FortiCASB 20.4.0 Admin Guide

The FortiCASB 20.4.0 Admin Guide provides comprehensive instructions for setting up and managing Fortinet's Cloud Access Security Broker service, which ensures visibility, compliance, data security, and threat protection for cloud services. Key features include automatic data scans, threat detection, and compliance monitoring for various cloud applications such as AWS S3 and Google Cloud Storage. The document also includes troubleshooting tips, API references, and detailed guidelines for configuring and managing cloud applications.

FortiCASB - Admin Guide

Version 20.4.0
FORTINET DOCUMENT LIBRARY
https://docs.fortinet.com

FORTINET VIDEO GUIDE


https://video.fortinet.com

FORTINET BLOG
https://blog.fortinet.com

CUSTOMER SERVICE & SUPPORT


https://support.fortinet.com

FORTINET TRAINING & CERTIFICATION PROGRAM


https://www.fortinet.com/support-and-training/training.html

NSE INSTITUTE
https://training.fortinet.com

FORTIGUARD CENTER
https://fortiguard.com/

END USER LICENSE AGREEMENT


https://www.fortinet.com/doc/legal/EULA.pdf

FEEDBACK
Email: [email protected]

December 30, 2020


FortiCASB 20.4.0 Admin Guide
00-400-000000-20181031
TABLE OF CONTENTS

Change Log 10
What's New 11
Introduction 12
Features 13
Visibility 13
Data security and threat protection 13
Compliance 13
Basic Setup 14
Introduction 14
First Time Setup 14
Add Company 15
Add Business Units 16
Create Business User 17
Add Business Users 17
Business User Login 20
View or Remove Business User 20
View or Remove Business User from Default Business Unit 20
View or Remove Business User from Multiple Business Unit 21
Installing SAAS applications 24
Salesforce 24
Office 365 26
Prerequisites 26
Office 365 Account and License 27
Activate Office 365 Account Audit Log 29
Disable Multi-Factor Authentication 30
Add Admin to Sharepoint Site 33
Add Office 365 Account 37
Manually Activate Sites Collection 41
Box 43
Prerequisites 43
Installation 44
Dropbox Business 45
Prerequisites 45
Installation 45
Google Drive 46
Prerequisites 47
Create Google Service Account 47
Enable Google Drive API & Authorize Client ID 52
Add Google Drive Account 53
AWS S3 55
Prerequisites 55

AWS Policy Creation 55
AWS Role Creation 57
Update AWS Role External ID (optional) 60
AWS Configure CloudTrail Setting 61
Add AWS S3 Account 63
Google Cloud Storage 65
Prerequisites 65
Steps to Add Google Cloud Account 65
Configure G Suite Account 65
Configure Service Account 66
Enable required APIs 72
Enable activity and alert monitoring 74
Add Google Cloud Storage Account 74
Microsoft Azure Storage 76
Prerequisites 76
Setup Azure Subscription 77
Add Reader role to the Subscription 79
Add Reader roles to multiple subscriptions simultaneously (optional) 80
Collect Subscription and Directory IDs 82
Setup Blob Storage 83
Enable Blob Log Monitoring 84
Setup Storage Blob Data Reader 85
Add Azure Storage Account 86
ServiceNow 88
Prerequisite 88
Register FortiCASB with ServiceNow 88
Add ServiceNow Account 90
Webex Teams 91
Prerequisites 92
Configure WebEx admin account 92
Add Webex Teams account 93
General 95
Reports 95
C-Level Report 95
Compliance Report 96
Customized Compliance Report 97
Alert Report 98
Activity Report 102
Shadow IT 104
Audit log 104
Access Logs 105
Event list 105
Salesforce 105
Office 365 107
Box 108
Dropbox Business 109

Google Drive 111
Shadow IT discovery 112
Data pattern 120
Generate Credential 120
Application Specific Features 122
Discovery 122
Administrative Privileges 124
Documents 125
Documents Highlights 125
Policy 129
Data Analysis 129
Threat Protection 133
Compliance Policy 134
Customized Policy 135
Policy Configuration 136
Data Analysis Policy Configuration 140
Threat Protection Policy Configuration 143
Compliance Policy Configuration 161
Alert 173
Activity 174
AV Scan and File Quarantine 175
File Quarantine and Notification Configuration 175
File Quarantine Directory 177
Yammer Integration Features 179
Prerequisites 181
Enforce Office 365 Identity in Yammer 182
Yammer License Verification 185
Yammer File Path 187
FortiCASB APIs 189
Request Authorization Methods 189
1. Client Credential 189
2. Username and Password 189
3. Refresh Token 189
Fabricate Request Header and Body 190
Send Request 190
REST API Response 191
API Throttling 191
Get Authorization Token 191
Description 191
Method: POST 191
Request Header 191
Request Body Parameters 192
Sample Request 192
Response Variable 192
Sample Response 192
Get Credentials Token 193

Description 193
URL 193
Method: POST 193
Request Header 193
Get Refresh Token 194
Description 194
URL 194
Method: POST 194
Request Header 194
Request Body Parameters 195
Sample Request 195
Response Variable 195
Sample Response 195
Get Resource Map 196
Description 196
URL 196
Method: GET 196
Request Header 196
Sample Request 196
Response Variable 196
Sample Response 197
Get Alert List 197
Description 197
URL 198
Request Method: Post 198
Request Header 198
Request Body Parameters 198
Sample Request 199
Response Variable 200
Sample Response 201
Get Business Unit Info 203
Description 203
URL 203
Method: Get 203
Request Header 203
Sample Request 203
Response Variable 204
Sample Response 204
Get Country List 204
Description 204
URL 205
Method: GET 205
Request Header 205
Sample Request 205
Response Variable 205
Sample Response 205
Get Dashboard Risk 206
Description 206

URL 206
Method: Post 206
Request Header 206
Request Body Parameter 207
Sample Request 207
Response Variable 207
Sample Response 207
Get Dashboard Statistics 209
Description 209
URL 209
Method: POST 209
Request Header 209
Request Body Parameters 210
Sample Request 210
Response Variable 210
Get Dashboard Summary 213
Description 213
URL 213
Method: Get 213
Request Header 213
Sample Request 214
Response Variable 214
Sample Response 214
Get Dashboard Usage 214
Description 214
URL 215
Method: Post 215
Request Header 215
Request Body Parameters 215
Sample Request 215
Response Variable 216
Sample Response 216
Get Event 217
Description 217
URL 217
Method: Get 217
Request Header 217
Sample Request 217
Response Variable 218
Sample Response 218
Get Filter List 219
Description 219
URL 219
Method: Get 219
Request Header 219
Sample Request 219
Sample Response 220
Get Policy List 220

Description 220
URL 221
Method: Get 221
Request Header 221
Sample Request 221
Get Service History 222
Description 222
URL 222
Method: GET 222
Request Header 222
Sample Request 223
Response Variable 223
Sample Response 223
Get Service Status 224
Description 224
URL 225
Method: Get 225
Request Header 225
Sample Request 225
Response Variable 225
Sample Response 226
Get Severity 227
URL 228
Method: GET 228
Request Header 228
Sample Request 228
Response Variable 228
Sample Response 228
Get Status 229
Description 229
URL 229
Method: Get 229
Request Header 229
Sample Request 229
Response Variable 229
Sample Response 230
Get User List 230
Description 230
URL 230
Method: Get 230
Request Header 230
Sample Request 231
Response Variable 231
Sample Response 232
Troubleshooting 234
Getting Started Issues 235
New account with No License Error 235
Renew License error 236

Salesforce 236
OAuth Request errors 236
Office 365 238
Add Site Collection Admin errors 238
Add Users errors 238
Add Groups errors 238
Dropbox Business 240
OAuth Request error 240
Google 241
Google Drive connection errors 241
Appendix 242
Appendix A: Amazon Policy Usage 242

Change Log

Date        Change Description

07/01/2020  FortiCASB 20.2 Handbook release. Cloud Account Activity and Alert Reports are
            now available for export from Reports.

04/03/2020  FortiCASB 20.1 Handbook release. FortiCASB REST API reference added and
            Compliance Report feature upgraded in this revision.

09/07/2019  FortiCASB 4.2 Handbook release. IAAS applications and features migrated to
            FortiCWP.

04/05/2019  FortiCASB 4.1 Handbook release. Revised Getting Started documentation for Basic
            Setup and Install IAAS applications. Added documentation for Topology, Resource,
            Resource Profile, and Traffic. Configuration merged into Risk Assessment.

01/08/2019  FortiCASB 2.1 Handbook. First edition. Changed EU users' IP address from
            52.59.74.73 or 18.195.109.67 to 34.254.217.50 or 52.18.7.98 in the section
            "Shadow IT discovery".

What's New

FortiCASB 20.4.0 Release Highlights

New cloud apps will be added to our protected apps lineup:


• AWS S3
• Google Cloud Storage
• Azure Storage
• ServiceNow
• Cisco WebEx Teams

Actual use cases for each cloud app may vary. Please see documentation for details.

Introduction

Welcome, and thank you for selecting FortiCASB for your cloud security and monitoring needs.
FortiCASB is Fortinet's cloud-native Cloud Access Security Broker (CASB) service, which provides visibility,
compliance, data security, and threat protection for cloud-based services. Using direct API access, FortiCASB
enables deep inspection and policy management for data stored in cloud application platforms. It also provides
detailed user analytics and management tools to ensure that policies are enforced and that your organization’s
data is secure.
FortiCASB works by focusing on Gartner's four pillars of security: visibility, compliance, data security, and threat
protection.
• Visibility—Visibility is one of the most important aspects of cloud security. FortiCASB uses a series of
methods such as data scans and analytics to answer the questions: who accessed information, what was
accessed, when it was accessed, and from where did the access originate.
• Compliance—FortiCASB provides file content monitoring to find and report on regulated data in the
cloud.
• Data security—FortiCASB runs scans to check for sensitive data, such as social security numbers or
credit card numbers. It then classifies this data under different levels of sensitivity and sends different
alerts depending on the sensitivity level of the data accessed.
• Threat protection—FortiCASB uses User Entity Behavior Analytics to watch for suspicious or irregular
user behavior. It also sends out alerts for malicious behavior.

Features

FortiCASB comes with a series of features that give you visibility of data access and usage, control over data
security and threat protection, and peace of mind over compliance with standards and federal regulations.

Visibility

• Automatic on-demand data scan—FortiCASB examines existing content in all folders to identify
sensitive data subjects or security policies.
• Cloud usage analytics—FortiCASB visually summarizes key usage statistics, including trends over
different time periods as well as drilldown, access count, and usage over time.
• User entitlements review—FortiCASB gives visibility of privileged users, dormant users, and external
users.
• File exposure—FortiCASB highlights the most shared files overall, as well as each user's most shared
files.

Data security and threat protection

• Cloud data loss prevention—FortiCASB enforces DLP policies based on data identifiers, keywords,
and regular expressions for data both at rest and in traffic.
• Threat detection—FortiCASB offers an abundant number of out-of-the-box policies to immediately
detect account-centric threats.
• Malware detection—FortiCASB features a malware detection policy to detect malicious files before they
compromise sensitive data.
• Geo-location analytics—FortiCASB visualizes global access patterns and analyzes activity to identify
unlikely cross-region access attempts indicative of compromised accounts.
• Shadow IT discovery—FortiCASB offers an overview of unsanctioned cloud applications used in the
organization and gives users the ability to control application usage.
• Configuration assessment—FortiCASB offers a large number of out-of-the-box policies for
automated validation of best security practices against your cloud storage account.

Compliance

• Predefined compliance policies—FortiCASB provides predefined compliance policies designed to
help maintain compliance with ISO 27001, NIST 800-53 V4, and NIST 800-171 regulations.
• Compliance report—FortiCASB can produce compliance reports for audit purposes. These reports show
compliance with ISO 27001, NIST 800-53 V4, and NIST 800-171 regulations.

Basic Setup

This chapter provides the procedures for getting started with FortiCASB.

Introduction

FortiCASB account permissions can have one of three levels:


• Administrator—Administrators have full permissions, including the ability to
create/access/assign companies and organizations.
• Business users with full access—Business users from FortiCare who have been
granted full access also have full permissions, including the ability to
create/access/assign companies and organizations.
• Business users with limited access—Business users from FortiCare who have
been granted limited access can only view companies they are a part of.
If you are an administrator, continue below.
If you are a business user with limited access (that is, neither an administrator in charge of setup
nor a user with full access), skip to Business User Login on page 20.

FortiCASB requires different setup procedures, depending on your organization's hierarchy and needs. A
company with a branched hierarchy, such as a company with multiple branch offices or a compartmentalized
organizational structure, will have different requirements than a company with only one unified office.

First Time Setup

To set up your FortiCASB for the first time, you or your organization must have the following in place:
• A valid FortiCASB license. Contact your primary Fortinet Service Provider to obtain a license if you do not
already have one.
• An administrator with a Master FortiCare account to add your company, business units, and users in
FortiCASB.

In accordance with European Union laws and regulations, all data that FortiCASB
collects for European Union (EU) companies must be located in the EU region. To
accommodate this, you can choose to host your CASB cloud service either on the
Global site or the EU site.

1. Open your web browser, and go to https://www.forticasb.com/


2. Click Login.

You will be redirected to the Fortinet single sign-on webpage.


3. Log into your admin account, or create a new admin account if you do not already have one.
4. Log into FortiCASB with your account.
5. On the FortiCASB account selection page, select an account (if applicable).
You are now redirected to FortiCASB's company selection page. Proceed to Add Company on page 15 to
add a company to the account.

If you have a pop-up blocker, it will block the FortiCASB GUI.
Set an exception for the FortiCASB GUI, or open the GUI manually.

Add Company

After selecting a region, the company selection screen will be displayed.


1. If you are not already logged in, log into FortiCASB (https://www.forticasb.com) with your Master FortiCare account.
2. Once you are logged in, the Company/Business unit Management dashboard appears.
3. Click Add new company+ on the left-hand side.

4. Specify a unique company name, and add a brief description. Then click Add Company.
After a company is set up, proceed to Add Business Units on page 16 to add a business unit to the company.

Add Business Units

After creating a company, log into FortiCASB to add a business unit for the company by following these steps:
1. Log into FortiCASB (https://www.forticasb.com) with your Master FortiCare account.
2. Click +Add new Business unit on the Company/Business unit Management dashboard.

3. Under Basic Setting, enter a unique Unit Name of your choice, and enter a user under Add
User.

4. Click Add to complete adding the business unit.

Repeat this process to add additional business units if applicable.
After a business unit is set up, proceed to Add Business Users on page 17 to add business users to the business
unit.
If there are no business users to add, first create business users by following Create Business User on page 17.

Create Business User

Business users can be created and then added to a business unit. A FortiCare master account owner can create
a business user account and add the business user to the company and the business units in FortiCASB. To
create a business user, follow these steps:
1. Log into FortiCare: https://support.fortinet.com/Main.aspx.

2. Click the Account Management button in the upper right corner.

3. Click Manage User on the left-hand side. The list of users is displayed.

4. Click the add user button on the right-hand side.

5. Fill in the user name, e-mail address, and phone number for the business user you would like to set
up.
6. Select Full Access to grant the business user full permissions, including the ability to
create/access/assign companies and business units.
7. Select Limited Access to only grant the business user basic access. Then click Save.
8. If Limited Access is selected, click on Add More Products to select a license.
9. Click Save.
Repeat this process to create more business users.
After the business users are created, proceed to Add Business Users on page 17 to add the users to a business unit.

Add Business Users

A FortiCare Master account holder or a full access user can add business users to business units. If there are no
business users to add, first create business users by following Create Business User on page 17.
1. Log into FortiCASB (https://www.forticasb.com) with your Master FortiCare account.

2. On the FortiCASB Dashboard, click Switch Company at the top right-hand corner.

3. Click the target company on the left-hand side, then click Edit Business Unit.

4. The Business Unit Setting will pop up. If there are multiple business units in the same company, click
the name of the business unit to which you want to add users.

5. Click the Add User field and select the business user to add.

6. Click Save to complete adding the user, then click Close.

Repeat this process to add more business users if applicable.
Now the business users can log into the business unit with their accounts.

Business User Login

1. Go to www.forticasb.com.
2. Click Login.
3. Enter your credentials, and then select a FortiCASB user account (if applicable).
4. Select your company and business unit.

You will be brought to the FortiCASB dashboard. Click on the Switch Company icon to switch company,
if applicable.

If your account hasn't been assigned to a business unit, an error message will appear.
Contact the administrator who holds the Master FortiCare account to add you to the
business unit.

View or Remove Business User

The Business Unit Setting allows you to edit the users of a business unit. It also shows the Business Unit ID,
the request variable you pass when calling the FortiCASB REST APIs to retrieve detailed security information
about the business unit.
There are two methods to view or remove business users under business units in FortiCASB.
The first method is to view or remove the business users through the default business unit shown when you log
into FortiCASB.
The second method is to view or remove the business users from multiple business units under
the same company.

View or Remove Business User from Default Business Unit

1. Log into FortiCASB with your master FortiCARE account.

2. At the Dashboard page, click on Business Unit Setting at the top right hand corner.

3. Business Unit Setting will pop up and show all the business users in Add User field.
The Unit ID is the Business Unit ID (BuId).

4. To remove a business user, click X next to the business user to remove.


5. Click Save to complete the changes.

View or Remove Business User from Multiple Business Unit

1. Log into FortiCASB with your master FortiCARE account.

2. At the Dashboard page, click on Switch Company at the top right hand corner.

3. In Company/Business unit Management Dashboard, click on Edit Business Unit.


4. Business Unit Setting will pop up and show all business users in Add User field.
The Unit ID is the Business Unit ID (BuId).

5. To remove a business user, click on X next to the business user to remove.


6. Click Save to complete the changes.

To view or remove users from a different business unit, click the other business unit(s) underneath and repeat
steps 5-6.

Installing SAAS applications

Both administrators and users can add SaaS applications to a company. Once added, all users in the company
can view the cloud application.

Salesforce

FortiCASB offers an API-based approach, pulling data directly from Salesforce via RESTful API. Authentication
is done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following editions (the API is enabled by
default):
• Enterprise Edition
• Unlimited Edition
• Developer Edition
• Performance Edition
The user account installed in FortiCASB must have the following permissions:
• View All Data
• View All Users
• API Enabled
You may either use an existing account or create a new account. If you create a new account, wait at least 24
hours for the new account to take effect before granting access to FortiCASB.

The following features require "Manage Users" permission as well:
• User login tracking
• User IP address tracking
• Geographical location tracking
• User password change tracking
Without "Manage Users" permissions, FortiCASB cannot obtain user login IPs.
Therefore, any user activity will not appear on the Activity map.

Installation

1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Salesforce account navigation button and select Add
Cloud Account.

3. You will be prompted to re-direct to Salesforce for authentication. Click OK to continue.

4. Log in to authenticate. If you have a custom Salesforce domain, enter it here.

Salesforce will prompt you to allow or deny access.

5. Click Allow to grant FortiCASB permissions to monitor your Salesforce application.


After you click Allow, you will be redirected back to the FortiCASB dashboard.
You can check the installation result and SaaS platform monitoring status in the Salesforce dashboard.

For more information on common installation issues, see Troubleshooting on page 234.

Office 365

FortiCASB offers an API-based approach. It monitors Office 365 activity by using web notification and by
pulling data directly from Office 365 via RESTful API. Authentication is done through OAuth 2.0. FortiCASB
uses an access token for API queries.

Prerequisites

There are a few prerequisites before adding the Office 365 account on FortiCASB. Please follow the steps
below.

1. Office 365 Account and License on page 27 - Create an Office 365 account with the
Global Administrator role.
2. Activate Office 365 Account Audit Log on page 29 - Enable the Office 365 Audit
Log to record user activities of the Office 365 account.
3. Disable Multi-Factor Authentication on page 30 - Temporarily disable the account's
multi-factor authentication before adding the Office 365 account to FortiCASB.
4. Add Admin to Sharepoint Site on page 33 - Incorporate protection on Office 365
Sharepoint sites by adding the Office 365 account to the site admin.
5. Add Office 365 Account on page 37 - Activate site collection by adding the Office 365
account to FortiCASB.

Office 365 Account and License

You may use an existing account or create a new account. If you create a new account, wait for at least 24
hours for the new account to take effect before granting access to FortiCASB. If you already have an Office 365
license, see Determine the type of Office 365 license on page 27 to determine which type of Office 365
license you have.

License Requirement

Make sure your Office 365 account license plan includes Active Directory integration. FortiCASB requires
Active Directory support for most of its features. The following Office 365 licenses support Active Directory
integration:
• Office 365 Business
• Office 365 Business Essentials
• Office 365 Business Premium
• Office 365 ProPlus
• Office 365 Enterprise E1
• Office 365 Enterprise E3
• Office 365 Enterprise E5
• Office 365 Enterprise K1

Lastly, make sure the role you use to add the Office 365 account on FortiCASB is Global Administrator and,
optionally, that you have an AzureAD Premium P2 license.
Without the AzureAD "Premium P2" license, FortiCASB's Discovery feature cannot see user entitlements. All
other functions on FortiCASB will not be affected. User Entitlements is simply a feature on FortiCASB that lets
you see the roles and permissions that each user is entitled to. For more information on how to obtain an
AzureAD Premium P2 license, go to:
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-get-started-premium

You will also need to set up the AzureAD Privileged Identity Management application. For more information on
how to do so, go to:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure.

Determine the type of Office 365 license

To determine what Office 365 license you have, follow the steps below:
1. Log into your Office 365 account: https://www.office.com/.

2. Click the Apps button, located in the top-left corner of your Office 365 home screen.
3. Select Admin.

4. Click the Settings button, located in the top-right corner of your Office 365 admin center.

5. Click Office 365, located under "Your app settings".

You will be redirected to your Office 365 Account page.


6. Click View Subscriptions from the list.
It will display your Office 365 License, along with your Azure Active Directory Premium P2 license, if you have
purchased it.

Activate Office 365 Account Audit Log

The Office 365 audit log needs to be activated to record user and admin activities. This allows FortiCASB to monitor
activities of the Office 365 account. It may take several hours after you turn on the audit log before FortiCASB
receives the audit logs from your Office 365 account.
To enable this feature, follow the steps below:
1. Search for and click Security & Compliance on your Office 365 account portal screen.
2. Click Search > Audit log search in the menu on the left-hand side.

3. Click Turn on auditing.

Now you may activate site collection by adding the Office 365 account to FortiCASB.

Disable Multi-Factor Authentication

Before adding your Office 365 admin account to FortiCASB, verify that multi-factor authentication (MFA) is
disabled for the admin account. Multi-factor authentication would prevent the OAuth verification from completing
smoothly while the account is being added on FortiCASB.
Multi-factor authentication can be enabled again after the account has been added to FortiCASB.
1. Log into Office 365 (https://office.com) with the account to be added to FortiCASB.

2. Click the App Launcher button at the top left corner, and select Admin.

3. In Microsoft 365 admin center left navigation menu, click on Users drop down menu and select Active
users.

4. Locate your account from the active users list, and click on your Display Name.

5. The account user profile will pop-up. In Account tab, scroll down and click on Manage Multi-factor
Authentication.

6. Make sure Multi-Factor Authentication status is set to "Disabled". If the status is "Enabled", please set it
to "Disabled".
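
A check to run once the account has been added, covering the two Office 365 prerequisites above (audit logging turned on, MFA temporarily disabled). This is an added example, not part of the Fortinet guide; it assumes the ExchangeOnlineManagement and MSOnline PowerShell modules are installed, and the parameter name and output field names are illustrative.

```powershell
# Added example (not from the FortiCASB guide): verify the Office 365 account used
# for FortiCASB after onboarding. Assumes the ExchangeOnlineManagement and MSOnline
# modules are installed and the caller may read audit configuration and user state.
param(
    # UPN of the account that was added to FortiCASB (placeholder, supply your own).
    [Parameter(Mandatory = $true)]
    [string]$OnboardingUpn
)

$ErrorActionPreference = 'Stop'

Connect-ExchangeOnline -ShowBanner:$false   # needed for Get-AdminAuditLogConfig
Connect-MsolService                         # needed for Get-MsolUser / Get-MsolUserRole

try {
    # Unified audit logging is the setting behind "Turn on auditing". The guide
    # states FortiCASB depends on it to receive the account's audit logs.
    $auditEnabled = [bool](Get-AdminAuditLogConfig).UnifiedAuditLogIngestionEnabled

    # Per-user MFA state. An empty StrongAuthenticationRequirements collection is what
    # the portal shows as "Disabled"; otherwise State is "Enabled" or "Enforced".
    $user = Get-MsolUser -UserPrincipalName $OnboardingUpn
    $requirements = @($user.StrongAuthenticationRequirements)
    $mfaState = if ($requirements.Count -gt 0) { "$($requirements[0].State)" } else { 'Disabled' }

    # Directory roles held by the account. MSOnline reports the Global Administrator
    # role under the name "Company Administrator".
    $roles = @(Get-MsolUserRole -UserPrincipalName $OnboardingUpn | ForEach-Object { $_.Name })
    $isGlobalAdmin = $roles -contains 'Company Administrator'

    $findings = @()
    if (-not $auditEnabled) {
        $findings += 'Unified audit logging is off: FortiCASB will not receive audit logs.'
    }
    if ($mfaState -eq 'Disabled') {
        $findings += 'MFA is still disabled: re-enable it now that the account has been added.'
    }
    if ($isGlobalAdmin -and $mfaState -eq 'Disabled') {
        $findings += 'Account is a Global Administrator protected by a password only.'
    }
    if (-not $isGlobalAdmin) {
        $findings += 'Account does not hold the Global Administrator role the guide requires.'
    }

    # One result object, so the check can be scheduled and its output compared over time.
    [pscustomobject]@{
        Account         = $OnboardingUpn
        AuditLogEnabled = $auditEnabled
        MfaState        = $mfaState
        Roles           = $roles -join ', '
        Findings        = $findings
        Passed          = ($findings.Count -eq 0)
    }
}
finally {
    Disconnect-ExchangeOnline -Confirm:$false
}
```

The MFA state read here is the per-user setting changed in the steps above; it does not reflect MFA enforced through Conditional Access or security defaults.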

Add Admin to Sharepoint Site

Before adding your Office 365 admin account to FortiCASB, please verify that the account is one of the
Company Administrators of the Office 365 Sharepoint Sites. This is to ensure that FortiCASB is able to monitor
and protect the account's Sharepoint sites.
1. Log into Office 365 (https://office.com) with your admin account to be added to FortiCASB.

2. Click on App Launcher button at the top left corner, and select Admin.

3. In Microsoft 365 admin center left navigation menu, click on Show all to show other options. Scroll
down to Admin Centers and click SharePoint to enter SharePoint admin center.

4. In SharePoint admin center, click on the Sites drop-down menu, and select Active sites.

5. In Active sites, under the Primary admin column, scroll down to look for "Company Administrator".

6. Click on the Site name of the user shown as "Company Administrator".

7. The Sharepoint site profile will pop-up, then click on Permissions tab.

8. Check if your account is one of the site admins. If not, click Manage to add your account to the Manage
admins, then click Save. In this way, FortiCASB will be able to monitor and protect the sharepoint site
after your admin account is added to FortiCASB.

Note: If you want FortiCASB to monitor and protect other Sharepoint sites of the same domain, repeat steps 6-8
with a different Sharepoint site.

Add Office 365 Account

After all the Office 365 configurations are completed from previous sections, follow these steps to add your
Office 365 account on FortiCASB.
1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Office 365 account navigation button and select Add
Cloud Account.


3. You will be prompted to provide administrator credentials. This is for the automation process of adding the
global administrator as the "site collection administrator" for the users under the administrator account. For
more details refer to https://docs.microsoft.com/en-us/sharepoint/manage-user-profiles
Note: The credentials are only used for a one-time configuration. FortiCASB will not store your Office 365
credentials.

Alternatively, if you don't want FortiCASB to audit your OneDrives, or want to install it manually, you can
check "Prefer not to provide".

If you have a custom SharePoint homepage URL, you will have to allow
collection manually. See Manually Activate Sites Collection on page 41.

4. Click OK.
You will be redirected to the Office 365 login screen.
5. After logging in, Office 365 will prompt you to accept FortiCASB access.
Note: FortiCASB requests only partial permissions from the global administrator user, not all permissions.
Below is a list of permissions requested by FortiCASB.


Permissions requested by FortiCASB:
• Read and write files in all site collections
• Read items in all site collections (preview)
• Read files in all site collections
• Read and write all users' full profiles
• Read all users' full profiles
• Read and write items in all site collections (preview)
• Read all users' full profiles
• Read all groups
• Read and write all groups
• Read directory data
• Read and write directory data
• Access directory as the signed in user
• Read all files that user can access
• Read items in all site collections
• Read all groups
• Read directory data
• Read activity report for your organization
• Read activity data for your organization
• Sign in and read user profile
• Read directory data

6. After you allow FortiCASB to access your Office 365 account, you will be redirected back to the
FortiCASB dashboard.
You can see the installation checklist and monitoring status in the Office 365 dashboard. Notice that Add
Sites Collection Admin is checked indicating that FortiCASB can now audit your OneDrive data.


If you checked "Prefer not to provide" earlier during authentication, please refer to
Manually Activate Sites Collection on page 41 for more details.

Manually Activate Sites Collection

If you clicked "Prefer not to provide" earlier during authentication to activate sites collection, FortiCASB
is connected to the global administrator's Office 365 account with minimum access, and no OneDrive data is
accessible by FortiCASB.
Follow these steps to make OneDrive data accessible:
1. Log into https://admin.microsoft.com/ using your global administrator account.
2. In the left pane, under Admin centers, click SharePoint.

3. After the SharePoint admin center opens, click More features, and open User profiles.


4. In User Profiles page, under People, select Manage User Profiles.

5. In Find profiles box, enter a licensed user under the global account administrator and click Find.
6. Right click on the account name and select Manage site collections owners.

7. In the field for Site Collection Administrators, add the global administrator account's user name or
e-mail address and press Enter.


8. Click OK to complete adding the global administrator as one of the site collection administrators.

Box

FortiCASB offers an API-based approach, pulling data directly from Box via RESTful API. Authentication is
done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following editions (the API is enabled by
default):
• Business Edition
• Enterprise Edition
• Developer Edition
The user account installed in FortiCASB must have the following permissions:
• Read and write all files and folders stored in Box
• Manage users
• Manage groups
• Manage enterprise properties
You may either use an existing account or create a new account. If you create a new account, wait at least 24
hours for the new account to take effect before granting access to FortiCASB.

The following features require "Admin User" permission as well:


• User login tracking
• User IP address tracking
• Geographical location tracking
• User password change tracking
• Change admin role tracking
Without "Admin User" permissions, FortiCASB cannot obtain user login IPs. Therefore,
any user activity will not appear on the Activity map.

Installation

1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Box account navigation button and select Add Cloud
Account.

3. You will be navigated to the Box website for authentication. Log in to authenticate.
Box will prompt you to allow or deny access.
4. Click Allow to grant FortiCASB permissions to monitor your Box application.
After you click Allow, you will be redirected back to the FortiCASB dashboard.
You can check the installation checklist and SaaS platform monitoring status in the Box dashboard.

For more information on common installation issues, see Troubleshooting on page 234.


Dropbox Business

FortiCASB offers an API-based approach, pulling data directly from Box via RESTful API. Authentication is
done through OAuth 2.0. FortiCASB uses an access token for API queries.

Prerequisites

To use API access, your organization must be using one of the following Dropbox Business plans:
• Standard Plan
• Advanced Plan
• Enterprise Plan
The user account installed in FortiCASB must have the following permission:
• Team Admin
You may either use an existing account or create a new account.

Installation

1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Dropbox account navigation button and select Add
Cloud Account.

3. Click OK. You will be navigated to the Dropbox website for authentication.


4. Log in to authenticate. Dropbox will prompt you to allow or deny access.


5. Click Allow to grant FortiCASB permissions to monitor your Dropbox application.
After you click Allow, you will be redirected back to the FortiCASB dashboard.
You can check the installation result and SaaS platform monitoring status in the Dropbox dashboard.

For more information on common installation issues, see Troubleshooting on page 234.

Google Drive

FortiCASB offers an API-based approach, pulling data directly from Google Drive via RESTful API.
Authentication is done through OAuth 2.0. FortiCASB uses an access token for API queries.


Prerequisites

To use API access, your organization must be using one of the following editions (the API is enabled by
default):
• Business Edition
• Enterprise Edition
The user account installed in FortiCASB must be a Super Administrator in your G Suite account. For steps on
how to check if your account is a Super Administrator, see Google Drive connection errors on page 241.

Due to Google requirements, only G Suite accounts with a business or enterprise license can use
FortiCASB. G Suite accounts with a basic license will not be able to use FortiCASB.

You may either use an existing account or create a new account. Wait at least 24 hours for the new account to
take effect before granting access to FortiCASB.

There are two prerequisite steps to set up your Google Drive account before you can add the Google
Drive account on FortiCASB. Please follow the steps below.
1. Create Google Service Account on page 47

2. Enable Google Drive API & Authorize Client ID on page 52

3. Add Google Drive Account on page 53

Create Google Service Account

Make sure you create a service account for the G Suite account that will be linked to FortiCASB. A service
account delegated with domain-wide authority is necessary for FortiCASB to visit files in both personal and
team drives under your G Suite account.

Without the service account, you can still use FortiCASB. However, the features related to files in FortiCASB,
such as Discovery, will not work.


For more information regarding service accounts and domain-wide authority delegation, go to:
https://developers.google.com/identity/protocols/OAuth2ServiceAccount#delegatingauthority

Google Service Account Creation Steps:

1. Go to https://console.developers.google.com and log in with your Google Account.


2. Click on the drop-down menu of Select a project.

3. Select an existing project or Create New Project by clicking New Project.

4. Enter a Project Name and click Create.


5. After a project is created, go to Navigation menu, and click on Identity > Service accounts.


6. Click +Create service account.


7. Enter a "Service account name" of your preference and click Create. Service account ID will populate
automatically.

Keep the service account ID for later use in Google Drive authentication during
installation.

8. Click Continue when prompted for entering service account permissions.


9. Click on +Create Key and select P12 to create a private key. The P12 private key will be downloaded
automatically, then click Done.


Keep the private key for later use in Google Drive authentication during installation.

10. Once the service account is created, select it and click the icon under Actions on the
right-hand side, then click on Edit.


11. Enable G Suite Domain-wide Delegation and enter in a Product name for the consent screen, then
click Save.

12. Select View Client ID from the service account that was created, and record the client ID.


Enable Google Drive API & Authorize Client ID

1. Go to Navigation Menu > APIs & Services > Dashboard.


2. Click on ENABLE APIS AND SERVICES.
3. Search for the Google Drive API and enable it.
4. Go to https://admin.google.com and log in with the same Google Account.
5. Click Security in Admin Console.
6. In Security page, scroll down and click API controls.
7. In API controls page, click MANAGE DOMAIN WIDE DELEGATION.
8. Click Add new and add the Client ID from step 12 of Create Google Service Account on page 47.


9. Add https://www.googleapis.com/auth/drive to OAuth scope and click AUTHORIZE.

Add Google Drive Account

After all the Google Drive configurations are completed from previous sections, follow these steps to add your
Google Drive account on FortiCASB.
1. Log into FortiCASB with your account.
2. Go to Overview > Dashboard from navigation menu, click on the Google Drive account navigation
button and select Add Cloud Account.


3. Upload the service account ID and Private Key (P12 File) from earlier for the G Suite account. Your
service account ID should end in ".gserviceaccount.com".
4. Click OK.
You will be navigated to the Google website for authentication. Make sure to use the same G Suite
account for authentication.
If you have a custom Google domain, enter it here.
5. Log in to authenticate. Google will prompt you to allow or deny access.
6. Click Allow to grant FortiCASB permission to monitor your Google application.
You will be redirected back to the FortiCASB dashboard. You can check the installation checklist and SaaS
platform monitoring status in the Google Drive dashboard.


AWS S3

Prerequisites

Make sure the AWS account user you use to perform the tasks below is an Administrator User. For
instructions on creating an Administrator User for your AWS account, please refer to
https://docs.aws.amazon.com/mediapackage/latest/ug/setting-up-create-iam-user.html.
Use the Administrator User to create a new AWS Policy and Role, and configure the CloudTrail setting:
1. AWS Policy Creation on page 55
2. AWS Role Creation on page 57
3. Update AWS Role External ID (optional) on page 60
4. AWS Configure CloudTrail Setting on page 61
5. Add AWS S3 Account on page 63
After all 3 steps are completed, go back to FortiCASB to finish adding the AWS account.

AWS Policy Creation

1. Go to your AWS console dashboard.


2. Search for and click IAM.


3. Click Policies from the menu on the left.


4. Click Create policy.
5. Go to the JSON tab.
6. Replace the existing JSON code with the following:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:Get*",
                "s3:List*",
                "s3:Put*",
                "s3:Delete*",
                "s3:CreateBucket",
                "iam:List*",
                "iam:Get*",
                "cloudtrail:LookupEvents",
                "cloudtrail:GetTrailStatus",
                "cloudtrail:DescribeTrails",
                "cloudtrail:ListTags",
                "cloudtrail:GetEventSelectors",
                "config:Get*",
                "config:Describe*",
                "config:Deliver*",
                "config:List*"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
7. Click Review policy.
8. Name the new policy.
9. Click Create policy.
Your new policy will be created.

Please keep your policy name for later use in role creation.

For the purpose behind the AWS services being used to create the custom policy,
please refer to Appendix A: Amazon Policy Usage on page 242.
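
To see what the custom policy from step 6 grants before attaching it to a role, the following added example (not part of the FortiCASB guide or Fortinet's code) parses that policy and separates read-only action patterns from those that can modify resources. The verb list used to classify actions and the function name review_policy are assumptions made for this illustration.

```python
import json

# Policy document from step 6 of "AWS Policy Creation" on this page.
FORTICASB_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:Get*", "s3:List*", "s3:Put*", "s3:Delete*", "s3:CreateBucket",
        "iam:List*", "iam:Get*",
        "cloudtrail:LookupEvents", "cloudtrail:GetTrailStatus",
        "cloudtrail:DescribeTrails", "cloudtrail:ListTags",
        "cloudtrail:GetEventSelectors",
        "config:Get*", "config:Describe*", "config:Deliver*", "config:List*"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
""")

# Assumption for this illustration: actions whose names start with one of
# these verbs only read state; everything else is treated as able to modify.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Lookup")


def as_list(value):
    """IAM accepts a single string where a list is expected; normalise it."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return one summary dict per Allow statement in an IAM policy."""
    summaries = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements grant nothing
        actions = as_list(stmt.get("Action", []))
        read_only, modifying = [], []
        for action in actions:
            _service, _, name = action.partition(":")
            # A bare "*" has no verb and therefore lands in the modifying list.
            if name.startswith(READ_ONLY_VERBS):
                read_only.append(action)
            else:
                modifying.append(action)
        summaries.append({
            "services": sorted({a.partition(":")[0] for a in actions}),
            "read_only": read_only,
            "modifying": modifying,
            "all_resources": "*" in as_list(stmt.get("Resource", [])),
        })
    return summaries


if __name__ == "__main__":
    for summary in review_policy(FORTICASB_POLICY):
        print("services:     ", ", ".join(summary["services"]))
        print("read-only:    ", ", ".join(summary["read_only"]))
        print("can modify:   ", ", ".join(summary["modifying"]))
        print("all resources:", summary["all_resources"])
```

The "can modify" line is the part to review against your own change-control requirements, since the statement applies to every resource in the account.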

AWS Role Creation

Obtain External ID from FortiCASB

Before creating an AWS Role, you will need to create an External ID from FortiCASB. The External ID is a
unique 32-bit token that meets the AWS security requirement that protects the AWS Role.
1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the AWS S3 account navigation button and select Add
Cloud Account.

3. Enter your "AWS Account ID" and click Validate to validate the account, then click Generate to generate
"FortiCASB-generated external ID". Click copy to save it for later use in creating the AWS Role.


Note: If you already generated an External ID a few hours earlier, after you click Validate with your account ID,
the external ID will be retrieved automatically without clicking Generate.

If you already have an AWS Role associated with FortiCASB and only need to update
the External ID, please refer to Update AWS Role External ID (optional) on page 60.

Create AWS Role

1. Click Roles from the menu on the left.


2. Click Create role.
3. Click Another AWS account.

4. Enter the following Account ID: 854209929931.


Note: This is the Amazon AWS account that FortiCASB uses to monitor the new role that is being created.
5. Select the box Require external ID and enter the External ID generated earlier.

The External ID must be the one generated earlier through FortiCASB using the
same AWS account. If the External ID is not generated from FortiCASB, the AWS
account cannot be added to FortiCASB.

6. Make sure the box Require MFA is not selected.


7. Click Next: Permissions.
8. Click Filter, then select Customer managed.

9. Select the box for the policy you created earlier.


10. Click Next: Tag, and then click Next: Review.
11. Enter a name of your preference for the role name.
12. Click Create role.
13. Click the role name, and copy the AWS Role ARN.
Example of AWS Role ARN: arn:aws:iam::123456123456:role/FortiCASBTester

Please keep the AWS Role ARN for later use in AWS authentication during installation.


Update AWS Role External ID (optional)

If you have previously created an AWS role, you will only need to update the old External ID to the new
FortiCASB generated 32-bit External ID token without creating a new AWS role.

Follow the steps below to update the External ID:

1. Log into your AWS account portal using your Administrator User.
2. Search and click on IAM (Manage Access to AWS resources) from the AWS portal page.
3. Click on Roles, search and click on the AWS Role you created for adding AWS to FortiCASB from AWS S3
on page 55.
4. Click Trust Relationships tab and click on Edit trust relationship.

5. Replace the External ID in the Policy Document JSON in the line "sts:ExternalId".


6. Click Update Trust Policy to finish updating the External ID.
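
The role settings described in "Create AWS Role" and "Update AWS Role External ID" end up in the role's trust policy document. The following added example (not part of the FortiCASB guide or Fortinet's code) checks such a document against the settings the guide asks for: the FortiCASB account ID as principal, an sts:ExternalId condition, and no MFA requirement. The sample policies and external ID values are constructed, and the function names are assumptions made for this illustration.

```python
FORTICASB_ACCOUNT_ID = "854209929931"  # account ID from step 4 of "Create AWS Role"


def as_list(value):
    """IAM accepts a single string where a list is expected; normalise it."""
    return value if isinstance(value, list) else [value]


def principal_account(principal):
    """Return the account ID from a principal ARN or a bare account ID."""
    if principal.startswith("arn:"):
        parts = principal.split(":")
        return parts[4] if len(parts) > 4 else ""
    return principal


def check_trust_policy(policy, expected_external_id):
    """Return a list of problems; an empty list means the policy matches the guide."""
    problems = []
    trusted = False
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = as_list(principal.get("AWS", [])) if isinstance(principal, dict) else [principal]
        if FORTICASB_ACCOUNT_ID not in {principal_account(p) for p in aws}:
            continue  # statement trusts some other party; not checked here
        trusted = True
        # Assumes the key casing the AWS console writes for these conditions.
        condition = stmt.get("Condition", {})
        external_ids = as_list(condition.get("StringEquals", {}).get("sts:ExternalId", []))
        if not external_ids:
            problems.append("no sts:ExternalId condition (Require external ID was not selected)")
        elif external_ids != [expected_external_id]:
            problems.append("sts:ExternalId does not match the FortiCASB-generated value")
        if "aws:MultiFactorAuthPresent" in condition.get("Bool", {}):
            problems.append("MFA is required, but the guide says Require MFA must not be selected")
    if not trusted:
        problems.append("no Allow statement lets account %s call sts:AssumeRole" % FORTICASB_ACCOUNT_ID)
    return problems


def make_trust_policy(principal_arn, condition=None):
    """Build a constructed sample trust policy in the shape the console produces."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal_arn}, "Action": "sts:AssumeRole"}
    if condition is not None:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}


# Constructed sample values, not real external IDs.
CURRENT_ID = "EXAMPLE-EXTERNAL-ID-NEW"
FORTICASB_ROOT = "arn:aws:iam::%s:root" % FORTICASB_ACCOUNT_ID

GOOD = make_trust_policy(FORTICASB_ROOT, {"StringEquals": {"sts:ExternalId": CURRENT_ID}})
NO_EXTERNAL_ID = make_trust_policy(FORTICASB_ROOT)
STALE_WITH_MFA = make_trust_policy(FORTICASB_ROOT, {
    "StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID-OLD"},
    "Bool": {"aws:MultiFactorAuthPresent": "true"},
})
WRONG_ACCOUNT = make_trust_policy("arn:aws:iam::111111111111:root",
                                  {"StringEquals": {"sts:ExternalId": CURRENT_ID}})

if __name__ == "__main__":
    samples = [("good", GOOD), ("no external ID", NO_EXTERNAL_ID),
               ("stale ID + MFA", STALE_WITH_MFA), ("wrong account", WRONG_ACCOUNT)]
    for name, policy in samples:
        print(name, "->", check_trust_policy(policy, CURRENT_ID) or "OK")
```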

AWS Configure CloudTrail Setting

1. Go to your AWS console dashboard.


2. Click on services drop down menu and search for "Cloud Trail".
3. Once you are in Cloud Trail, click on Trails in the left panel.

4. Click Create trail.


5. Enter a trail name based on your preference.


6. Select Yes to Apply trail to all regions.
7. Select All for Read/Write events.
8. Under Data event > S3, check on Select all S3 buckets in your account, Read, and Write.

9. Scroll down and click advanced to show hidden menu.


10. Name the S3 bucket based on your preference. The bucket name is used as the CloudTrail S3 bucket for
AWS authentication.

11. Leave the Log file prefix blank.


You have finished all the preliminary steps to add your AWS account. Now go back to
FortiCASB and click Next.

Add AWS S3 Account

After all the AWS S3 configurations are completed from previous sections, follow these steps to add your AWS
S3 account on FortiCASB.
1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the AWS S3 account navigation button and select Add
Cloud Account.

3. Enter your "AWS Account ID" and click Validate to validate the account. If you have created an AWS role
following AWS Role Creation on page 57, the same external ID will be automatically retrieved without
generating a new one.


4. Review the key configurations list to see if you have finished all the required configurations, then click Next.

5. Enter the "AWS Account ID" and "AWS Role ARN" from the AWS CloudTrail Configuration that you have
completed earlier.
6. Click Add AWS S3 Account to complete adding the account.


Google Cloud Storage

Prerequisites

To use FortiCASB with Google Cloud Platform, you must have a G Suite account, service account, and the
JSON private key associated with the service account. The service account must have “G Suite Domain-wide
Delegation” enabled and Project Owner/Organization Administrator roles for monitoring.

Steps to Add Google Cloud Account

1. Configure G Suite Account on page 65


2. Configure Service Account on page 66
3. Enable required APIs on page 72
4. Enable activity and alert monitoring on page 74
5. Add Google Cloud Storage Account on page 74

Your G Suite account can be either an existing account or a new account. If you have just created a new
account, you must wait for at least 24 hours for the account to take effect before granting it access to
FortiCASB. The G Suite account to which you connect from within FortiCASB must have the Super Admin role
in your G Suite account.

Configure G Suite Account

Use the following steps to check if your account has the Super Admin role:
1. Go to https://admin.google.com/ and log in with your Google Suite account credentials.

2. In the upper-left corner, click the navigation menu, and select Directory > Users.
3. Click on user account of interest.


4. Scroll down to the Admin roles and privileges section, click the drop-down button.

5. In the Roles section, make sure that the Super Admin role has been assigned. Otherwise, hover over
the Roles section, click the Edit icon, and select Super Admin in the pop-up window.

Configure Service Account

For your service account, you may either use an existing or new account.
• New Service Account Creation on page 67
• Using Existing Service Account on page 70
• Grant Service Account API Access on page 70
• Grant Service Account Owner Role on page 71
• Grant service account Organization Administrator role on page 72

New Service Account Creation

1. Go to https://console.developers.google.com and log in with your Google Suite account.


2. Click on the drop-down menu > Select a project.

3. Select an existing project you want to monitor or Create a New Project by clicking New Project.

4. Click the Navigation Menu on the top left corner, go to IAM & admin > Service accounts.


5. Click +Create service account button.


6. Enter a Service account name of your preference and click Create. Service account ID will populate
automatically.

Keep the service account ID for later use in Google Cloud authentication during
installation.

7. Click Continue when prompted for entering service account permissions.


8. Click on +Create Key and select JSON to create a private key. The JSON private key will be downloaded
automatically, then click Done.

Keep the JSON key for later use in Google Cloud authentication during installation.

9. Once the service account is created, select it and click the Actions icon
> Edit.


10. Enable G Suite Domain-wide Delegation.


Using Existing Service Account

1. Select the project that contains the service account to be used.

2. Click the Navigation Menu in the upper-left corner of the page, and select IAM & Admin >
Service Accounts.

Note: Make sure Domain-wide delegation is enabled. If not, click on Actions icon > Edit to enable
it.

3. If you don’t have a JSON private key, then click Actions icon > Edit , and select +Create Key.
4. Select JSON in the Key type field, and click CREATE. The JSON private key will be automatically
downloaded.
Note: Be sure to keep this key and your service account ID for use later during Google cloud
authentication.
Once your service account is ready, you must grant it API access to the G Suite API.

Grant Service Account API Access

1. Click the Navigation Menu in the upper-left corner of the page, and then select IAM & admin >
Service Accounts.
2. In the Domain-wide delegation column, click View Client ID.


3. In the pop-up window, save the client ID for step 7.


4. Go to https://admin.google.com and log into the same Google account.
5. Scroll down and click on More Controls > Security.

6. In Security, scroll down and select Advanced Settings.


7. Click Manage API client access.

8. In the Client Name field, enter the Client ID saved in Step 3. Your Client ID must be a string of numbers.
9. In the One or More API Scopes field, enter:
"https://www.googleapis.com/auth/admin.directory.user,https://www.googleapis.com/auth/admin.reports.audit.readonly".
After getting your service account ID and JSON private key, grant the service account the Owner and
Organization Administrator roles for the projects to be monitored.

Grant Service Account Owner Role

1. Select the project to be monitored.

2. Click the Navigation Menu on the upper-left corner, select IAM & admin > IAM.
3. Click the ADD button on the top.


4. In the New Members field, enter the service account ID you want to use.
5. In the Select a role field, select Project > Owner.
6. Click the SAVE button.
7. Repeat the steps above for all the projects to be monitored.
Additionally, on the same service account, grant the Organization Administrator role.

Grant service account Organization Administrator role

1. Select the project to be monitored.

2. Click the Navigation Menu on the upper-left corner, select IAM & admin > IAM.
3. Click the ADD button on the top.
4. In the New members field, enter the service account ID you want to use.
5. In the Select a role field, select Resource Manager > Organization Administrator
Note: You can also enter "Organization Administrator" in the filter for fast access.
6. Click the SAVE button.

Enable required APIs

After adding roles to the service account, you must make sure that the following APIs are enabled on all
projects for monitoring. This will ensure that FortiCASB can gather information from the Google Cloud.
• Cloud Resource Manager API
• App Engine Admin API
• Cloud Key Management Service (KMS) API
• Compute Engine API
• Cloud SQL
• Google Cloud Storage JSON API
• Google Cloud Storage
• Cloud SQL Admin API
• Stackdriver Logging API
• Admin SDK
• Identity and Access Management (IAM) API

To enable the APIs, do the following:

1. Go to the project to be monitored.

2. Click the Navigation Menu in the upper-left corner, and select APIs & Services > Dashboard.
3. In the Enabled APIs and services list, make sure that the required APIs are listed (enabled).


If any of the APIs is not enabled, use the below steps to enable it:

1. Go to the project to be monitored.

2. Click the Navigation Menu in the upper-left corner, and select APIs & Services > Dashboard.
3. Click the ENABLE APIS AND SERVICES button on the top.
4. In the Search for APIs & Services field, enter the name of a required API.
5. From the search results, select the API.
6. Click the ENABLE button.
7. Wait until Google Cloud has enabled the API.
Note: While you are enabling an API, a dialog may pop up prompting you to enable billing. If that happens,
follow the prompts onscreen to enable billing.

Enable activity and alert monitoring

If you would like to enable FortiCASB activity and alert monitoring, you must turn on audit logging using the
following steps:
1. Go to the project to be monitored.
2. Click the Navigation Menu in the upper-left corner, and select IAM & admin > Audit Logs.
3. Select Google Cloud Storage in the list.
4. Enable all log types, i.e., Admin Read, Data Read, and Data Write.

5. Click the SAVE button.

Add Google Cloud Storage Account

After all the Google Cloud Storage configurations are completed, follow these steps to add your Google Cloud
Storage account on FortiCASB.


1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Google Cloud account navigation button and select Add
Cloud Account.

3. Review the key configurations list to see if you have finished all the required configurations, then click Next.

4. In User Email field, enter your email address which you used to create the service account.


5. In Service Account ID field, enter the ID of your service account. Your service account ID should end in
".gserviceaccount.com".
6. In Upload Service Account Private Key, click Choose File to browse and upload your service
account's private key (i.e., a JSON file).
7. Click Add Google Cloud Storage Account to complete adding your Google Cloud Storage account.

Microsoft Azure Storage

FortiCASB offers an API-based approach. It monitors Azure Cloud activity by using Web notification and by
pulling data directly from Azure Cloud via the RESTful API. Authentication is done through OAuth 2.0.
FortiCASB uses an access token to generate API queries.

Prerequisites

You may use an existing Azure AD account or create a new account. If you create a new account, wait for at
least 24 hours for the new account to take effect before granting access to FortiCASB.


Make sure the user account that will be used on FortiCASB has a Global Administrator role, Application
Administrator + Global Reader roles, or Cloud Application Administrator + Global Reader roles.
You will also need to set up the Azure AD Privileged Identity Management application. For more information on
how to do so, go to:
https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure.
FortiCASB supports all types of Azure AD licenses. However, depending on the features supported by the Azure
AD license, FortiCASB will only integrate features available to that license. For example, a free Azure AD
license does not include sign-in activity report, thus FortiCASB cannot provide sign-in activities from the free
Azure AD account.
Follow each section below to set up the Azure Subscription and Roles, and configure the Blob Storage in
preparation to add the Azure Subscription to FortiCASB:
1. Setup Azure Subscription on page 77
2. Add Reader role to the Subscription on page 79
3. Add Reader roles to multiple subscriptions simultaneously (optional) on page 80
4. Collect Subscription and Directory IDs on page 82
5. Setup Blob Storage on page 83
6. Enable Blob Log Monitoring on page 84
7. Setup Storage Blob Data Reader on page 85
8. Add Azure Storage Account on page 86

Setup Azure Subscription

Once you have your Azure license ready, you will need a subscription ID to use FortiCASB. If you do not have a
subscription yet, please follow these steps:
1. Log into the Azure portal https://portal.azure.com using your Azure account.
2. Search and click on Subscriptions.
3. Click on +Add button to add a subscription.


4. Select the subscription desired and complete the rest of the billing steps.

Note: You will need a minimum of "Pay-As-You-Go" subscription to use FortiCASB.


Add Reader role to the Subscription

Add a Reader role to the Subscription that is going to be added to FortiCASB. The purpose is to provide
FortiCASB with read access to the resources under the Subscription.
1. Search and click on Subscriptions.
2. Click on the Subscription that is going to be used on FortiCASB.
3. In the Subscription menu, click on Access control (IAM).

4. Click on +Add and select "Add role assignment".


5. In Add role assignment drop down menu, click on Select a role and select Reader.
6. Leave Assign access to as "Azure AD user, group, or service principal".


7. In Select field, search and select a member (user account) that will be associated with the role.

The member (user account) should have a Global Administrator role,
Application Administrator + Global Reader roles, or Cloud Application
Administrator + Global Reader roles as stated in the Prerequisites.

8. Click Save to finish creating the Reader role.

Add Reader roles to multiple subscriptions simultaneously (optional)

To add multiple subscriptions to FortiCASB with one user account simultaneously, follow these steps to
configure the subscriptions with read access. If the user account has the Global Administrator role, do only
steps 6-9.
1. Log in to Azure portal as the master account user.
2. In the search field, search and click on "users".
3. Click on the user that will be used when adding the Subscriptions to FortiCASB.
4. In the middle Profile navigation menu, click on Assigned roles.


5. Click +Add assignments to add Global reader role and Global Administrator role to the user.
(Global Administrator role will be removed later)

6. Log out of the master account user, and log back in as the user to whom the new roles are assigned.
7. Search and click on "Azure Active Directory".
8. In the middle Azure Active Directory navigation menu, click on Properties.
9. Click Yes under Access management for Azure resources, and click Save. This step allows the user
to manage access of all Subscriptions under the Azure account.

10. Log out of the user account, and log back in as the master account.
11. Follow the steps 2-4 above, and remove the Global administrator role.
Now all the Subscriptions under the user account have Reader role, and you can add multiple Azure
Subscriptions at the same time.


Collect Subscription and Directory IDs

For Azure authentication during installation, find and record the Azure Subscription and Directory IDs.

View Subscription ID

To view your subscription ID after you have set up the subscription, follow these steps:
1. From the portal page, search and click on Subscriptions.
2. Once Subscriptions page opens, you will notice the subscription ID column next to the subscription.

View Directory ID

Obtain Directory ID following the steps below:


1. From the portal page, search and click on Azure Active Directory.
2. Click on MANAGE > Properties.
3. Under Directory properties, you will find Directory ID.


Setup Blob Storage

A Storage account with blob log monitoring enabled is required to install FortiCASB. If you do not have a
storage account yet, please follow the steps below to create a storage account:
1. From the portal page, search and click on storage account.
2. Click +Add to create a storage account.
3. Under Basics, in the Subscription field, make sure you select the subscription that is linked to your
subscription ID.


4. In Resource group field, select a resource group based on your preference or create a new one.
5. In the Storage account name field, enter an account name based on your preference.
6. Click Review + create. Once validation passes, click Create.

Enable Blob Log Monitoring

Once storage account is created, to enable blob log monitoring:


1. Select the storage account of interest.
2. From the left menu, select Monitoring (classic) > Diagnostic settings.


3. Turn On diagnostic logs. Under the Blob properties, enable Read/Write/Delete under Logging.

Setup Storage Blob Data Reader

The last step is to grant Storage Blob Data Reader permission to the Azure AD user. This is a necessary step
for FortiCASB DLP and virus scan to read and analyze the data stored in the Storage Blob account as well as
integrating Azure cloud traffic in FortiCASB.
1. From the Azure portal page, search and click Subscriptions.
2. Select your subscription.
3. Select Access Control (IAM), and click +Add; the Add role assignment pane opens.
4. In Role field, type and select Storage Blob Data Reader.
5. In Assign access to field, leave it as Azure AD user, group, or service principal.
6. In Select field, type and select the name or e-mail address of the Azure AD user.


7. Click Save to complete granting the role to the Azure AD user.
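
One way to verify the role setup from the sections above, as an added example (not Fortinet's code): it checks that the account holds Reader and Storage Blob Data Reader on every subscription to be onboarded, and lists every other role it holds for review. The sample data is constructed; it uses the `roleDefinitionName` and `scope` fields of `az role assignment list -o json` output, and the subscription IDs, directory-role list and function names are assumptions.

```python
import json

# Roles this guide assigns at subscription scope for the FortiCASB account.
REQUIRED_ROLES = {"Reader", "Storage Blob Data Reader"}

# Constructed sample: Azure role assignments held by the onboarding account,
# reduced to the two fields this check needs.
SAMPLE_ASSIGNMENTS = json.loads("""
[
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000001"},
  {"roleDefinitionName": "Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002"},
  {"roleDefinitionName": "Storage Blob Data Reader",
   "scope": "/subscriptions/00000000-0000-0000-0000-000000000002/resourceGroups/rg-logs"},
  {"roleDefinitionName": "User Access Administrator", "scope": "/"}
]
""")

# Constructed sample: Azure AD directory roles of the same account,
# collected separately (an assumption; they are not Azure RBAC assignments).
SAMPLE_DIRECTORY_ROLES = ["Global Reader", "Global Administrator"]

# Placeholder subscription IDs that are going to be added to FortiCASB.
SAMPLE_SUBSCRIPTIONS = [
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002",
]


def normalize_scope(scope):
    """Lower-case a scope and drop a trailing slash; the root scope stays '/'."""
    return scope.rstrip("/").lower() or "/"


def audit_onboarding_account(assignments, directory_roles, subscription_ids,
                             global_admin_is_temporary=True):
    """Return (missing, review).

    missing: {subscription_id: [required roles not held at subscription scope]}
    review:  [(scope, role)] for every role beyond the two required ones.
    """
    roles_by_scope = {}
    for item in assignments:
        scope = normalize_scope(item["scope"])
        roles_by_scope.setdefault(scope, set()).add(item["roleDefinitionName"])

    # Roles at the root scope are inherited by every subscription.
    # Management-group scopes are not resolved here.
    inherited = roles_by_scope.get("/", set())

    missing = {}
    for sub_id in subscription_ids:
        scope = normalize_scope("/subscriptions/" + sub_id)
        held = roles_by_scope.get(scope, set()) | inherited
        gap = REQUIRED_ROLES - held
        if gap:
            # A required role granted only on a resource group or storage
            # account does not cover the whole subscription.
            missing[sub_id] = sorted(gap)

    review = []
    for scope in sorted(roles_by_scope):
        # "Access management for Azure resources" set to Yes shows up as
        # User Access Administrator at scope "/".
        for role in sorted(roles_by_scope[scope] - REQUIRED_ROLES):
            review.append((scope, role))

    # Global Administrator granted only for the multi-subscription procedure
    # is meant to be removed again in its last step.
    if global_admin_is_temporary and "Global Administrator" in directory_roles:
        review.append(("directory", "Global Administrator"))

    return missing, review


if __name__ == "__main__":
    missing, review = audit_onboarding_account(
        SAMPLE_ASSIGNMENTS, SAMPLE_DIRECTORY_ROLES, SAMPLE_SUBSCRIPTIONS)
    for sub_id, roles in missing.items():
        print(f"MISSING  {sub_id}: {', '.join(roles)}")
    for scope, role in review:
        print(f"REVIEW   {role} at {scope}")
```

Pass `global_admin_is_temporary=False` when the account holds Global Administrator as its standing prerequisite role rather than as the temporary grant.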

Add Azure Storage Account

Once you have completed all the Azure Storage configurations, you can add the Azure Storage account on FortiCASB
by following these steps:
1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Azure Storage account navigation button and select Add
Cloud Account.

3. Review the key configurations list to see if you have finished all the required configurations, then click Next.


4. Enter your subscription ID you saved earlier in Subscription ID field.

5. Click Add Azure Storage Account.


ServiceNow

Prerequisite

Before adding ServiceNow to FortiCASB, a FortiCASB OAuth API endpoint needs to be created on ServiceNow
with your ServiceNow admin account.
Note: Only ServiceNow Istanbul or higher version is supported.
Follow these steps to configure and add ServiceNow account on FortiCASB:
1. Register FortiCASB with ServiceNow on page 88
2. Add ServiceNow Account on page 90

Register FortiCASB with ServiceNow

1. Log into ServiceNow management console with your admin account.


2. On the left navigation menu, scroll down and select System OAuth, and click on Application Registry.

3. Click on New and select Create an OAuth API endpoint for external clients.


4. Enter a unique Name for the OAuth client application.

5. Enter a Client Secret.


6. In Redirect URL field, enter the URL based on your FortiCASB region:

Global Region:          https://www.forticasb.com/api/v1/oauth/redirect/ServiceNow
European Union Region:  https://eu.forticasb.com/api/v1/oauth/redirect/ServiceNow

7. Keep a record of Client ID and Client Secret for use in adding the ServiceNow account to FortiCASB.
8. Leave Refresh Token Lifespan and Access Token Lifespan fields as default.
9. Click Submit and go back to FortiCASB to add the ServiceNow account to FortiCASB.


Add ServiceNow Account

After registering FortiCASB with ServiceNow, you can add the ServiceNow account on FortiCASB.
Follow the instructions below to add the ServiceNow account on FortiCASB:
1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the ServiceNow navigation button and select Add Cloud
Account.

3. Review the key configurations list to see if you have finished all the required configurations, and click Next.

4. In the Client ID and Client Secret fields, enter the Client ID and Client Secret recorded earlier. In
ServiceNow url, enter your ServiceNow URL.


5. Click Add ServiceNow Account to add the ServiceNow account.

Webex Teams

FortiCASB offers protection for Webex Teams file sharing and events monitoring. All files shared in Webex
Teams space chats are protected against viruses and monitored for compliance violations. Events monitoring
watches for suspicious user activities or unauthorized events.
Types of Webex account activities monitored by FortiCASB:

Admin Event (With IP)    Regular Event (Without IP)
Admin Log In             Create Messages
Create User              Create Memberships
Delete User              Delete Memberships
                         Update Memberships


Prerequisites

The Webex user account must be under a Webex Plus, Business, or Enterprise subscription plan. The Webex free
subscription plan is not supported.
Follow the steps below to add Webex team to FortiCASB:
1. Configure WebEx admin account on page 92
2. Add Webex Teams account on page 93

Configure WebEx admin account

1. Log into Cisco WebEx Admin with your Webex admin account.
2. Click on your user profile icon drop down menu, and click Cisco Webex Control Hub.

3. In Cisco Webex Control Hub navigation menu, click on Management > Users.
4. Click on the user that will be added to FortiCASB. In Roles and Security, click on Administrator
Roles, and make sure the user has the following:
a. The user is a Full Administrator.
b. The user has the Compliance Officer role.
(Ask another admin to assign the role if needed.)


Follow the rest of the steps in Add Webex Teams account on page 93 to complete adding the Webex account
on FortiCASB.

Add Webex Teams account

After the Webex Team configurations are completed from the previous section, follow these steps to add your
Webex Team account on FortiCASB.
1. Log into FortiCASB with your account.

2. Go to Overview > Dashboard, click on the Webex Team account navigation button and select Add
Cloud Account.


3. Review the key configurations list to see if you have finished all the required configurations, then click Grant
Access@Webex. You will be redirected to the Webex OAuth verification page.
Note: Before clicking on Grant Access@Webex, make sure you log out of Webex if you have another
account that is logged in on another web page.

4. Enter your Webex credentials and press Submit. Then go back to the FortiCASB page.
If there is an error adding the account, refer to the error messages to re-add the Webex account.


General

This section covers general operations and features in using FortiCASB:

Reports

FortiCASB allows you to generate C-level, Compliance, and Shadow IT reports.


C-Level reports are quarterly, monthly, or annual reports. Compliance reports give an overview of overall
compliance with policies such as HIPAA, SOX/COBIT, and PCI. Shadow IT reports highlight unsanctioned
application usage.

C-Level Report

1. Go to Overview > Report > C-Level from FortiCASB left navigation pane.
2. Choose a report type (Yearly, Quarterly, or Monthly Report), and select the year, month or quarter.
3. Press Ok to start generating the report.
4. After the report is generated, it will be available under the Action column. To view the report, click on the
view button.

Compliance Report

Compliance reports are automatically generated monthly, quarterly, and yearly. You may also customize a
time frame to generate compliance reports. HIPAA, GDPR, SOX-COBIT, and PCI reports are in zip format, while ISO
27001 and NIST800 reports are in PDF.

The prerequisite for generating a Compliance report is to enable and configure the Compliance Policies required by your organization. For more details on configuring Compliance policies, please refer to Policy Configuration on page 136.

After you have enabled Compliance Policies, follow the steps below to generate Compliance report.
1. Go to Overview > Report > Compliance from FortiCASB navigation pane.
2. Select the report type (HIPAA, PCI, SOX-COBIT, etc.), a scheduled period (Monthly, Quarterly, etc.),
and a cloud app (Office 365, Google, etc.) to filter the generated reports.


3. Click the download button under the Action column to download the desired report.

Customized Compliance Report

1. Click on Generate Now in Report/Compliance page.


2. Select a Report Type.
3. Select a Cloud Application (Office 365, Google, etc.)


4.
5. Select a Time Frame that is within 90 days of the current day.
6. Click Generate Now to generate the report.
7. The report will be generated with your user name, cloud application, report type, and date range as the file
title.
For example, an Office 365 PCI compliance report with a date range of 3/1/2020 to 3/14/2020 will be "'User
Name' Office 365 PCI Compliance Report Mar 14 00:00:00 - Mar 14 23:59:59 UTC.zip".

Alert Report

Alert Report keeps track of all daily security alerts and lets you download daily security reports. At the end of
each month, all daily Alert reports will be consolidated into one monthly report for download.

• Activate Alert Report on page 99
• Export Daily/Monthly Report on page 100


Activate Alert Report

To enable Alert Report to export all daily security alerts, enable any of the Compliance policies below to
activate the feature:
• NIST800/53 - Track all security alerts
• NIST800/171 - Track all security alerts
• ISO27001 - Track all security alerts
Note: Only one of the policies above needs to be enabled to activate Alert Report.

Activate Alert Report through NIST800/53

1. Click on the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click NIST800-53 rev4 tab.
3. Locate the policy NIST800/53 - Track all security alerts.

4. Click on the toggle switch button under the Status column to turn on the policy.

Activate Alert Report through NIST800/171

1. Click on the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click NIST SP800-171 tab.
3. Locate the policy NIST800/171 - Track all security alerts.


4. Click on the toggle switch button under Status column to turn on the policy.

Activate Alert Report through ISO27001

1. Click on the targeted cloud account (Salesforce, Office 365, etc.) from the FortiCASB navigation menu.
2. Go to Policy > Compliance, and click ISO 27001 tab.
3. Locate the policy ISO27001 - Track all security alerts.

4. Click on the toggle switch button under Status column to turn on the policy.

Export Daily/Monthly Report

The daily security alert report is compiled into a CSV file and made available for export. At the end of each month,
all daily reports of that month are combined and packaged into a ZIP file and made available for download.
An alternative option for exporting daily reports is to consolidate the up-to-date daily reports of the current month
into one ZIP file.

Follow the steps below to export reports.

1. From FortiCASB navigation menu, go to Report > Alert.


2. In the Current Month tab, click the cloud account drop down menu and select a cloud account
(Salesforce, Office 365, etc.).


Option 1 - Select any of the daily reports and click the download button to download the daily report.
Option 2 - Click the Package Up-To-Date for Download button to combine all up-to-date daily reports of
the current month into one ZIP file. The combined ZIP file will be made available for download with a .zip
extension.

3. Click History tab to export monthly security alert reports. Click the year drop down menu to select year,
and cloud account drop down menu to select a cloud account, and all monthly security alert reports
available of that year will be available for export.


Activity Report

Activity Report keeps track of all daily cloud account activities and lets you download daily activity reports. At the
end of each month, all daily activity reports will be consolidated into one monthly report for download.

• Activate Activity Report on page 102
• Export Daily/Monthly Report on page 103

Activate Activity Report

To enable Activity Report to export all daily activities, enable the following Compliance policy to
activate the feature:
• NIST800/53 - Display content of audit record

Follow the steps below to enable the policy:

1. Click on the targeted cloud account (Salesforce, Office 365, etc.) from FortiCASB navigation menu.
2. Go to Policy > Compliance, and click NIST800-53 rev4 tab.
3. Locate the policy NIST800/53 - Display content of audit record.

4. Click on the toggle switch button under the Status column to turn on the policy.


Export Daily/Monthly Report

The daily activity report is compiled into a CSV file and made available for export. At the end of each month, all
daily reports of that month are combined and packaged into a ZIP file and made available for download.
An alternative option for exporting daily reports is to consolidate the up-to-date daily reports of the current month
into one ZIP file.

Follow the steps below to export reports.

1. From FortiCASB navigation menu, go to Report > Activity.


2. In the Current Month tab, click the cloud account drop down menu and select a cloud account
(Salesforce, Office 365, etc.).

Option 1 - Select any of the daily reports and click the download button to download the daily report.
Option 2 - Click the Package Up-To-Date for Download button to combine all up-to-date daily reports of
the current month into one ZIP file. The combined ZIP file will be made available for download with a .zip
extension.

3. Click History tab to export monthly activity reports. Click the year drop down menu to select year, and
cloud account drop down menu to select a cloud account, and all monthly activity reports available of
that year will be available for export.


Shadow IT

1. Go to Overview > Report > Shadow IT from FortiCASB left navigation pane.
2. Click the arrow next to Shadow IT Report.
3. In the General tab, choose an export file format (zip, xlsx, pdf, csv, docx).

4. Choose a report date range.


5. Click Save.
6. Click Generate to generate the report.
7. After the report is generated, it will be available to download under Action column.

Audit log

FortiCASB records all administrator activities. You can filter your searches by using the Filter option. To access
the Audit log page, go to Overview > Audit log.


For detailed description of each operation or event, please refer to Event list on page
105.

Access Logs

FortiCASB accesses your information by downloading files, scanning the downloads, then subsequently
deleting the downloads at regular intervals.
NOTE: For your privacy, FortiCASB does not retain your files. You may check to see when and which files
FortiCASB has downloaded, scanned, and deleted by clicking the Access Logs button, located at the top-right
corner.

Event list

This section shows the types of events FortiCASB supports. These types of events will be traced at the Activity
page of each cloud application, and they can also be used as criteria when configuring policy and applying
filters.

The File Download event is monitored within the FortiCASB Audit log. To find the audit
log, go to Overview > Audit Log from the navigation menu on the left.

Salesforce

Event Type        Event

Login             Login Success
                  Login Failed

User              Create User
                  Modify User
                  Change Password
                  Activate User
                  Deactivate User
                  Change User Profile
                  Change User Role
                  Change User Email
                  Change User Permission Set

Group             Add Group
                  Add Group Member
                  Update Group
                  Change Group Access
                  Add External Group Member (Customer)
                  Invite People

Profile           Create Profile
                  Modify Profile

Permission Set    Add Permission Set
                  Modify Permission Set

Feed              Post
                  Modify Post
                  Comment
                  Modify Comment

File              Upload File
                  Upload New Version
                  Download File
                  Edit File

Share             Share File
                  Share File with People
                  Share File with Group
                  Share File via Link
                  Download File via Link

Business          Account Modification
                  Account Owner Change
                  Contact Modification
                  Contact Owner Change
                  Account Create
                  Contact Create

Office 365

Event Type        Event

Login             Login Success
                  Login Failed

User              Create User
                  Delete User
                  Modify User
                  Restore User
                  Change Password
                  Modify Role

Group             Add Group
                  Delete Group
                  Add Group Member
                  Update Group
                  Add Group Owner
                  Delete Group Owner
                  Set Group Managed By
                  Create Group Settings
                  Update Group Settings
                  Delete Group Settings
                  Set Group License

File              Upload File
                  Delete File
                  Download File
                  Modify File
                  Access File
                  Move File
                  Copy File
                  Rename File
                  Edit File

Share             Share File
                  Create Anonymous Link
                  Delete Anonymous Link
                  Create Company Link
                  Delete Company Link
                  Company Link Used

Other             Modify License
                  Delete Folder
                  Create Sharing Invitation
                  Edit Company Info

Box

Event Type        Event

File/Folder       Upload File
                  Copy File
                  Download File
                  Edit File
                  Move File
                  Preview File
                  Rename File
                  Open File
                  Modify File
                  Create Lock
                  Comment

Login             Login Success
                  Login Failed

User              Create User
                  Modify User
                  Delete User

Group             Add Group
                  Update Group
                  Group Add Membership

Metadata          Create Metadata Template
                  Update Metadata Template
                  Create Metadata Instance
                  Update Metadata Instance

Collaboration     Collaboration Invite
                  Collaboration Accept
                  Collaboration Role Change
                  Update Collaboration Expiration
                  Collaboration Expiration

Share             Share File
                  Update Shared File
                  Update Shared Expiration
                  Share Expiration

Dropbox Business

Event Type        Event

Login             Login Success
                  Login Failed
                  Logout
                  Login As User Session Start
                  Login As User Session End

User (Member)     Create User
                  User Change Name
                  User Change Status
                  User Change Admin Role
                  User Change Email
                  Change Password
                  Password Restore
                  Password Restore All

Group             Add Group
                  Delete Group
                  Add Group Member
                  Remove Group Member
                  Group Rename

File              File Add
                  File Download
                  File Preview
                  File Edit
                  File Delete
                  File Add Comment
                  File Move
                  File Copy
                  File Rename
                  File Restore
                  File Revert

File Share        Share Link Create
                  Share Link Create Password
                  Share Link Public
                  Share Link Disable
                  Share Link Team Only
                  Share Link Set Expiration
                  Share Link Remove Expiration
                  Share Link View
                  Share Link Download
                  Share Link Team Copy

Google Drive

Event Type        Event

Login             Login Success
                  Login Failure
                  Login Challenge
                  Logout

File              Create File
                  Upload File
                  Edit File
                  View File
                  Rename File
                  Move File
                  Delete File
                  Download File
                  Preview File
                  Trash File
                  Untrash File

User              Create User
                  Suspend User
                  Unsuspend User
                  Modify User
                  Change Password
                  Create Data Transfer Request
                  Delete User
                  Assign Role
                  Unassign Role


Shadow IT discovery

FortiCASB provides features for shadow IT discovery. By integrating with FortiGate and FortiAnalyzer,
FortiCASB gives users a concrete overview of all sanctioned and unsanctioned cloud applications
organization wide. Furthermore, FortiCASB calculates a risk score for each application and gives users the
ability to control application usage.
FortiCASB's Shadow IT discovery helps users enhance the security of their cloud application environment with
the following features:
• Unsanctioned Application Discovery: FortiCASB uses logs from FortiGate and FortiAnalyzer as well
  as its own discovery process to deliver a comprehensive view of risk and usage of cloud applications.
• Cloud Risk Score: FortiCASB generates a cloud risk score for each cloud application. This score is
  calculated using many factors, such as but not limited to: user numbers, size of the company, multi-factor
  authentication support, and service hosting location. These factors are used to generate scores in multiple
  criteria, which are then aggregated into one final score.
• Access Control: Users can block or monitor certain applications using FortiCASB and FortiGate.
• Data Correlation: FortiCASB uses data from FortiGate and FortiAnalyzer, as well as its own data, to
  define and identify riskier activities.

Configuration and requirements

Shadow IT discovery requires a FortiGate or FortiAnalyzer policy.


Configuration details depend on your specific setup requirements. See the scenarios below, and find the one
which best suits your needs.

Scenario 1: You want to receive logs from FortiGate.

• See FortiGate configuration. After step 13, follow the instructions under Log configuration using FortiGate
  GUI on page 116. Then, follow the instructions under FortiCASB configuration as needed.

Scenario 2: You want to receive logs from FortiGate, but it is already providing logs to another
device.

• See FortiGate configuration. After step 13, follow the instructions under Log configuration using FortiGate
  CLI. Then, follow the instructions under FortiCASB configuration as needed.

Scenario 3: You want to receive logs from FortiAnalyzer.

• See FortiAnalyzer configuration. Then, follow the instructions under FortiCASB configuration as needed.


FortiGate configuration

1. Go to Security Profiles > SSL/SSH Inspection.


2. Create a new SSL/SSH inspection profile called deep-test.
3. Configure the profile as shown below:

4. Go to Security Profiles > Application Control.


5. Set all categories to Monitor.
6. Under Options, enable Allow and Log DNS Traffic and Replacement Messages for HTTP-based
Applications.


FortiGate 5.6

FortiGate 5.4

7. Go to Security Profiles > Cloud Access Security Inspection.


8. Under the Action column, set all actions to Monitor.


9. Go to Policy & Objects > IPv4 Policy.


10. Create a new policy named Shadow-IT.
11. Configure the policy as shown below:

12. Configure Security Profiles.


a. To use access control, choose the Web Filter created with the URL filter set.
b. Open Application Control to allow FortiCASB to track how many cloud applications are visited.
c. To correlate log data with FortiCASB data, make sure Application Control is open, and set
SSL/SSH Inspection to deep-test.
NOTE: For FortiGate 5.4, set CASI to the default.


13. Open Log Allowed Traffic, and select either Security Events or All Sessions.

Log configuration using FortiGate GUI

14. Go to Log & Report > Log Settings.


15. Open Send Logs to FortiAnalyzer/FortiManager.
16. Set the FortiCASB receiver's IP address for IP Address.
The FortiCASB receiver IP address can be found by pressing the Device button from the FortiCASB
Shadow IT dashboard. It will be one of the following addresses:

Global Users:  34.212.87.235 or 52.27.136.156
EU Users:      34.254.217.50 or 52.18.7.98

Enter the IP address into the appropriate section of the FortiGate UI, shown below, then click Test
Connectivity.


Log configuration using FortiGate CLI

17. Log in to the FortiGate's CLI mode.
18. Configure log settings for the second FortiAnalyzer device on the FortiGate.
    config log fortianalyzer2 setting
        set status enable
        set server <FortiCASB server IP>
        set enc-algorithm high-medium
        set upload-option realtime
        set reliable enable
    end
19. Configure the log filter to only forward application-ctrl logs:
    config log fortianalyzer2 filter
        set filter-type include
        set filter "logid(1059028704)"
    end
20. Test the connection using the following CLI command:
    execute log fortianalyzer test-connectivity 2

If the connection is successful, the FortiGate will return the following:


Registration: registered
Connection: allow

Otherwise, the FortiGate will return an error code.
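
To show which records the include filter in step 19 lets through and what can be derived from them, here is an added example (not Fortinet's code) that parses key=value log lines, keeps only logid 1059028704, and tallies clients and sessions per application. The log lines are constructed, the field names (`app`, `appcat`, `apprisk`, `srcip`, `sessionid`) follow FortiGate application control logs, and the ranking order is an assumption for illustration, not FortiCASB's risk score.

```python
import re
from collections import defaultdict

# The application control log ID used in the include filter of step 19.
APP_CTRL_LOGID = "1059028704"

# Constructed sample log lines: one traffic log, one web filter log,
# and four application control logs (one of them a repeated session).
SAMPLE_LOGS = [
    'date=2020-03-01 time=10:00:01 logid="0000000013" type="traffic" '
    'subtype="forward" srcip=10.0.0.5 dstip=192.0.2.10 sessionid=100 action="accept"',
    'date=2020-03-01 time=10:00:02 logid="1059028704" type="utm" subtype="app-ctrl" '
    'srcip=10.0.0.5 dstip=192.0.2.20 sessionid=101 appcat="Storage.Backup" '
    'app="Dropbox" apprisk="medium" msg="Storage.Backup: Dropbox,"',
    'date=2020-03-01 time=10:00:03 logid="1059028704" type="utm" subtype="app-ctrl" '
    'srcip=10.0.0.6 dstip=192.0.2.20 sessionid=102 appcat="Storage.Backup" '
    'app="Dropbox" apprisk="medium" msg="Storage.Backup: Dropbox,"',
    'date=2020-03-01 time=10:00:04 logid="1059028704" type="utm" subtype="app-ctrl" '
    'srcip=10.0.0.5 dstip=192.0.2.30 sessionid=103 appcat="P2P" '
    'app="BitTorrent" apprisk="high" msg="P2P: BitTorrent,"',
    'date=2020-03-01 time=10:00:05 logid="0316013056" type="utm" subtype="webfilter" '
    'srcip=10.0.0.7 dstip=192.0.2.40 sessionid=104 action="blocked"',
    'date=2020-03-01 time=10:00:06 logid="1059028704" type="utm" subtype="app-ctrl" '
    'srcip=10.0.0.5 dstip=192.0.2.20 sessionid=101 appcat="Storage.Backup" '
    'app="Dropbox" apprisk="medium" msg="Storage.Backup: Dropbox,"',
]

# key=value pairs; a value is either a double-quoted string or a bare token.
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumed ordering of apprisk values, highest risk first.
RISK_ORDER = {"critical": 0, "high": 1, "elevated": 2, "medium": 3, "low": 4}


def parse_log_line(line):
    """Split one log line into a dict, stripping quotes around values."""
    fields = {}
    for key, value in _PAIR.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def passes_filter(fields):
    """Mirror of the include filter: only application control logs pass."""
    return fields.get("logid") == APP_CTRL_LOGID


def summarize_apps(lines):
    """Return ({app: summary}, dropped) for the lines that pass the filter."""
    apps = defaultdict(lambda: {"category": None, "risk": None,
                                "clients": set(), "sessions": set()})
    dropped = 0
    for line in lines:
        fields = parse_log_line(line)
        if not passes_filter(fields):
            dropped += 1  # traffic, web filter, etc. are never forwarded
            continue
        entry = apps[fields.get("app", "unknown")]
        entry["category"] = entry["category"] or fields.get("appcat")
        entry["risk"] = entry["risk"] or fields.get("apprisk")
        if "srcip" in fields:
            entry["clients"].add(fields["srcip"])
        if "sessionid" in fields:
            entry["sessions"].add(fields["sessionid"])  # set removes repeats
    return dict(apps), dropped


def rank_apps(apps):
    """Order application names by risk, then client count, then sessions."""
    def key(name):
        entry = apps[name]
        risk = RISK_ORDER.get(entry["risk"], len(RISK_ORDER))
        return (risk, -len(entry["clients"]), -len(entry["sessions"]), name)
    return sorted(apps, key=key)


if __name__ == "__main__":
    apps, dropped = summarize_apps(SAMPLE_LOGS)
    print(f"{dropped} log lines excluded by the logid filter")
    for name in rank_apps(apps):
        entry = apps[name]
        print(f"{name:12} risk={entry['risk']:8} "
              f"clients={len(entry['clients'])} sessions={len(entry['sessions'])}")
```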

FortiAnalyzer configuration

1. Provide a public IPv4 address to your FortiAnalyzer. Make sure this IP address, with the appropriate TCP
port (default 443), can be accessed from the external network via the internet.
2. Finish steps 1-12 of the FortiGate configuration.
3. Use the following commands to add RPC-permit's read and write permissions to the user:
    config system admin user
        edit admin
            set rpc-permit read-write
    end


FortiCASB configuration

1. Choose the device type to connect.


a. Click the Device button, located on the top right, from the Shadow IT dashboard.

b. Choose either FortiGate or FortiAnalyzer.


2. Enter the device DevID.
a. If the DevID is for FortiGate, fill in the other fields.
b. If the DevID is for FortiAnalyzer, fill in the other fields, then select the FortiGate device(s) to add.

Using Shadow IT discovery

Access control

After analyzing an application using FortiCASB, users can use FortiGate's Web Filter to block or monitor the
application.
1. Use FortiCASB to get the host name of the traffic to be controlled.
2. On the FortiGate device, go to Security Profile > Web Filter.
3. Under Static URL Filter, choose the URL filter.
4. Click Create to add a new URL filter.
5. Choose a Type.
6. Choose an Action.
7. Set Status to Open.
8. Click OK.


Shadow IT Dashboard

Usage of unsanctioned cloud applications

All unsanctioned cloud applications are given a ranking based on the risk score, the number of users, and
volume of use. FortiCASB uses that data to pinpoint and display the applications, clients, and sessions that are
most at risk. FortiCASB also displays the percentage of risky applications, clients, and sessions using pie
charts.

File insight

File insight shows the total number of sanctioned cloud applications the organization is using, the total number
of users, and the total number of files stored in each cloud application.

Application list

The application list displays all applications monitored by FortiCASB. Filter the list using the time range box on
the top right, the risk score slider on the top left, and the categories checkboxes on the left.

Click a specific application to display detailed information regarding the application.


Data pattern

FortiCASB uses data patterns to create policies for monitoring files. You can create customized data patterns
from the Data Pattern page. These data patterns can be used when creating customized policies.
To create a customized data pattern, follow the steps below:
1. Go to Overview > Data Pattern.
2. Fill in the settings shown below:

Name                      Enter a name for the data pattern.
Description               Enter a description for the data pattern.
Category                  Select a data category from the list.
File Extensions           Specify file types to be monitored.
Uncompressed File Size    Specify the upper bound of an object size, in MB, for a full content scan.
Compressed File Size      Specify the upper bound of a zip file size, in MB, for a full content scan.
Regex Context             Enter a phrase or string of characters, and FortiCASB will monitor any file
                          containing that phrase.

3. Click +Add.

Generate Credential

FortiCASB REST API resources are free to use for development purposes. To use these API resources, an
OAuth 2.0 bearer token is required in the Authorization header. One method to get an OAuth 2.0 bearer token is to
call Get Credentials Token. Before calling the Get Credentials Token API, follow the steps below to generate a
credential.
1. Log into FortiCASB with your account.
2. Go to Business Unit Setting in the top left hand corner.

3. Click on API Setting tab.


4. Enter a name in Credentials Name field, and click Generate.


5. Copy down the credential to be used to call the API later.
The generated credential can be used repeatedly as long as it is not revoked on FortiCASB.


Application Specific Features

This section covers features specific to each of the cloud applications installed on FortiCASB.

Discovery

FortiCASB classifies data as either data at rest or traffic data. Data at rest is data uploaded onto the cloud
application before it has been linked with FortiCASB, while traffic data is any data uploaded after FortiCASB
has started monitoring the cloud application.
You can run scans on the data in your cloud platforms to determine their contents. Depending on the policies
you set, FortiCASB will classify this data as either sensitive data or non-sensitive data. This can be seen in
the Discovery page for each cloud application.
The Discovery page shows basic information about the data in your cloud application, as well as information
about the users with access to your data.
If you don't run a manual scan, FortiCASB will scan files on an individual basis whenever a user accesses the
file.
If you would like to sync data, you can run Sync from the User and Document page.

Panel descriptions

User Entitlements—shows all users with access to your cloud application.

Privileged User: Any user with specific administrative privileges. For a list of these specific privileges, see Discovery on page 122.

Dormant User: Any user that has not accessed the cloud application for at least 30 days.

External User: Any user from an external company with access to your cloud application.

If the User Entitlements panel can't get privileged roles for your Office 365 platform,
make sure you have global administrator privileges and have Azure Active Directory
Premium P2.

Sensitive Data Discovery—gives an overview of sensitive data on your cloud application.

Sensitive Files: Shows the number of files on your cloud application with sensitive information, out of the total number of files.

High Risk File Owners: Shows how many users own files with sensitive information.

Shared Files: Shows the number of shared files.

Malware Files: Shows the number of files with malware scan results.

Click the number under Policy Violation to show the specific policies triggered.
Use Filter to filter or search through the list.

File Exposure—gives an overview of shared files on your cloud application.

Exposure Summary: Gives a summary of the file exposure. Click to filter the list.

Top File-Sharing Owners: Shows the owners sharing the most files.

Top Users/Groups with access to Shared Files: Shows the users or groups with access to the most files.

External Collaboration—highlights the files shared with external users/groups.

External Summary: Gives a summary of the external files.

Top External Domains: Shows the external domains with which the most files are shared.

Top External Users: Shows the external users with whom the most files are shared.

Click on [...] under Share or Link for more details.


Use Filter to filter or search through the list.


Administrative Privileges

Salesforce

A user with any of the following administrative permissions is considered a privileged user:
• Assign Permission Sets
• Manage Sharing
• Modify All Data
• Manage Encryption Keys
• View All Data
• View All Users

Office 365

A user with any of the following administrator roles is considered a privileged user:
• global administrator
• billing administrator
• password administrator
• service administrator
• user management administrator
• Exchange administrator
• SharePoint administrator
• Skype for Business administrator

Box

An admin with all of the following permissions is considered a privileged user:


• Manage users and groups
• Make calls on behalf of users
• View all data

Dropbox Business

A Team Admin is considered a privileged user.

Google

A user with any of the following administrator roles is considered a privileged user:
• Super Administrator
• Groups Administrator
• User Management Administrator
• Help Desk Administrator
• Services Administrator
• User Customized Administrator

Documents

The Documents page shows all the files FortiCASB is currently monitoring. The infographic gives an overview
of the files categorized by File Type, Data Analysis, and Share Type.
The Sync button allows you to manually pull files from the cloud application accounts to FortiCASB. FortiCASB
also automatically receives updates whenever users attempt to access files on the cloud application accounts.
Manually clicking Sync to synchronize the files on FortiCASB with files on the cloud application account is an
alternative way to update files on FortiCASB, and may not be necessary unless you find that the files shown on
FortiCASB are not in sync with the files on the cloud application accounts.
The Sync function is also available on the Users page.

Documents Highlights

Document Filter

• Click on the infographic bubbles to filter documents by File Type, Data Analysis, or Share Type. Data
Analysis filters files through a DLP scan; the results are categorized by the type of DLP search.
For example, the "DLP SSN" filter will only show files with Social Security Numbers, and the "DLP Visa Credit Card"
filter will only show files with Visa credit card numbers.
• Click the Advanced Search tab to conduct a custom file search instead of using the default file search types from Basic
Search.

Document States

• Sensitive: Files with sensitive information searched and matched by DLP policies such as Social Security
Number, Visa Credit Card number, etc.
• External: Files shared with external users/groups.
• Malware: Infected files searched and matched by the malware policies through AV scan.


Document Download and Details

In Operation Column, you can view and download a file by clicking .

Click to view detailed information on the file.


Policy

There are two main purposes of FortiCASB policies:


• Scans and reports use the policies you set to differentiate between sensitive and non-sensitive data.
• Alerts are generated depending on the policies you set.

Default policies on FortiCASB

• Data Analysis on page 129
• Threat Protection on page 133
• Compliance Policy on page 134
• Customized Policy on page 135

To activate a policy so that it triggers alerts, refer to Policy Configuration on page 136.

Data Analysis

DA policies keep track of sensitive data. For example, if a user accesses a file containing Social Security
Numbers (SSNs) and you have the SSN policy set, FortiCASB will send you an alert.

File types supported by DA scans

Uncompressed:
• Microsoft Word Document (.doc, .docx)
• Microsoft PowerPoint Document (.ppt, .pptx)
• Microsoft Excel Document (.xls, .xlsx)
• Text File (.txt, .rtf)
• Portable Document Format (.pdf)

Compressed:
• .zip
• .tar
• .7z
• .gz

DA policies

Data Analysis policies trigger alerts whenever a monitored file is accessed, regardless
of the type of access. If you only want alerts for specific actions, set a Customized
policy.

Identity number

US Social Security Policy: FortiCASB scans for SSNs during Discovery scans, and triggers an alert when targets with SSNs are accessed.

CN Resident Identity Policy: FortiCASB scans for CN resident identity numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Polish Social Security Number Policy: FortiCASB scans for Polish SSNs during Discovery scans, and triggers an alert when targets with Polish SSNs are accessed.

Credit card number

Visa Credit Card Policy: FortiCASB scans for Visa credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

MasterCard Policy: FortiCASB scans for MasterCard credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

American Express Policy: FortiCASB scans for American Express credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Diners Club Card Policy: FortiCASB scans for Diners Club credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Discover Card Policy: FortiCASB scans for Discover credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

JCB Policy: FortiCASB scans for JCB credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Maestro Card Policy: FortiCASB scans for Maestro credit card numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Driver license number

UK Driver License Policy: FortiCASB scans for UK driver license numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

US-FL Driver License Policy: FortiCASB scans for FL driver license numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

US-CA Driver License Policy: FortiCASB scans for CA driver license numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

CN Driver License Policy: FortiCASB scans for CN driver license numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Email address

Email Address Policy: FortiCASB scans for email addresses during Discovery scans, and triggers an alert when targets with email addresses are accessed.

Insurance number

CA Insurance Number Policy: FortiCASB scans for CA insurance numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

UK Insurance Number Policy: FortiCASB scans for UK insurance numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.


Passport number

UK Passport Number Policy: FortiCASB scans for UK passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

CN Passport Number Policy: FortiCASB scans for CN passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

USA/Germany Passport Number Policy: FortiCASB scans for USA/Germany passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

AU Passport Number Policy: FortiCASB scans for AU passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

JP Passport Number Policy: FortiCASB scans for JP passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

CA Passport Number Policy: FortiCASB scans for CA passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

FR Passport Number Policy: FortiCASB scans for FR passport numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

Bank account number

China Union Pay Policy: FortiCASB scans for China Union Pay account numbers during Discovery scans, and triggers an alert when targets with such numbers are accessed.

UK IBAN Policy: FortiCASB scans for UK IBANs during Discovery scans, and triggers an alert when targets with such IBANs are accessed.

Swiss IBAN Policy: FortiCASB scans for Swiss IBANs during Discovery scans, and triggers an alert when targets with such IBANs are accessed.

German IBAN Policy: FortiCASB scans for German IBANs during Discovery scans, and triggers an alert when targets with such IBANs are accessed.

Italian IBAN Policy: FortiCASB scans for Italian IBANs during Discovery scans, and triggers an alert when targets with such IBANs are accessed.

Swedish IBAN Policy: FortiCASB scans for Swedish IBANs during Discovery scans, and triggers an alert when targets with such IBANs are accessed.

Spanish IBAN Policy: FortiCASB scans for Spanish IBANs during Discovery scans, and triggers an alert when targets with such IBANs are accessed.


Birthdate

Birthdate Policy: FortiCASB scans for birthdates during Discovery scans, and triggers an alert when targets with birthdates are accessed.

Malware/Ransomware

Ransomware Encrypted File Detection Policy: FortiCASB scans for ransomware encrypted files during Discovery scans, and triggers an alert when targets are accessed.

Threat Protection

Threat protection policies track suspicious user behavior. For example, if a user fails to enter his or her
password correctly multiple times in a row and you have the Excessive Login Failures policy active, FortiCASB
will send you an alert.

Threat protection policies

Access

Excessive Login Failures: Triggers an alert when the number of failed logins for a user exceeds a set threshold.

Password Change: Triggers an alert when passwords are changed.

Suspicious Movement: Triggers an alert when a change in a user's geographic location exceeds threshold parameters.

Unapproved Login Location: Triggers an alert when a user logs in from an unapproved geographic location.

Suspicious Activity

Restricted User: Triggers an alert when a monitored user performs select activities.

Suspicious IP: Triggers an alert when there is activity from a suspicious IP.

Suspicious Time: Triggers an alert when there is activity outside of work hours.

Suspicious Location: Triggers an alert when there is activity from suspicious locations.


Sensitive Activity

Sensitive Event: Triggers an alert when a sensitive event occurs.

Sensitive File: Triggers an alert when a specified sensitive file is accessed.

Ransomware Behavior Detection: Triggers an alert when the directory's file(s) have been replaced.

Abnormal Traffic

Large File Upload: Triggers an alert when a file upload exceeds a size threshold.

Compliance Policy

Compliance policies monitor cloud accounts for compliance with various standards (SOX-COBIT,
PCI, HIPAA, etc.). The main purpose of Compliance Policy is to generate Compliance reports in accordance
with your organization's compliance standard.
For example, if a user accesses a file containing private health information and you have the corresponding
HIPAA policy enabled, FortiCASB will add the corresponding access logs to the Compliance report.

The prerequisite for generating a Compliance report is to enable and configure the Compliance
Policies required by your organization. For more details on configuring Compliance
policies, please refer to Policy Configuration on page 136.

List of Compliance policies

See Policy Configuration on page 136 for instructions/examples on setting policies.

SOX-COBIT

SOX-COBIT policies help your organization track and show compliance with the Sarbanes-Oxley (SOX) Act of
2002 using COBIT guidelines. Use these policies to monitor your cloud applications for SOX compliance, then
use the Report feature to print a report detailing compliance specifics.

PCI

PCI policies help your organization track and show compliance with the Payment Card Industry Data Security
Standard (PCI DSS). Use these policies to monitor your cloud applications for PCI DSS compliance, then use
the Report feature to print a report detailing compliance specifics.


HIPAA

HIPAA policies help your organization track and show compliance with the Health Insurance Portability and
Accountability Act (HIPAA). Use these policies to monitor your cloud applications for HIPAA compliance, then
use the Report feature to print a report detailing compliance specifics.

GDPR

GDPR policies help your organization track and show compliance with the EU General Data Protection
Regulation (GDPR). Use these policies to monitor your cloud applications for GDPR compliance, then use the
Report feature to print a report detailing compliance specifics. Personal data types can be set up in the GDPR
policy configuration for monitoring.

ISO 270001

ISO 270001 is the best-known standard in the family in providing requirements for an information security
management system (ISMS). ISO 270001 policies help your organization manage the security of assets, such
as financial information, intellectual property, employee details, and information entrusted to you by third
parties.

NIST 800-53 V4

NIST 800-53 V4 provides the recommended security controls for federal information systems and organizations. It
documents security controls for all federal information systems.

NIST 800-171

NIST 800-171 can help to protect Controlled Unclassified Information in Nonfederal Information Systems and
Organizations.

Customized Policy

FortiCASB allows you to create personalized policies to suit your organization's needs.
To add a custom policy, go to Threat Protection > Customized and click Add.
Custom policies focus on two aspects: content monitoring and activity monitoring. Content monitoring is
primarily used to monitor files for sensitive data. Activity monitoring is primarily used to monitor users and user
activities.

The following examples illustrate how to create some common custom policies.


Example 1: To monitor all downloads of a public link containing sensitive data

To receive an alert whenever a file containing sensitive data is downloaded from a public link, use the Exposure
setting along with the Data Pattern setting. For example, to monitor a Salesforce link containing a social
security number:
1. Go to the Content tab.
2. Select Specific Data Patterns, on the right.
3. Click the box labeled Data Pattern, then select DLP SSN.
4. Click the box labeled Exposure, then select SALESFORCE_LINK.
5. Go to the Activity tab.
6. Select Specific Events, on the right.
7. Click the box labeled Event, then select Download File.
8. Configure any other settings as needed.

Example 2: To monitor all activities of a group of users

To receive an alert whenever a specific user or group of users performs any action, use the User setting. For
example, to monitor a group of users:
1. Go to the Activity tab.
2. Select Specific Users, on the right.
3. Click the box labeled User, then select users to monitor. Alternatively, check the Exclude box on the right
to monitor all users besides the ones selected.
4. Configure any other settings as needed.

Policy Configuration

Policy settings allow you to configure each policy to fit your needs. Follow the steps below to
configure policies.
1. Select a cloud application from the FortiCASB main dashboard.
2. Click the Policy drop down menu, and select a type of Policy (Data Analysis, Threat Protection, or
Compliance).
3. Click on the toggle switch under the Status column to turn the Policy On or Off.


Only policies that are turned On can trigger alerts or record data in reports.

4. Click on the right arrow sign > next to the policy to configure.
5. Configure the settings in the General and Context tabs as described below in the Policy Setting Tables. Every
policy has different setting parameters. Follow the setting parameters table below to configure each
policy.
6. Click Save to complete the configuration.

The policy you set should be active after a few minutes.

For Compliance reports, only policies marked in the Alert column will generate alerts. All
other Compliance policies will generate data in Compliance reports.

General Configuration

These are the common parameters in General setting tab in Policy Configuration. Every policy has different
setting parameters. Not all parameters are available in any given policy setting.


Parameter Name | Configurable | Description

Name | No | The name of the policy.

Status | Yes | Specify whether or not the policy is enabled to trigger alerts. A policy is active when it is set to true.

Policy Description | No | The description of the policy.

Severity Level | Yes | The severity level for the policy. You can set the severity level as Critical, Alert, Warning, or Information.

Policy Type | No | The specific type of policy within the policy group. For example, PCI is a type of Compliance policy.

Context Configuration

These are the common parameters in Context tab in Policy Configuration. Every policy has different setting
parameters. Not all parameters are available in any given policy setting.

Parameter Name | Type of Policy | Description

Matching Threshold | Data Analysis | Specify the minimum threshold for an alert. For example, a Credit Card Number policy with threshold set to two will trigger an alert when two or more credit card numbers are detected.

Data Pattern | Data Analysis, Compliance Policy | Specify the DLP or customized data pattern to be associated with the policy to protect the type of sensitive data. FortiCASB will search for the selected DLP data pattern during Discovery scans.

File Path Regex | Compliance Policy | Specify the targeted regular expression pattern of the cloud storage files which FortiCASB will run DLP scan on.


Notification Configuration

These are the common parameters in the Notification tab of Policy Configuration. Not all policies have a notification
function.

Notification Setting Parameters | Description

Enable Email Notification | Check the box to allow FortiCASB to send an email whenever an alert is triggered.

Email Receiver | Either select a user to receive notifications, or enter an email address.

For more details on FortiCASB policy configurations, please see Data Analysis Policy
Configuration on page 140, Threat Protection Policy Configuration on page 143, and
Compliance Policy Configuration on page 161.


Data Analysis Policy Configuration

Data Analysis policies have very similar configurations. Here are two examples of configuring Data Analysis
policies.
• DLP CA Driver License Policy on page 140
• DLP Visa Credit Card Policy on page 141

DLP CA Driver License Policy

Description

Data Loss Prevention (DLP) CA Driver License policy identifies United States California driver license numbers
accessed through cloud account activity. When the number of driver license numbers accessed in any activity
incident reaches the preconfigured threshold, an alert will be triggered.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Data Analysis.
3. Locate DLP CA Driver License Policy and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy. The default is always turned
on.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).


6. Click Context tab to configure settings.

7. In Matching Threshold, enter the threshold of the number of driver license numbers to be detected in an
activity incident for an alert to be generated.
For example, a matching threshold of 2 will trigger an alert when two or more driver license numbers are
detected in the cloud account activity.
8. Click Save to save and update the configuration.

After the policy is enabled and configured, when the number of driver license numbers accessed in
cloud account activity reaches the preconfigured matching threshold, an alert will
be triggered. For more details, please refer to Alert on page 173.

DLP Visa Credit Card Policy

Description

Data Loss Prevention (DLP) Visa Credit Card policy identifies Visa credit card numbers accessed through the
cloud account activity. When the number of Visa credit card numbers accessed in any activity incident reaches
the preconfigured threshold, an alert will be triggered.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Data Analysis.


3. Locate DLP Visa Credit Card Policy and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy. The default is always turned
on.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. In Matching Threshold, enter the threshold of the number of credit card numbers to be detected in an
activity incident for an alert to be generated.
For example, a matching threshold of 2 will trigger an alert when two or more credit card numbers are
detected in the cloud account activity.
8. Click Save to save and update the configuration.

After the policy is enabled and configured, when the number of Visa credit card numbers accessed in
cloud account activity reaches the preconfigured matching threshold, an alert will
be triggered. For more details, please refer to Alert on page 173.
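
The effect of the Matching Threshold setting can be reproduced offline to judge how a given threshold changes what is alerted. The following Python code is an added example, not FortiCASB code. The Visa pattern, the Luhn checksum filter, the choice to count distinct numbers, and the sample document are all assumptions made for illustration.

```python
import re

# Assumed pattern: 16 digits starting with 4, optionally grouped in fours by
# spaces or hyphens. FortiCASB's built-in Visa pattern is not shown on this page.
VISA_RE = re.compile(r"(?<!\d)4\d{3}(?:[ -]?\d{4}){3}(?!\d)")

# Constructed sample document; the card numbers are widely used test values.
SAMPLE_DOC = """\
Order 1001 paid with 4111 1111 1111 1111
Order 1002 paid with 4012-8888-8888-1881
Order 1003 reference 4111111111111112 (fails the checksum)
Order 1004 paid with 4111111111111111
Tracking id 41111111111111111234
"""


def luhn_valid(number):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for position, char in enumerate(reversed(number)):
        digit = int(char)
        if position % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_visa_numbers(text):
    """Return the distinct, checksum-valid Visa numbers found in text."""
    found = set()
    for match in VISA_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):  # drops look-alike digit runs such as order ids
            found.add(digits)
    return found


def mask(number):
    """Keep only the last four digits so reports do not repeat the card number."""
    return "*" * (len(number) - 4) + number[-4:]


def evaluate(text, matching_threshold):
    """Apply the page's rule: alert when matches reach the threshold ("two or more")."""
    numbers = find_visa_numbers(text)
    return {
        "matches": len(numbers),
        "alert": len(numbers) >= matching_threshold,
        "masked": sorted(mask(n) for n in numbers),
    }


if __name__ == "__main__":
    for threshold in (1, 2, 3):
        print(threshold, evaluate(SAMPLE_DOC, threshold))
```

Raising the threshold from 2 to 3 suppresses the alert for the sample document, because the repeated number and the checksum failure do not count as additional matches.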


Threat Protection Policy Configuration

List of all Threat Protection Policy Configuration guides

• Excessive Login Failures on page 144
• Suspicious Movement on page 145
• Unapproved Login Location on page 147
• Restricted User on page 149
• Suspicious IP on page 151
• Suspicious Time on page 152
• Suspicious Location on page 154
• Sensitive File on page 156
• Sensitive Event on page 157
• Large File Upload on page 159


Excessive Login Failures

Description

Excessive Login Failures monitors for excessive login attempts by an unidentified user within a time interval.
Administrators can customize the threshold for the number of failed login attempts and the time interval
(minutes) before an alert is generated.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Excessive Login Failures and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.
7. In Login Attempts, enter the threshold of the number of failed login attempts before an alert is
generated.
8. In Interval (minute), enter the time interval, in minutes, counted from the first failed login attempt of the same user.
9. Click Save to save and update the configuration.

After the policy is enabled and configured, whenever an unidentified user exceeds the
login attempts threshold within the given time interval, an alert will be triggered in
the alert page. For more details, please refer to Alert on page 173.
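
The Login Attempts and Interval (minute) settings amount to a per-user sliding-window count of failed logins. The following Python code is an added example, not FortiCASB's implementation. The event format, the LOGIN_FAILED and LOGIN_SUCCESS labels, the strict "exceeds" comparison, and the sample events are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (UTC timestamp, user, outcome).
SAMPLE_EVENTS = [
    ("2020-11-02T09:00:00", "bob@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:00:05", "alice@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:00:40", "bob@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:01:30", "bob@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:02:10", "bob@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:05:00", "carol@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:05:20", "carol@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:05:45", "carol@example.com", "LOGIN_SUCCESS"),
    ("2020-11-02T09:10:05", "alice@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:20:05", "alice@example.com", "LOGIN_FAILED"),
    ("2020-11-02T09:30:05", "alice@example.com", "LOGIN_FAILED"),
]


def detect_excessive_failures(events, login_attempts, interval_minutes):
    """Return one alert each time a user's failed logins inside the interval
    exceed login_attempts (the two values entered in the Context tab)."""
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)  # user -> timestamps of failures still in the window
    alerts = []
    for ts_text, user, outcome in sorted(events):  # ISO timestamps sort chronologically
        if outcome != "LOGIN_FAILED":
            continue
        ts = datetime.fromisoformat(ts_text)
        failures = recent[user]
        failures.append(ts)
        # Drop failures older than the interval, measured back from this attempt.
        while ts - failures[0] > window:
            failures.popleft()
        if len(failures) > login_attempts:
            alerts.append({"user": user, "time": ts_text, "failures": len(failures)})
            failures.clear()  # start a fresh count so one burst raises one alert
    return alerts


if __name__ == "__main__":
    for alert in detect_excessive_failures(SAMPLE_EVENTS, login_attempts=3, interval_minutes=5):
        print(alert)
```

With a threshold of 3 in 5 minutes only the burst from bob@example.com alerts; the failures from alice@example.com are spread over 30 minutes and never accumulate inside one window.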

Suspicious Movement

Description

Suspicious Movement policy monitors changes in users' geographical locations. When the speed (mph) of
travel between the original and the new location exceeds the maximum threshold, an alert will be generated
to inform you of the unidentified cloud account intrusion.
The policy also takes into account the proximity of the new location before checking the speed at
which the user traveled.
In exceptional cases, known users can be excluded from being monitored by placing them on the IP allow list.


Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Suspicious Movement and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.


7. In Velocity Setting (mph), enter the maximum speed at which a user can travel between two locations in
any given time before being viewed as suspicious movement. The most commonly used value for this
parameter is commercial flight speed, 600 mph.
8. In the Distance Tolerance (mile) field, enter a proximity distance that will not be accounted for in monitoring
for suspicious movement.
For example, if you entered 50 miles, any login within 50 miles of the origin will not be taken as suspicious
movement.
9. In IP Allow List, enter sets of IP ranges to be excluded from being monitored for suspicious movements.
This is useful when you know which users travel periodically.
10. Click Save to update the configuration.

After the policy is enabled and configured, whenever the speed of travel to the new user login location
exceeds the maximum speed threshold, an alert will be sent on the illegal login. For
more details, please refer to Alert on page 173.
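
How Velocity Setting, Distance Tolerance, and IP Allow List interact is easiest to see by evaluating them over a few logins. The following Python code is an added example, not FortiCASB's implementation. The great-circle distance calculation, the order of the checks, the event format, and the sample logins (with coordinates standing in for an IP geolocation lookup) are assumptions.

```python
import ipaddress
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MILES = 3958.8

# Constructed sample logins: (user, UTC time, source IP, latitude, longitude).
# The IP addresses come from documentation-only ranges.
SAMPLE_LOGINS = [
    ("dana", "2020-11-02T08:00:00", "198.51.100.10", 37.7749, -122.4194),  # San Francisco
    ("dana", "2020-11-02T09:30:00", "198.51.100.77", 51.5074, -0.1278),    # London, 1.5 h later
    ("erin", "2020-11-02T08:00:00", "192.0.2.15", 37.7749, -122.4194),     # San Francisco
    ("erin", "2020-11-02T08:02:00", "192.0.2.99", 37.3382, -121.8863),     # San Jose, about 42 miles
    ("frank", "2020-11-02T08:00:00", "192.0.2.40", 40.7128, -74.0060),     # New York
    ("frank", "2020-11-02T12:00:00", "192.0.2.41", 41.8781, -87.6298),     # Chicago, 4 h later
    ("gina", "2020-11-02T08:00:00", "198.51.100.20", 37.7749, -122.4194),  # San Francisco
    ("gina", "2020-11-02T09:00:00", "203.0.113.8", 35.6762, 139.6503),     # Tokyo, allow-listed range
]


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in miles."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MILES * asin(sqrt(a))


def is_allow_listed(ip, ip_allow_list):
    """True when ip falls inside any CIDR range on the allow list."""
    address = ipaddress.ip_address(ip)
    return any(address in ipaddress.ip_network(cidr) for cidr in ip_allow_list)


def detect_suspicious_movement(logins, velocity_mph, tolerance_miles, ip_allow_list):
    """Compare each login with the user's previous monitored login."""
    previous = {}  # user -> last monitored login
    alerts = []
    for login in sorted(logins, key=lambda item: item[1]):
        user, time_text, ip, lat, lon = login
        if is_allow_listed(ip, ip_allow_list):
            continue  # excluded from monitoring
        earlier = previous.get(user)
        previous[user] = login
        if earlier is None:
            continue
        miles = haversine_miles(earlier[3], earlier[4], lat, lon)
        if miles <= tolerance_miles:
            continue  # inside the distance tolerance: speed is not checked
        elapsed = datetime.fromisoformat(time_text) - datetime.fromisoformat(earlier[1])
        hours = elapsed.total_seconds() / 3600
        mph = miles / hours if hours > 0 else float("inf")
        if mph > velocity_mph:
            alerts.append({"user": user, "time": time_text, "miles": round(miles, 1), "mph": mph})
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_movement(SAMPLE_LOGINS, 600, 50, ["203.0.113.0/24"]):
        print(alert)
```

With the page's values (600 mph, 50 miles) only dana alerts. Setting the tolerance to 0 adds erin, whose 42-mile hop in two minutes is an artifact of coarse geolocation rather than travel, and emptying the allow list adds gina.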

Unapproved Login Location

Description

Unapproved Login Location policy monitors for logins from block-listed countries.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Unapproved Login Location and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. Click the Select Country drop down menu to select a country for the Unapproved Location List. This will
generate an alert whenever there is a login attempt from the block-listed country. Click Add to finish
adding the country. Repeat this step to add more countries if needed.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever an unidentified user logs in from
a block-listed location, an alert will be triggered in the alert page. For more details,
please refer to Alert on page 173.


Restricted User

Description

Restricted User policy monitors cloud account activities conducted by targeted users. An alert will be sent
whenever targeted users perform certain activities.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Restricted User and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.
7. In Event section, click to select Specific events then click the drop down field under it to select specific
event(s). To select all events instead, click on Select all events.
8. In Suspicious User section, click to select Specify users and click the Select User drop down field to
select user(s). To select all users instead, click Select all users.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever the targeted users perform certain
activities, an alert will be triggered in the alert page. For more details, please refer to
Alert on page 173.


Suspicious IP

Description

Suspicious IP policy monitors cloud account activities conducted by targeted IP addresses. Alerts will be sent
when any activities are performed by the targeted IPs.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Suspicious IP and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.
7. In Suspicious IP section, click to enter the beginning and ending IP range, and click + to add. Repeat
this step to enter more IP ranges.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever a targeted IP performs any
activity, an alert will be triggered in the alert page. For more details, please refer to
Alert on page 173.

Suspicious Time

Description

Suspicious Time policy monitors cloud account activities outside of regular working hours.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Suspicious Time and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. In Event section, click to select Specific events then click the drop down field under it to select specific
event(s). To select all events instead, click on Select all events.
8. In Suspicious Time section, click on Select day in week drop down menu to select a day of the week to
monitor for suspicious events. Then enter the beginning and end time of the day to monitor the event.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever the specific activity is conducted
in the suspicious time frame during the target day of the week, an alert will be triggered
in the alert page. For more details, please refer to Alert on page 173.


Suspicious Location

Description

Suspicious Location policy monitors for cloud account activities from locations that are not on the location allow list.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Suspicious Location and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. In Location Allow List, click Select Country drop down menu to select a country to be added to the
location allow list. Click Add to finish adding the location. Repeat the same process to add more locations.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever there is any cloud account activity
outside of the allow list locations, an alert will be triggered in the alert page. For more
details, please refer to Alert on page 173.


Sensitive File

Description

Sensitive File policy monitors and sends an alert when targeted cloud account files are being accessed. The
location of the cloud account file path is configured through Regex.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Sensitive File and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.


7. Enter a valid Regex of the target file path to be monitored. Here are examples of file path Regex:
a. ".*" targets all files in the cloud account.
b. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets files whose path begins with x:\ or \\
and ends with one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Examples of file
paths that this Regex matches:
i. \\192.168.0.1\folder\file.pdf
ii. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
8. Click Save to update the policy configuration.

After the policy is enabled and configured, whenever any file targeted by the file path
Regex is accessed on the cloud account, an alert will be triggered in the alert page. For
more details, please refer to Alert on page 173.

Sensitive Event

Description

Sensitive Event policy monitors specific cloud account activities and triggers alerts.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.


3. Locate Sensitive Event and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.

7. In Event section, click to select Specific events then click the drop down field under it to select specific
event(s). To select all events instead, click on Select all events.


8. In Threshold (Times), enter the maximum number of times the event or activity can be performed by
the same user before an alert is triggered.
9. In Interval (Minutes), specify the length of time over which the user's targeted activities are counted before
an alert is triggered.
10. Click Save to update the configuration.
A typical use of this policy is to trigger an alert when a user downloads or uploads multiple files in a given
amount of time.

After the policy is enabled and configured, whenever the specific activity is conducted
repeatedly by the same user in a given time frame, an alert will be triggered in the alert
page. For more details, please refer to Alert on page 173.

Large File Upload

Description

Large File Upload policy monitors the size of files uploaded to the cloud account. An alert will be sent
when an uploaded file exceeds the file size threshold.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Threat Protection.
3. Locate Large File Upload and click on the right arrow key > button to expand the policy.


4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
6. Click Context tab to configure settings.
7. Enter the maximum file size (MB) of the file to be uploaded to the cloud account without triggering an alert.
8. Click Save to update the configuration.

After the policy is enabled and configured, whenever a file larger than the file size
threshold is uploaded to the cloud account, an alert will be triggered in the alert page.
For more details, please refer to Alert on page 173.


Compliance Policy Configuration

Here are two typical types of configurations that you will find in Compliance Policy Configuration:
• Data Pattern Configuration on page 161
• File Path Regex Configuration on page 163

Here are some other examples of Compliance Policy Configurations:
• SOX-COBIT - Access to Sensitive Data on page 165
• PCI - Failed Access Attempt Detection on page 167
• PCI - Privileged Account Activity on page 169
• PCI - Retention Violation for Cardholder Data on page 171

Data Pattern Configuration

Description

Data pattern utilizes Data Analysis policies (DLP Policies) to target the specific type of data within the cloud
storage accounts. The benefit of being able to configure data patterns in Compliance policies is that only the
targeted data patterns are in scope, which eliminates false positives. For more information, please see Data Analysis
on page 129.


Example

GDPR - Personal Data Discovery

Description

GDPR - Personal Data Discovery policy identifies what personal data the company has and where it resides.
You can configure what type of data is considered as personal data and the cloud storage file path. Compliance
report will gather and display info on targeted personal data.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select GDPR tab.
3. Locate GDPR - Personal Data Discovery and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy only generates data in Compliance Report.
6. Click Context tab to configure settings.


7. In File Path Regex, enter a valid Regex of the target file path to be monitored.
8. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) to be monitored.
9. Click Save to update the configuration.

After the policy is enabled and configured, the Compliance report will display records of
files residing at the targeted file path that are considered to be personal data.
For more details, please see Compliance Report on page 96.

File Path Regex Configuration

Description

File Path Regex configures the location of the files of interest in the cloud storage account by using Regex.
A Regex (regular expression) is used to extract information from documents by searching and matching
with specific search patterns. Here are a couple of examples of Regex:
1. ".*" targets all files in the cloud account.
2. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets files whose path begins with x:\ or \\ and
ends with one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Examples of file paths that
this Regex matches:
a. \\192.168.0.1\folder\file.pdf
b. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
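
The check below is an added example, not part of the FortiCASB guide or product code. It runs the guide's two example patterns against constructed sample paths to show which files a File Path Regex setting (used by Sensitive File and by the compliance policies with the same field) would and would not target. It assumes Python `re` semantics and a whole-path match, since the guide does not state which Regex engine or matching mode FortiCASB uses; `review_pattern`, `describe` and the sample paths are hypothetical.

```python
import re

# The two example patterns from the guide, copied verbatim.
GUIDE_MATCH_ALL = r".*"
GUIDE_DOC_PATHS = (
    r"^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$"
)

# Constructed sample paths (not taken from any real account).
MUST_MATCH = [
    r"\\192.168.0.1\folder\file.pdf",     # example path from the guide
    r"c:\my folder\abc abc.docx",         # example path from the guide
    r"C:\Finance\Q3 Report.XLSX",         # upper-case folder, name and extension
    "/Shared Documents/finance/q3.xlsx",  # forward-slash separators
]
MUST_NOT_MATCH = [
    r"c:\tools\setup.exe",                # extension outside the list
    r"c:\hr\offer.pdf.exe",               # listed extension is not the final one
]


def review_pattern(pattern, must_match, must_not_match):
    """Check a file path Regex against paths it should and should not target.

    Returns a dict with:
      error      - compile error text, or None
      missed     - paths in must_match that the pattern does not match
      case_only  - subset of missed that would match if letter case were ignored
      unexpected - paths in must_not_match that the pattern does match
    """
    report = {"error": None, "missed": [], "case_only": [], "unexpected": []}
    try:
        strict = re.compile(pattern)
        relaxed = re.compile(pattern, re.IGNORECASE)
    except re.error as exc:
        report["error"] = str(exc)
        return report
    for path in must_match:
        if strict.fullmatch(path):      # assumption: the whole path must match
            continue
        report["missed"].append(path)
        if relaxed.fullmatch(path):
            report["case_only"].append(path)
    report["unexpected"] = [p for p in must_not_match if strict.fullmatch(p)]
    return report


def describe(pattern, report):
    """Turn a review_pattern() result into printable lines."""
    lines = [f"pattern: {pattern}"]
    if report["error"]:
        lines.append(f"  does not compile: {report['error']}")
        return lines
    for path in report["missed"]:
        why = "letter case only" if path in report["case_only"] else "no match"
        lines.append(f"  MISSED ({why}): {path}")
    for path in report["unexpected"]:
        lines.append(f"  TOO BROAD, also targets: {path}")
    if not report["missed"] and not report["unexpected"]:
        lines.append("  covers every required path and nothing else")
    return lines


if __name__ == "__main__":
    for pattern in (GUIDE_MATCH_ALL, GUIDE_DOC_PATHS):
        result = review_pattern(pattern, MUST_MATCH, MUST_NOT_MATCH)
        print("\n".join(describe(pattern, result)))
```

Under these assumptions the second pattern misses the upper-case path only because its character class is lower-case, and misses the forward-slash path entirely, while ".*" also targets both files that should be out of scope. Checking a pattern against real paths from the account before saving it avoids a policy that silently covers less, or more, than intended.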


Example

PCI - Track all cardholder data access

Description

PCI - Track all cardholder data access policy tracks all user access to cloud account data. It collects all activity
logs and sends alerts regarding those activities. The Compliance report also shows logs of all alerts triggered by this
policy.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Track all cardholder data access and click on the right arrow key > button to expand the
policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.


7. In File Path Regex, enter a valid Regex of the target file path to be monitored. Here are examples of file
path Regex:
8. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) to be monitored.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever anyone accesses the targeted
files with the specific data patterns, an alert will be triggered in the alert page. For
more details, please refer to Alert on page 173.
The Compliance report will also record any alerts generated by this policy. For more details,
please see Compliance Report on page 96.

SOX-COBIT - Access to Sensitive Data

Description

Access to Sensitive Data policy monitors and tracks access to sensitive data located in the cloud account.
Sensitive data location can be configured through file path Regex.


Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate Access to Sensitive Data and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.

5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.

7. In File Path Regex, enter a valid Regex of the target file path to be monitored. Here are examples of file
path Regex:
a. ".*" targets all files in the cloud account.
b. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets files whose path begins with x:\ or \\
and ends with one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Examples of file
paths that this Regex matches:
i. \\192.168.0.1\folder\file.pdf
ii. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
8. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) to be monitored.
9. Click Save to update the configuration.

After the policy is enabled and configured, whenever any targeted sensitive file is
accessed, an alert will be triggered in the alert page. For more details, please refer to
Alert on page 173.
The Compliance report will also record any alerts generated by this policy. For more details,
please see Compliance Report on page 96.

PCI - Failed Access Attempt Detection

Description

Failed Access Attempt Detection policy monitors failed login attempts on the cloud accounts. The
policy allows configuration of the number of failed login attempts and the time interval that trigger an alert.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Failed Access Attempt Detection and click on the right arrow key > button to expand the
policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.

7. In Login Attempts, enter the threshold for the number of failed login attempts before an alert is
generated.
8. In Interval (minute), enter the time frame for all failed login attempts before an alert is generated.
For example, given an interval of 3 minutes and login attempts of 5, if a user has more than 5 failed login
attempts in 3 minutes, an alert will be sent to report the suspicious login attempts on the cloud
account.
9. Click Save to update the configuration.


After the policy is enabled and configured, whenever there are excessive failed login
attempts on the cloud account, an alert will be triggered in the alert page. For more
details, please refer to Alert on page 173.
The Compliance report will also record any alerts generated by this policy. For more details,
please see Compliance Report on page 96.
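
The Login Attempts and Interval settings above, and the Threshold (Times) and Interval (Minutes) settings of the Sensitive Event policy, can be modeled as a per-user sliding window. The code below is an added example, not FortiCASB's implementation: the event names, the constructed sample events, the treatment of the window boundary and the choice to reset the window after an alert are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _at(user, name, *clock_times):
    """Build constructed (user, ISO timestamp, event name) tuples for one day."""
    return [(user, f"2024-01-15T{t}", name) for t in clock_times]


# Constructed sample events; the event names are hypothetical.
SAMPLE_EVENTS = (
    # Six failures inside 3 minutes: more than 5, so this should alert.
    _at("alice", "login_failed", "09:00:00", "09:00:20", "09:00:40",
        "09:01:00", "09:01:30", "09:02:10")
    + _at("alice", "login_success", "09:03:00")
    # Six failures spread over 10 minutes: never more than 2 per window.
    + _at("bob", "login_failed", "09:00:00", "09:02:00", "09:04:00",
          "09:06:00", "09:08:00", "09:10:00")
    # Exactly five failures: reaches the threshold but does not exceed it.
    + _at("carol", "login_failed", "09:05:00", "09:05:10", "09:05:20",
          "09:05:30", "09:05:40")
    # Repeated downloads, for the Sensitive Event style of rule.
    + _at("dave", "file_download", "10:00:00", "10:02:00", "10:04:00",
          "10:06:00", "10:07:00", "10:08:00")
)


def detect_bursts(events, event_name, threshold, interval_minutes):
    """Return one alert per burst of `event_name` by a single user.

    A burst is more than `threshold` occurrences by the same user within
    `interval_minutes`, following the guide's "more than 5 failed login
    attempts in 3 minutes" example.
    """
    if threshold < 0 or interval_minutes <= 0:
        raise ValueError("threshold must be >= 0 and interval_minutes > 0")
    window = timedelta(minutes=interval_minutes)
    recent = defaultdict(deque)  # user -> timestamps still inside the window
    alerts = []
    # Sort first so events delivered out of order are still counted correctly.
    relevant = sorted(
        (datetime.fromisoformat(ts), user)
        for user, ts, name in events
        if name == event_name
    )
    for when, user in relevant:
        seen = recent[user]
        seen.append(when)
        # Drop timestamps that are a full interval old or older.
        while seen and when - seen[0] >= window:
            seen.popleft()
        if len(seen) > threshold:
            alerts.append({
                "user": user,
                "event": event_name,
                "count": len(seen),
                "first": seen[0].isoformat(),
                "last": when.isoformat(),
            })
            seen.clear()  # assumption: one alert per burst, then start over
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_EVENTS, "login_failed", 5, 3):
        print(alert)
    for alert in detect_bursts(SAMPLE_EVENTS, "file_download", 3, 10):
        print(alert)
```

With a threshold of 5 and an interval of 3 minutes, only the sixth failure by the same user inside the window raises an alert, so a slow series of failures spaced across a longer period stays below the rule.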

PCI - Privileged Account Activity

Description

Privileged Account Activity policy monitors and tracks targeted users' activities on the cloud accounts. The
policy allows configuration on which user and what type of activities to be monitored.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Privileged Account Activity and click on the right arrow key > button to expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy generates both alert in Alert page and data in Compliance Report.
6. Click Context tab to configure settings.

7. In Event section, click to select Specific events then click the drop down field under it to select specific
event(s). To select all events instead, click on Select all events.
8. In Monitored User section, click Specify users and click the drop down field under it to select user(s) to
be monitored. To select all users, click Select all users.


9. Click Save to update the configurations.

After the policy is enabled and configured, whenever there is any specific activity
conducted by targeted user(s), an alert will be triggered in the alert page. For more
details, please refer to Alert on page 173.
The Compliance report will also record any alerts generated by this policy. For more details,
please see Compliance Report on page 96.

PCI - Retention Violation for Cardholder Data

Description

Check if the designated cloud storage data has exceeded the retention time set by the cardholder. The
cardholder is able to set the cloud storage file path with the designated retention time.

Policy Configuration

Follow the steps below to enable and configure the policy


1. Click on any Cloud Account drop down menu from FortiCASB dashboard, e.g. Salesforce, Office365, etc.
2. Click on Policy drop down menu and select Compliance, then select PCI-DSS tab.
3. Locate PCI - Retention Violation for Cardholder Data and click on the right arrow key > button to
expand the policy.
4. Click on General tab, click Status toggle switch button to enable the policy.


5. Click on Severity level drop down menu to select the severity level (Critical, Alert, Warning, Information).
Note: this policy only generates data in Compliance Report.
6. Click Context tab to configure settings.

7. In File Path Regex, enter a valid Regex of the target file path for the storage data under the retention
restriction. Here are examples of file path Regex:
a. ".*" targets all files in the cloud account.
b. "^(?:[\w]\:|\\)(\\[a-z_\-\s0-9\.]+)+\.(txt|gif|pdf|doc|docx|xls|xlsx)$" targets files whose path begins with x:\ or \\
and ends with one of the following extensions: txt, gif, pdf, doc, docx, xls, xlsx. Examples of file
paths that this Regex matches:
i. \\192.168.0.1\folder\file.pdf
ii. c:\my folder\abc abc.docx
Reference: https://www.codeproject.com/Tips/216238/Regular-Expression-to-Validate-File-Path-and-Exten
8. In Retention Time (day), enter the number of days as the retention time for the cloud storage data.
9. In Data Patterns, click on the field and select the data patterns (financial, personal identity information,
etc.) that shall be under the retention restriction.
10. Click Save to update the configuration.


After the policy is enabled and configured, when the targeted data exceeds the
maximum retention time, the Compliance report will record the retention violation. For
more details, please see Compliance Report on page 96.

Alert

FortiCASB sends you alerts when one of your set policies is triggered.
• DLP policies pertain to the types of data stored in the cloud application.
• Threat protection policies pertain to suspicious user activity.
• Compliance policies pertain to specific regulations, such as HIPAA, PCI, and SOX.
To view alerts of each cloud application, click on a cloud application drop down menu and click on Alert.

All the alerts are triggered by policies that are set up to trigger alerts when any activity violates the
policies.
Click on the right arrow key of an alert to show the summary of the alert.


To activate a policy to trigger alerts, please refer to Policy Configuration on page 136.
Daily cloud account alerts can be compiled into Alert reports for export. Please see
Alert Report on page 98.

Activity

FortiCASB monitors and tracks user data traffic and activities on your cloud platforms.
The Activity page contains both a map displaying (approximate) geolocations of events and an activities list.

Map options

• Activity—Click on an activity indicator on the map to bring up an activity notification from that specific
location.
• Move—Move the map by clicking a point and dragging your mouse.
• Zoom—Use the buttons on the bottom-right corner of the map to zoom in and out.
• Refresh—Click the Refresh button to refresh the map.
• Clear Map—Click the Clear Map button to clear the map of activity indicators.
• Filter—Click the Filter button to filter the activity notifications shown.

Raw event list

Events that come directly from a cloud API or web notifications are displayed in JavaScript Object Notation
(JSON) format.

Alert correlation

One activity may trigger multiple alerts. Click the event to open the corresponding alert page.

Daily cloud account activities can be compiled into Activity reports for export. Please
see Activity Report on page 102.

AV Scan and File Quarantine

FortiCASB conducts an active anti-virus and malware detection scan when you press sync in the Document page or
when new files are uploaded to the cloud accounts. FortiCASB AV scan supports detecting viruses or malware in
any type of file.
If a file in the cloud account is detected to be infected by a virus or malware, a notification will be sent to the file
owner and to the email addresses preconfigured by the FortiCASB admin user, and the file will be quarantined for review.
• File Quarantine and Notification Configuration on page 175
• File Quarantine Directory on page 177

File Quarantine and Notification Configuration

When a file is found to be infected by malware or a virus, FortiCASB will remove the file from the original
directory and move it to a default quarantine directory in the cloud account. File Quarantine Directory on page
177 has details on the location of the quarantine directory.


A notification will be sent to notify the file owner to take action on the quarantined file. The default quarantine
directory is preconfigured by FortiCASB.

Salesforce accounts have not yet implemented the file quarantine feature as
Salesforce is undergoing a file handling mechanism upgrade. The feature will be added
to Salesforce accounts in a future release.

Follow the steps below to configure file quarantine and notification:


1. From FortiCASB navigation pane, click on your cloud application (e.g., Office 365).
2. Go to Policy > Data Analysis.

3. Scroll down to find "AV Scan Policy", click on the > sign to expand it.
4. In the General tab, make sure the Status is enabled, if it is not, enable it by clicking the toggle switch
button.

5. Click on the Notification tab, and click on the Enable Email Notification toggle switch button to enable
it.


6. In the Email Receivers field, enter the email addresses that will receive a notification when a file is
infected by a virus or malware.
Note: The notification will be sent to both the file owner and the email addresses listed in the Email
Receivers field.
7. Click on the Remediation tab, and click Enable Permission toggle switch button to enable file
quarantine function.

8. Click Save to save your setting.

File Quarantine Directory

When a file is detected to be infected with virus or malware, it will be removed from the original directory and
placed in a default file quarantine directory, "forticasb_quarantine_directory~". The quarantine directory will
be placed at the root or top level of the file owner's account.
If the infected file is in a shared account directory, the file will be removed from the shared account directory
and placed at the root level of the file owner's account inside the directory "forticasb_quarantine_directory~".

Quarantine directory location by cloud account platform:

| Cloud Account Platform | Quarantine Directory Location |
|---|---|
| Google Drive | Root or top level of the file owner's account. |
| Office 365 One Drive | Root or top level of the file owner's account. |
| Office 365 SharePoint | Root or top level at the SharePoint Site of the file owner. |
| Box | Root or top level of the file owner's account. |
| Dropbox | Root or top level of the file owner's account. |

It is recommended for the file owner to review and remove the infected file from the
quarantine directory.


Examples of quarantine directory on different cloud accounts

Quarantine directory on Office 365 One Drive:

Quarantine directory on Dropbox Account:

Quarantine directory on Office 365 SharePoint Site:


Yammer Integration Features

FortiCASB Yammer integration allows you to monitor and inspect all the files posted on Yammer by users
within your organization. All users within your organization who are also Yammer users will show as "Yammer
Licensed" on FortiCASB.
From FortiCASB control panel, go to Office 365 > Users to see the FortiCASB users that are also on Yammer.
The Yammer licensed column shows whether the user is also a Yammer licensed user.


All files uploaded to Yammer by Yammer Licensed users can be viewed in FortiCASB Office 365
Documents. Yammer files can be distinguished through the Apps column in Office 365 > Documents in
FortiCASB.

When clicking on a Yammer uploaded file name, you can view detailed file information such as creator, created
date, last modified date, file path, etc. The Sync Now button updates the Yammer file metadata in real
time.


Prerequisites

Yammer integration in FortiCASB requires enforcing Office 365 identity in Yammer. Turning this setting
on may disrupt Yammer users’ access to Yammer: users who do not have an Office 365 account
will be locked out of Yammer. Therefore, before making this change, please inform your Yammer users to
do the following:


• Make sure that all Yammer users have an Azure AD account. You can figure out who does not have an Azure
AD account by comparing the list of users on Yammer with the list of users in Office 365. From Yammer,
go to Settings > Edit Network Settings > Export Users to export all users.
• Help the Yammer users who do not have an Azure AD account to get one before enforcing
Office 365 identity.
You need to be a global administrator on Office 365 and be synchronized to Yammer as verified
administrator to enforce Office 365 identity in Yammer.
From your Yammer account, go to Settings > Edit Network Settings > Admins to verify your Yammer
admin account is synchronized to Office 365 global administrator account. Below is a screen shot of a synced
admin in Yammer:

Enforce Office 365 Identity in Yammer

1. Log into Yammer with your Yammer admin account.


2. If you are using the new Yammer, go to Settings > Edit Network Admin Settings in the upper right
hand side.


If you are using the old Yammer, go to Settings > Network Admin at the upper left hand side.
3. Click Security Settings under Content and Security.
4. Scroll down to Office 365 Identity Enforcement and select the Enforce Office 365 identity checkbox.
5. A confirmation message will ask you to select the appropriate level of enforcement.
6. Select Committed Enforcement and press okay.
   Note: Once you have made this change, you will not be able to undo it. Your users will no longer be able
   to log in with their Yammer user accounts; only Yammer users with Azure Active Directory accounts will be
   able to log in to Yammer moving forward.
7. Click Save to save your settings.
8. Go back to Security Settings after at least 15 minutes and check the status under Office 365
   Connected Yammer Groups; it should be enabled.

Yammer License Verification

After enforcing Office 365 identity on all Yammer users, you can verify that each Yammer user has been
integrated into FortiCASB through Microsoft Office Administrator. You must be the Office 365 global
administrator in order to verify the user license info. Follow these steps to verify the user credentials:
1. Log into Office 365 (https://www.office.com/) as the global administrator.
2. Click on Admin to access the Microsoft 365 admin center.
3. On the left control panel, expand Users and select Active Users.
4. Click on any licensed user, and the user profile will pop up.
5. In the user profile, select the Licenses and Apps tab and expand the Apps section.
6. Scroll all the way down to the Yammer Enterprise checkbox. The user needs to have
   Yammer Enterprise checked in order to be integrated with FortiCASB.
7. Repeat steps 4-6 for all Yammer users.

Yammer File Path

After Office 365 identity is enforced in Yammer, all files uploaded to Yammer will be relocated to the folder
Shared Document/Apps/Yammer/ in the user SharePoint. FortiCASB retrieves all file metadata through this
file path on SharePoint. Therefore, keep this file path unchanged so that FortiCASB can obtain file metadata
in Yammer. This is the Yammer file path shown in FortiCASB.

FortiCASB APIs

FortiCASB service endpoints support HTTP requests through REST APIs. This section documents the
FortiCASB REST API service endpoints. FortiCASB provides one endpoint with a single authentication token
to simplify the developer experience: all the service endpoints can be accessed through a single
access/bearer token. The HTTP requests provide access to valuable FortiCASB cloud resources. All
FortiCASB REST APIs, such as GET, POST, etc., require the access/bearer token when assembling HTTPS requests.

Request Authorization Methods

There are 3 methods of acquiring the access/bearer token from FortiCASB to assemble a REST API request to
access FortiCASB resources.

1. Client Credential

A client credential can be used to generate an access/bearer token to form request headers. First, log into
FortiCASB and generate a FortiCASB credential by following the guide in Generate Credential on
page 120. This is a one-time process, and only one credential is necessary to generate access/bearer
tokens.
After you have acquired a client credential, it can be used permanently to assemble the request header to
obtain an access/bearer token as long as the client credential is not revoked.
Follow the example in Get Credentials Token on page 193 to use the client credential to assemble the HTTPS
POST request header to acquire an access/bearer token.

2. Username and Password

Another method of acquiring access/bearer token is through your FortiCASB account username and password.
Follow the example in Get Authorization Token on page 191 to assemble HTTPS POST request header to
acquire access/bearer token using your username and password.

3. Refresh Token

Using a refresh token requires one of the two methods above. Once you get the response through client
credential or username/password, you may use the refresh token in the response body to acquire more bearer
tokens without using the client credential or username/password. Follow the example in Get Refresh Token on
page 194 to generate an access/bearer token using the refresh token. The refresh token expires 8 hours after
it is generated.

Fabricate Request Header and Body

After acquiring the access/bearer token, use it to assemble a REST API request. Like all other REST
API requests, FortiCASB requests operate through a secured channel: a URI request over the HTTPS protocol.
The details of the request parameters are determined by the specific REST API specification.
Check each REST API specification to determine what additional fields are necessary to fulfill the request.
The request body is an optional field; depending on the API specification, some parameters may
be required and others optional.

Send Request

There are 5 request headers that are often used in FortiCASB REST API requests. The first 3 are default
request headers.

| Request Header | Description |
| --- | --- |
| Host | The domain name of the REST service endpoint or the IP address |
| Authorization | Access/bearer token generated earlier through one of the get token methods |
| Content-Type | This default header is set as "application/json" |
| Company ID | The company ID of the company which the username or the credential is originated from. Company ID can be obtained from Get Resource Map on page 196. |
| Business Unit ID | Business unit ID is the ID of the business unit which the user is entitled to access. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |

When you have assembled the request header and body, the request is ready to be sent to the REST endpoint.
Here is a GET request example in HTTPS:

GET /api/v1/country/list? HTTP/1.1
Host: www.forticasb.com
Authorization: Bearer
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlcnZlc
iIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODY5MTUxNjQsImFpZCI6InFhLmNhc2IxQGdtYWlsLmNvbSJ
9.Hh2yVHEEd73BJ31rEjB2C-iclodmMigEPIwtuRwCObo
Content-Type: application/json

REST API Response

After you send the request to the FortiCASB service endpoint, you will receive a response header and a
response body. The above request calls for the list of countries, and here is a part of the response in JSON format:

[
{
"id":"US",
"country":"United States of America"
}
]

API Throttling

API throttling refers to the limit that FortiCASB sets on the number of requests in a given period of time to
prevent an application from sending too many requests. The API throttling limit of FortiCASB is 100 TPM
(times per minute), meaning there can be 100 requests in one minute.

Get Authorization Token

Description

Get FortiCASB access token by the FortiCASB username and password.

URL

/api/v1/auth/token

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Content-Type | application/x-www-form-urlencoded | String | |

Request Body Parameters

| Name | Required | Value | Description |
| --- | --- | --- | --- |
| grant_type | Required | password | |
| username | Required | <username> | FortiCASB account user name |
| password | Required | <password> | FortiCASB account password |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/auth/token
Request Header:
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type: password
username: XXXXXXXXXX
password: XXXXXXXXXX

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| access_token | String | Access token returned |
| refresh_token | String | Refresh token returned |
| token_type | String | Type of token |
| expires | String | Timestamp of when the token will expire |

Sample Response
{
"token_type": "bearer",
"expires": 1.585002117836E12,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlc
nZlciIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODUwMDIxMTcsImFpZCI6InFhLmNhc2IxQGdtYWls
LmNvbSJ9.TFfhF3jRDnoj1W96gFOuMnxvAhdwU55IQdO6tpkOpH0",
"refresh_token": "I4WnuRUY0xHEsoNMDvmurq_
J45VHyuxa4DRWq5mevlYB1YT1yL2TUAA8vRRNNyOyy5RwEww62j0cAM8yxa4B5kU8GbTrty2kgSD7nf
bmYEaPNQIBIi5Mv7jq0fHkn0Z-5z43CwI5yWF3pfGygvYoqaL0_YC5np5AKSPP3S49KhA"
}

Get Credentials Token

Description

Get the FortiCASB OAuth 2.0 bearer token by the credentials generated on FortiCASB. Before using this API,
first generate a credential on FortiCASB through Generate Credential on page 120.

URL

/api/v1/auth/credentials/token/

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Basic <FortiCASB credentials> | String | Authorization credential generated by FortiCASB |
| Content-Type | application/x-www-form-urlencoded | String | |

Request Body Parameters

| Name | Required | Value | Description |
| --- | --- | --- | --- |
| grant_type | Required | client_credentials | |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/auth/credentials/token/
Request Header:
Authorization: Basic a0eddbf4-6840-4bb7-9789-acffd4ffac02
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type=client_credentials

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| access_token | String | Access token returned |
| refresh_token | String | Refresh token returned |
| token_type | String | Type of token |
| expires | String | Timestamp of when the token will expire |

Sample Response
{
"token_type": "bearer",
"expires": 1.585248581336E12,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlc
nZlciIsImhvc3QiOlsiRkNBU0IiXSwiZXhwIjoxNTg1MjQ4NTgxLCJhaWQiOiJxYS5jYXNiMUBnbWFp
bC5jb20ifQ.PVfdrQ7NJYdYTu0PmIQnNUJJTWq3ZmW-iw2ux_8LLCM",
"refresh_token": "I4WnuRUY0xHEsoNMDvmuronKCCut-
9FKHZOT4Pfuancwh46UUz5irXDK98bRmDKREdg05VQmjbN8zrcvsyatl9DvuuSOBfhQ4Kztmwu5Vrho
Ml3tpq1U_feWjs866PcMix9BUO2DYRzLXWucyjiyyT7uHZMwakKhps9vbWm9gzq3XpCej-
yeX7ze0TNrWSG3WLh5n5sydU5NMNI_Stt-WycO05ZQL4FvRmqjn1-8Hz0"
}

Get Refresh Token

Description

Get a new access token using the short-lived refresh token from a past access token request (Get Authorization
Token or Get Credentials Token), without having to use credentials or username/password.

URL

/api/v1/auth/token/refresh

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Content-Type | application/x-www-form-urlencoded | String | |

Request Body Parameters

| Name | Required | Value | Description |
| --- | --- | --- | --- |
| grant_type | Required | refresh_token | |
| refresh_token | Required | <Refresh Token> | Refresh token generated from the past Get Authorization Token and Get Credentials Token request responses. |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/auth/token/refresh
Request Header:
Content-Type: application/x-www-form-urlencoded
Request Body:
grant_type: refresh_token
refresh_token: 2j0cAM8yxa4B5kU8GbTrty2kgSD7nfbmYEaPNQ

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| access_token | String | Access token returned |
| token_type | String | Type of token |
| expires | String | Timestamp of when the token will expire |

Sample Response
{
"token_type": "bearer",
"expires": 1.585002361532E12,
"access_token":
"eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzY29wZSI6IkFQSSIsImlzcyI6ImZhdXRoLXNlc
nZlciIsImhvc3QiOlsiRkNXUCJdLCJleHAiOjE1ODUwMDIzNjEsImFpZCI6InFhLmNhc2IxQGdtYWls
LmNvbSJ9.Y7RGkrRn6hvfqCbPF9LGNchYGMiEIK2WljPqSbffsk0"
}
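
The three token requests specified above (Get Authorization Token, Get Credentials Token, Get Refresh Token), combined into one client-side token cache. This is an added example, not Fortinet code: the TokenCache helper, the 60-second renewal margin, the 30-minute lifetime in the constructed responses, and the reading of expires as epoch milliseconds are assumptions.

```python
import json
from urllib.parse import urlencode

BASE_URL = "https://www.forticasb.com"
REFRESH_LIFETIME_S = 8 * 3600  # guide: refresh token expires 8 hours after generation
SKEW_S = 60                    # assumption: renew one minute early to absorb clock drift
ENDPOINTS = {
    "password": "/api/v1/auth/token",
    "client_credentials": "/api/v1/auth/credentials/token/",
    "refresh_token": "/api/v1/auth/token/refresh",
}


def build_token_request(grant_type, **secrets):
    """Return (url, headers, body) for one of the three documented token requests."""
    if grant_type not in ENDPOINTS:
        raise ValueError("unsupported grant_type: %r" % grant_type)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": grant_type}
    if grant_type == "password":
        form.update(username=secrets["username"], password=secrets["password"])
    elif grant_type == "client_credentials":
        # The generated credential travels in the Authorization header, not the body.
        headers["Authorization"] = "Basic " + secrets["credential"]
    else:
        form["refresh_token"] = secrets["refresh_token"]
    return BASE_URL + ENDPOINTS[grant_type], headers, urlencode(form)


def parse_token_response(text):
    """Validate a token response; 'expires' is read as epoch milliseconds (assumption)."""
    doc = json.loads(text)
    if str(doc.get("token_type", "")).lower() != "bearer" or not doc.get("access_token"):
        raise ValueError("not a bearer token response")
    return {
        "access_token": doc["access_token"],
        "refresh_token": doc.get("refresh_token"),  # not listed for refresh responses
        "expires_at": float(doc["expires"]) / 1000.0,
    }


class TokenCache:
    """Hypothetical helper: reuse, refresh, or re-issue the bearer token as needed."""
    def __init__(self, credential, send, clock):
        self._credential = credential
        self._send = send    # callable(url, headers, body) -> response text
        self._clock = clock  # callable() -> epoch seconds
        self._access = None
        self._access_expires_at = 0.0
        self._refresh = None
        self._refresh_issued_at = 0.0
        self.grants_used = []  # grant types only, never token values

    def __repr__(self):
        return "TokenCache(<secrets redacted>)"  # keep tokens out of logs and tracebacks

    def _request(self, grant_type, **secrets):
        url, headers, body = build_token_request(grant_type, **secrets)
        token = parse_token_response(self._send(url, headers, body))
        self.grants_used.append(grant_type)
        self._access = token["access_token"]
        self._access_expires_at = token["expires_at"]
        if token["refresh_token"]:
            self._refresh = token["refresh_token"]
            self._refresh_issued_at = self._clock()

    def bearer_header(self):
        now = self._clock()
        if self._access is None or now >= self._access_expires_at - SKEW_S:
            refresh_ok = (self._refresh is not None
                          and now < self._refresh_issued_at + REFRESH_LIFETIME_S - SKEW_S)
            if refresh_ok:
                self._request("refresh_token", refresh_token=self._refresh)
            else:
                self._request("client_credentials", credential=self._credential)
        return {"Authorization": "Bearer " + self._access}


def demo():
    """Drive the cache against a constructed in-memory endpoint (no network)."""
    now = [1585000000.0]

    def fake_send(url, headers, body):
        # Constructed response; the 30-minute access token lifetime is an assumption.
        doc = {"token_type": "bearer", "expires": (now[0] + 1800) * 1000.0,
               "access_token": "ACCESS-%d" % int(now[0])}
        if not url.endswith("/refresh"):
            doc["refresh_token"] = "REFRESH-%d" % int(now[0])
        return json.dumps(doc)

    cache = TokenCache("00000000-0000-0000-0000-000000000000", fake_send, lambda: now[0])
    cache.bearer_header()      # no token yet: client credential grant
    cache.bearer_header()      # token still valid: no request sent
    now[0] += 3600
    cache.bearer_header()      # access token expired, refresh token still usable
    now[0] += 8 * 3600
    cache.bearer_header()      # refresh token older than 8 hours: full grant again
    return cache.grants_used
```

In real use, `send` wraps an HTTPS POST with certificate verification left on, and the credential is loaded from a secret store rather than source code.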

Get Resource Map

Description

Get the user and account basic information from FortiCASB, including the company ID, user name, business
unit IDs, etc.
Company ID (companyId) and business unit ID (buId) are the response variables that you will need to call
many other FortiCASB REST APIs.

URL

/api/v1/resourceURLMap

Method: GET

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| Content-Type | application/json | String | |

Sample Request

Request URL: GET https://www.forticasb.com/api/v1/resourceURLMap
Request Header:
Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| resourceURL | String | API request endpoint |
| roleId | Long | Login user identity |
| username | String | Login user name |
| buMapSet.companyId | Long | Company ID (companyId) of which the business unit is under. |
| buMapSet.buId | Long | Business unit ID (buId) of which the user account is under. |
| buMapSet.buName | String | Business unit name |

Sample Response
[
{
"resourceURL":"https://qa1.staging.forticasb.com",
"roleId":1,
"username":"casb qacasb1",
"buMapSet":[
{
"buName":"research authentication",
"companyId":6,
"buId":238187
},
{
"buName":"aaa",
"companyId":6,
"buId":6384
}
]
}
]

Get Alert List

Description

Get cloud service account alert details.

URL

/api/v1/alert/list

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| companyId | <Company ID> | Integer | Company ID |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| buId | <Business Unit ID> | Long | The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |
| service | <Cloud Service> | String | Cloud service name such as Salesforce, Office365, etc. |
| Content-Type | application/json | String | |

Request Body Parameters

| Name | Required | Type | Description |
| --- | --- | --- | --- |
| startTime | Required | long | Timestamp, filter to get open alert time after start date |
| endTime | Required | long | Timestamp, filter to get open alert time before start date |
| skip | Required | integer | Indexes in a result set. Used to exclude response from the first N items of a resource collection. |
| limit | Required | integer | Maximum number of return items |
| user | Optional | List<String> | Filter to search user email |
| policy | Optional | List<String> | Filter to search alert id |
| activity | Optional | List<String> | Filter to search alert by activities |
| objectIdList | Optional | List<String> | Filter to search alert by object identity |
| objectName | Optional | String | Filter to search alert by object name |
| severity | Optional | List<String> | Filter to search alert by severity |
| status | Optional | List<String> | Filter to search by status |
| idList | Optional | List<String> | Filter to search alert by alert IDs |
| alertType | Optional | List<String> | Filter to search alert by alert types |
| countryList | Optional | List<String> | Filter to search alert by countries |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/alert/list
Request Header:
Authorization: Bearer <Authorization_Token>
companyId: 6
Content-Type: application/json
buid: 6384
service: Salesforce
Request Body:
{
"service":"Salesforce",
"startTime":1583792777000,
"endTime":1583879177000,
"id":"",
"user":[],
"policy":[],
"activity":[],
"objectid":[],
"severity":[],
"status":[],
"city":[],
"idList":[],
"alertType":[],
"asc":"severity",
"desc":"",
"end_dt":"2020-03-10T15:26:17-0700",
"start_dt":"2020-03-09T15:26:17-0700",
"id_list":[],
"skip":0,
"limit":20
}

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| buId | Long | Business ID |
| companyId | Long | Company ID |
| id | String | Alert ID |
| object | String | Object name that triggered the alert |
| objectType | String | Object type of alert |
| objectId | String | Object id that triggered the alert |
| severity | String | Severity of the alert |
| serviceId | String | ID to distinguish different account of the cloud service |
| violationActivity | String | Activity violation that triggered alert |
| displayOperation | String | Operation that triggered alert |
| createTime | long | Timestamp of when the alert is created in UTC |
| updateTime | long | Timestamp of when the alert is updated in UTC |
| policyName | String | Violation policy name |
| policyId | String | Name of the policy that alert is triggered by |
| policyCode | String | ID of the policy that alert is triggered by |
| contextName | String | Context name of violation policy |
| userId | String | ID of the user who trigger the alert |
| eventId | String | ID of the event |
| eventIdList | Array | List id of the events |
| service | Application | Cloud service |
| resultDesc | String | Description for violation context |
| geoLocationList | Array | Place where the activity occurred. |
| alertType | String | Classification of the alert |
| alertSubType | String | Sub classification of the alert |
| defineType | String | Type of policy, predefined or customized |
| state | String | Alert state |
| totalPage | long | Total page of alert results |
| skip | integer | Indexes in a result set. Used to exclude a response from the first N items of a resource collection. |
| limit | integer | Maximum number of return alerts in one page |
| totalCount | integer | Total number of activities on file |
| user | String | The registered user name of FCASB |
| userName | String | The registered user email of FCASB |

Sample Response
{
"data":[
{
"buId":6384,
"companyId":"6",
"timestampUUID":"203A8qR797nn390d6CQhOH6DjrdiGx9A",
"id":"203A8qR797nn390d6CQhOH6DjrdiGx9A",
"objectType":"USER",
"objectId":"0050P000006d7J1QAI",
"user":"0050P000006d7J1QAI",
"userName":"0050P000006d7J1QAI",
"severity":"Alert",
"applicationId":"00D0P000000Db1XUAS",
"violationActivity":"SALESFORCE_MODIFY_PERMISSION_SET",
"displayOperation":"Modify Permission Set",
"createTime":1583830347799,
"updateTime":1583830347000,
"policyName":"Restricted User",
"policyId":"16615",
"policyCode":"FC-ACT-010",
"contextName":"Restricted User",
"userId":"0050P000006d7J1QAI",
"eventId":"203A8hk004-akeXpvvQdWBzRhXAwDyJw",
"eventIdList":[
"203A8hk004-akeXpvvQdWBzRhXAwDyJw"
],
"service":"Salesforce",
"resultDesc":"hit the rule: all user include and all event
include",
"matches":0,
"geoLocationList":[
],
"alertType":"Threat protection",
"defineType":"Predefined",
"state":"Open"
},
{
"buId":6384,
"companyId":"6",
"timestampUUID":"203A8qR796Xvf-yGqIQvSPwS7831UnKA",
"id":"203A8qR796Xvf-yGqIQvSPwS7831UnKA",
"objectType":"USER",
"objectId":"0050P000006d7J1QAI",
"user":"0050P000006d7J1QAI",
"userName":"0050P000006d7J1QAI",
"severity":"Alert",
"applicationId":"00D0P000000Db1XUAS",
"violationActivity":"SALESFORCE_MODIFY_PERMISSION_SET",
"displayOperation":"Modify Permission Set",
"createTime":1583830347798,
"updateTime":1583830347000,
"policyName":"Restricted User",
"policyId":"16615",
"policyCode":"FC-ACT-010",
"contextName":"Restricted User",
"userId":"0050P000006d7J1QAI",
"eventId":"203A8hk003U7DBS8g5ScuSgpxwM_TUTw",
"eventIdList":[
"203A8hk003U7DBS8g5ScuSgpxwM_TUTw"
],
"service":"Salesforce",
"resultDesc":"hit the rule: all user include and all event
include",
"matches":0,
"geoLocationList":[
],
"alertType":"Threat protection",
"defineType":"Predefined",
"state":"Open"
},
{
"buId":6384,
"companyId":"6",
"timestampUUID":"203A8qR661F8irdySGQZ2gT5BxOk3plg",
"id":"203A8qR661F8irdySGQZ2gT5BxOk3plg",
"objectType":"USER",
"objectId":"0050P000006d7J1QAI",
"user":"0050P000006d7J1QAI",
"userName":"0050P000006d7J1QAI",
"severity":"Alert",
"applicationId":"00D0P000000Db1XUAS",
"violationActivity":"SALESFORCE_MODIFY_PERMISSION_SET",
"displayOperation":"Modify Permission Set",
"createTime":1583830347664,
"updateTime":1583830347000,
"policyName":"Restricted User",
"policyId":"16615",
"policyCode":"FC-ACT-010",
"contextName":"Restricted User",
"userId":"0050P000006d7J1QAI",
"eventId":"203A8hk002J2FkUSUIQjaCHtr9UDBLXQ",
"eventIdList":[
"203A8hk002J2FkUSUIQjaCHtr9UDBLXQ"
],
"service":"Salesforce",
"resultDesc":"hit the rule: all user include and all event
include",
"matches":0,
"geoLocationList":[
],
"alertType":"Threat protection",
"defineType":"Predefined",
"state":"Open"
}
],
"totalPage":0,
"limit":20,
"skip":0,
"totalCount":6
}
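
Paging through Get Alert List with skip and limit while staying under the 100 TPM limit from API Throttling. This is an added example, not Fortinet code: the sliding-window throttle, the function names, the treatment of skip as an item offset, and the constructed in-memory alert store are assumptions.

```python
import collections
import json

BASE_URL = "https://www.forticasb.com"
THROTTLE_LIMIT = 100       # guide: 100 requests per minute
THROTTLE_WINDOW_S = 60.0


class SlidingWindowThrottle:
    """Client-side guard: at most `limit` requests in any `window` seconds."""

    def __init__(self, clock, sleep, limit=THROTTLE_LIMIT, window=THROTTLE_WINDOW_S):
        self._clock, self._sleep = clock, sleep
        self._limit, self._window = limit, window
        self._sent = collections.deque()  # send times still inside the window

    def acquire(self):
        while True:
            now = self._clock()
            while self._sent and now - self._sent[0] >= self._window:
                self._sent.popleft()
            if len(self._sent) < self._limit:
                self._sent.append(now)
                return
            # Window is full: wait until the oldest request ages out.
            self._sleep(self._window - (now - self._sent[0]))


def build_alert_request(token, company_id, bu_id, service, start_ms, end_ms, skip, limit):
    """Return (url, headers, body) for POST /api/v1/alert/list."""
    headers = {
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "companyId": str(company_id),
        "buId": str(bu_id),
        "service": service,
    }
    body = {"startTime": start_ms, "endTime": end_ms, "skip": skip, "limit": limit}
    return BASE_URL + "/api/v1/alert/list", headers, json.dumps(body)


def fetch_all_alerts(send, throttle, token, company_id, bu_id, service,
                     start_ms, end_ms, page_size=20, max_pages=1000):
    """Page through the alert list; `skip` is treated as an item offset (assumption)."""
    alerts, seen, skip = [], set(), 0
    for _ in range(max_pages):  # hard stop in case totalCount never converges
        throttle.acquire()
        url, headers, body = build_alert_request(
            token, company_id, bu_id, service, start_ms, end_ms, skip, page_size)
        page = json.loads(send(url, headers, body))
        data = page.get("data") or []
        for alert in data:
            # New alerts arriving mid-scan can shift pages; de-duplicate on alert id.
            if alert["id"] not in seen:
                seen.add(alert["id"])
                alerts.append(alert)
        skip += len(data)
        if not data or skip >= int(page.get("totalCount", 0)):
            break
    return alerts


def demo():
    """Fetch 250 constructed alerts two at a time: 125 requests, one throttle pause."""
    now, slept, calls = [0.0], [], []

    def sleep(seconds):
        slept.append(seconds)
        now[0] += seconds

    # Constructed alert store standing in for the service (no network).
    store = [{"id": "A%03d" % i, "severity": "Alert", "policyCode": "FC-ACT-010"}
             for i in range(250)]

    def fake_send(url, headers, body):
        query = json.loads(body)
        calls.append(query["skip"])
        chunk = store[query["skip"]:query["skip"] + query["limit"]]
        return json.dumps({"data": chunk, "totalCount": len(store),
                           "skip": query["skip"], "limit": query["limit"]})

    throttle = SlidingWindowThrottle(lambda: now[0], sleep)
    alerts = fetch_all_alerts(fake_send, throttle, "TOKEN", 6, 6384, "Salesforce",
                              1583792777000, 1583879177000, page_size=2)
    return len(alerts), len(calls), slept
```

Against the live service, pass `time.monotonic` and `time.sleep` as the clock and sleep callables, and share one throttle object across every endpoint that uses the same token.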

Get Business Unit Info

Description

Get details of the business unit.

URL

/api/v1/businessUnit/info

Method: GET

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| buId | <Business Unit ID> | Long | The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |
| Content-Type | application/json | String | |

Sample Request

Request URL: GET https://www.forticasb.com/api/v1/businessUnit/info
Request Header:
Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384

Response Variable

| Name | Required | Type | Description |
| --- | --- | --- | --- |
| companyId | Required | Long | Company ID |
| companyName | Required | String | The registered parent company name in FortiCASB |
| buId | Required | Long | Business unit ID |
| displayName | Required | String | Business unit display name |
| region | Required | String | Registered region |
| companyEmail | Optional | String | Registered email |
| primary | Optional | Boolean | Is primary or not |
| users | Optional | long | Number of users |

Sample Response
{
"companyId":6,
"companyName":"qa",
"buId":6384,
"displayName":"aaa",
"region":"global",
"companyEmail":"",
"primary":false,
"users":0
}

Get Country List

Description

Get a list of all countries.

URL

/api/v1/country/list

Method: GET

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| Content-Type | application/json | String | |

Sample Request

Request URL: GET https://www.forticasb.com/api/v1/country/list
Request Header:
Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| id | String | The country code, represents "Country" for filtering alerts |
| country | String | The country name, represents "Country Name" for filtering alerts |

Sample Response
[
{
"id":"AU",
"country":"Australia"
},
{
"id":"CN",
"country":"China"
},
{
"id":"DE",
"country":"Germany"
},
{
"id":"ES",
"country":"Spain"
},
{
"id":"JP",
"country":"Japan"
},
{
"id":"US",
"country":"United States of America"
}
]

Get Dashboard Risk

Description

Get all risk trend data of all monitoring accounts in the business unit.

URL

/api/v1/dashboard/risk

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| buId | <Account Number> | Long | The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |
| timeZone | <Time Zone> | String | Numeric representation of time zone of the user, ex. +0800 |
| Content-Type | application/json | String | |

Request Body Parameter

| Name | Required | Type | Description |
| --- | --- | --- | --- |
| startTime | Required | long | Timestamp, starting time of filtered open alerts |
| endTime | Required | long | Timestamp, ending time of filtered open alerts |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/dashboard/risk
Request Header:
Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384
timezone: -0700
Request Body:
{
"startTime":1585518361548,
"endTime":1585604761548
}

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| name | String | Cloud service name |
| id | String | Risk sequence number |
| key | String | The time that the risk was detected |
| value | long | The risk number on this date |

Sample Response
{
"data":[
{
"name":"Box",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Salesforce",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Dropbox",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Google",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
},
{
"name":"Office365",
"values":[
{
"id":"0",
"key":"2020-03-10T18:00:00+0000",
"value":0
},
{
"id":"1",
"key":"2020-03-10T18:30:00+0000",
"value":0
}
]
}
]
}

Get Dashboard Statistics

Description

Get crucial statistics data from the cloud service in the business unit.

URL

/api/v1/dashboard/statistics

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| buId | <Business unit ID> | Long | The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |
| timeZone | <Time Zone> | String | Numeric representation of time zone of the user, ex. +0800. |
| service | <Salesforce> | String | Cloud service account |
| Content-Type | application/json | String | |

Request Body Parameters

| Name | Type | Description |
| --- | --- | --- |
| startTime | long | Timestamp, starting time of filtered open alerts |
| endTime | long | Timestamp, ending time of filtered open alerts |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/dashboard/statistics
Request Header:
Authorization: Bearer <Authorization_Token>
timeZone: +0800
Content-Type: application/json
Service: Salesforce
buid: 6384
Request Body:
{
"startTime":1583865778729,
"endTime":1583952178729
}

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| topRiskUsers | List | Top risk users in a time period |
| topRiskObjects | List | Top risk objects in a time period |
| topHitPolicies | List | Top hit policies in a time period |
| topRiskEventType | List | Top risk event type in a time period |
| topRiskPositions | List | Top risk positions in a time period |
| topActivityPositions | List | Top activity positions in a time period |
| alertTrend | List | The trend of alert in a time period |
| usageTrend | List | The trend of usage in a time period |
| riskSeverity | List | The risk severity statistics |
| name | String | Position of the alert |
| id | String | Corresponding ID number of the event, policy, risk user, risk object, risk position |
| key | String | The event name, risk user name, policy name, activity name, alert name, risk object name, trend time |
| value | long | The number of the statistics items |

Sample Response
{
"topRiskUsers":[
{
"id":"0050P000006k18GQAQ",
"key":"yue zhang",
"value":2
}
],
"topRiskObjects":[
{
"id":"0690P000006mwkbQAA",
"key":"SSN2020-03-11T17:00:24.746Z.txt",
"value":4
},
{
"id":"0690P000006mwlPQAQ",
"key":"CA_Driver2020-03-
11T17:00:30.133Z.txt",
"value":4
},
{
"id":"0690P000006mwloQAA",
"key":"CN_Passport2020-03-
11T17:00:32.464Z.txt",
"value":4
},
{
"id":"0690P000006mwkgQAA",
"key":"CNID2020-03-11T17:00:25.632Z.txt",
"value":3
},
{
"id":"0690P000006mwlUQAQ",
"key":"CN_Driver2020-03-
11T17:00:30.566Z.txt",
"value":3
}
],
"topHitPolicies":[
{
"id":"16615",
"key":"Restricted User",
"value":35
},
{
"id":"16598",
"key":"DLP UK Passport Number Policy",
"value":4
},
{
"id":"16601",
"key":"DLP USA/Germany Passport Number
Policy",
"value":4
},
{
"id":"16599",
"key":"DLP AU Passport Number Policy",
"value":3
},
{
"id":"16603",
"key":"DLP CA Driver License Policy",
"value":3
}
],
"topRiskEventType":[
{
"id":"202",
"key":"Upload File",
"value":76
},
{
"id":"238",
"key":"Post",
"value":4
},
{
"id":"214",
"key":"Login Success",
"value":2
},
{
"id":"239",
"key":"Comment",
"value":1
}
],
"topRiskPositions":[
{
"name":"United States of America",
"key":"US",
"value":83
}
],
"topActivityPositions":[
{
"name":"United States of America",
"key":"US",
"value":35
}
],
"alertTrend":[
{
"id":"0",
"key":"2020-03-10T21:00:00+0000",
"value":0
}
],
"usageTrend":[
{
"id":"0",
"key":"2020-03-10T21:00:00+0000",
"value":0
}
],
"riskSeverity":[
{
"id":"0",
"key":"Alert",
"value":82
},
{
"id":"1",
"key":"Critical",
"value":1
}
]
}

Get Dashboard Summary

Description

Get dashboard summary.

URL

/api/v1/dashboard/summary

Method: GET

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| buId | <Business Unit ID> | Long | The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |
| companyId | <Company ID> | String | Company ID |
| roleId | <User ID> | Long | Login User ID |
| Content-Type | application/json | String | |

Sample Request

Request URL: GET https://www.forticasb.com/api/v1/dashboard/summary
Request Header:
Authorization: Bearer <Authorization_Token>
companyId: 6
Content-Type: application/json
buid: 6384
roleid: 1

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| loginUser | String | The login user e-mail. |
| alertCount | long | Number of alerts in the last 30 days |
| activitiesCount | long | Number of activities in the last 30 days |
| fileScannedCount | long | Number of files scanned in the last 30 days |

Sample Response
{
"loginUser":"[email protected]",
"alertsCount":3220,
"activitiesCount":9514,
"fileScannedCount":340
}

Get Dashboard Usage

Description

Get all activity usage trend data of all the monitoring cloud accounts in the business unit.

URL

/api/v1/dashboard/usage

Method: POST

Request Header

| Key | Value | Type | Description |
| --- | --- | --- | --- |
| Authorization | Bearer <Authorization Token> | String | Authorization credential generated by FortiCASB |
| buId | <Business Unit ID> | Long | The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196 |
| timeZone | <Time Zone> | String | Numeric representation of time zone of the user, ex. +0800. |
| Content-Type | application/json | String | |

Request Body Parameters

| Name | Type | Description |
| --- | --- | --- |
| startTime | long | Timestamp, starting time of filtered open alerts |
| endTime | long | Timestamp, ending time of filtered open alerts |

Sample Request

Request URL: POST https://www.forticasb.com/api/v1/dashboard/usage
Request Header:
Authorization: Bearer <Authorization_Token>
timeZone: +0800
Content-Type: application/json
buid: 6384
Request Body:
{
"startTime":1583865778729,
"endTime":1583952178729
}

Response Variable

| Name | Type | Description |
| --- | --- | --- |
| name | String | Cloud service name |
| id | String | Usage sequence number |
| key | String | The time that the usage was detected |
| value | long | The usage number at the date |

Sample Response
{
"data": [
{
"name": "Box",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
},
{
"name": "Salesforce",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
},
{
"name": "Dropbox",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
},
{
"name": "Google",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]

},
{
"name": "Office365",
"values": [
{
"id": "0",
"key": "2020-03-10T18:30:00+0000",
"value": 0
}
]
}
]
}
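
The following Python sketch is an added example, not code from the guide or from Fortinet. It builds the Get Dashboard Usage request (epoch-millisecond window, numeric timeZone header) and flattens the response so that services with no usage in the window stand out; the function names and the sample values are assumptions made for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

USAGE_URL = "https://www.forticasb.com/api/v1/dashboard/usage"  # host from the guide's samples


def _epoch_ms(moment):
    """Epoch milliseconds computed with integer arithmetic (no float rounding)."""
    delta = moment - datetime(1970, 1, 1, tzinfo=timezone.utc)
    return delta // timedelta(milliseconds=1)


def build_usage_request(token, bu_id, end, window=timedelta(days=1)):
    """Return (url, headers, body) for POST /api/v1/dashboard/usage.

    `end` must be timezone-aware: its UTC offset becomes the timeZone header
    ("+0800" style) and the window bounds become startTime/endTime.
    """
    if end.tzinfo is None or end.utcoffset() is None:
        raise ValueError("end must be a timezone-aware datetime")
    if window <= timedelta(0):
        raise ValueError("window must be positive")
    start = end - window
    headers = {
        "Authorization": f"Bearer {token}",
        "buId": str(bu_id),
        "timeZone": end.strftime("%z"),
        "Content-Type": "application/json",
    }
    body = json.dumps({"startTime": _epoch_ms(start), "endTime": _epoch_ms(end)})
    return USAGE_URL, headers, body


def usage_by_service(response):
    """Flatten the response into {service name: [(time, count), ...]}, oldest first."""
    series = {}
    for entry in response.get("data", []):
        points = [
            (datetime.strptime(p["key"], "%Y-%m-%dT%H:%M:%S%z"), int(p["value"]))
            for p in entry.get("values", [])
        ]
        series[entry["name"]] = sorted(points)
    return series


def services_without_usage(series):
    """Names of services whose usage is zero across the whole window."""
    return sorted(n for n, pts in series.items() if sum(c for _, c in pts) == 0)


# Constructed response in the documented shape; the counts are made up.
SAMPLE_RESPONSE = {
    "data": [
        {"name": "Box", "values": [
            {"id": "0", "key": "2020-03-10T18:30:00+0000", "value": 0},
            {"id": "1", "key": "2020-03-10T19:30:00+0000", "value": 0}]},
        {"name": "Salesforce", "values": [
            {"id": "1", "key": "2020-03-10T19:30:00+0000", "value": 7},
            {"id": "0", "key": "2020-03-10T18:30:00+0000", "value": 5}]},
    ]
}

if __name__ == "__main__":
    end = datetime(2020, 3, 12, 2, 42, 58, tzinfo=timezone(timedelta(hours=8)))
    print(build_usage_request("<Authorization_Token>", 6384, end))
    print(services_without_usage(usage_by_service(SAMPLE_RESPONSE)))
```

A service that is monitored but reports zero usage may simply be idle; Get Service Status shows whether its connection to FortiCASB is still authenticated.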

Get Event

Description

Get activity event definitions from FortiCASB.

URL

/api/v1/event

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/event


Request Header Authorization: Bearer <Authorization_Token>
service: Salesforce
Content-Type: application/json


Response Variable

Name Type Description

id integer The activity id, represents "Activity ID" for filtering alerts and activity

name String Name of the activity operation, represents "Activity Name" for filtering alerts and activity

nameEnum OperationNameEnum The activity operation type, represents "Activity" enum for filtering alerts and activity

value String The activity ID, represents "Activity" for filtering alerts and activity

category String The category of activity, represents "Activity Category" for filtering alerts and activity

searchField String The search field of the filter

Sample Response
[
{
"id":202,
"name":"Upload File",
"nameEnum":"UPLOAD_FILE",
"value":"202",
"category":"FILE",
"searchField":"activity"
},
{
"id":203,
"name":"Download File",
"nameEnum":"DOWNLOAD_FILE",
"value":"203",
"category":"FILE",
"searchField":"activity"
},
{
"id":206,
"name":"Upload New Version",
"nameEnum":"UPLOAD_NEW_VERSION",
"value":"206",
"category":"FILE",
"searchField":"activity"
}
]


Get Filter List

Description

Get all user-created filter lists for the specified cloud service under the targeted business unit.

URL

/api/v1/filter/list

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196

service <Cloud Service Name> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/filter/list


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384
service: Office365

Response Variable

Name Type Description

id String The serial number

name String The filter name that user created

filter String The filter that the user saved

source String The filter source page

Sample Response
[
{
"id":36156,
"name":"casb test",
"filter":"{\"selectPolicyObject\":[],\"selectFileTypeObject\":[],\"selectShareTypeObject\":[],\"selectSensitiveDataObject\":[],\"selectOwnerObject\":[],\"selectShareToInternalObject\":[],\"selectShareToGuestObject\":[],\"selectUserObject\":[],\"selectSharedUserObject\":[],\"selectActivityObject\":[{\"id\":2,\"name\":\"Upload File\",\"category\":\"FILE\"}],\"selectSeverityObject\":[],\"selectAlertTypeObject\":[],\"selectStatusObject\":[],\"selectCountryObject\":[],\"ipList\":[],\"selectAuditOperateObject\":[],\"selectAuditModuleObject\":[],\"selectAuditVendorObject\":[],\"isShare\":false,\"isLink\":false,\"isNewFinding\":false,\"isViolation\":false,\"isSuccess\":null,\"object\":\"\",\"selectedHistoryPeriod\":{\"time\":\"Last 24 hours\",\"displayTime\":\"Last 24 hours\"},\"selectedPeriod\":{\"start_dt\":\"2020-03-10T23:38:45.069Z\",\"end_dt\":\"2020-03-11T23:38:45.069Z\",\"value\":{\"time\":\"Last 24 hours\",\"displayTime\":\"Last 24 hours\"}}}",
"source":"alert"
}
]
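
In the sample response above, the filter field is a JSON document serialized into a string, so it needs a second decoding pass after the response itself is parsed. The Python sketch below is an added example, not code from the guide: it decodes each saved filter and keeps only the criteria that were actually set. The function names are assumptions and the sample is a shortened, constructed copy of the guide's response.

```python
import json


def decode_saved_filter(entry):
    """Return a copy of one Get Filter List entry with `filter` parsed to a dict."""
    try:
        parsed = json.loads(entry.get("filter"))
    except (TypeError, ValueError) as exc:
        raise ValueError(f"saved filter {entry.get('id')}: filter is not JSON ({exc})") from None
    if not isinstance(parsed, dict):
        raise ValueError(f"saved filter {entry.get('id')}: expected a JSON object")
    return {**entry, "filter": parsed}


def active_criteria(filter_obj):
    """Drop unset criteria (empty lists, false, null, "") and simplify the rest."""
    active = {}
    for key, value in filter_obj.items():
        if value is None or value is False or value in ("", [], {}):
            continue
        if key == "selectedPeriod":
            active[key] = (value.get("start_dt"), value.get("end_dt"))
        elif key == "selectedHistoryPeriod":
            active[key] = value.get("time")
        elif isinstance(value, list):
            # Selection objects carry id/name/category; the name is enough here.
            active[key] = [v.get("name", v.get("id")) if isinstance(v, dict) else v
                           for v in value]
        else:
            active[key] = value
    return active


def summarize_filters(response_text):
    """Map each saved filter name to (source page, criteria actually set)."""
    return {
        e["name"]: (e["source"], active_criteria(decode_saved_filter(e)["filter"]))
        for e in json.loads(response_text)
    }


# Constructed sample: a shortened version of the guide's Sample Response.
SAMPLE_RESPONSE = json.dumps([{
    "id": 36156,
    "name": "casb test",
    "filter": json.dumps({
        "selectPolicyObject": [],
        "selectActivityObject": [{"id": 2, "name": "Upload File", "category": "FILE"}],
        "selectSeverityObject": [],
        "ipList": [],
        "isShare": False,
        "isSuccess": None,
        "object": "",
        "selectedHistoryPeriod": {"time": "Last 24 hours", "displayTime": "Last 24 hours"},
        "selectedPeriod": {
            "start_dt": "2020-03-10T23:38:45.069Z",
            "end_dt": "2020-03-11T23:38:45.069Z",
            "value": {"time": "Last 24 hours", "displayTime": "Last 24 hours"},
        },
    }),
    "source": "alert",
}])

if __name__ == "__main__":
    for name, (source, criteria) in summarize_filters(SAMPLE_RESPONSE).items():
        print(name, source, criteria)
```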

Get Policy List

Description

Get all FortiCASB policies which trigger alerts in the business unit.


URL

/api/v1/alert/policy/list

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196

service <Salesforce> String Cloud service account

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/policy/list


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384
service: Salesforce

Response Variable

Name Type Description

name String Policy name

category String Category of the policy

id String Policy code for identifying the policy

Sample Response
[
{

"name": "DLP China Resident Identity Policy",
"id": "FC-ACT-029",
"category": "DLP"
},
{
"name": "AV Scan Policy",
"id": "FC-ACT-254",
"category": "DLP"
},
{
"name": "Restricted User Activity",
"id": "FC-ACT-010",
"category": "Threat protection"
},
{
"name": "Password Change",
"id": "FC-ACT-011",
"category": "Threat protection"
}
]

Get Service History

Description

Get cloud service OAuth history of the business unit.

URL

/api/v1/service/history/{service}

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/service/history/Salesforce


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384

Response Variable

Name Required Type Description

id Required long The OAuth history ID

buId Required Long Business unit ID

service Required Application Cloud service name

scanId Optional String Application name + company name

actionStatusCode Optional String The user name that is registered with this cloud service

message Optional String The returned message of cloud service status history

date Optional long Timestamp, the time that processed this step

lastStep Optional String The last process step

casbUser Optional String The user email that is used in FortiCASB

cloudUser Optional String The user name that is registered in this cloud service account

Sample Response
[
{
"id":31289,
"scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",

"buId":6384,
"application":"SALESFORCE",
"actionStatusCode":"Success",
"message":"",
"date":1583432356528,
"lastStep":"Update OAuth Data",
"casbUser":"[email protected]",
"cloudUser":"[email protected]"
},
{
"id":31267,
"scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
"buId":6384,
"application":"SALESFORCE",
"actionStatusCode":"Success",
"message":"",
"date":1583378643280,
"lastStep":"Update OAuth Data",
"casbUser":"[email protected]",
"cloudUser":"[email protected]"
},
{
"id":24433,
"scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
"buId":6384,
"application":"SALESFORCE",
"actionStatusCode":"Success",
"message":"",
"date":1582918837831,
"lastStep":"Update OAuth Data",
"casbUser":"[email protected]",
"cloudUser":"[email protected]"
},
{
"id":16572,
"scanId":"SALESFORCEVb-gvLgmSLCWw8U_BSh6Vw",
"buId":6384,
"application":"SALESFORCE",
"actionStatusCode":"Success",
"message":"",
"date":1582585855516,
"lastStep":"Save OAuth Data",
"casbUser":"[email protected]",
"cloudUser":"[email protected]"
}
]

Get Service Status

Description

Get the cloud service information and authentication status under the same business unit.


URL

/api/v1/service/status/{service}

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196

service <Cloud Service> String Cloud service name such as Salesforce, Office365, etc.

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/service/status/Salesforce


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
buid: 6384

Response Variable

Name Required Type Description

step Required String The operation step at this stage

total Required int The number of steps

processing Required int Number of processing steps

actionStatusCode Required ActionStatusCode The result code of this stage's operation

code Required String Add cloud service status code

stepOrder Required int The order of the related operation

casbUser Optional String The user email that is used in FortiCASB

cloudUser Optional String The user name that is registered with the cloud service

date Optional long Timestamp, the time that this cloud service is added into FortiCASB

process Optional List<OAuthProcess> The processes of getting this cloud service's OAuth

message Optional String The message with the process

Sample Response
{
"code": "100",
"casbUser": "[email protected]",
"cloudUser": "[email protected]",
"date": 1583432355315,
"process": [
{

"step": "OAuth Request",
"total": 1,
"processing": 1,
"actionStatusCode": "100",
"message": "",
"stepOrder": 1
},
{
"step": "Check License",
"total": 1,
"processing": 1,
"actionStatusCode": "100",
"message": "",
"stepOrder": 2
},
{
"step": "Update OAuth Data",
"total": 1,
"processing": 1,
"actionStatusCode": "100",
"message": "",
"stepOrder": 3
},
{
"step": "Initial Data Pulling Logic",
"total": 1,
"processing": 1,
"actionStatusCode": "100",
"message": "",
"stepOrder": 5
},
{
"step": "Remove old OAuth data",
"total": 1,
"processing": 1,
"actionStatusCode": "100",
"message": "",
"stepOrder": 5
}
]
}
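
A broken OAuth connection means FortiCASB has stopped seeing that cloud service, so the Get Service Status and Get Service History responses are worth checking on a schedule. The Python sketch below is an added example, not Fortinet's code. It assumes "100" and "Success" mark a good result because those are the only values in the guide's samples (the guide does not list the codes), and the failing entries and the 7-day threshold are constructed.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def from_epoch_ms(ms):
    """FortiCASB timestamps are epoch milliseconds; convert without floats."""
    return EPOCH + timedelta(milliseconds=ms)


def unhealthy_steps(status, ok_codes=("100",)):
    """Steps in a Get Service Status response that did not complete cleanly.

    ok_codes is an assumption taken from the guide's sample response.
    """
    findings = []
    for step in sorted(status.get("process", []), key=lambda s: s.get("stepOrder", 0)):
        reasons = []
        if step.get("actionStatusCode") not in ok_codes:
            reasons.append(f"status code {step.get('actionStatusCode')}")
        if step.get("processing") != step.get("total"):
            reasons.append(f"{step.get('processing')} of {step.get('total')} processed")
        if reasons:
            detail = ", ".join(reasons)
            if step.get("message"):
                detail += f": {step['message']}"
            findings.append((step.get("step"), detail))
    return findings


def history_findings(history, now, max_age=timedelta(days=7), ok_status="Success"):
    """Failed Get Service History entries, plus a 'stale' finding when the
    newest successful entry is older than max_age (threshold is an assumption)."""
    findings, good = [], []
    for item in sorted(history, key=lambda h: h.get("date", 0)):
        if item.get("actionStatusCode") != ok_status:
            findings.append(("failed", item.get("lastStep"), item.get("message", "")))
        elif item.get("date"):          # date is optional in the response
            good.append(item)
    if not good:
        findings.append(("stale", None, "no successful OAuth step recorded"))
    else:
        age = now - from_epoch_ms(good[-1]["date"])
        if age > max_age:
            findings.append(("stale", good[-1].get("lastStep"),
                             f"last success {age.days} days ago"))
    return findings


# Constructed inputs in the documented shapes; "500" and "Failed" are made-up values.
SAMPLE_STATUS = {"code": "100", "date": 1583432355315, "process": [
    {"step": "OAuth Request", "total": 1, "processing": 1,
     "actionStatusCode": "100", "message": "", "stepOrder": 1},
    {"step": "Check License", "total": 1, "processing": 0,
     "actionStatusCode": "500", "message": "license not assigned", "stepOrder": 2},
    {"step": "Update OAuth Data", "total": 1, "processing": 1,
     "actionStatusCode": "100", "message": "", "stepOrder": 3},
]}
SAMPLE_HISTORY = [
    {"id": 31289, "actionStatusCode": "Success", "message": "",
     "date": 1583432356528, "lastStep": "Update OAuth Data"},
    {"id": 31300, "actionStatusCode": "Failed", "message": "token revoked",
     "date": 1583500000000, "lastStep": "OAuth Request"},
]

if __name__ == "__main__":
    print(unhealthy_steps(SAMPLE_STATUS))
    print(history_findings(SAMPLE_HISTORY, datetime(2020, 3, 20, tzinfo=timezone.utc)))
```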

Get Severity

Description

Get all alert severity definitions from FortiCASB.


URL

/api/v1/severity

Method: GET

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/severity


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

Name Type Description

id String The severity code, represents "Severity" code filter in filtering alerts

name String The severity name, represents "Severity" name filter for filtering alerts

Sample Response
[
{
"id":"1",
"name":"Critical"
},
{
"id":"2",
"name":"Alert"
},
{
"id":"3",
"name":"Warning"
},
{

"id":"4",
"name":"Information"
},
{
"id":"5",
"name":"Pass"
}
]

Get Status

Description

Get status definitions from the FortiCASB system.

URL

/api/v1/status

Method: Get

Request Header

Key Value Type Description

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

Content-Type application/json String

Sample Request

Request URL GET https://www.forticasb.com/api/v1/status


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json

Response Variable

Name Type Description

id String Status ID

name String Service Status


Sample Response
[
{
"id":"1",
"name":"New"
},
{
"id":"2",
"name":"In progress"
},
{
"id":"3",
"name":"Resolved"
},
{
"id":"4",
"name":"Discard"
}
]

Get User List

Description

Get details of all users of the cloud services under the same company and business unit.

URL

/api/v1/profile/user/list

Method: Get

Request Header

Key Value Type Description

companyId <Company ID> Integer Company ID

Authorization Bearer <Authorization Token> String Authorization credential generated by FortiCASB

buId <Business Unit ID> Long The targeted business unit ID on FortiCASB. Business unit ID can be obtained through View or Remove Business User on page 20. Alternatively, it can also be obtained from the REST API Get Resource Map on page 196

service <Cloud Service> String Name of the cloud service such as Salesforce, Office365, etc.

Content-Type application/json String

skip <Skip Number> Integer Index into the result set. Used to exclude the first N items of a resource collection from the response.

limit <Limit per Page> Integer Maximum number of items returned per page.

Sample Request

Request URL GET https://www.forticasb.com/api/v1/profile/user/list


Request Header Authorization: Bearer <Authorization_Token>
Content-Type: application/json
service: Salesforce
buid: 8
companyid: 7
skip: 0
limit: 2

Response Variable

Name Required Type Description

companyId Required Long Company ID

userId Required String The user identity

origUserId Required String The original user identity

deleted Required boolean Whether the current user information is deleted

createdDate Required long Timestamp, user created date

service Required Application Cloud service name

isActive Required boolean User active status

buId Optional Long Business unit ID

createdById Optional String The ID which created this user

lastModifiedDate Optional long Timestamp, the last time that this user has been modified

lastModifiedById Optional String The last user ID that modified this user information

lastLoginDate Optional long Timestamp, the last time that this user logged in to FortiCASB

systemModstamp Optional long Timestamp of the system

email Optional String The email of the registered user

userName Optional String The user name of the registered user

name Optional String This user's name

firstName Optional String This user's first name

lastName Optional String This user's last name

userType Optional UserTypeEnum User type

profileId Optional String This user's profile ID

userRoleId Optional String This user's role ID

Sample Response
[
{
"companyId": "7",
"buId": 8,
"userId": "0050P000006kOBcQAM",
"origUserId": "0050P000006kOBcQAM",
"deleted": false,
"createdDate": 1492555111000,
"createdById": "0050P000006d7J0QAI",
"lastModifiedDate": 1583370489000,
"systemModstamp": 1545262127000,
"email": "[email protected]",
"userName": "[email protected]",
"name": "forti3 net3",
"firstName": "forti3",
"lastName": "net3",
"service": "SALESFORCE",

"lastLoginDate": 1545262127000,
"userType": "CsnOnly",
"isActive": true,
"profileId": "00e0P000000JYKPQA4"
},
{
"companyId": "7",
"buId": 8,
"userId": "0054U000009GCaMQAW",
"origUserId": "0054U000009GCaMQAW",
"deleted": false,
"createdDate": 1595303943000,
"createdById": "0050P000006d7J1QAI",
"lastModifiedDate": 1595303943000,
"systemModstamp": 0,
"email": "[email protected]",
"userName": "xxxxxx@00d0p000000db1xuas",
"name": "Platform Integration User",
"lastName": "Platform Integration User",
"service": "SALESFORCE",
"lastLoginDate": 0,
"isActive": true,
"profileId": "00e0P000000a7HVQAY"
}
]
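
Get User List pages through request headers (skip and limit), and its timestamps are epoch milliseconds, with 0 in lastLoginDate for an account that has no recorded login. The Python sketch below is an added example, not Fortinet's code: it walks all pages and lists accounts that are still active but dormant. The end-of-collection rule (a short page), the 90-day threshold and the CONSTRUCTED user IDs are assumptions.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def user_list_headers(token, company_id, bu_id, service, skip, limit):
    """Request headers for GET /api/v1/profile/user/list (paging is header-based)."""
    if skip < 0 or limit < 1:
        raise ValueError("skip must be >= 0 and limit >= 1")
    return {
        "Authorization": f"Bearer {token}",
        "Content-Type": "application/json",
        "companyId": str(company_id),
        "buId": str(bu_id),
        "service": service,
        "skip": str(skip),
        "limit": str(limit),
    }


def iter_users(fetch_page, page_size=100):
    """Yield every user once.

    fetch_page(skip, limit) is supplied by the caller and returns the decoded
    list for one request. Assumption: a page shorter than `limit` is the last
    one. A page with no new userId also stops the loop, so a server that
    ignores `skip` cannot make it spin forever.
    """
    seen, skip = set(), 0
    while True:
        page = fetch_page(skip, page_size)
        fresh = [u for u in page if u["userId"] not in seen]
        seen.update(u["userId"] for u in fresh)
        yield from fresh
        if len(page) < page_size or not fresh:
            return
        skip += len(page)


def dormant_active_users(users, now, max_idle=timedelta(days=90)):
    """Active, non-deleted accounts with no login recorded inside max_idle."""
    findings = []
    for user in users:
        if user.get("deleted") or not user.get("isActive"):
            continue
        last_ms = user.get("lastLoginDate") or 0   # optional field; 0 = none recorded
        if last_ms == 0:
            findings.append((user["userId"], "no recorded login"))
            continue
        idle = now - (EPOCH + timedelta(milliseconds=last_ms))
        if idle > max_idle:
            findings.append((user["userId"], f"no login for {idle.days} days"))
    return findings


# First two entries are trimmed from the guide's sample; the rest are constructed.
SAMPLE_USERS = [
    {"userId": "0050P000006kOBcQAM", "isActive": True, "deleted": False,
     "lastLoginDate": 1545262127000},
    {"userId": "0054U000009GCaMQAW", "isActive": True, "deleted": False,
     "lastLoginDate": 0},
    {"userId": "CONSTRUCTED-0003", "isActive": False, "deleted": False,
     "lastLoginDate": 0},
    {"userId": "CONSTRUCTED-0004", "isActive": True, "deleted": False,
     "lastLoginDate": 1595303943000},
    {"userId": "CONSTRUCTED-0005", "isActive": True, "deleted": True},
]

if __name__ == "__main__":
    pages = lambda skip, limit: SAMPLE_USERS[skip:skip + limit]  # offline stand-in
    users = list(iter_users(pages, page_size=2))
    print(dormant_active_users(users, datetime(2020, 8, 1, tzinfo=timezone.utc)))
```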


Troubleshooting

Information and solutions for the following problems are included in this section:

Getting Started

• I have a new account but no license
• I have renewed my license, but cannot use it.

Salesforce

• I get an "OAuth Request" error.

Office 365

• I get an error at the "Add Sites Collection Admin" step.
• I get an error at the "Add Users" step.
• I get an error at the "Add Groups" step.

Dropbox Business

• I get an "OAuth Request" error.

Google

• I can't connect Google Drive to FortiCASB.


Getting Started Issues

Information and solutions for the following problems are included in this section:
• New account with No License Error
• Renew License error

New account with No License Error

Check your Master FortiCARE account to see if the license is present:

1. Log into FortiCare https://support.fortinet.com/ with your Master FortiCare account.
2. From the top main menu, click Asset > Manage/View Products.
3. Check whether the license you purchased is shown in the product list.
4. If your license is on the list, you can add it by creating a company. Please see Basic Setup on page 14.
5. If the license you purchased is not on the list, please contact FortiCARE support.


Renew License error

If you have renewed your license but cannot find it on your FortiCASB Dashboard, follow these steps to see if the license appears in your FortiCARE account.

1. Log into FortiCare https://support.fortinet.com/ with your Master FortiCare account.
2. From the top main menu, click Asset > View Account Service.
3. Check whether the license/contract you purchased is shown in the product list.
4. If the license/contract you purchased is not on the list, please contact FortiCARE support.
5. If your license is on the list, it only needs to be assigned to the company/business unit on FortiCASB.

Salesforce

OAuth Request errors

If an error occurs, an error message will be displayed on the Salesforce panel.


The following sections show some common error messages, as well as possible solutions:
• If your error message says "Saas application API gateway not accessible", go to Saas application API gateway not accessible error on page 237


Saas application API gateway not accessible error

FortiCASB requires users to have three specific Salesforce permissions. To check your Salesforce permissions,
follow these steps:
1. From your Salesforce menu, go to Setup > Manage Users > Users.
2. Click on the profile of the integrated user.
For example, if the integrated user is listed as a "System Administrator", click on System Administrator
under "Profile".

3. Make sure you have the "API Enabled", "View All Data", and "View All Users" permissions enabled.

If you have all these permissions and still encounter the error, your organization could have reached
Salesforce's daily API request limit. To check if you have reached this limit, follow these steps:
1. From your Salesforce menu, go to Setup > Company Profile > Company Information.
2. Check "API Requests, Last 24 Hours" to see if you have reached your maximum limit.
If you have reached this limit, wait for the next 24 hour period to try again.

Salesforce enforces API call limits on a per-organization basis, not a per-user basis. If your organization has multiple applications sharing Salesforce API requests, please consolidate usage between applications.


Office 365

Add Site Collection Admin errors

The following sections show some common causes for this error, as well as possible solutions.
• If your Azure domain does not end in ".onmicrosoft.com", go to Customized SharePoint homepage URL on page 238

Customized SharePoint homepage URL

FortiCASB's "Add Site Collection Admin" feature currently only supports the default Azure domain format (abc.onmicrosoft.com). If you have a custom SharePoint homepage URL, you will have to allow collection manually.
1. From your SharePoint Online Admin Center, click user profiles.
2. Use the "Find profiles" feature to find a user, right-click that user's account name, then click Manage site
collection owners.
3. In the "Site Collection Administrators" box, enter your admin username, then click the icon.
4. Click OK. FortiCASB can now audit this user's OneDrives.
5. Repeat steps one through four for each user you wish to audit.
6. From the FortiCASB Office 365 authentication menu, check "Prefer not to provide".

Add Users errors

Even if such an error occurs, FortiCASB will still monitor users that do not trigger this error. For
example, in this case, FortiCASB will monitor the 37 users that were added successfully, even
if this error is not corrected.

The following sections show some common causes for this error, as well as possible solutions.
• If these users have never logged into their Office 365 accounts before, go to Adding users with new Office 365 accounts on page 238.

Adding users with new Office 365 accounts

Office 365 activates a new user's SharePoint portal when he or she logs in for the first time. For a brand new O365
account, log into the account once to activate the portal, then add the user in FortiCASB.

Add Groups errors

Some groups do not generate or manipulate files. FortiCASB will not monitor these groups. FortiCASB will also not
monitor groups the site administrator does not have permission to monitor.


Even if such an error occurs, FortiCASB will still monitor groups that do not trigger this error.


Dropbox Business

OAuth Request error

Please check the user role of the account used to log in to Dropbox Business. This account must have "Team Admin" permissions.


Google

Google Drive connection errors

If FortiCASB will not connect to your Google Drive account, one common reason is that your Google account is not a Super Administrator and does not have the correct permissions.
To check if your Google account is a Super Administrator, go to https://admin.google.com/, and log in with your Google
account.
If your interface is the same as the one shown below, you are a Super Administrator.

If you are not a Super Administrator, either ask the Super Administrator to grant you Super Administrator permissions or
use the Super Administrator's Google account to link to FortiCASB.

If you're unsure who your administrator is, contact your IT department, help desk, or the manager who gave you the
account.

Due to Google requirements, only G Suite accounts with a business or enterprise license can use FortiCASB. G Suite accounts with a basic license will be unable to use FortiCASB.


Appendix

Appendix A: Amazon Policy Usage

Communication between AWS and FortiCASB requires granting FortiCASB permissions to access AWS account
resource configuration settings. The method is done through creating custom policy on AWS in JSON format in AWS for
.
Below are the AWS services and policies used, and the purpose each serves in FortiCASB.

FortiCASB Basic Permission

Service Policy in JSON Format Permission Purpose

RDS "rds:Describe*", "rds:DownloadDBLogFilePortion", "rds:ListTagsForResource" 1. FortiCASB Resource List 2. RDS profile 3. RDS Topology 4. RDS Risk assessment

RDS "rds:ModifyDBInstance" 1. Allow autofix feature of RDS Risk assessment policy "RDS instances should not be publicly accessible".

EFS "elasticfilesystem:Describe*" 1. FortiCASB Resource List 2. EFS profile 3. EFS Risk assessment

ELB "elasticloadbalancing:Describe*" 1. FortiCASB Resource List 2. Listener, Load Balancer, Target Group profile 3. ELB Topology 4. ELB Risk assessment

ELB "elasticloadbalancing:ModifyLoadBalancerAttributes" 1. Allow autofix feature of ELB Risk assessment policy "ELB/ALB deletion protection should be enabled".

Certificate Manager "acm:List*", "acm:Describe*" 1. FortiCASB Resource List 2. ACM Certificate profile 3. ACM Certificate Risk assessment

CloudFront "cloudfront:List*", "cloudfront:Get*" 1. FortiCASB Resource List 2. CloudFront profile 3. CloudFront Risk assessment

CloudFront "cloudfront:UpdateDistribution" 1. Allow autofix feature of CloudFront Risk assessment policy "CloudFront should use secure ciphers for distribution".

EKS "eks:ListUpdates", "eks:DescribeUpdate", "eks:DescribeCluster", "eks:ListClusters" 1. FortiCASB Resource List 2. EKS profile 3. EKS Topology

KMS "kms:List*", "kms:Describe*", "kms:Get*" 1. FortiCASB Resource List 2. KMS Key profile 3. KMS Risk assessment

KMS "kms:EnableKeyRotation" 1. Allow autofix feature of KMS Risk assessment policy "KMS key rotation should be enabled".

Lambda "lambda:List*", "lambda:GetPolicy" 1. FortiCASB Resource List 2. Lambda profile 3. Lambda Risk assessment

SQS "sqs:ReceiveMessage", "sqs:GetQueueUrl", "sqs:GetQueueAttributes", "sqs:ListQueueTags", "sqs:ListQueues", "sqs:ListDeadLetterSourceQueues" 1. FortiCASB Resource List 2. SQS profile 3. SQS Risk assessment

SQS "sqs:TagQueue", "sqs:UntagQueue", "sqs:ChangeMessageVisibility", "sqs:ChangeMessageVisibilityBatch", "sqs:CreateQueue", "sqs:DeleteMessage", "sqs:DeleteMessageBatch", "sqs:DeleteQueue", "sqs:PurgeQueue", "sqs:SendMessage", "sqs:SendMessageBatch", "sqs:SetQueueAttributes" 1. FortiCASB Notification’s integration with AWS SQS service

IAM "iam:List*", "iam:SimulateCustomPolicy", "iam:GenerateCredentialReport", "iam:Get*", "iam:SimulatePrincipalPolicy" 1. FortiCASB Resource List 2. IAM profile 3. IAM Risk assessment

IAM "iam:UpdateAccountPasswordPolicy" 1. Allow autofix feature of Redshift Risk assessment policy "Password requirements should be enforced".

Redshift "redshift:Describe*" 1. FortiCASB Resource List 2. Redshift profile 3. Redshift Risk assessment

Redshift "redshift:Describe*", "redshift:ModifyClusterParameterGroup" 1. Allow autofix feature of Redshift Risk assessment policy "Redshift database should use SSL for connections".

Elastic Container Service "ecs:Describe*", "ecs:List*" 1. FortiCASB Resource List 2. ECS profile 3. ECS Topology

EC2 "ec2:Describe*", "ec2:SearchTransitGatewayRoutes", "ec2:GetTransitGatewayAttachmentPropagations", "ec2:GetTransitGatewayRouteTablePropagations", "ec2:GetTransitGatewayRouteTableAssociations" 1. FortiCASB Resource List 2. VPC, Route Table, Subnet, Network ACL, Security Group, Machine Image (AMI), EC2, EBS volume, EBS snapshot profile 3. VPC, Subnet, Network ACL, Security Group, EC2 Topology 4. VPC, Subnet, Security Group, AMI, EC2, EBS Risk assessment

EC2 "ec2:ModifySnapshotAttribute", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress" 1. Allow autofix feature of EBS Risk assessment policy "EBS snapshots should not be publicly accessible". 2. Allow autofix feature of Security Group Risk assessment policy "Default Security Group should block all inbound traffic".

CloudWatch Logs "logs:Get*", "logs:Describe*", "logs:FilterLogEvents" 1. Feature "Traffic" on FortiCASB

Glacier "glacier:ListVaults", "glacier:GetVaultAccessPolicy" 1. FortiCASB Resource List 2. Glacier profile 3. Glacier Risk assessment

CloudFormation "cloudformation:ListStack*", "cloudformation:GetTemplate", "cloudformation:DescribeStack*" 1. FortiCASB Resource List 2. CloudFormation profile 3. CloudFormation Risk assessment

S3 "s3:GetBucket*", "s3:GetReplicationConfiguration", "s3:GetLifecycleConfiguration", "s3:GetInventoryConfiguration", "s3:ListBucket", "s3:ListBucketMultipartUploads", "s3:GetAccountPublicAccessBlock", "s3:ListAllMyBuckets", "s3:GetObjectVersion", "s3:GetObjectVersionTagging", "s3:GetObjectAcl", "s3:GetObjectVersionAcl", "s3:HeadBucket", "s3:ListMultipartUploadParts", "s3:GetObject", "s3:GetAnalyticsConfiguration", "s3:GetObjectVersionForReplication", "s3:ListBucketByTags", "s3:ListBucketVersions", "s3:GetAccelerateConfiguration", "s3:GetObjectVersionTorrent", "s3:GetEncryptionConfiguration", "s3:GetObjectTagging", "s3:GetMetricsConfiguration", "s3:GetObjectTorrent" 1. FortiCASB Resource List 2. S3 bucket profile 3. S3 Risk assessment 4. Feature "Buckets" on FortiCASB

S3 "s3:PutBucketVersioning", "s3:PutBucketAcl", "s3:PutBucketPolicy", "s3:PutObjectAcl", "s3:PutObjectVersionAcl" 1. Allow autofix feature of S3 Risk assessment policy "S3 buckets should not be publicly available".

Pinpoint Email/SES "ses:List*", "ses:Get*" 1. FortiCASB Resource List 2. SES profile 3. SES Risk assessment

CloudTrail "cloudtrail:GetTrailStatus", "cloudtrail:LookupEvents", "cloudtrail:DescribeTrails", "cloudtrail:ListTags", "cloudtrail:GetEventSelectors" 1. FortiCASB Resource List 2. CloudTrail profile 3. CloudTrail Risk assessment 4. Feature "Activity" on FortiCASB

CloudTrail "cloudtrail:StartLogging", "cloudtrail:UpdateTrail" 1. Allow autofix feature of CloudTrail Risk assessment policy "CloudTrail bucket should not be publicly accessible".

Elasticsearch Service "es:List*", "es:Describe*" 1. FortiCASB Resource List 2. ElasticSearch profile 3. ElasticSearch Risk assessment

Route 53 "route53:ListTrafficPolicyVersions", "route53:GetHealthCheck", "route53:ListHostedZonesByName", "route53:GetHostedZoneCount", "route53:GetHealthCheckLastFailureReason", "route53:ListVPCAssociationAuthorizations", "route53:GetReusableDelegationSetLimit", "route53:ListTagsForResources", "route53:GetAccountLimit", "route53:GetGeoLocation", "route53:GetTrafficPolicy", "route53:ListQueryLoggingConfigs", "route53:GetCheckerIpRanges", "route53:ListGeoLocations", "route53:GetTrafficPolicyInstance", "route53:ListHostedZones", "route53:ListTagsForResource", "route53:ListHealthChecks", "route53:GetHostedZone", "route53:ListResourceRecordSets", "route53:GetHealthCheckCount", "route53:ListReusableDelegationSets", "route53:ListTrafficPolicyInstancesByHostedZone", "route53:GetHostedZoneLimit", "route53:ListTrafficPolicyInstances", "route53:GetTrafficPolicyInstanceCount", "route53:GetChange", "route53:ListTrafficPolicies", "route53:GetQueryLoggingConfig", "route53:GetHealthCheckStatus", "route53:GetReusableDelegationSet", "route53:ListTrafficPolicyInstancesByPolicy" 1. FortiCASB Resource List 2. Route53 profile 3. Route53 Risk assessment

SNS "sns:Get*", "sns:*" 1. FortiCASB Resource List 2. SQS profile 3. SQS Risk assessment

SNS "sns:*" 1. FortiCASB Notification’s integration with AWS SNS service

CloudWatch "cloudwatch:Describe*" 3. CloudWatch Risk assessment
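
The Permission Purpose column ties every write-capable action in the table to either the autofix feature or the SQS/SNS notification integration. The Python sketch below is an added example, not Fortinet's code: it removes those actions from a custom policy when the corresponding feature is not used and reports service-wide wildcards such as "sns:*". The function names, the sample policy and its "Resource": "*" are assumptions.

```python
import json

# Actions the table lists only for autofix.
AUTOFIX_ACTIONS = {
    "rds:ModifyDBInstance",
    "elasticloadbalancing:ModifyLoadBalancerAttributes",
    "cloudfront:UpdateDistribution",
    "kms:EnableKeyRotation",
    "iam:UpdateAccountPasswordPolicy",
    "redshift:ModifyClusterParameterGroup",
    "ec2:ModifySnapshotAttribute",
    "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
    "s3:PutBucketVersioning", "s3:PutBucketAcl", "s3:PutBucketPolicy",
    "s3:PutObjectAcl", "s3:PutObjectVersionAcl",
    "cloudtrail:StartLogging", "cloudtrail:UpdateTrail",
}
# Actions the table lists for the notification integration. "sns:*" also
# appears in the SNS read row, next to "sns:Get*", which is kept.
NOTIFICATION_ACTIONS = {
    "sqs:TagQueue", "sqs:UntagQueue", "sqs:ChangeMessageVisibility",
    "sqs:ChangeMessageVisibilityBatch", "sqs:CreateQueue", "sqs:DeleteMessage",
    "sqs:DeleteMessageBatch", "sqs:DeleteQueue", "sqs:PurgeQueue",
    "sqs:SendMessage", "sqs:SendMessageBatch", "sqs:SetQueueAttributes",
    "sns:*",
}


def _as_list(value):
    """IAM allows a single string or a list for Action and Statement."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def trim_policy(policy, keep_autofix=False, keep_notifications=False):
    """Return (trimmed policy, removed actions); the input is not modified."""
    drop = set()
    if not keep_autofix:
        drop |= {a.lower() for a in AUTOFIX_ACTIONS}
    if not keep_notifications:
        drop |= {a.lower() for a in NOTIFICATION_ACTIONS}
    statements, removed = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            statements.append(stmt)          # leave Deny / NotAction untouched
            continue
        actions = _as_list(stmt["Action"])
        kept = [a for a in actions if a.lower() not in drop]   # action names are case-insensitive
        removed += [a for a in actions if a.lower() in drop]
        if kept:                             # a statement with no actions left is dropped
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}, sorted(removed)


def service_wide_wildcards(policy):
    """Allowed actions of the form "service:*" (every action of that service)."""
    return sorted({
        a for stmt in _as_list(policy.get("Statement"))
        if stmt.get("Effect") == "Allow"
        for a in _as_list(stmt.get("Action")) if a.endswith(":*")
    })


# Constructed policy built from the RDS, KMS and SNS rows of the table.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Rds", "Effect": "Allow", "Resource": "*",
         "Action": ["rds:Describe*", "rds:DownloadDBLogFilePortion",
                    "rds:ListTagsForResource", "rds:ModifyDBInstance"]},
        {"Sid": "Kms", "Effect": "Allow", "Resource": "*",
         "Action": ["kms:List*", "kms:Describe*", "kms:Get*", "kms:EnableKeyRotation"]},
        {"Sid": "Sns", "Effect": "Allow", "Resource": "*",
         "Action": ["sns:Get*", "sns:*"]},
    ],
}

if __name__ == "__main__":
    trimmed, removed = trim_policy(SAMPLE_POLICY)
    print("removed:", removed)
    print(json.dumps(trimmed, indent=2))
```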

Copyright© 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in
the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be
trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and
other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding
commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s
General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such
event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be
limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or
development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and
guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most
current version of the publication shall be applicable.
