tab to export monthly security alert reports. Use the year drop-down menu to select a year
and the cloud account drop-down menu to select a cloud account. All monthly security alert reports
of that year will be available for export.


Activity Report

Activity Report keeps track of all daily cloud account activities and lets you download a daily activity report. At the
end of each month, all daily activity reports are consolidated into one monthly report for download.

• Activate Activity Report on page 52

• Export Daily/Monthly Report on page 53

Activate Activity Report

To enable Activity Report to export all daily activities, enable the following Compliance policy to
activate the feature:
• NIST800/53 - Display content of audit record

Follow the steps below to enable the policy.

1. Click the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click the NIST800-53 rev4 tab.
3. Locate the policy NIST800/53 - Display content of audit record.

4. Click the toggle switch under the Status column to turn on the policy.


Export Daily/Monthly Report

The daily activity report is compiled into a CSV file and made available for export. At the end of each month, all
daily reports of that month are combined and packaged into a ZIP file and made available for download.
An alternative option for exporting daily reports is to consolidate the up-to-date daily reports of the current month
into one ZIP file.

Follow the steps below to export reports.

1. From FortiCASB navigation menu, go to Report > Activity.


2. In the Current Month tab, click the cloud account drop down menu and select a cloud account
(Salesforce, Office 365, etc.).

Option 1 - Select any of the daily reports and click the download button to download it.
Option 2 - Click the Package Up-To-Date for Download button to combine all up-to-date daily reports of
the current month into one ZIP file. The combined ZIP file will be made available for download with a .zip
extension.

3. Click the History tab to export monthly activity reports. Use the year drop-down menu to select a year and
the cloud account drop-down menu to select a cloud account. All monthly activity reports of
that year will be available for export.


Shadow IT

1. Go to Overview > Report > Shadow IT from FortiCASB left navigation pane.
2. Click the arrow next to Shadow IT Report.
3. In the General tab, choose an export file format (zip, xlsx, pdf, csv, docx).

4. Choose a report date range.


5. Click Save.
6. Click Generate to generate the report.
7. After the report is generated, it will be available to download under Action column.

Audit log

FortiCASB records all administrator activities. You can filter your searches by using the Filter option. To access
the Audit log page, go to Overview > Audit log.


For a detailed description of each operation or event, please refer to Event list on page 55.

Access Logs

FortiCASB accesses your information by downloading files, scanning the downloads, then subsequently
deleting the downloads at regular intervals.
NOTE: For your privacy, FortiCASB does not retain your files. You may check to see when and which files
FortiCASB has downloaded, scanned, and deleted by clicking the Access Logs button, located at the top-right
corner.

Event list

This section shows the types of events FortiCASB supports. These types of events will be traced at the Activity
page of each cloud application, and they can also be used as criteria when configuring policy and applying
filters.

The File Download event is monitored within the FortiCASB Audit log. To find the audit
log, go to Overview > Audit Log from the navigation menu on the left.

Salesforce

Event Type        Event
Login             Login Success
                  Login Failed
User              Create User
                  Modify User
                  Change Password
                  Activate User
                  Deactivate User
                  Change User Profile
                  Change User Role
                  Change User Email
                  Change User Permission Set
Group             Add Group
                  Add Group Member
                  Update Group
                  Change Group Access
                  Add External Group Member (Customer)
                  Invite People
Profile           Create Profile
                  Modify Profile
Permission Set    Add Permission Set
                  Modify Permission Set
Feed              Post
                  Modify Post
                  Comment
                  Modify Comment
File              Upload File
                  Upload New Version
                  Download File
                  Edit File
Share             Share File
                  Share File with People
                  Share File with Group
                  Share File via Link
                  Download File via Link
Business          Account Modification
                  Account Owner Change
                  Contact Modification
                  Contact Owner Change
                  Account Create
                  Contact Create

Office 365

Event Type        Event
Login             Login Success
                  Login Failed
User              Create User
                  Delete User
                  Modify User
                  Restore User
                  Change Password
                  Modify Role
Group             Add Group
                  Delete Group
                  Add Group Member
                  Update Group
                  Add Group Owner
                  Delete Group Owner
                  Set Group Managed By
                  Create Group Settings
                  Update Group Settings
                  Delete Group Settings
                  Set Group License
File              Upload File
                  Delete File
                  Download File
                  Modify File
                  Access File
                  Move File
                  Copy File
                  Rename File
                  Edit File
Share             Share File
                  Create Anonymous Link
                  Delete Anonymous Link
                  Create Company Link
                  Delete Company Link
                  Company Link Used
Other             Modify License
                  Delete Folder
                  Create Sharing Invitation
                  Edit Company Info

Box

Event Type        Event
File/Folder       Upload File
                  Copy File
                  Download File
                  Edit File
                  Move File
                  Preview File
                  Rename File
                  Open File
                  Modify File
                  Create Lock
                  Comment
Login             Login Success
                  Login Failed
User              Create User
                  Modify User
                  Delete User
Group             Add Group
                  Update Group
                  Group Add Membership
Metadata          Create Metadata Template
                  Update Metadata Template
                  Create Metadata Instance
                  Update Metadata Instance
Collaboration     Collaboration Invite
                  Collaboration Accept
                  Collaboration Role Change
                  Update Collaboration Expiration
                  Collaboration Expiration
Share             Share File
                  Update Shared File
                  Update Shared Expiration
                  Share Expiration

Dropbox Business

Event Type        Event
Login             Login Success
                  Login Failed
                  Logout
                  Login As User Session Start
                  Login As User Session End
User (Member)     Create User
                  User Change Name
                  User Change Status
                  User Change Admin Role
                  User Change Email
                  Change Password
                  Password Restore
                  Password Restore All
Group             Add Group
                  Delete Group
                  Add Group Member
                  Remove Group Member
                  Group Rename
File              File Add
                  File Download
                  File Preview
                  File Edit
                  File Delete
                  File Add Comment
                  File Move
                  File Copy
                  File Rename
                  File Restore
                  File Revert
File Share        Share Link Create
                  Share Link Create Password
                  Share Link Public
                  Share Link Disable
                  Share Link Team Only
                  Share Link Set Expiration
                  Share Link Remove Expiration
                  Share Link View
                  Share Link Download
                  Share Link Team Copy

Google Drive

Event Type        Event
Login             Login Success
                  Login Failure
                  Login Challenge
                  Logout
File              Create File
                  Upload File
                  Edit File
                  View File
                  Rename File
                  Move File
                  Delete File
                  Download File
                  Preview File
                  Trash File
                  Untrash File
User              Create User
                  Suspend User
                  Unsuspend User
                  Modify User
                  Change Password
                  Create Data Transfer Request
                  Delete User
                  Assign Role
                  Unassign Role


Shadow IT discovery

FortiCASB provides features for shadow IT discovery. By integrating with FortiGate and FortiAnalyzer,
FortiCASB gives users a concrete overview of all sanctioned and unsanctioned cloud applications
organization wide. Furthermore, FortiCASB calculates a risk score for each application and gives users the
ability to control application usage.
FortiCASB's Shadow IT discovery helps users enhance the security of their cloud application environment with
the following features:
• Unsanctioned Application Discovery—FortiCASB uses logs from FortiGate and FortiAnalyzer as well
  as its own discovery process to deliver a comprehensive view of risk and usage of cloud applications.
• Cloud Risk Score—FortiCASB generates a cloud risk score for each cloud application. This score is
  calculated using many factors, such as but not limited to: user numbers, size of the company, multi-factor
  authentication support, and service hosting location. These factors are used to generate scores in multiple
  criteria, which are then aggregated into one final score.
• Access Control—Users can block or monitor certain applications using FortiCASB and FortiGate.
• Data Correlation—FortiCASB uses data from FortiGate and FortiAnalyzer, as well as its own data to
  define and identify riskier activities.

Configuration and requirements

Shadow IT discovery requires a FortiGate or FortiAnalyzer policy.


Configuration details depend on your specific setup requirements. See the scenarios below, and find the one
which best suits your needs.

Scenario 1: You want to receive logs from FortiGate.

• See FortiGate configuration. After step 13, follow the instructions under Log configuration using FortiGate
  GUI on page 66. Then, follow the instructions under FortiCASB configuration as needed.

Scenario 2: You want to receive logs from FortiGate, but it is already providing logs to another
device.

• See FortiGate configuration. After step 13, follow the instructions under Log configuration using FortiGate
  CLI. Then, follow the instructions under FortiCASB configuration as needed.

Scenario 3: You want to receive logs from FortiAnalyzer.

• See FortiAnalyzer configuration. Then, follow the instructions under FortiCASB configuration as needed.


FortiGate configuration

1. Go to Security Profiles > SSL/SSH Inspection.


2. Create a new SSL/SSH inspection profile called deep-test.
3. Configure the profile as shown below:

4. Go to Security Profiles > Application Control.


5. Set all categories to Monitor.
6. Under Options, enable Allow and Log DNS Traffic and Replacement Messages for HTTP-based
Applications.


FortiGate 5.6

FortiGate 5.4

7. Go to Security Profiles > Cloud Access Security Inspection.


8. Under the Action column, set all actions to Monitor.


9. Go to Policy & Objects > IPv4 Policy.


10. Create a new policy named Shadow-IT.
11. Configure the policy as shown below:

12. Configure Security Profiles.


a. To use access control, choose the Web Filter created with the URL filter set.
b. Open Application Control to allow FortiCASB to track how many cloud applications are visited.
c. To correlate log data with FortiCASB data, make sure Application Control is open, and set
SSL/SSH Inspection to deep-test.
NOTE: For FortiGate 5.4, set CASI to the default.


13. Open Log Allowed Traffic, and select either Security Events or All Sessions.

Log configuration using FortiGate GUI

14. Go to Log & Report > Log Settings.


15. Open Send Logs to FortiAnalyzer/FortiManager.
16. Set the FortiCASB receiver's IP address for IP Address.
The FortiCASB receiver IP address can be found by pressing the Device button from the FortiCASB
Shadow IT dashboard. It will be one of the following addresses:

Global Users    34.212.87.235 or 52.27.136.156
EU Users        34.254.217.50 or 52.18.7.98

Enter the IP address into the appropriate section of the FortiGate UI, shown below, then click Test
Connectivity.


Log configuration using FortiGate CLI

17. Log in to the FortiGate CLI.

18. Configure log settings for the second FortiAnalyzer device on the FortiGate.
    config log fortianalyzer2 setting
        set status enable
        set server <FortiCASB server IP>
        set enc-algorithm high-medium
        set upload-option realtime
        set reliable enable
    end
19. Configure the log filter to only forward application-ctrl logs:
    config log fortianalyzer2 filter
        set filter-type include
        set filter "logid(1059028704)"
    end
20. Test the connection using the following CLI command:
    execute log fortianalyzer test-connectivity 2

If the connection is successful, the FortiGate will return the following:

    Registration: registered
    Connection: allow

Otherwise, the FortiGate will return an error code.
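
One way to confirm that a FortiGate's second log destination matches the CLI steps above, as an added example (not Fortinet's code). It assumes the text passed in shows every setting explicitly and that the CLI server is one of the receiver addresses this guide lists for the GUI setup; the function names and sample configurations are constructed for illustration.

```python
"""Audit FortiGate log forwarding against the values given in this guide."""

# Receiver addresses the guide lists for FortiCASB, with their region.
FORTICASB_RECEIVERS = {
    "34.212.87.235": "Global",
    "52.27.136.156": "Global",
    "34.254.217.50": "EU",
    "52.18.7.98": "EU",
}
# Values the guide's CLI steps set in the two fortianalyzer2 blocks.
EXPECTED = {
    "setting": {
        "status": "enable",
        "enc-algorithm": "high-medium",
        "upload-option": "realtime",
        "reliable": "enable",
    },
    "filter": {
        "filter-type": "include",
        "filter": "logid(1059028704)",
    },
}


def parse_config_blocks(text):
    """Return {block path: {key: value}} for flat 'config ... end' blocks.

    Nested 'config'/'edit' tables are not handled; the log blocks are flat.
    """
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip().lstrip("#").strip()  # tolerate a leading '#' prompt
        if line.startswith("config "):
            current = blocks.setdefault(line[len("config "):].strip(), {})
        elif line == "end":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, *rest = line.split(None, 2)
            current[key] = rest[0].strip('"') if rest else ""
    return blocks


def audit_forwarding(text, slot="fortianalyzer2"):
    """Return a list of findings; an empty list means the text matches."""
    blocks = parse_config_blocks(text)
    setting = blocks.get(f"log {slot} setting")
    if setting is None:
        return [f"no 'config log {slot} setting' block found"]
    findings = []
    server = setting.get("server")
    if server not in FORTICASB_RECEIVERS:
        findings.append(f"server {server!r} is not a receiver listed in the guide")
    for block, expected in EXPECTED.items():
        actual = blocks.get(f"log {slot} {block}", {})
        for key, want in expected.items():
            if actual.get(key) != want:
                findings.append(
                    f"{block} {key}: expected {want!r}, found {actual.get(key)!r}")
    return findings


# Constructed sample inputs (not taken from a real device).
GOOD_CONFIG = """
config log fortianalyzer2 setting
    set status enable
    set server "34.212.87.235"
    set enc-algorithm high-medium
    set upload-option realtime
    set reliable enable
end
config log fortianalyzer2 filter
    set filter-type include
    set filter "logid(1059028704)"
end
"""
BAD_CONFIG = """
config log fortianalyzer2 setting
    set status enable
    set server "203.0.113.10"
    set enc-algorithm high-medium
    set upload-option realtime
    set reliable disable
end
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_forwarding(cfg) or "OK")
```

A missing filter block is reported as well, since without it the FortiGate forwards more than the application-ctrl logs the steps above select.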

FortiAnalyzer configuration

1. Provide a public IPv4 address to your FortiAnalyzer. Make sure this IP address with the appropriate TCP
port (default 443) can be accessed from the external network, via the internet.
2. Finish steps 1-12 of the FortiGate configuration.
3. Use the following commands to add RPC-permit's read and write permissions to the user:
a. config system admin user
b. edit admin
c. set rpc-permit read-write
d. end


FortiCASB configuration

1. Choose the device type to connect.


a. Click the Device button, located on the top right, from the Shadow IT dashboard.

b. Choose either FortiGate or FortiAnalyzer.


2. Enter the device DevID.
a. If the DevID is for FortiGate, fill in the other fields.
b. If the DevID is for FortiAnalyzer, fill in the other fields, then select the FortiGate device(s) to add.

Using Shadow IT discovery

Access control

After analyzing an application using FortiCASB, users can use FortiGate's Web Filter to block or monitor the
application.
1. Use FortiCASB to get the host name of the traffic to be controlled.
2. On the FortiGate device, go to Security Profile > Web Filter.
3. Under Static URL Filter, choose the URL filter.
4. Click Create to add a new URL filter.
5. Choose a Type.
6. Choose an Action.
7. Set Status to Open.
8. Click OK.


Shadow IT Dashboard

Usage of unsanctioned cloud applications

All unsanctioned cloud applications are given a ranking based on the risk score, the number of users, and
volume of use. FortiCASB uses that data to pinpoint and display the applications, clients, and sessions that are
most at risk. FortiCASB also displays the percentage of risky applications, clients, and sessions using pie
charts.

File insight

File insight shows the total number of sanctioned cloud applications the organization is using, the total number
of users, and the total number of files stored in each cloud application.

Application list

The application list displays all applications monitored by FortiCASB. Filter the list using the time range box on
the top right, the risk score slider on the top left, and the categories checkboxes on the left.

Click a specific application to display detailed information regarding the application.


Data pattern

FortiCASB uses data patterns to create policies for monitoring files. You can create customized data patterns
from the Data Pattern page. These data patterns can be used when creating customized policies.
To create a customized data pattern, follow the steps below:
1. Go to Overview > Data Pattern.
2. Fill in the settings shown:

Name                      Enter a name for the data pattern.
Description               Enter a description for the data pattern.
Category                  Select a data category from the list.
File Extensions           Specify file types to be monitored.
Uncompressed File Size    Specify the upper bound of an object size, in MB, for a full content scan.
Compressed File Size      Specify the upper bound of a zip file size, in MB, for a full content scan.
Regex Context             Enter a phrase or string of characters, and FortiCASB will monitor any file
                          containing that phrase.

3. Click +Add.

Generate Credential

FortiCASB REST API resources are free to use for development purposes. To use these API resources, an
OAuth 2.0 bearer token is required in the Authorization header. One method to get an OAuth 2.0 bearer token is to
call Get Credentials Token. Before calling the Get Credentials Token API, follow the steps below to generate a
credential.
1. Log into FortiCASB with your account.
2. Go to Business Unit Setting in the top left hand corner.

3. Click on API Setting tab.


4. Enter a name in Credentials Name field, and click Generate.


5. Copy down the credential to be used to call the API later.
The generated credential can be used repeatedly as long as it is not revoked on FortiCASB.


Application Specific Features

This section covers features specific to each of the cloud applications installed on FortiCASB.

Discovery

FortiCASB classifies data as either data at rest or traffic data. Data at rest is data uploaded onto the cloud
application before it has been linked with FortiCASB, while traffic data is any data uploaded after FortiCASB
has started monitoring the cloud application.
You can run scans on the data in your cloud platforms to determine their contents. Depending on the policies
you set, FortiCASB will classify this data as either sensitive data or non-sensitive data. This can be seen in
the Discovery page for each cloud application.
The Discovery page shows basic information about the data in your cloud application, as well as information
about the users with access to your data.
If you don't run a manual scan, FortiCASB will scan files on an individual basis whenever a user accesses the
file.
If you would like to sync data, you can run Sync from the User and Document page.

Panel descriptions

User Entitlements—shows all users with access to your cloud application.

Privileged User    Any user with specific administrative privileges. For a list of these specific
                   privileges, see Discovery on page 72.
Dormant User       Any user that has not accessed the cloud application for at least 30 days.
External User      Any user from an external company with access to your cloud application.

If the User Entitlements panel can't get privileged roles for your Office 365 platform,
make sure you have global administrator privileges and have Azure Active Directory
Premium P2.

Sensitive Data Discovery—gives an overview of sensitive data on your cloud application.

Sensitive Files          Shows the number of files on your cloud application with sensitive
                         information, out of the total number of files.
High Risk File Owners    Shows how many users own files with sensitive information.
Shared Files             Shows the number of shared files.
Malware Files            Shows the number of files with malware scan results.

Click the number under Policy Violation to show the specific policies triggered.
Use Filter to filter or search through the list.

File Exposure—gives an overview of shared files on your cloud application.

Exposure Summary            Gives a summary of the file exposure. Click to filter the list.
Top File-Sharing Owners     Shows the owners sharing the most files.
Top Users/Groups with       Shows the users or groups with access to the most files.
access to Shared Files

External Collaboration—highlights the file shared to the external user/group

External Summary Gives a summary of the external files.

Top External Domains Shows the external domains with which the most files are shared.

Top External Users Shows the external users with whom the most files are shared.

Click on [...] under Share or Link for more details.


Use Filter to filter or search through the list.


Administrative Privileges

Salesforce

A user with any of the following administrative permissions is considered a privileged user:
• Assign Permission Sets
• Manage Sharing
• Modify All Data
• Manage Encryption Keys
• View All Data
• View All Users

Office 365

A user with any of the following administrator roles is considered a privileged user:
• global administrator
• billing administrator
• password administrator
• service administrator
• user management administrator
• Exchange administrator
• SharePoint administrator
• Skype for Business administrator

Box

An admin with all of the following permissions is considered a privileged user:
• Manage users and groups
• Make calls on behalf of users
• View all data

Dropbox Business

A Team Admin is considered a privileged user.

Google

A user with any of the following administrator roles is considered a privileged user:
• Super Administrator
• Groups Administrator
• User Management Administrator
• Help Desk Administrator
• Services Administrator
• User Customized Administrator

Documents

The Documents page shows all the files FortiCASB is currently monitoring. The infographic gives an overview
of the files categorized by File Type, Sensitive Data, and Share Type.
If you don't run a manual scan, FortiCASB will scan files on an individual basis whenever a user accesses the
file.
If you would like to sync data, you can run Sync from the User and Document page.

List filter

• Click on the infographic to filter the list by File Type, Sensitive Data, or Share Type.
• Use the search bar on the top-right side to search by user.

DLP Scanned Documents

Shows the number of documents that have been DLP-scanned.

State

• Sensitive: The file matched the DLP policies.
• External: The file is shared with an external user or group.
• Malware: The file matched the malware policies.

File download

You can download a file FortiCASB is monitoring by clicking the download link in the Operation column.


Policy

FortiCASB policies serve two main purposes:
• Scans and reports use the policies you set to differentiate between sensitive and non-sensitive data.
• Alerts are generated depending on the policies you set.

Default policies on FortiCASB

• Data Analysis on page 76
• Threat Protection on page 80
• Compliance Policy on page 81
• Customized Policy on page 82

To activate a policy so that it triggers alerts, please refer to Policy Configuration on page 83.

Data Analysis

DA policies keep track of sensitive data. For example, if a user accesses a file containing Social Security
Numbers (SSNs) and you have the SSN policy set, FortiCASB will send you an alert.

File types supported by DA scans

Uncompressed
• Microsoft Word Document (.doc, .docx)
• Microsoft PowerPoint Document (.ppt, .pptx)
• Microsoft Excel Document (.xls, .xlsx)
• Text File (.txt, .rtf)
• Portable Document Format (.pdf)

Compressed
• .zip
• .tar
• .7z
• .gz

DA policies

Data Analysis policies trigger alerts whenever a monitored file is accessed, regardless
of the type of access. If you only want alerts for specific actions, set a Customized
policy.

Identity number

US Social Security Policy FortiCASB scans for SSNs during Discovery scans, and
triggers an alert when targets with SSNs are accessed.

CN Resident Identity Policy FortiCASB scans for CN resident identity numbers during
Discovery scans, and triggers an alert when targets with
such numbers are accessed.

Polish Social Security Number Policy FortiCASB scans for Polish SSNs during Discovery scans,
and triggers an alert when targets with Polish SSNs are
accessed.

Credit card number

Visa Credit Card Policy FortiCASB scans for Visa credit card numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

MasterCard Policy FortiCASB scans for MasterCard credit card numbers during
Discovery scans, and triggers an alert when targets with such
numbers are accessed.

American Express Policy FortiCASB scans for American Express credit card numbers during
Discovery scans, and triggers an alert when targets with such
numbers are accessed.

Diners Club Card Policy FortiCASB scans for Diners Club credit card numbers during
Discovery scans, and triggers an alert when targets with such
numbers are accessed.

Discover Card Policy FortiCASB scans for Discover credit card numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

JCB Policy FortiCASB scans for JCB credit card numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

Maestro Card Policy FortiCASB scans for Maestro credit card numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

Driver license number

UK Driver License Policy FortiCASB scans for UK driver license numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

US-FL Driver License Policy FortiCASB scans for FL driver license numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

US-CA Driver License Policy FortiCASB scans for CA driver license numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

CN Driver License Policy FortiCASB scans for CN driver license numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

Email address

Email Address Policy FortiCASB scans for email addresses during Discovery
scans, and triggers an alert when targets with email addresses are
accessed.

Insurance number

CA Insurance Number Policy FortiCASB scans for CA insurance numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.

UK Insurance Number Policy FortiCASB scans for UK insurance numbers during Discovery
scans, and triggers an alert when targets with such numbers are
accessed.


Passport number

UK Passport Number Policy FortiCASB scans for UK passport numbers during
Discovery scans, and triggers an alert when targets
with such numbers are accessed.

CN Passport Number Policy FortiCASB scans for CN passport numbers during
Discovery scans, and triggers an alert when targets
with such numbers are accessed.

USA/Germany Passport Number Policy FortiCASB scans for USA/Germany passport numbers
during Discovery scans, and triggers an alert when
targets with such numbers are accessed.

AU Passport Number Policy FortiCASB scans for AU passport numbers during
Discovery scans, and triggers an alert when targets
with such numbers are accessed.

JP Passport Number Policy FortiCASB scans for JP passport numbers during
Discovery scans, and triggers an alert when targets
with such numbers are accessed.

CA Passport Number Policy FortiCASB scans for CA passport numbers during
Discovery scans, and triggers an alert when targets
with such numbers are accessed.

FR Passport Number Policy FortiCASB scans for FR passport numbers during
Discovery scans, and triggers an alert when targets
with such numbers are accessed.

Bank account number

China Union Pay Policy FortiCASB scans for China Union Pay account numbers during
Discovery scans, and triggers an alert when targets with such numbers
are accessed.

UK IBAN Policy FortiCASB scans for UK IBANs during Discovery scans, and triggers an
alert when targets with such IBANs are accessed.

Swiss IBAN Policy FortiCASB scans for Swiss IBANs during Discovery scans, and triggers
an alert when targets with such IBANs are accessed.

German IBAN Policy FortiCASB scans for German IBANs during Discovery scans, and
triggers an alert when targets with such IBANs are accessed.

Italian IBAN Policy FortiCASB scans for Italian IBANs during Discovery scans, and triggers
an alert when targets with such IBANs are accessed.

Swedish IBAN Policy FortiCASB scans for Swedish IBANs during Discovery scans, and
triggers an alert when targets with such IBANs are accessed.

Spanish IBAN Policy FortiCASB scans for Spanish IBANs during Discovery scans, and
triggers an alert when targets with such IBANs are accessed.


Birthdate

Birthdate Policy FortiCASB scans for birthdates during Discovery scans, and triggers
an alert when targets with birthdates are accessed.

Malware/Ransomware

Ransomware Encrypted File Detection Policy FortiCASB scans for ransomware-encrypted files during
Discovery scans, and triggers an alert when targets are accessed.

Threat Protection

Threat protection policies track suspicious user behavior. For example, if a user fails to enter his or her
password correctly multiple times in a row and you have the Excessive Login Failures policy active, FortiCASB
will send you an alert.

Threat protection policies

Access

Excessive Login Failures Triggers an alert when the number of failed logins for a user exceeds a set
threshold.

Password Change Triggers an alert when passwords are changed.

Suspicious Movement Triggers an alert when a change in a user's geographic location exceeds
threshold parameters.

Unapproved Login Location Triggers an alert when a user logs in from an unapproved geographic
location.

Suspicious Activity

Restricted User Triggers an alert when a monitored user performs select activities.

Suspicious IP Triggers an alert when there is activity from a suspicious IP.

Suspicious Time Triggers an alert when there is activity outside of work hours.

Suspicious Location Triggers an alert when there is activity from suspicious locations.


Sensitive Activity

Sensitive Event Triggers an alert when a sensitive event occurs.

Sensitive File Triggers an alert when a specified sensitive file is accessed.

Ransomware Behavior Detection Triggers an alert when the file(s) in a directory have been replaced.

Abnormal Traffic

Large File Upload Triggers an alert when a file upload exceeds a size threshold.

Compliance Policy

Compliance policies monitor cloud accounts for compliance with various standards (SOX-COBIT,
PCI, HIPAA, etc.). The main purpose of a Compliance Policy is to generate Compliance reports in accordance
with your organization's compliance standard.
For example, if a user accesses a file containing private health information and you have the corresponding
HIPAA policy enabled, FortiCASB will add the corresponding access logs to the Compliance report.

The prerequisite for generating a Compliance report is to enable and configure the Compliance
Policies required by your organization. For more details on configuring Compliance
policies, please refer to Policy Configuration on page 83.

List of Compliance policies

See Policy Configuration on page 83 for instructions/examples on setting policies.

SOX-COBIT

SOX-COBIT policies help your organization track and show compliance with the Sarbanes-Oxley (SOX) Act of
2002 using COBIT guidelines. Use these policies to monitor your cloud applications for SOX compliance, then
use the Report feature to print a report detailing compliance specifics.

PCI

PCI policies help your organization track and show compliance with the Payment Card Industry Data Security
Standard (PCI DSS). Use these policies to monitor your cloud applications for PCI DSS compliance, then use
the Report feature to print a report detailing compliance specifics.


HIPAA

HIPAA policies help your organization track and show compliance with the Health Insurance Portability and
Accountability Act (HIPAA). Use these policies to monitor your cloud applications for HIPAA compliance, then
use the Report feature to print a report detailing compliance specifics.

GDPR

GDPR policies help your organization track and show compliance with the EU General Data Protection
Regulation (GDPR). Use these policies to monitor your cloud applications for GDPR compliance, then use the
Report feature to print a report detailing compliance specifics. The personal data types to monitor can be set
up in the GDPR policy configuration.

ISO 27001

ISO 27001 is the best-known standard in its family and provides requirements for an information security
management system (ISMS). ISO 27001 policies help your organization manage the security of assets, such
as financial information, intellectual property, employee details, and information entrusted to you by third
parties.

NIST 800-53 V4

NIST 800-53 V4 provides the recommended security controls for federal information systems and organizations. It
documents security controls for all federal information systems.

NIST 800-171

NIST 800-171 can help to protect Controlled Unclassified Information in nonfederal information systems and
organizations.

Customized Policy

FortiCASB allows you to create personalized policies to suit your organization's needs.
To add a custom policy, go to Threat Protection > Customized and click Add.
Custom policies focus on two aspects: content monitoring and activity monitoring. Content monitoring is
primarily used to monitor files for sensitive data. Activity monitoring is primarily used to monitor users and user
activities.

The following examples illustrate how to create some common custom policies.


Example 1: To monitor all downloads of a public link containing sensitive data

To receive an alert whenever a file containing sensitive data is downloaded from a public link, use the Exposure
setting along with the Data Pattern setting. For example, to monitor a Salesforce link containing a social
security number:
1. Go to the Content tab.
2. Select Specific Data Patterns, on the right.
3. Click the box labeled Data Pattern, then select DLP SSN.
4. Click the box labeled Exposure, then select SALESFORCE_LINK.
5. Go to the Activity tab.
6. Select Specific Events, on the right.
7. Click the box labeled Event, then select Download File.
8. Configure any other settings as needed.

Example 2: To monitor all activities of a group of users

To receive an alert whenever a specific user or group of users performs any action, use the User setting. For
example, to monitor a group of users:
1. Go to the Activity tab.
2. Select Specific Users, on the right.
3. Click the box labeled User, then select users to monitor. Alternatively, check the Exclude box on the right
to monitor all users besides the ones selected.
4. Configure any other settings as needed.

Policy Configuration

Policy settings allow you to configure each policy to fit your needs. Follow the steps below to
configure policies.
1. Select a cloud application from the FortiCASB main dashboard.
2. Click the Policy drop-down menu, and select any type of policy (Data Analysis, Threat Protection, or
Compliance).
3. Click the toggle switch under the Status column to turn the policy On or Off.

Only policies that are turned On can trigger alerts or record data in reports.

4. Click the right arrow sign > next to the policy to configure.
5. Configure the settings in the General and Context tabs as described below in the Policy Setting Tables. Every
policy has different setting parameters. Follow the setting parameters table below to configure each
policy.
6. Click Save to complete the configuration.

The policy you set should be active after a few minutes.

For Compliance reports, only policies marked in the Alert column will generate alerts. All
other Compliance policies will generate data in Compliance reports.

General Configuration

These are the common parameters in General setting tab in Policy Configuration. Every policy has different
setting parameters. Not all parameters are available in any given policy setting.


Parameter Name | Configurable | Description
Name | No | The name of the policy.
Status | Yes | Specify whether or not the policy is enabled to trigger alerts. A policy is active when it is set to true.
Policy Description | No | The description of the policy.
Severity Level | Yes | The severity level for the policy. You can set the severity level to Critical, Alert, Warning, or Information.
Policy Type | No | The specific type of policy within the policy group. For example, PCI is a type of Compliance policy.

Context Configuration

These are the common parameters in Context tab in Policy Configuration. Every policy has different setting
parameters. Not all parameters are available in any given policy setting.

Parameter Name | Type of Policy | Description
Matching Threshold | Data Analysis | Specify the minimum threshold for an alert. For example, a Credit Card Number policy with the threshold set to two will trigger an alert when two or more credit card numbers are detected.
Data Pattern | Data Analysis, Compliance Policy | Specify the DLP or customized data pattern to be associated with the policy to protect the type of sensitive data. FortiCASB will search for the selected DLP data pattern during Discovery scans.
File Path Regex | Compliance Policy | Specify the regular expression pattern that targets the cloud storage files on which FortiCASB will run DLP scans.


Notification Configuration

These are the common parameters in the Notification tab of Policy Configuration. Not all policies have a
notification function.

Notification Setting Parameters | Description
Enable Email Notification | Check the box to allow FortiCASB to send an email whenever an alert is triggered.
Email Receiver | Either select a user to receive notifications, or enter an email address.

For more details on FortiCASB policy configurations, please see Data Analysis Policy
Configuration on page 87, Threat Protection Policy Configuration on page 90, and
Compliance Policy Configuration on page 108.


Data Analysis Policy Configuration

Data Analysis policies are configured in very similar ways. Here are two examples of configuring Data Analysis
policies.
• DLP CA Driver License Policy on page 87
• DLP Visa Credit Card Policy on page 88

DLP CA Driver License Policy

Description

The Data Loss Prevention (DLP) CA Driver License policy identifies United States California driver license numbers
accessed through cloud account activity. When the number of driver license numbers accessed in any activity
incident reaches the preconfigured threshold, an alert will be triggered.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Data Analysis.
3. Locate DLP CA Driver License Policy and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy. The policy is turned
on by default.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In Matching Threshold, enter the threshold of the number of driver license numbers to be detected in an
activity incident for an alert to be generated.
For example, a matching threshold of 2 will trigger an alert when two or more driver license numbers are
detected in the cloud account activity.
8. Click Save to save and update the configuration.

After the policy is enabled and configured, an alert will be triggered when the number of
driver license numbers accessed in cloud account activity reaches the preconfigured matching
threshold. For more details, please refer to Alert on page 120.

DLP Visa Credit Card Policy

Description

The Data Loss Prevention (DLP) Visa Credit Card policy identifies Visa credit card numbers accessed through the
cloud account activity. When the number of Visa credit card numbers accessed in any activity incident reaches
the preconfigured threshold, an alert will be triggered.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Data Analysis.
3. Locate DLP Visa Credit Card Policy and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy. The policy is turned
on by default.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In Matching Threshold, enter the threshold of the number of credit card numbers to be detected in an
activity incident for an alert to be generated.
For example, a matching threshold of 2 will trigger an alert when two or more credit card numbers are
detected in the cloud account activity.
8. Click Save to save and update the configuration.

After the policy is enabled and configured, an alert will be triggered when the number of
Visa credit card numbers accessed in cloud account activity reaches the preconfigured matching
threshold. For more details, please refer to Alert on page 120.
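
The following added example (not FortiCASB code) shows how a matching threshold behaves on a scanned document. The Visa pattern, the Luhn checksum filter, the counting of distinct numbers, and the names `evaluate_policy` and `SAMPLE_DOCUMENT` are assumptions made for illustration; the guide does not document how FortiCASB matches card numbers internally.

```python
import re

# Assumption: 16-digit Visa numbers starting with 4, written contiguously or
# in groups of four separated by spaces or hyphens.
VISA_PATTERN = re.compile(r"(?<!\d)4\d{3}(?:[ -]?\d{4}){3}(?!\d)")


def luhn_valid(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for index, char in enumerate(reversed(digits)):
        value = int(char)
        if index % 2 == 1:  # double every second digit, counting from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def find_visa_numbers(text):
    """Return the distinct Visa-format numbers in text that pass Luhn."""
    found = []
    for match in VISA_PATTERN.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        # The checksum filters out random 16-digit identifiers (false positives).
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def evaluate_policy(text, matching_threshold):
    """Alert when the number of detected card numbers reaches the threshold."""
    numbers = find_visa_numbers(text)
    return {
        "matches": len(numbers),
        "alert": len(numbers) >= matching_threshold,
        # Mask all but the last four digits so the alert does not leak the data.
        "masked": ["*" * 12 + number[-4:] for number in numbers],
    }


# Constructed sample document using publicly known test card numbers.
SAMPLE_DOCUMENT = """\
Invoice 1: card 4111 1111 1111 1111, paid.
Invoice 2: card 4012-8888-8888-1881, paid.
Invoice 3: card 4111111111111112 (typo, fails the checksum).
Invoice 4: card 5555555555554444 (not a Visa number).
Order reference 94111111111111111 (17 digits, not a card number).
"""

if __name__ == "__main__":
    for threshold in (2, 3):
        print(threshold, evaluate_policy(SAMPLE_DOCUMENT, threshold))
```

With a threshold of 2 the sample document alerts; raising the threshold to 3 suppresses the alert because only two valid Visa numbers are present.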


Threat Protection Policy Configuration

List of all Threat Protection Policy Configuration guides

• Excessive Login Failures on page 91
• Suspicious Movement on page 92
• Unapproved Login Location on page 94
• Restricted User on page 96
• Suspicious IP on page 98
• Suspicious Time on page 99
• Suspicious Location on page 101
• Sensitive File on page 103
• Sensitive Event on page 104
• Large File Upload on page 106


Excessive Login Failures

Description

Excessive Login Failures monitors for excessive login attempts by an unidentified user within a time interval.
Administrators are able to customize the threshold for the number of failed login attempts and the time interval
(minutes) before an alert is generated.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Threat Protection.
3. Locate Excessive Login Failures and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In Login Attempts, enter the threshold of the number of failed login attempts before an alert is
generated.
8. In Interval (minute), enter the time interval from the first failed login attempt of the same user.
9. Click Save to save and update the configuration.

After the policy is enabled and configured, whenever an unidentified user exceeds the
login attempts threshold within the given time interval, an alert will be triggered in
the alert page. For more details, please refer to Alert on page 120.
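
The following added example (not FortiCASB code) shows one way the Login Attempts and Interval (minute) settings can combine, using a per-user sliding window over failed logins. The event format, the function name `excessive_login_failures`, and the choice to raise one alert per burst are assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, outcome).
SAMPLE_EVENTS = [
    ("2020-07-01T09:00:00", "alice@example.com", "failure"),
    ("2020-07-01T09:00:00", "bob@example.com", "failure"),
    ("2020-07-01T09:02:00", "alice@example.com", "failure"),
    ("2020-07-01T09:03:00", "alice@example.com", "failure"),
    ("2020-07-01T09:04:00", "alice@example.com", "failure"),   # 4th in 10 min
    ("2020-07-01T09:05:00", "alice@example.com", "failure"),   # same burst
    ("2020-07-01T09:10:00", "carol@example.com", "failure"),
    ("2020-07-01T09:11:00", "carol@example.com", "failure"),
    ("2020-07-01T09:12:00", "carol@example.com", "failure"),   # equals threshold
    ("2020-07-01T09:13:00", "carol@example.com", "success"),
    ("2020-07-01T09:20:00", "bob@example.com", "failure"),     # outside window
    ("2020-07-01T09:40:00", "bob@example.com", "failure"),
]


def excessive_login_failures(events, login_attempts, interval_minutes):
    """Return one alert per burst in which a user's failed logins within
    interval_minutes exceed login_attempts."""
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)   # user -> failure times still inside the window
    alerting = set()              # users whose current burst already alerted
    alerts = []

    # ISO timestamps in one format sort chronologically as strings.
    for ts_text, user, outcome in sorted(events):
        if outcome != "failure":
            continue
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        failures.append(ts)
        # Drop failures older than the interval, measured back from this one.
        while ts - failures[0] > window:
            failures.popleft()

        if len(failures) > login_attempts:
            if user not in alerting:
                alerting.add(user)
                alerts.append({
                    "user": user,
                    "time": ts.isoformat(),
                    "failures": len(failures),
                })
        else:
            # The burst has ended; a later burst may alert again.
            alerting.discard(user)
    return alerts


if __name__ == "__main__":
    for alert in excessive_login_failures(SAMPLE_EVENTS, 3, 10):
        print(alert)
```

In the sample, only the first user exceeds three failures inside ten minutes; three failures that merely equal the threshold, or failures spread twenty minutes apart, do not alert.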

Suspicious Movement

Description

The Suspicious Movement policy monitors changes in users' geographical location. When the speed (mph) of
travel between the original and the new location exceeds the maximum threshold, an alert will be generated
to report the unidentified cloud account intrusion.
The policy also takes into account the proximity of the new location before checking the speed at
which the user traveled.
In exceptional cases, known users can be excluded from being monitored by placing them on the IP allow list.


Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Threat Protection.
3. Locate Suspicious Movement and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In Velocity Setting (mph), enter the maximum speed at which a user can travel between two locations in
any given time before the movement is viewed as suspicious. The most commonly used value for this
parameter is commercial flight speed, 600 mph.
8. In the Distance Tolerance (mile) field, enter a proximity distance that will not be accounted for in monitoring
for suspicious movement.
For example, if you entered 50 miles, any login within 50 miles of the origin will not be taken as suspicious
movement.
9. In IP Allow List, enter sets of IP ranges to be excluded from being monitored for suspicious movements.
This is useful when you know the users who travel periodically.
10. Click Save to update the configuration.

After the policy is enabled and configured, whenever travel to a user's new login location
exceeds the maximum speed threshold, an alert will be sent on the illegal login. For
more details, please refer to Alert on page 120.
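
The following added example (not FortiCASB code) shows how the three Context settings interact: the IP allow list is checked first, then the distance tolerance, then the velocity. It assumes logins already carry geolocated coordinates, uses the haversine great-circle distance, and skips allow-listed logins entirely; the record format and function names are illustrative.

```python
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8


def distance_miles(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))


def ip_allowed(ip, allow_ranges):
    """True if ip falls inside any (first, last) range of the allow list."""
    addr = ipaddress.ip_address(ip)
    for first, last in allow_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version == addr.version and lo <= addr <= hi:
            return True
    return False


def suspicious_movements(logins, velocity_mph=600, tolerance_miles=50,
                         allow_ranges=()):
    """Return alerts for consecutive logins whose implied speed is too high."""
    last_seen = {}  # user -> (time, location) of the last monitored login
    alerts = []
    for login in sorted(logins, key=lambda item: item["time"]):
        if ip_allowed(login["ip"], allow_ranges):
            continue  # excluded from monitoring; not used as an origin either
        when = datetime.fromisoformat(login["time"])
        previous = last_seen.get(login["user"])
        last_seen[login["user"]] = (when, login["location"])
        if previous is None:
            continue
        prev_when, prev_location = previous
        miles = distance_miles(prev_location, login["location"])
        if miles <= tolerance_miles:
            continue  # nearby logins are never treated as movement
        hours = (when - prev_when).total_seconds() / 3600
        speed = miles / hours if hours > 0 else math.inf  # simultaneous logins
        if speed > velocity_mph:
            alerts.append({"user": login["user"], "time": login["time"],
                           "miles": round(miles), "mph": round(speed)})
    return alerts


NEW_YORK, LONDON = (40.7128, -74.0060), (51.5074, -0.1278)
SAN_FRANCISCO, SAN_JOSE = (37.7749, -122.4194), (37.3382, -121.8863)
LOS_ANGELES = (34.0522, -118.2437)

# Constructed sample logins; IPs come from documentation-only address ranges.
SAMPLE_LOGINS = [
    {"time": "2020-07-01T08:00:00", "user": "dana", "ip": "192.0.2.10", "location": NEW_YORK},
    {"time": "2020-07-01T09:00:00", "user": "dana", "ip": "198.51.100.7", "location": LONDON},
    {"time": "2020-07-01T08:00:00", "user": "eli", "ip": "192.0.2.20", "location": SAN_FRANCISCO},
    {"time": "2020-07-01T08:02:00", "user": "eli", "ip": "192.0.2.21", "location": SAN_JOSE},
    {"time": "2020-07-01T08:00:00", "user": "fay", "ip": "192.0.2.30", "location": NEW_YORK},
    {"time": "2020-07-01T14:00:00", "user": "fay", "ip": "192.0.2.31", "location": LOS_ANGELES},
    {"time": "2020-07-01T08:00:00", "user": "gus", "ip": "192.0.2.40", "location": NEW_YORK},
    {"time": "2020-07-01T08:30:00", "user": "gus", "ip": "203.0.113.10", "location": LONDON},
]
SAMPLE_ALLOW_RANGES = [("203.0.113.0", "203.0.113.255")]

if __name__ == "__main__":
    print(suspicious_movements(SAMPLE_LOGINS, 600, 50, SAMPLE_ALLOW_RANGES))
```

Only the New York to London hop in one hour alerts: the San Jose login is inside the 50-mile tolerance, the six-hour cross-country trip stays under 600 mph, and the last login comes from an allow-listed range.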

Unapproved Login Location

Description

The Unapproved Login Location policy monitors for logins from block-listed countries.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Threat Protection.
3. Locate Unapproved Login Location and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. Click the Select Country drop-down menu to select a country for the Unapproved Location List. This will
generate an alert whenever there is a login attempt from the block-listed country. Click Add to finish
adding the country. Repeat this step to add more countries if needed.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever an unidentified user logs in from
a block-listed location, an alert will be triggered in the alert page. For more details,
please refer to Alert on page 120.


Restricted User

Description

Restricted User policy monitors for cloud account activities conducted by targeted users. An alert will be sent
whenever targeted user(s) performs certain activities.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Threat Protection.
3. Locate Restricted User and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In the Event section, click to select Specific events, then click the drop-down field under it to select specific
event(s). To select all events instead, click on Select all events.
8. In the Suspicious User section, click to select Specify users and click the Select User drop-down field to
select user(s). To select all users instead, click Select all users.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever the targeted users perform certain
activities, an alert will be triggered in the alert page. For more details, please refer to
Alert on page 120.


Suspicious IP

Description

Suspicious IP policy monitors cloud account activities conducted by targeted IP addresses. Alerts will be sent
when any activities are performed by the targeted IPs.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Threat Protection.
3. Locate Suspicious IP and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In the Suspicious IP section, click to enter the beginning and ending IP of the range, and click + to add. Repeat
this step to enter more IP ranges.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever a targeted IP performs any
activity, an alert will be triggered in the alert page. For more details, please refer to
Alert on page 120.

Suspicious Time

Description

Suspicious Time policy monitors cloud account activities outside of regular working hours.

Policy Configuration

Follow the steps below to enable and configure the policy.

1. Click on any Cloud Account drop-down menu from the FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on the Policy drop-down menu and select Threat Protection.
3. Locate Suspicious Time and click on the right arrow key > button to expand the policy.
4. Click on the General tab, then click the Status toggle switch button to enable the policy.
5. Click on the Severity level drop-down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click the Context tab to configure settings.
7. In the Event section, click to select Specific events, then click the drop-down field under it to select specific
event(s). To select all events instead, click on Select all events.
8. In the Suspicious Time section, click on the Select day in week drop-down menu to select a day of the week to
monitor for suspicious events. Then enter the beginning and end time of the day to monitor the event.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever the specific activity is conducted
in the suspicions time frame during the target day of the week, an alert will be triggered
in the alert page. For more details, please refer to Alert on page 120.


Suspicious Location

Description

Suspicious Location policy monitors for cloud account activities from locations that are not on the location allow list.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Suspicious Location and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. In Location Allow List, click Select Country drop down menu to select a country to be added to the
location Allow list. Click Add to finish adding the location. Repeat the same process to add more locations.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever there is any cloud account activity
outside of the allow list locations, an alert will be triggered in the alert page. For more
details, please refer to Alert on page 120.


Sensitive File

Description

Sensitive File policy monitors and sends an alert when targeted cloud account files are being accessed. The
location of the cloud account file path is configured through Regex.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Sensitive File and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.


7. Enter a valid Regex of the target file path to be monitored. Here are examples of file path Regex:
a. ".*" targets all files in the cloud account.
b. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets file paths that begin with
x:\ or \\ and end in one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Here are
file paths that this file path Regex matches:
i. \\192.168.0.1\folder\file.pdf
ii. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
8. Click Save to update the policy configuration.

After the policy is enabled and configured, whenever any file targeted by the file path
Regex is accessed on the cloud account, an alert will be triggered in the alert page. For
more details, please refer to Alert on page 120.

Sensitive Event

Description

Sensitive Event policy monitors specific cloud account activities and triggers alerts.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.


3. Locate Sensitive Event and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. In Event section, click to select Specific events then click the drop down field under it to select specific
event(s). To select all events instead, click on Select all events.


8. In Threshold (Times), enter the maximum number of times the event or activity can be performed by
the same user before an alert is triggered.
9. In Interval (Minutes), specify the amount of time in which the user conducts the targeted activities before
an alert is triggered.
10. Click Save to update the configuration.
A typical example of the policy usage is that downloading or uploading multiple files in a given amount of time
would trigger an alert.

After the policy is enabled and configured, whenever the specific activity is conducted
repeatedly by the same user in a given time frame, an alert will be triggered in the alert
page. For more details, please refer to Alert on page 120.

Large File Upload

Description

Large File Upload policy monitors and tracks the size of files uploaded to the cloud account. An alert will be sent
when an uploaded file exceeds the file size threshold.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Large File Upload and click on the right arrow key > button to expand the policy.


4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. Enter the maximum file size (MB) of the file to be uploaded to the cloud account without triggering an alert.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever a file larger than the file size
threshold is uploaded to the cloud account, an alert will be triggered in the alert page.
For more details, please refer to Alert on page 120.


Compliance Policy Configuration

Here are two typical types of configurations that you will find in Compliance Policy Configuration:
• Data Pattern Configuration on page 108
• File Path Regex Configuration on page 110

Here are some other examples of Compliance Policy Configurations:
• SOX-COBIT - Access to Sensitive Data on page 112
• PCI - Failed Access Attempt Detection on page 114
• PCI - Privileged Account Activity on page 116
• PCI - Retention Violation for Cardholder Data on page 118

Data Pattern Configuration

Description

Data pattern utilizes Data Analysis policies (DLP Policies) to target the specific type of data within the cloud
storage accounts. The benefit of being able to configure data patterns in Compliance policies is that only the
targeted data pattern is in scope, thus eliminating false positives. For more information, please see Data Analysis
on page 76.


Example

GDPR - Personal Data Discovery

Description

GDPR - Personal Data Discovery policy identifies what personal data the company has and where it resides.
You can configure what type of data is considered as personal data and the cloud storage file path. Compliance
report will gather and display info on targeted personal data.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select GDPR tab.
3. Locate GDPR - Personal Data Discovery and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy only generates data in Compliance Report.
6. Click Context tab to configure settings.


7. In File Path Regex, enter a valid Regex of the target file path to be monitored.
8. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) to be monitored.
9. Click Save to update the configuration.

After the policy is enabled and configured, Compliance report will display records of
files that are considered to be personal data residing at the targeted file path.
For more details, please see Compliance Report on page 46.

File Path Regex Configuration

Description

File Path Regex configures the location of the files of interest in the cloud storage account by using Regex.
Regex is a regular expression that is used to extract information from documents by searching and matching
using specific search patterns. Here are a couple of examples of Regex:
1. ".*" targets all files in the cloud account.
2. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets file paths that begin with x:\ or \\
and end in one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Here are file paths that
this file path Regex matches:
a. \\192.168.0.1\folder\file.pdf
b. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
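The following added example (not part of the FortiCASB guide) runs the two patterns above against sample paths to show which files a policy scoped by them would leave unmonitored. It assumes Python's re module as a stand-in for FortiCASB's matcher, whose engine and case handling the guide does not specify; every path after the guide's own two is constructed.

```python
import re

# The two file path patterns quoted in the guide, as raw strings.
MATCH_ALL = r".*"
WINDOWS_PATH = (
    r"^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+"
    r"\.(txt|gif|pdf|doc|docx|xls|xlsx)$"
)

# Sample paths. The first two come from the guide; the rest are constructed
# to probe what the pattern leaves unmonitored.
SAMPLES = [
    r"\\192.168.0.1\folder\file.pdf",
    r"c:\my folder\abc abc.docx",
    r"C:\Finance\Q3 Report.XLSX",             # upper-case letters
    r"c:\finance\payroll.csv",                # extension not in the list
    "Shared Document/Apps/Yammer/plan.docx",  # forward-slash cloud path
]


def evaluate(pattern, paths, ignore_case=False):
    """Map each path to True/False: does the whole path match the pattern?"""
    flags = re.IGNORECASE if ignore_case else 0
    compiled = re.compile(pattern, flags)
    return {path: compiled.fullmatch(path) is not None for path in paths}


def unmonitored(pattern, paths, ignore_case=False):
    """Paths the pattern does not cover, i.e. files the policy would skip."""
    results = evaluate(pattern, paths, ignore_case)
    return [path for path in paths if not results[path]]


if __name__ == "__main__":
    for label, pattern in (("match-all", MATCH_ALL), ("windows", WINDOWS_PATH)):
        print(label)
        for path, hit in evaluate(pattern, SAMPLES).items():
            print(f"  {'MATCH' if hit else 'miss '}  {path}")
    print("still missed when matched case-insensitively:")
    for path in unmonitored(WINDOWS_PATH, SAMPLES, ignore_case=True):
        print(f"  {path}")
```

The character class only lists a-z, so mixed-case names are skipped unless matching is case-insensitive, and paths that use forward slashes never match the second pattern.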


Example

PCI - Track all cardholder data access

Description

PCI - Track all cardholder data access policy tracks all user access to cloud account data. It collects all activity
logs and sends alerts regarding those activities. Compliance report also shows logs of all alerts triggered by this
policy.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Track all cardholder data access and click on the right arrow key > button to expand the
policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.


7. In File Path Regex, enter a valid Regex of the target file path to be monitored. Here are examples of file
path Regex:
8. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) to be monitored.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever anyone accesses the targeted
files with the specific data patterns, an alert will be triggered in the alert page. For
more details, please refer to Alert on page 120.
Compliance report will also record any alerts generated by this policy. For more details,
please see Compliance Report on page 46.

SOX-COBIT - Access to Sensitive Data

Description

Access to Sensitive Data policy monitors and tracks access to sensitive data located in the cloud account.
Sensitive data location can be configured through file path Regex.


Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate Access to Sensitive Data and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.

7. In File Path Regex, enter a valid Regex of the target file path to be monitored. Here are examples of file
path Regex:
a. ".*" targets all files in the cloud account.
b. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets file paths that begin with
x:\ or \\ and end in one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Here are
file paths that this file path Regex matches:
i. \\192.168.0.1\folder\file.pdf
ii. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
8. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) to be monitored.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever any targeted sensitive file is
accessed, an alert will be triggered in the alert page. For more details, please refer to
Alert on page 120.
Compliance report will also record any alerts generated by this policy, for more details,
please see Compliance Report on page 46.

PCI - Failed Access Attempt Detection

Description

Privileged Account Activity policy monitors and tracks targeted users' activities on the cloud accounts. The
policy allows configuration on which user and what type of activities to be monitored.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Failed Access Attempt Detection and click on the right arrow key > button to expand the
policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.

7. In Login Attempts, enter the threshold for the number of failed login attempts before an alert is
generated.
8. In Interval (minute), enter the time frame for all failed login attempts before an alert is generated.
For example, given an interval of 3 minutes and login attempts of 5, if a user has more than 5 failed login
attempts in 3 minutes, an alert will be sent to inform on the suspicious login attempts on the cloud
account.
9. Click Save to update the configuration.


After the policy is enabled and configured, whenever there are excessive failed login
attempts on the cloud account, an alert will be triggered in the alert page. For more
details, please refer to Alert on page 120.
Compliance report will also record any alerts generated by this policy, for more details,
please see Compliance Report on page 46.
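The threshold and interval settings described above, and the Threshold (Times) and Interval (Minutes) settings of the Sensitive Event policy, can be reasoned about with the added sketch below, which is not FortiCASB code. It assumes a per-user sliding window and that an alert fires when the count goes above the threshold; the guide does not document how FortiCASB evaluates the window, and the event names and log records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, user, event name).
# The event names are placeholders, not FortiCASB event identifiers.
EVENTS = [
    # alice: 6 failures inside 3 minutes
    ("2020-07-01T09:00:05", "alice", "login_failed"),
    ("2020-07-01T09:00:20", "alice", "login_failed"),
    ("2020-07-01T09:00:40", "alice", "login_failed"),
    ("2020-07-01T09:01:10", "alice", "login_failed"),
    ("2020-07-01T09:01:45", "alice", "login_failed"),
    ("2020-07-01T09:02:30", "alice", "login_failed"),
    ("2020-07-01T09:03:00", "alice", "login_success"),
    # bob: 6 failures, but spread over 10 minutes
    ("2020-07-01T09:00:00", "bob", "login_failed"),
    ("2020-07-01T09:02:00", "bob", "login_failed"),
    ("2020-07-01T09:04:00", "bob", "login_failed"),
    ("2020-07-01T09:06:00", "bob", "login_failed"),
    ("2020-07-01T09:08:00", "bob", "login_failed"),
    ("2020-07-01T09:10:00", "bob", "login_failed"),
    # carol: exactly 5 failures in under a minute
    ("2020-07-01T09:05:00", "carol", "login_failed"),
    ("2020-07-01T09:05:10", "carol", "login_failed"),
    ("2020-07-01T09:05:20", "carol", "login_failed"),
    ("2020-07-01T09:05:30", "carol", "login_failed"),
    ("2020-07-01T09:05:40", "carol", "login_failed"),
]


def detect(events, event_name, threshold, interval_minutes):
    """Return (user, timestamp, count) for each burst above the threshold.

    An alert is raised when one user produces MORE than `threshold`
    matching events within `interval_minutes`, as in the guide's example.
    """
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerts = []
    for ts, user, name in sorted(events):
        if name != event_name:
            continue
        now = datetime.fromisoformat(ts)
        queue = recent[user]
        queue.append(now)
        # Drop events that have aged out of the interval.
        while queue and now - queue[0] > window:
            queue.popleft()
        if len(queue) > threshold:
            alerts.append((user, ts, len(queue)))
            queue.clear()         # one alert per burst, then start over
    return alerts


if __name__ == "__main__":
    for user, ts, count in detect(EVENTS, "login_failed", 5, 3):
        print(f"ALERT {user}: {count} failed logins within 3 minutes at {ts}")
```

With the guide's values (5 attempts, 3 minutes) only alice alerts: carol stops at exactly 5 and bob never has more than 2 failures inside any 3-minute window, which is the slow-paced activity this kind of policy does not flag.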

PCI - Privileged Account Activity

Description

Privileged Account Activity policy monitors and tracks targeted users' activities on the cloud accounts. The
policy allows configuration on which user and what type of activities to be monitored.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Privileged Account Activity and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.

7. In Event section, click to select Specific events then click the drop down field under it to select specific
event(s). To select all events instead, click on Select all events.
8. In Monitored User section, click Specify users and click the drop down field under it to select user(s) to
be monitored. To select all users, click Select all users.


9. Click Save to update the configurations.

After the policy is enabled and configured, whenever there is any specific activity
conducted by targeted user(s), an alert will be triggered in the alert page. For more
details, please refer to Alert on page 120.
Compliance report will also record any alerts generated by this policy, for more details,
please see Compliance Report on page 46.

PCI - Retention Violation for Cardholder Data

Description

Check if the designated cloud storage data has exceeded the retention time set by the cardholder. The
cardholder is able to set the cloud storage file path with the designated retention time.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Retention Violation for Cardholder Data and click on the right arrow key > button to
expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy only generates data in Compliance Report.
6. Click Context tab to configure settings.

7. In File Path Regex, enter a valid Regex of the target file path for the storage data under the retention
restriction. Here are examples of file path Regex:
a. ".*" targets all files in the cloud account.
b. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets file paths that begin with
x:\ or \\ and end in one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Here are
file paths that this file path Regex matches:
i. \\192.168.0.1\folder\file.pdf
ii. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
8. In Retention Time (day), enter the number of days as the retention time for the cloud storage data.
9. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) that shall be under the retention restriction.
10. Click Save to update the configuration.


After the policy is enabled and configured, when the targeted data exceeds the
maximum retention time, Compliance report will record the retention violation generated.
For more details, please see Compliance Report on page 46.

Alert

FortiCASB sends you alerts when one of your set policies is triggered.
• DLP policies pertain to the types of data stored in the cloud application.
• Threat protection policies pertain to suspicious user activity.
• Compliance policies pertain to specific regulations, such as HIPAA, PCI, and SOX.
To view alerts of each cloud application, click on a cloud application drop down menu and click on Alert.

All the alerts are triggered by policies that are set up to trigger alerts when there is any activity that violates the
policies.
Click on the right arrow key of an alert to show the summary of the alert.


To activate a policy to trigger alert, please refer to Policy Configuration on page 83.
Daily cloud account alerts can be compiled into Alert reports for export, please see
Alert Report on page 48.

Activity

FortiCASB monitors and tracks user data traffic and activities on your cloud platforms.
The Activity page contains both a map displaying (approximate) geolocations of events and an activities list.

Map options

• Activity—Click on an activity indicator on the map to bring up an activity notification from that specific
location.
• Move—Move the map by clicking a point and dragging your mouse.
• Zoom—Use the buttons on the bottom-right corner of the map to zoom in and out.
• Refresh—Click the Refresh button to refresh the map.


• Clear Map—Click the Clear Map button to clear the map of activity indicators.
• Filter—Click the Filter button to filter the activity notifications shown.

Raw event list

Events that come directly from a cloud API or web notifications are displayed in JavaScript Object Notation
(JSON) format.

Alert correlation

One activity may trigger multiple alerts. Click the event to open the corresponding alert page.

Daily cloud account activities can be compiled into Activity reports for export, please
see Activity Report on page 52.

AV Scan and File Quarantine

FortiCASB conducts an active anti-virus and malware detection scan when you press sync in the Document page or
when new files are uploaded to the cloud accounts. FortiCASB AV scan supports any type of file in detecting
virus or malware.
If a file in the cloud account is detected to be infected by virus or malware, a notification will be sent to the file
owner and to the email addresses preconfigured by the FortiCASB admin user, and the file will be quarantined for review.
• File Quarantine and Notification Configuration on page 122
• File Quarantine Directory on page 124

File Quarantine and Notification Configuration

When a file is found to be infected by malware or virus, FortiCASB will remove the file from the original
directory and move it to a default quarantine directory in the cloud account. File Quarantine Directory on page
124 has details on the location of the quarantine directory.
A notification will be sent to notify the file owner to take action on the quarantined file. The default quarantine
directory is preconfigured by FortiCASB.

Salesforce accounts have not yet implemented the file quarantine feature as
Salesforce is undergoing a file handling mechanism upgrade. The feature will be added
to Salesforce accounts in a future release.

Follow the steps below to configure file quarantine and notification:


1. From FortiCASB navigation pane, click on your cloud application (e.g., Office 365).
2. Go to Policy > Data Analysis.

3. Scroll down to find "AV Scan Policy", click on the > sign to expand it.
4. In the General tab, make sure the Status is enabled, if it is not, enable it by clicking the toggle switch
button.

5. Click on the Notification tab, and click on the Enable Email Notification toggle switch button to enable
it.


6. In the Email Receivers field, enter the email addresses that will receive notification when a file is
infected by virus or malware.
Note: The notification will be sent to both the file owner and the email addresses listed in the Email
Receivers field.
7. Click on the Remediation tab, and click Enable Permission toggle switch button to enable file
quarantine function.

8. Click Save to save your setting.

File Quarantine Directory

When a file is detected to be infected with virus or malware, it will be removed from the original directory and
placed in a default file quarantine directory, "forticasb_quarantine_directory~". The quarantine directory will
be placed at the root or top level of the file owner's account.
If the infected file is in a shared account directory, the file will be removed from the shared account directory
and placed at the root level of the file owner's account inside the directory, "forticasb_quarantine_directory~".

Quarantine directory location by cloud account platform:

Cloud Account Platform     Quarantine Directory Location
Google Drive               Root or top level of the file owner's account.
Office 365 One Drive       Root or top level of the file owner's account.
Office 365 SharePoint      Root or top level at the SharePoint Site of the file owner.
Box                        Root or top level of the file owner's account.
Dropbox                    Root or top level of the file owner's account.

It is recommended for the file owner to review and remove the infected file from the
quarantine directory.


Examples of quarantine directory on different cloud accounts

Quarantine directory on Office 365 One Drive:

Quarantine directory on Dropbox Account:

Quarantine directory on Office 365 SharePoint Site:


Yammer Integration Features

FortiCASB Yammer integration allows you to monitor and inspect all the files posted on Yammer by users
within your organization. All users within your organization who are also Yammer users will show as "Yammer
Licensed" on FortiCASB.
From FortiCASB control panel, go to Office 365 > Users to see the FortiCASB users that are also on Yammer.
The Yammer licensed column shows whether the user is also a Yammer licensed user.


All files uploaded to Yammer by a Yammer Licensed user can be viewed in FortiCASB Office 365
Documents. All Yammer files can be distinguished through the Apps column in Office 365 > Documents in
FortiCASB.

When clicking on a Yammer uploaded file name, you can view detailed file information such as creator, created
date, last modified date, file path, etc. The Sync Now button updates the Yammer file metadata in real
time.


Prerequisites

Yammer integration in FortiCASB requires enforcing Office 365 identity in Yammer. Turning this setting
on may disrupt Yammer users' access to Yammer; in particular, those who do not have an Office 365 account
will be locked out of Yammer. Therefore, before making this change, please inform your Yammer users to
do the following:


• Make sure that all Yammer users have an Azure AD account. You can figure out who does not have an Azure
AD account by comparing the list of users on Yammer with the list of users in Office 365. From Yammer,
go to Settings > Edit Network Settings > Export Users to export all users.
• Help the Yammer users who do not have an Azure AD account to get one before enforcing
Office 365 identity.
You need to be a global administrator on Office 365 and be synchronized to Yammer as a verified
administrator to enforce Office 365 identity in Yammer.
From your Yammer account, go to Settings > Edit Network Settings > Admins to verify your Yammer
admin account is synchronized to the Office 365 global administrator account. Below is a screen shot of a synced
admin in Yammer:

Enforce Office 365 Identity in Yammer

1. Log into Yammer with your Yammer admin account.


2. If you are using the new Yammer, go to Settings > Edit Network Admin Settings in the upper right
hand side.
If you are using the old Yammer, go to Settings > Network Admin at the upper left hand side.
3. Click Security Settings under Content and Security.
4. Scroll down to Office 365 Identity Enforcement, click on Enforce Office 365 identity checkbox.


5. A confirmation message will ask you to select the appropriate level of enforcement.

6. Select Committed Enforcement and press okay.


Note: Once you make this change, you will not be able to undo it. Your users will not be able to log in with
their Yammer user accounts anymore; only Yammer users with Azure Active Directory accounts will be
able to log in to Yammer moving forward.
7. Click Save to save your settings.
8. Go back to Security Settings after at least 15 minutes, and check the status under Office 365
Connected Yammer Groups, it should be enabled.


Yammer License Verification

After enforcing Office 365 identity on all Yammer users, you can verify the Yammer user has integrated into
FortiCASB through Microsoft Office Administrator. You must be the Office 365 global administrator in order to
verify the user license info. Follow these steps to verify the user credentials:
1. Log into Office 365 (https://www.office.com/) as the global administrator.
2. Click on Admin to access Microsoft 365 admin center.
3. On the left control panel, expand Users and select Active Users.
4. Click on any licensed user, and the user profile will pop up.


5. In the user profile, Select Licenses and Apps tab, and expand Apps section.

6. Scroll all the way down, and you will see Yammer Enterprise checkbox. The user needs to have
Yammer Enterprise checked in order to be integrated with FortiCASB.


7. Repeat steps 4-6 on all Yammer users.

Yammer File Path

After Office 365 identity is enforced in Yammer, all files uploaded to Yammer will be relocated to the folder
Shared Document/Apps/Yammer/ in the user SharePoint. FortiCASB will retrieve all the file metadata
through this file path on SharePoint. Therefore, please keep this file path unchanged to let FortiCASB
obtain file metadata in Yammer. This is the Yammer file path shown in FortiCASB.


FortiCASB APIs

FortiCASB service endpoints support HTTP requests through the use of REST APIs. This section contains
documentation for FortiCASB REST API service endpoints. FortiCASB provides one endpoint with a single
authentication token to simplify developer experience. All the service endpoints can be accessed through a
single access/bearer token. The HTTP requests provide access to valuable FortiCASB cloud resources. All
FortiCASB REST API requests, such as GET, POST, etc., require an access/bearer token in assembling HTTPS requests.

Request Authorization Methods

There are 3 methods of acquiring the access/bearer token from FortiCASB to assemble a REST API request to
access FortiCASB resources.

1. Client Credential

A client credential can be used to generate the access/bearer token that goes into request headers. First,
log into FortiCASB and generate a FortiCASB credential by following the guide in Generate Credential on
page 70. This is a one-time process, and only one credential is necessary to generate access/bearer tokens.
After you have acquired a client credential, it can be used permanently to assemble the request header that
obtains an access/bearer token, as long as the client credential is not revoked.
Follow the example in Get Credentials Token on page 140 to use the client credential to assemble the HTTPS POST
request header that acquires the access/bearer token.

2. Username and Password

Another method of acquiring access/bearer token is through your FortiCASB account username and password.
Follow the example in Get Authorization Token on page 138 to assemble HTTPS POST request header to
acquire access/bearer token using your username and password.

3. Refresh Token

The use of a refresh token requires one of the two methods above. Once you get a response through the client
credential or username/password, you may use the refresh token in the response body to acquire more bearer
tokens without using the client credential or username/password. Follow the example in Get Refresh Token on
page 141 to generate an access/bearer token using the refresh token. The refresh token expires 8 hours after
it is generated.


Fabricate Request Header and Body

After acquiring the access/bearer token, use it to assemble a REST API request. Like all other REST
API requests, FortiCASB requests operate through a secured channel: a URI request over the HTTPS protocol. The
details of the request parameters are determined by the specific REST API specification.
Check each REST API specification to determine which additional fields are necessary to
fulfill the request. The request body is optional and depends on the API specification; some parameters may
be required and others optional.

Send Request

There are 5 request headers that are often used in FortiCASB REST API requests. The first 3 are default
request headers.

Request Header Description

Host The domain name of the REST service endpoint or the IP address

Authorization Access/bearer token generated earlier through one of the get token
methods

Content-Type This default header is set as "application/json"

Company ID The company ID of the company which the username or the credential is
originated from. Company ID can be obtained from Get Resource Map on
page 143.

Business Unit ID Business unit ID is the ID of the business unit which the user is entitled to
access. Business unit ID can be obtained through View or Remove
Business User on page 19. Alternatively, it can also be obtained from the
REST API Get Resource Map on page 143

When you have assembled the request header and body, the request is ready to be sent to the REST endpoint.
Here is a GET request example in HTTPS:

GET /api/v1/country/list HTTP/1.1
Host: www.forticasb.com
Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlcnZlc
iIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODY5MTUxNjQsImFpZCI6InFhLmNhc2IxQGdtYWlsLmNvbSJ
9.Hh2yVHEEd73BJ31rEjB2C-iclodmMigEPIwtuRwCObo
Content-Type: application/json


REST API Response

After you send the request to the FortiCASB service endpoint, you will receive a response header and a response
body. The above request calls for the list of countries, and here is a part of the response in JSON format:

[
{
"id":"US",
"country":"United States of America"
}
]

API Throttling

API throttling refers to the limit that FortiCASB sets on the number of requests in a given period of time to
prevent an application from sending too many requests. The API throttling limit of FortiCASB is 100 TPM (times
per minute), meaning at most 100 requests can be made in one minute.

Get Authorization Token

Description

Get FortiCASB access token by the FortiCASB username and password.

URL

/api/v1/auth/token

Method: POST

Request Header

Key Value Type Description

Content-Type application/x-www-form-urlencoded String


Request Body Parameters

Name Required Value Description

grant_type Required password

username Required <username> FortiCASB account user name

password Required <password> FortiCASB account password

Sample Request

Request URL POST https://www.forticasb.com/api/v1/auth/token

Request Header Content-Type: application/x-www-form-urlencoded

Request Body grant_type: password
username: XXXXXXXXXX
password: XXXXXXXXXX

Response Variable

Name Type Description

access_token String Access token returned

refresh_token String Refresh token returned

token_type String Type of token

expires String Timestamp of when the token will expire

Sample Response
{
"token_type": "bearer",
"expires": 1.585002117836E12,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlc
nZlciIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODUwMDIxMTcsImFpZCI6InFhLmNhc2IxQGdtYWls
LmNvbSJ9.TFfhF3jRDnoj1W96gFOuMnxvAhdwU55IQdO6tpkOpH0",
"refresh_token": "I4WnuRUY0xHEsoNMDvmurq_
J45VHyuxa4DRWq5mevlYB1YT1yL2TUAA8vRRNNyOyy5RwEww62j0cAM8yxa4B5kU8GbTrty2kgSD7nf
bmYEaPNQIBIi5Mv7jq0fHkn0Z-5z43CwI5yWF3pfGygvYoqaL0_YC5np5AKSPP3S49KhA"
}


Get Credentials Token

Description

Get the FortiCASB OAuth 2.0 bearer token by the credentials generated on FortiCASB. Before using this API,
first generate a credential on FortiCASB through Generate Credential on page 70.

URL

/api/v1/auth/credentials/token/

Method: POST

Request Header

Key Value Type Description

Authorization Basic <FortiCASB credentials> String Authorization credential generated by FortiCASB

Content-Type application/x-www-form-urlencoded String

Request Body Parameters

Name Required Value Description

grant_type Required client_credentials

Sample Request

Request URL POST https://www.forticasb.com/api/v1/auth/credentials/token/

Request Header Authorization: Basic a0eddbf4-6840-4bb7-9789-acffd4ffac02
Content-Type: application/x-www-form-urlencoded

Request Body grant_type=client_credentials

Response Variable

Name Type Description

access_token String Access token returned

refresh_token String Refresh token returned


token_type String Type of token

expires String Timestamp of when the token will expire

Sample Response
{
"token_type": "bearer",
"expires": 1.585248581336E12,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlc
nZlciIsImhvc3QiOlsiRkNBU0IiXSwiZXhwIjoxNTg1MjQ4NTgxLCJhaWQiOiJxYS5jYXNiMUBnbWFp
bC5jb20ifQ.PVfdrQ7NJYdYTu0PmIQnNUJJTWq3ZmW-iw2ux_8LLCM",
"refresh_token": "I4WnuRUY0xHEsoNMDvmuronKCCut-
9FKHZOT4Pfuancwh46UUz5irXDK98bRmDKREdg05VQmjbN8zrcvsyatl9DvuuSOBfhQ4Kztmwu5Vrho
Ml3tpq1U_feWjs866PcMix9BUO2DYRzLXWucyjiyyT7uHZMwakKhps9vbWm9gzq3XpCej-
yeX7ze0TNrWSG3WLh5n5sydU5NMNI_Stt-WycO05ZQL4FvRmqjn1-8Hz0"
}

Get Refresh Token

Description

Get Refresh Token uses the short-lived refresh token returned by a past access token request (Get Authorization
Token or Get Credentials Token) to obtain a new access token without having to use the credential or
username/password.

URL

/api/v1/auth/token/refresh

Method: POST

Request Header

Key Value Type Description

Content-Type application/x-www-form-urlencoded String


Request Body Parameters

Name Required Value Description

grant_type Required refresh_token

refresh_token Required <Refresh Token> Refresh token generated from the past Get Authorization Token and Get Credentials Token request responses.

Sample Request

Request URL POST https://www.forticasb.com/api/v1/auth/token/refresh

Request Header Content-Type: application/x-www-form-urlencoded

Request Body grant_type: refresh_token
refresh_token: 2j0cAM8yxa4B5kU8GbTrty2kgSD7nfbmYEaPNQ

Response Variable

Name Type Description

access_token String Access token returned

token_type String Type of token

expires String Timestamp of when the token will expire

Sample Response
{
"token_type": "bearer",
"expires": 1.585002361532E12,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlc

nZlciIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODUwMDIzNjEsImFpZCI6InFhLmNhc2IxQGdtYWls
LmNvbSJ9.Y7RGkrRn6hvfqCbPF9LGNchYGMiEIK2WljPqSbffsk0"
}
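The three token requests and the expiry rules described above can be exercised together as follows. This is an added example, not code from the FortiCASB guide: the function and class names are hypothetical, the token strings are constructed placeholders, and the one-hour gap between issue time and access-token expiry is an assumption made only for the sample.

```python
import json
import urllib.parse
import urllib.request

BASE_URL = "https://www.forticasb.com"   # host used in the guide's sample requests
FORM = "application/x-www-form-urlencoded"
REFRESH_LIFETIME_S = 8 * 60 * 60         # guide: refresh token expires 8 hours after generation


def _form_post(path, fields, extra_headers=None):
    """Build (but do not send) an HTTPS POST with a form-encoded body."""
    headers = {"Content-Type": FORM, **(extra_headers or {})}
    body = urllib.parse.urlencode(fields).encode("ascii")
    return urllib.request.Request(BASE_URL + path, data=body, headers=headers, method="POST")


def password_token_request(username, password):
    """Get Authorization Token: username/password grant."""
    return _form_post("/api/v1/auth/token",
                      {"grant_type": "password", "username": username, "password": password})


def credentials_token_request(credential):
    """Get Credentials Token: the generated credential goes in a Basic header."""
    return _form_post("/api/v1/auth/credentials/token/",
                      {"grant_type": "client_credentials"},
                      {"Authorization": "Basic " + credential})


def refresh_token_request(refresh_token):
    """Get Refresh Token: exchange a refresh token for a new access token."""
    return _form_post("/api/v1/auth/token/refresh",
                      {"grant_type": "refresh_token", "refresh_token": refresh_token})


class TokenState:
    """Tracks one access token and the refresh token it was issued with."""

    def __init__(self, response_text, issued_at):
        doc = json.loads(response_text)
        self.access_token = doc["access_token"]
        self.refresh_token = doc["refresh_token"]
        self.refresh_deadline = issued_at + REFRESH_LIFETIME_S
        # "expires" is epoch milliseconds serialized as a float (1.585002117836E12).
        self.access_deadline = float(doc["expires"]) / 1000.0

    def apply_refresh(self, response_text):
        """The guide's refresh response lists no refresh_token, so the old one
        (and its 8-hour deadline) is kept and only the access token changes."""
        doc = json.loads(response_text)
        self.access_token = doc["access_token"]
        self.access_deadline = float(doc["expires"]) / 1000.0

    def next_action(self, now, margin_s=60):
        """Return 'use', 'refresh' or 'reauthenticate' for the time `now` (epoch seconds)."""
        if now < self.access_deadline - margin_s:
            return "use"
        if now < self.refresh_deadline - margin_s:
            return "refresh"
        return "reauthenticate"

    def bearer_header(self):
        return {"Authorization": "Bearer " + self.access_token}


# Constructed sample: token strings are placeholders; "expires" reuses the number
# format of the guide's sample response.
SAMPLE_TOKEN_RESPONSE = """{
  "token_type": "bearer",
  "expires": 1.585002117836E12,
  "access_token": "ACCESS-TOKEN-PLACEHOLDER",
  "refresh_token": "REFRESH-TOKEN-PLACEHOLDER"
}"""
SAMPLE_ISSUED_AT = 1585002117.836 - 3600   # assumption: issued one hour before expiry

if __name__ == "__main__":
    state = TokenState(SAMPLE_TOKEN_RESPONSE, SAMPLE_ISSUED_AT)
    for offset in (0, 3590, 8 * 3600):
        print(offset, state.next_action(SAMPLE_ISSUED_AT + offset))
```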

Get Resource Map

Description

Get basic information on all users and accounts from FortiCASB, including the company ID, user name, business
unit IDs, etc.
Company ID (companyId) and business unit ID (buId) are the response variables that you will need to call
many other FortiCASB REST APIs.

URL

/api/v1/resourceURLMap

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/resourceURLMap

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

Name Type Description

resourceURL String API request endpoint

roleId Long Login user identity


username String Login user name

buMapSet.companyId Long Company ID (companyId) of which the business unit is under.

buMapSet.buId Long Business unit ID (buId) of which the user account is under.

buMapSet.buName String Business unit name

Sample Response
[
{
"resourceURL":"https://qa1.staging.forticasb.com",
"roleId":1,
"username":"casb qacasb1",
"buMapSet":[
{
"buName":"research authentication",
"companyId":6,
"buId":238187
},
{
"buName":"aaa",
"companyId":6,
"buId":6384
}
]
}
]

Get Alert List

Description

Get cloud service account alert details.


URL

/api/v1/alert/list

Request Method: Post

Request Header

Key Value Type Description

companyId <Company ID> Integer Company ID

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Request Body Parameters

Name Required Type Description

startTime Required long Timestamp, filter to get open alert time after start date

endTime Required long Timestamp, filter to get open alert time before start date

skip Required integer Indexes in a result set. Used to exclude response from the first N items of a resource collection.

limit Required integer Maximum number of return items

user Optional List<String> Filter to search user email

policy Optional List<String> Filter to search alert id

activity Optional List<String> Filter to search alert by activities

objectIdList Optional List<String> Filter to search alert by object identity


objectName Optional String Filter to search alert by object name

severity Optional List<String> Filter to search alert by severity

status Optional List<String> Filter to search by status

idList Optional List<String> Filter to search alert by alert IDs

alertType Optional List<String> Filter to search alert by alert types

countryList Optional List<String> Filter to search alert by countries

Sample Request

Request URL POST https://www.forticasb.com/api/v1/alert/list

Request Header Authorization: Bearer <Authorization_Token>
companyId: 6
Content-Type: application/json
buid: 6384
service: Salesforce

Request Body {
"service":"Salesforce",
"startTime":1583792777000,
"endTime":1583879177000,
"id":"",
"user":[
],
"policy":[
],
"activity":[
],
"objectid":[
],
"severity":[
],
"status":[
],
"city":[
],
"idList":[
],
"alertType":[
],
"asc":"severity",
"desc":"",
"end_dt":"2020-03-10T15:26:17-0700",
"start_dt":"2020-03-09T15:26:17-0700",
"id_list":[
],
"skip":0,
"limit":20
}


Response Variable

Name Type Description

buId Long Business ID

companyId Long Company ID

id String Alert ID

object String Object name that triggered the alert

objectType String Object type of alert

objectId String Object id that triggered the alert

severity String Severity of the alert

serviceId String ID to distinguish different account of the cloud service

violationActivity String Activity violation that triggered alert

displayOperation String Operation that triggered alert

createTime long Timestamp of when the alert is created in UTC

updateTime long Timestamp of when the alert is updated in UTC

policyName String Violation policy name

policyId String Name of the policy that alert is triggered by

policyCode String ID of the policy that alert is triggered by

contextName String Context name of violation policy

userId String ID of the user who trigger the alert

eventId String ID of the event

eventIdList Array List id of the events

service Application Cloud service

resultDesc String Description for violation context

geoLocationList Array Place where the activity occurred.

alertType String Classification of the alert

alertSubType String Sub classification of the alert

defineType String Type of policy, predefined or customized

state String Alert state

totalPage long Total page of alert results

skip integer Indexes in a result set. Used to exclude a response from the first N items of a resource collection.

limit integer Maximum number of return alerts in one page


totalCount integer Total number of activities on file

user String The registered user name of FCASB

userName String The registered user email of FCASB

Sample Response
{
"data":[
{
"buId":6384,
"companyId":"6",
"timestampUUID":"203A8qR797nn390d6CQhOH6DjrdiGx9A",
"id":"203A8qR797nn390d6CQhOH6DjrdiGx9A",
"objectType":"USER",
"objectId":"0050P000006d7J1QAI",
"user":"0050P000006d7J1QAI",
"userName":"0050P000006d7J1QAI",
"severity":"Alert",
"applicationId":"00D0P000000Db1XUAS",
"violationActivity":"SALESFORCE_MODIFY_PERMISSION_SET",
"displayOperation":"Modify Permission Set",
"createTime":1583830347799,
"updateTime":1583830347000,
"policyName":"Restricted User",
"policyId":"16615",
"policyCode":"FC-ACT-010",
"contextName":"Restricted User",
"userId":"0050P000006d7J1QAI",
"eventId":"203A8hk004-akeXpvvQdWBzRhXAwDyJw",
"eventIdList":[
"203A8hk004-akeXpvvQdWBzRhXAwDyJw"
],
"service":"Salesforce",
"resultDesc":"hit the rule: all user include and all event include",
"matches":0,
"geoLocationList":[
],
"alertType":"Threat protection",
"defineType":"Predefined",
"state":"Open"
},
{
"buId":6384,
"companyId":"6",
"timestampUUID":"203A8qR796Xvf-yGqIQvSPwS7831UnKA",
"id":"203A8qR796Xvf-yGqIQvSPwS7831UnKA",
"objectType":"USER",
"objectId":"0050P000006d7J1QAI",
"user":"0050P000006d7J1QAI",
"userName":"0050P000006d7J1QAI",

"severity":"Alert",
"applicationId":"00D0P000000Db1XUAS",
"violationActivity":"SALESFORCE_MODIFY_PERMISSION_SET",
"displayOperation":"Modify Permission Set",
"createTime":1583830347798,
"updateTime":1583830347000,
"policyName":"Restricted User",
"policyId":"16615",
"policyCode":"FC-ACT-010",
"contextName":"Restricted User",
"userId":"0050P000006d7J1QAI",
"eventId":"203A8hk003U7DBS8g5ScuSgpxwM_TUTw",
"eventIdList":[
"203A8hk003U7DBS8g5ScuSgpxwM_TUTw"
],
"service":"Salesforce",
"resultDesc":"hit the rule: all user include and all event include",
"matches":0,
"geoLocationList":[
],
"alertType":"Threat protection",
"defineType":"Predefined",
"state":"Open"
},
{
"buId":6384,
"companyId":"6",
"timestampUUID":"203A8qR661F8irdySGQZ2gT5BxOk3plg",
"id":"203A8qR661F8irdySGQZ2gT5BxOk3plg",
"objectType":"USER",
"objectId":"0050P000006d7J1QAI",
"user":"0050P000006d7J1QAI",
"userName":"0050P000006d7J1QAI",
"severity":"Alert",
"applicationId":"00D0P000000Db1XUAS",
"violationActivity":"SALESFORCE_MODIFY_PERMISSION_SET",
"displayOperation":"Modify Permission Set",
"createTime":1583830347664,
"updateTime":1583830347000,
"policyName":"Restricted User",
"policyId":"16615",
"policyCode":"FC-ACT-010",
"contextName":"Restricted User",
"userId":"0050P000006d7J1QAI",
"eventId":"203A8hk002J2FkUSUIQjaCHtr9UDBLXQ",
"eventIdList":[
"203A8hk002J2FkUSUIQjaCHtr9UDBLXQ"
],
"service":"Salesforce",
"resultDesc":"hit the rule: all user include and all event include",
"matches":0,
"geoLocationList":[
],
"alertType":"Threat protection",
"defineType":"Predefined",

"state":"Open"
}
],
"totalPage":0,
"limit":20,
"skip":0,
"totalCount":6
}
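Paging through Get Alert List with skip/limit while staying under the 100 TPM throttle, as an added example that is not part of the guide: `MinuteThrottle`, `iter_alerts`, `summarize` and the `post` transport callable are hypothetical names, and the fake transport with its alert records is constructed so the block runs offline.

```python
import json
import time
from collections import Counter, deque

MAX_REQUESTS_PER_MINUTE = 100   # guide: API throttling is 100 TPM


class MinuteThrottle:
    """Sliding window: at most `limit` calls in any 60-second span."""

    def __init__(self, limit=MAX_REQUESTS_PER_MINUTE, clock=time.monotonic, sleep=time.sleep):
        self.limit, self.clock, self.sleep = limit, clock, sleep
        self.sent = deque()

    def _prune(self, now):
        while self.sent and now - self.sent[0] >= 60.0:
            self.sent.popleft()

    def wait(self):
        """Block until one more request fits in the window, then record it."""
        now = self.clock()
        self._prune(now)
        if len(self.sent) >= self.limit:
            self.sleep(60.0 - (now - self.sent[0]))
            self.sent.popleft()          # the oldest call has now left the window
            now = self.clock()
            self._prune(now)
        self.sent.append(now)


def alert_list_headers(access_token, company_id, bu_id, service):
    """Request headers from the Get Alert List table."""
    return {"Authorization": "Bearer " + access_token, "companyId": str(company_id),
            "buId": str(bu_id), "service": service, "Content-Type": "application/json"}


def iter_alerts(post, headers, start_ms, end_ms, page_size=20, throttle=None):
    """Yield every alert between start_ms and end_ms, paging with skip/limit.

    `post(path, headers, body_bytes)` is the caller's HTTPS transport and must
    return the response body as text (hypothetical interface).
    """
    throttle = throttle or MinuteThrottle()
    skip = 0
    while True:
        body = {"startTime": start_ms, "endTime": end_ms, "skip": skip, "limit": page_size}
        throttle.wait()
        page = json.loads(post("/api/v1/alert/list", headers, json.dumps(body).encode()))
        alerts = page.get("data", [])
        yield from alerts
        skip += len(alerts)
        total = page.get("totalCount")
        if not alerts or len(alerts) < page_size or (total is not None and skip >= total):
            return


def summarize(alerts):
    """Count alerts per (policyCode, severity) for quick triage."""
    return Counter((a.get("policyCode"), a.get("severity")) for a in alerts)


def make_fake_transport(alerts):
    """Constructed stand-in for the HTTPS call, shaped like the sample response."""
    calls = []

    def post(path, headers, body):
        req = json.loads(body)
        calls.append((path, req["skip"], req["limit"]))
        window = alerts[req["skip"]: req["skip"] + req["limit"]]
        return json.dumps({"data": window, "totalPage": 0, "limit": req["limit"],
                           "skip": req["skip"], "totalCount": len(alerts)})

    return post, calls


if __name__ == "__main__":
    # Constructed alerts; only the field names come from the guide.
    sample = [{"id": "constructed-%d" % i, "policyCode": "FC-ACT-010", "severity": "Alert"}
              for i in range(6)]
    post, calls = make_fake_transport(sample)
    headers = alert_list_headers("ACCESS-TOKEN-PLACEHOLDER", 6, 6384, "Salesforce")
    found = list(iter_alerts(post, headers, 1583792777000, 1583879177000, page_size=4))
    print(len(found), calls, summarize(found))
```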

Get Business Unit Info

Description

Get details of the business unit.

URL

/api/v1/businessUnit/info

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/businessUnit/info

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384


Response Variable

Name Required Type Description

companyId Required Long Company ID

companyName Required String The registered parent company name in FortiCASB

buId Required Long Business unit ID

displayName Required String Business unit display name

region Required String Registered region

companyEmail Optional String Registered email

primary Optional Boolean Is primary or not

users Optional long Number of users

Sample Response
{
"companyId":6,
"companyName":"qa",
"buId":6384,
"displayName":"aaa",
"region":"global",
"companyEmail":"",
"primary":false,
"users":0
}

Get Country List

Description

Get a list of all countries.


URL

/api/v1/country/list

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/country/list

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

Name Type Description

id String The country code, represents "Country" for filtering alerts

country String The country name, represent "Country Name" for filtering alerts

Sample Response
[
{
"id":"AU",
"country":"Australia"
},
{
"id":"CN",
"country":"China"
},
{
"id":"DE",
"country":"Germany"
},
{

"id":"ES",
"country":"Spain"
},
{
"id":"JP",
"country":"Japan"
},
{
"id":"US",
"country":"United States of America"
}
]

Get Dashboard Risk

Description

Get all risk trend data of all monitoring accounts in the business unit.

URL

/api/v1/dashboard/risk

Method: Post

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Account Number> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

timeZone <Time Zone> String Numeric representation of time zone of the user, ex. +0800

Content-Type application/json String


Request Body Parameter

Name Required Type Description

startTime Required long Timestamp, starting time of filtered open alerts

endTime Required long Timestamp, ending time of filtered open alerts

Sample Request

Request URL POST https://www.forticasb.com/api/v1/dashboard/risk

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384
timezone: -0700

Request Body {
"startTime":1585518361548,
"endTime":1585604761548
}

Response Variable

Name Type Description

name String Cloud service name

id String Risk sequence number

key String The time that the risk was detected

value long The risk number on this date

Sample Response
{
"data":[
{
"name":"Box",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{

"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Salesforce",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Dropbox",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Google",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Office365",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",

"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
}
]
}

Get Dashboard Statistics

Description

Get crucial statistics data from the cloud service in the business unit.

URL

/api/v1/dashboard/statistics

Method: POST

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

timeZone <Time Zone> String Numeric representation of time zone of the user, ex. +0800.

service <Salesforce> String Cloud service account

Content-Type application/json String


Request Body Parameters

Name Type Description

startTime long Timestamp, starting time of filtered open alerts

endTime long Timestamp, ending time of filtered open alerts

Sample Request

Request URL POST https://www.forticasb.com/api/v1/dashboard/statistics

Request Header Authorization: Bearer <Authorization_Token>
timeZone: +0800
Content-Type: application/json
Service: Salesforce
buid: 6384

Request Body {
"startTime":1583865778729,
"endTime":1583952178729
}

Response Variable

Name Type Description

topRiskUsers List Top risk users in a time period

topRiskObjects List Top risk objects in a time period

topHitPolicies List Top hit policies in a time period

topRiskEventType List Top risk event type in a time period

topRiskPositions List Top risk positions in a time period

topActivityPositions List Top activity positions in a time period

alertTrend List The trend of alert in a time period

usageTrend List The trend of usage in a time period

riskSeverity List The risk severity statistics

name String Position of the alert

id String Corresponding ID number of the event, policy, risk user, risk object, risk position

key String The event name, risk user name, policy name, activity name, alert name, risk object name, trend time

value long The number of the statistics items


Sample Response
{
"topRiskUsers":[
{
"id":"0050P000006k18GQAQ",
"key":"yue zhang",
"value":2
}
],
"topRiskObjects":[
{
"id":"0690P000006mwkbQAA",
"key":"SSN2020-03-11T17:00:24.746Z.txt",
"value":4
},
{
"id":"0690P000006mwlPQAQ",
"key":"CA_Driver2020-03-11T17:00:30.133Z.txt",
"value":4
},
{
"id":"0690P000006mwloQAA",
"key":"CN_Passport2020-03-11T17:00:32.464Z.txt",
"value":4
},
{
"id":"0690P000006mwkgQAA",
"key":"CNID2020-03-11T17:00:25.632Z.txt",
"value":3
},
{
"id":"0690P000006mwlUQAQ",
"key":"CN_Driver2020-03-11T17:00:30.566Z.txt",
"value":3
}
],
"topHitPolicies":[
{
"id":"16615",
"key":"Restricted User",
"value":35
},
{
"id":"16598",
"key":"DLP UK Passport Number Policy",
"value":4
},
{
"id":"16601",
"key":"DLP USA/Germany Passport Number Policy",
"value":4
},

{
"id":"16599",
"key":"DLP AU Passport Number Policy",
"value":3
},
{
"id":"16603",
"key":"DLP CA Driver License Policy",
"value":3
}
],
"topRiskEventType":[
{
"id":"202",
"key":"Upload File",
"value":76
},
{
"id":"238",
"key":"Post",
"value":4
},
{
"id":"214",
"key":"Login Success",
"value":2
},
{
"id":"239",
"key":"Comment",
"value":1
}
],
"topRiskPositions":[
{
"name":"United States of America",
"key":"US",
"value":83
}
],
"topActivityPositions":[
{
"name":"United States of America",
"key":"US",
"value":35
}
],
"alertTrend":[
{
"id":"0",
"key":"2020-03-10T21:00:00+0000",
"value":0
}
],
"usageTrend":[
{
"id":"0",

"key":"2020-03-10T21:00:00+0000",
"value":0
}
],
"riskSeverity":[
{
"id":"0",
"key":"Alert",
"value":82
},
{
"id":"1",
"key":"Critical",
"value":1
}
]
}

Get Dashboard Summary

Description

Get dashboard summary.

URL

/api/v1/dashboard/summary

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

companyId <Company ID> String Company ID


roleId <User ID> Long Login User ID

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/dashboard/summary

Request Header Authorization: Bearer <Authorization_Token>
companyId: 6
Content-Type: application/json
buid: 6384
roleid: 1

Response Variable

Name Type Description

loginUser String The login user e-mail.

alertCount long Number of alerts in the last 30 days

activitiesCount long Number of activities in the last 30 days

fileScannedCount long Number of files scanned in the last 30 days

Sample Response
{
"loginUser":"[email protected]",
"alertsCount":3220,
"activitiesCount":9514,
"fileScannedCount":340
}

Get Dashboard Usage

Description

Get all activity usage trend data of all the monitoring cloud accounts in the business unit.


URL

/api/v1/dashboard/usage

Method: Post

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

timeZone <Time Zone> String Numeric representation of time zone of the user, ex. +0800.

Content-Type application/json String

Request Body Parameters

Name Type Description

startTime long Timestamp, starting time of filtered open alerts

endTime long Timestamp, ending time of filtered open alerts

Sample Request

Request URL POST https://www.forticasb.com/api/v1/dashboard/usage

Request Header Authorization: Bearer <Authorization_Token>
timeZone: +0800
Content-Type: application/json
buid: 6384

Request Body {
"startTime":1583865778729,
"endTime":1583952178729
}


Response Variable

Name Type Description

name String Cloud service name

id String Usage sequence number

key String The time that the usage was detected

value long The usage number at the date

Sample Response
{
"data": [
{
"name": "Box",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
},
{
"name": "Salesforce",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
},
{
"name": "Dropbox",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
},
{
"name": "Google",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]

},
{
"name": "Office365",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
}
]
}

Get Event

Description

Get activity events definition from FortiCASB.

URL

/api/v1/event

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/event

Request Header Authorization: Bearer <Authorization_Token>
service: Salesforce
Content-Type: application/json


Response Variable

Name Type Description

id integer The activity id, represents "Activity ID" for filtering alerts and activity

name String Name of the activity operation, represents "Activity Name" for filtering alerts and activity

nameEnum OperationNameEnum The activity operation type, represents "Activity" enum for filtering alerts and activity

value String The activity ID, represents "Activity" for filtering alerts and activity

category String The category of activity, represents "Activity Category" for filtering alerts and activity

searchField String The search field of the filter

Sample Response
[
{
"id":202,
"name":"Upload File",
"nameEnum":"UPLOAD_FILE",
"value":"202",
"category":"FILE",
"searchField":"activity"
},
{
"id":203,
"name":"Download File",
"nameEnum":"DOWNLOAD_FILE",
"value":"203",
"category":"FILE",
"searchField":"activity"
},
{
"id":206,
"name":"Upload New Version",
"nameEnum":"UPLOAD_NEW_VERSION",
"value":"206",
"category":"FILE",
"searchField":"activity"
}
]


Get Filter List

Description

Get all user-created filter lists in the specific cloud service under the targeted business unit.

URL

/api/v1/filter/list

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

service <Cloud Service Name> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/filter/list

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384
service: Office365

Response Variable

Name Type Description

id String The serial number


name String The filter name that the user created

filter String The filter that the user saved

source String The filter source page

Sample Response
[
  {
    "id":36156,
    "name":"casb test",
    "filter":"{\"selectPolicyObject\":[],\"selectFileTypeObject\":[],\"selectShareTypeObject\":[],\"selectSensitiveDataObject\":[],\"selectOwnerObject\":[],\"selectShareToInternalObject\":[],\"selectShareToGuestObject\":[],\"selectUserObject\":[],\"selectSharedUserObject\":[],\"selectActivityObject\":[{\"id\":2,\"name\":\"Upload File\",\"category\":\"FILE\"}],\"selectSeverityObject\":[],\"selectAlertTypeObject\":[],\"selectStatusObject\":[],\"selectCountryObject\":[],\"ipList\":[],\"selectAuditOperateObject\":[],\"selectAuditModuleObject\":[],\"selectAuditVendorObject\":[],\"isShare\":false,\"isLink\":false,\"isNewFinding\":false,\"isViolation\":false,\"isSuccess\":null,\"object\":\"\",\"selectedHistoryPeriod\":{\"time\":\"Last 24 hours\",\"displayTime\":\"Last 24 hours\"},\"selectedPeriod\":{\"start_dt\":\"2020-03-10T23:38:45.069Z\",\"end_dt\":\"2020-03-11T23:38:45.069Z\",\"value\":{\"time\":\"Last 24 hours\",\"displayTime\":\"Last 24 hours\"}}}",
    "source":"alert"
  }
]
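
The filter value in the Get Filter List response is itself a JSON document stored as a string, so it has to be decoded a second time before the saved criteria can be read. The following Python code is an added example, not part of the FortiCASB documentation; the sample body is constructed, and treating empty lists, empty strings, null and false as "not set" is an assumption.

```python
import json

# Constructed sample shaped like the Sample Response above (criteria list shortened).
SAMPLE_BODY = json.dumps([
    {
        "id": 36156,
        "name": "casb test",
        "filter": json.dumps({
            "selectPolicyObject": [],
            "selectActivityObject": [
                {"id": 2, "name": "Upload File", "category": "FILE"}
            ],
            "selectSeverityObject": [],
            "ipList": [],
            "isShare": False,
            "isViolation": False,
            "isSuccess": None,
            "object": "",
            "selectedHistoryPeriod": {
                "time": "Last 24 hours",
                "displayTime": "Last 24 hours",
            },
        }),
        "source": "alert",
    },
    # Constructed malformed entry, to show the failure path.
    {"id": 36157, "name": "truncated", "filter": '{"ipList":[', "source": "alert"},
])


def active_criteria(criteria):
    """Return only the criteria that carry a value.

    Assumption: empty lists, empty strings, null and false mean "not set".
    """
    return {
        key: value
        for key, value in criteria.items()
        if not (value is None or value is False or value == [] or value == "")
    }


def decode_saved_filters(body):
    """Decode a Get Filter List body, including the nested `filter` string."""
    results = []
    for entry in json.loads(body):
        raw = entry.get("filter")
        try:
            criteria = json.loads(raw) if isinstance(raw, str) else None
        except json.JSONDecodeError:
            criteria = None
        if not isinstance(criteria, dict):
            criteria = None  # keep the entry, but mark it undecodable
        results.append({
            "id": entry.get("id"),
            "name": entry.get("name"),
            "source": entry.get("source"),
            "decoded": criteria is not None,
            "active": active_criteria(criteria) if criteria else {},
        })
    return results


if __name__ == "__main__":
    for item in decode_saved_filters(SAMPLE_BODY):
        print(item["id"], item["name"], item["decoded"], sorted(item["active"]))
```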

Get Policy List

Description

Get all FortiCASB policies which trigger alerts in the business unit.

URL

/api/v1/alert/policy/list

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

service <Salesforce> String Cloud service account

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/policy/list

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384
service: Salesforce

Response Variable

Name Type Description

name String Policy name

category String Category of the policy

id String Policy code for identifying the policy

Sample Response
[
  {
    "name": "DLP China Resident Identity Policy",
    "id": "FC-ACT-029",
    "category": "DLP"
  },
  {
    "name": "AV Scan Policy",
    "id": "FC-ACT-254",
    "category": "DLP"
  },
  {
    "name": "Restricted User Activity",
    "id": "FC-ACT-010",
    "category": "Threat protection"
  },
  {
    "name": "Password Change",
    "id": "FC-ACT-011",
    "category": "Threat protection"
  }
]

Get Service History

Description

Get cloud service OAuth history of the business unit.

URL

/api/v1/service/history/{service}

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/service/history/Salesforce

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384

Response Variable

Name Required Type Description

id Required long The OAuth history ID

buId Required Long Business unit ID

service Required Application Cloud service name

scanId Optional String Application name + company name

actionStatusCode Optional String The user name that is registered with this cloud service

message Optional String The returned message of cloud service status history

date Optional long Timestamp, the time that processed this step

lastStep Optional String The last process step

casbUser Optional String The user email that is used in FortiCASB

cloudUser Optional String The user name that is registered in this cloud service account

Sample Response
[
  {
    "id":31289,
    "scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
    "buId":6384,
    "application":"SALESFORCE",
    "actionStatusCode":"Success",
    "message":"",
    "date":1583432356528,
    "lastStep":"Update OAuth Data",
    "casbUser":"[email protected]",
    "cloudUser":"[email protected]"
  },
  {
    "id":31267,
    "scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
    "buId":6384,
    "application":"SALESFORCE",
    "actionStatusCode":"Success",
    "message":"",
    "date":1583378643280,
    "lastStep":"Update OAuth Data",
    "casbUser":"[email protected]",
    "cloudUser":"[email protected]"
  },
  {
    "id":24433,
    "scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
    "buId":6384,
    "application":"SALESFORCE",
    "actionStatusCode":"Success",
    "message":"",
    "date":1582918837831,
    "lastStep":"Update OAuth Data",
    "casbUser":"[email protected]",
    "cloudUser":"[email protected]"
  },
  {
    "id":16572,
    "scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
    "buId":6384,
    "application":"SALESFORCE",
    "actionStatusCode":"Success",
    "message":"",
    "date":1582585855516,
    "lastStep":"Save OAuth Data",
    "casbUser":"[email protected]",
    "cloudUser":"[email protected]"
  }
]
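
The OAuth history can be reviewed for steps that did not succeed and for a change in the FortiCASB user or cloud account that authorized the service. The following Python code is an added example, not part of the FortiCASB documentation; all records are constructed, and it assumes "Success" is the only successful actionStatusCode value (the "Failed" value is invented for the sample).

```python
from datetime import datetime, timezone

DAY_MS = 86_400_000
T0 = 1583366400000  # 2020-03-05T00:00:00Z, constructed starting point


def make_record(rec_id, date_ms, status, cloud_user, message="",
                step="Update OAuth Data"):
    """Build one constructed record with the fields shown in the Sample Response."""
    return {"id": rec_id, "scanId": "SALESFORCE-constructed", "buId": 6384,
            "application": "SALESFORCE", "actionStatusCode": status,
            "message": message, "date": date_ms, "lastStep": step,
            "casbUser": "admin@example.com", "cloudUser": cloud_user}


# Newest first, like the Sample Response. All values are constructed.
SAMPLE_HISTORY = [
    make_record(4, T0 + 3 * DAY_MS, "Success", "svc-new@example.com"),
    make_record(3, T0 + 2 * DAY_MS, "Failed", "svc@example.com",
                message="constructed error"),
    make_record(2, T0 + DAY_MS, "Success", "svc@example.com"),
    make_record(1, T0, "Success", "svc@example.com", step="Save OAuth Data"),
]


def to_utc(ms):
    """Convert the API's epoch-millisecond timestamps to ISO 8601 UTC."""
    moment = datetime.fromtimestamp(ms // 1000, tz=timezone.utc)
    return moment.isoformat(timespec="seconds")


def review_oauth_history(records, ok_status="Success"):
    """Return (id, kind, time, detail) tuples, oldest first.

    kind is "status" for a step that did not succeed, or
    "casbUser-changed" / "cloudUser-changed" when the account differs
    from the one in the preceding record.
    """
    findings = []
    previous = None
    for rec in sorted(records, key=lambda r: r.get("date") or 0):
        when = to_utc(rec.get("date") or 0)
        if rec.get("actionStatusCode") != ok_status:
            detail = "{}: {} {}".format(rec.get("lastStep"),
                                        rec.get("actionStatusCode"),
                                        rec.get("message") or "").strip()
            findings.append((rec["id"], "status", when, detail))
        if previous is not None:
            for field in ("casbUser", "cloudUser"):
                if rec.get(field) != previous.get(field):
                    detail = "{} -> {}".format(previous.get(field), rec.get(field))
                    findings.append((rec["id"], field + "-changed", when, detail))
        previous = rec
    return findings


if __name__ == "__main__":
    for finding in review_oauth_history(SAMPLE_HISTORY):
        print(finding)
```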

Get Service Status

Description

Get the cloud service information and authentication status under the same business unit.

URL

/api/v1/service/status/{service}

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/service/status/Salesforce

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384

Response Variable

Name Required Type Description

step Required String The operation step at this stage

total Required int The number of steps

processing Required int Number of processing steps

actionStatusCode Required ActionStatusCode The result code of this stage's operation

code Required String Add cloud service status code

stepOrder Required int The order of the related operation

casbUser Optional String The user email that is used in FortiCASB

cloudUser Optional String The user name that is registered with the cloud service

date Optional long Timestamp, the time that this cloud service is added into FortiCASB

process Optional List<OAuthProcess> The processes of getting this cloud service's OAuth

message Optional String The message with the process

Sample Response
{
  "code": "100",
  "casbUser": "[email protected]",
  "cloudUser": "[email protected]",
  "date": 1583432355315,
  "process": [
    {
      "step": "OAuth Request",
      "total": 1,
      "processing": 1,
      "actionStatusCode": "100",
      "message": "",
      "stepOrder": 1
    },
    {
      "step": "Check License",
      "total": 1,
      "processing": 1,
      "actionStatusCode": "100",
      "message": "",
      "stepOrder": 2
    },
    {
      "step": "Update OAuth Data",
      "total": 1,
      "processing": 1,
      "actionStatusCode": "100",
      "message": "",
      "stepOrder": 3
    },
    {
      "step": "Initial Data Pulling Logic",
      "total": 1,
      "processing": 1,
      "actionStatusCode": "100",
      "message": "",
      "stepOrder": 5
    },
    {
      "step": "Remove old OAuth data",
      "total": 1,
      "processing": 1,
      "actionStatusCode": "100",
      "message": "",
      "stepOrder": 5
    }
  ]
}

Get Severity

Description

Get all alert severity definitions from FortiCASB.

URL

/api/v1/severity

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/severity

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

Name Type Description

id String The severity code, represents "Severity" code filter in filtering alerts

name String The severity name, represents "Severity" name filter for filtering alerts

Sample Response
[
  {
    "id":"1",
    "name":"Critical"
  },
  {
    "id":"2",
    "name":"Alert"
  },
  {
    "id":"3",
    "name":"Warning"
  },
  {
    "id":"4",
    "name":"Information"
  },
  {
    "id":"5",
    "name":"Pass"
  }
]

Get Status

Description

Get status definitions from the FortiCASB system.

URL

/api/v1/status

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/status

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

Name Type Description

id String Status ID

name String Service Status

Sample Response
[
  {
    "id":"1",
    "name":"New"
  },
  {
    "id":"2",
    "name":"In progress"
  },
  {
    "id":"3",
    "name":"Resolved"
  },
  {
    "id":"4",
    "name":"Discard"
  }
]

Get User List

Description

Get details of all users of the cloud services under the same company and business unit.

URL

/api/v1/profile/user/list

Method: GET

Request Header

Key Value Type Description

companyId <Company ID> Integer Company ID

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 19. Alternatively, it can also be obtained from the REST API Get Resource Map on page 143.

service <Cloud Service> String Name of the cloud service such as Salesforce, Office365, etc.

Content-Type application/json String

skip <Skip Number> Integer Index in the result set. Used to exclude the first N items of a resource collection from the response.

limit <Limit per Page> Integer Maximum number of items returned per page.

Sample Request

Request URL GET https://www.forticasb.com/api/v1/profile/user/list

Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
service: Salesforce
buid: 8
companyid: 7
skip: 0
limit: 2

Response Variable

Name Required Type Description

companyId Required Long Company ID

userId Required String The user identity

origUserId Required String The original user identity

deleted Required boolean Whether the current user information is deleted or not

createdDate Required long Timestamp, user created date

service Required Application Cloud service name

isActive Required boolean User active status

buId Optional Long Business unit ID

createdById Optional String The ID which created this user

lastModifiedDate Optional long Timestamp, the last time that this user has been modified

lastModifiedById Optional String The last user ID that modified this user information

lastLoginDate Optional long Timestamp, the last time that this user logged in to FortiCASB

systemModstamp Optional long Timestamp of the system

email Optional String The email of the registered user

userName Optional String The user name of the registered user

name Optional String This user's name

firstName Optional String This user's first name

lastName Optional String This user's last name

userType Optional UserTypeEnum User type

profileId Optional String This user's profile ID

userRoleId Optional String This user's role ID

Sample Response
[
  {
    "companyId": "7",
    "buId": 8,
    "userId": "0050P000006kOBcQAM",
    "origUserId": "0050P000006kOBcQAM",
    "deleted": false,
    "createdDate": 1492555111000,
    "createdById": "0050P000006d7J0QAI",
    "lastModifiedDate": 1583370489000,
    "systemModstamp": 1545262127000,
    "email": "[email protected]",
    "userName": "[email protected]",
    "name": "forti3 net3",
    "firstName": "forti3",
    "lastName": "net3",
    "service": "SALESFORCE",
    "lastLoginDate": 1545262127000,
    "userType": "CsnOnly",
    "isActive": true,
    "profileId": "00e0P000000JYKPQA4"
  },
  {
    "companyId": "7",
    "buId": 8,
    "userId": "0054U000009GCaMQAW",
    "origUserId": "0054U000009GCaMQAW",
    "deleted": false,
    "createdDate": 1595303943000,
    "createdById": "0050P000006d7J1QAI",
    "lastModifiedDate": 1595303943000,
    "systemModstamp": 0,
    "email": "[email protected]",
    "userName": "xxxxxx@00d0p000000db1xuas",
    "name": "Platform Integration User",
    "lastName": "Platform Integration User",
    "service": "SALESFORCE",
    "lastLoginDate": 0,
    "isActive": true,
    "profileId": "00e0P000000a7HVQAY"
  }
]
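
Get User List passes skip and limit as request headers, so a full account review has to page through the collection. The following Python code is an added example, not part of the FortiCASB documentation; it assumes that a page shorter than limit marks the end of the list and that a lastLoginDate of 0 means no login was recorded, and the sample users are constructed.

```python
import json
import urllib.request

API_URL = "https://www.forticasb.com/api/v1/profile/user/list"  # from the Sample Request
DAY_MS = 86_400_000


def http_fetch_page(token, company_id, bu_id, service, skip, limit):
    """Fetch one page; every parameter travels as a request header, as documented."""
    request = urllib.request.Request(API_URL, method="GET", headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "companyId": str(company_id),
        "buId": str(bu_id),
        "service": service,
        "skip": str(skip),
        "limit": str(limit),
    })
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


def iter_users(fetch_page, limit=100, max_pages=1000):
    """Yield every user by advancing `skip` in steps of `limit`.

    Assumption: a page shorter than `limit` marks the end of the collection.
    """
    skip = 0
    for _ in range(max_pages):  # hard stop in case the server ignores `skip`
        page = fetch_page(skip, limit)
        yield from page
        if len(page) < limit:
            return
        skip += limit


def review_users(users, now_ms, max_idle_days=90):
    """Flag active, non-deleted accounts with no recorded or no recent login.

    Assumption: lastLoginDate 0 (as in the second sample user) means none recorded.
    """
    findings = []
    for user in users:
        if user.get("deleted") or not user.get("isActive"):
            continue
        last_login = user.get("lastLoginDate") or 0
        if last_login == 0:
            findings.append((user["userId"], "no login recorded"))
        elif now_ms - last_login > max_idle_days * DAY_MS:
            findings.append((user["userId"], "idle"))
    return findings


# Constructed users carrying only the fields this review reads.
NOW_MS = 1600000000000
SAMPLE_USERS = [
    {"userId": "U1", "deleted": False, "isActive": True, "lastLoginDate": NOW_MS - 5 * DAY_MS},
    {"userId": "U2", "deleted": False, "isActive": True, "lastLoginDate": 0},
    {"userId": "U3", "deleted": False, "isActive": True, "lastLoginDate": NOW_MS - 200 * DAY_MS},
    {"userId": "U4", "deleted": False, "isActive": False, "lastLoginDate": 0},
    {"userId": "U5", "deleted": True, "isActive": True, "lastLoginDate": 0},
]


def sample_fetch_page(skip, limit):
    """Offline stand-in for http_fetch_page bound to one business unit."""
    return SAMPLE_USERS[skip:skip + limit]


if __name__ == "__main__":
    print(review_users(iter_users(sample_fetch_page, limit=2), NOW_MS))
```

Against a live tenant, pass iter_users a two-argument wrapper around http_fetch_page, for example a lambda that fixes the token, company ID, business unit ID and service.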

Troubleshooting

Information and solutions for the following problems are included in this section:

Getting Started

• I have a new account but no license.
• I have renewed my license, but cannot use it.

Salesforce

• I get an "OAuth Request" error.

Office 365

• I get an error at the "Add Sites Collection Admin" step.
• I get an error at the "Add Users" step.
• I get an error at the "Add Groups" step.

Dropbox Business

• I get an "OAuth Request" error.

Google

• I can't connect Google Drive to FortiCASB.

Getting Started Issues

Information and solutions for the following problems are included in this section:
• New account with No License Error
• Renew License error

New account with No License Error

Check your Master FortiCare account to see whether the license is present:

1. Log into FortiCare at https://support.fortinet.com/ with your Master FortiCare account.
2. From the top main menu, click Asset > Manage/View Products.
3. Check whether the licenses you purchased are shown in the product list.
4. If you find your license on the list, you can add the license by creating a company. Please see Basic Setup on page 13.
5. If the license you purchased is not on the list, please contact FortiCare support.

Renew License error

When you have renewed your license but cannot find it on your FortiCASB Dashboard, follow these steps to see if the license appears in your FortiCare account.

1. Log into FortiCare at https://support.fortinet.com/ with your Master FortiCare account.
2. From the top main menu, click Asset > View Account Service.
3. Check whether the license/contract you purchased is shown in the product list.
4. If the license/contract you purchased is not on the list, please contact FortiCare support.
5. If your license is on the list, it only needs to be assigned to the company/business unit on FortiCASB.

Salesforce

OAuth Request errors

If an error occurs, an error message will be displayed on the Salesforce panel.

The following sections show some common error messages, as well as possible solutions:
• If your error message says "Saas application API gateway not accessible", go to Saas application API gateway not accessible error on page 184.

Saas application API gateway not accessible error

FortiCASB requires users to have three specific Salesforce permissions. To check your Salesforce permissions,
follow these steps:
1. From your Salesforce menu, go to Setup > Manage Users > Users.
2. Click on the profile of the integrated user.
For example, if the integrated user is listed as a "System Administrator", click on System Administrator
under "Profile".

3. Make sure you have the "API Enabled", "View All Data", and "View All Users" permissions enabled.

If you have all these permissions and still encounter the error, your organization could have reached
Salesforce's daily API request limit. To check if you have reached this limit, follow these steps:
1. From your Salesforce menu, go to Setup > Company Profile > Company Information.
2. Check "API Requests, Last 24 Hours" to see if you have reached your maximum limit.
If you have reached this limit, wait for the next 24 hour period to try again.

Salesforce enforces API call limits on a per-organization basis, not a per-user
basis. If your organization has multiple applications sharing Salesforce API requests,
please consolidate usage between applications.

Office 365

Add Site Collection Admin errors

The following sections show some common causes for this error, as well as possible solutions.
• If your Azure domain does not end in ".onmicrosoft.com", go to Customized SharePoint homepage URL on page 185.

Customized SharePoint homepage URL

FortiCASB's "Add Site Collection Admin" feature currently only supports the default Azure domain format
(abc.onmicrosoft.com). If you have a custom SharePoint homepage URL, you will have to allow collection manually.
1. From your SharePoint Online Admin Center, click user profiles.
2. Use the "Find profiles" feature to find a user, right-click that user's account name, then click Manage site
collection owners.
3. In the "Site Collection Administrators" box, enter your admin username, then click the icon.
4. Click OK. FortiCASB can now audit this user's OneDrives.
5. Repeat steps one through four for each user you wish to audit.
6. From the FortiCASB Office 365 authentication menu, check "Prefer not to provide".

Add Users errors

Even if such an error occurs, FortiCASB will still monitor users that do not trigger this error. For
example, in this case, FortiCASB will monitor the 37 users that were added successfully, even
if this error is not corrected.

The following sections show some common causes for this error, as well as possible solutions.
• If these users have never logged into their Office 365 accounts before, go to Adding users with new Office 365 accounts on page 185.

Adding users with new Office 365 accounts

Office 365 activates a new user's SharePoint portal when he or she logs in for the first time. For a brand new O365
account, log into the account once to activate the portal, then add the user in FortiCASB.

Add Groups errors

Some groups do not generate or manipulate files. FortiCASB will not monitor these groups. FortiCASB will also not
monitor groups the site administrator does not have permission to monitor.

Even if such an error occurs, FortiCASB will still monitor groups that do not trigger this error.

Dropbox Business

OAuth Request error

Please check the user role of the account used to log in to Dropbox Business. This account must have "Team Admin" permissions.

Google

Google Drive connection errors

If FortiCASB will not connect to your Google Drive account, one common reason is that your Google account is not
a Super Administrator and does not have the correct permissions.
To check if your Google account is a Super Administrator, go to https://admin.google.com/ and log in with your Google
account.
If your interface is the same as the one shown below, you are a Super Administrator.

If you are not a Super Administrator, either ask the Super Administrator to grant you Super Administrator permissions or
use the Super Administrator's Google account to link to FortiCASB.

If you're unsure who your administrator is, contact your IT department, help desk, or the manager who gave you the
account.

Due to Google requirements, only G Suite accounts with a business or enterprise license can use FortiCASB. G Suite
accounts with a basic license will be unable to use FortiCASB.

Copyright© 2020 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
