
Enterprise DLP Administrator’s Guide

October 2023

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2021-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
October 18, 2023

Enterprise DLP Administrator’s Guide October 2023 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Enterprise DLP Overview.................................................................................7
About Enterprise DLP.................................................................................................................8
Setup Prerequisites for Enterprise DLP...............................................................................11
Ports and FQDNs.......................................................................................................... 11
IP Addresses for Evidence Storage........................................................................... 12
What’s Supported with Enterprise DLP?............................................................................ 14
Platform Support............................................................................................................14
Supported Applications................................................................................................ 15
Supported File Types....................................................................................................24
Support for Non-File Based Traffic...........................................................................26
Data Patterns and Data Filtering Profiles................................................................26
Supported Enterprise DLP Data Profile Actions............................................................... 27
Supported Features for Enterprise DLP.............................................................................. 29
Predefined ML-Based Data Patterns....................................................................................30
Predefined Data Filtering Profiles.........................................................................................33

Set Up Enterprise DLP................................................................................... 35


Set Up the Enterprise DLP Plugin on Panorama............................................................... 36
Install the Enterprise DLP Plugin on Panorama..................................................... 36
Enable Enterprise DLP for Managed Firewalls.......................................................38
Edit the Enterprise DLP Settings............................................................................... 43
Uninstall the Enterprise DLP Plugin on Panorama................................................ 51
Register and Activate Enterprise DLP on Prisma Access (Panorama Managed).........53
Preinstallation Requirements...................................................................................... 53
Install the Enterprise DLP Plugin—New DLP Deployments................................ 53
Upgrade to the Enterprise DLP Plugin—Existing Enterprise DLP on Prisma Access Deployments..........54
Set Up Enterprise DLP on Cloud Management................................................................. 56
Enable Enterprise DLP on Cloud Management......................................................56
Edit the Enterprise DLP Snippet Settings on Cloud Management.....................60
Edit the Enterprise DLP Data Filtering Settings on Cloud Management.......... 60
Edit the Enterprise DLP Snippet Settings on the DLP App............................................ 63
Enable Exact Data Matching (EDM)..................................................................................... 64
Enable Exact Data Matching (EDM) on the DLP App...........................................64
Enable Exact Data Matching (EDM) on Cloud Management.............................. 64
Enable Role Based Access to Enterprise DLP on Cloud Management......................... 66
Enable Optical Character Recognition on Cloud Management......................................68
Enable Optical Character Recognition for Enterprise DLP............................................. 69


Configure Enterprise DLP..............................................................................71


Enterprise DLP Data Patterns................................................................................................72
Configure Regular Expressions...................................................................................72
Create a Data Pattern on the DLP App................................................................... 77
Create a Data Pattern on Cloud Management.......................................................82
Create a Data Pattern on Panorama.........................................................................90
Enterprise DLP Profiles............................................................................................................92
Create a Data Profile on the DLP App.....................................................................92
Create a Data Profile with EDM Data Sets on the DLP App.............................. 97
Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App..........103
Create a Data Profile with Nested Data Profiles on the DLP App.................. 108
Create a Data Profile on Cloud Management......................................................111
Create a Data Profile with EDM Data Sets on Cloud Management................113
Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management..........117
Create a Data Profile with Nested Data Profiles on Cloud Management...... 121
Create a Data Filtering Profile on Panorama....................................................... 124
Create a Data Filtering Profile on Panorama for Non-File Detection.............128
Update a Data Profile on the DLP App.................................................................134
Update a Data Profile on Cloud Management.....................................................135
Update a Data Filtering Profile on Panorama...................................................... 136
Configure Enterprise DLP on Cloud Management......................................................... 139
Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP..........139
Modify a DLP Rule for Prisma Access on Cloud Management........................ 139
Create a Block Response Page on Cloud Management.....................................142
Enable Existing Data Patterns and Filtering Profiles......................................................143
Configure Exact Data Matching (EDM).............................................................................145
Supported EDM Data Set Formats.........................................................................145
Set Up the EDM CLI Application............................................................................ 149
Configure Connectivity to the DLP Cloud Service..............................................153
Upload an Encrypted EDM Data Set to the DLP Cloud Service Using a Configuration File..........155
Create and Upload an Encrypted EDM Data to the DLP Cloud Service in Interactive Mode..........164
Update an Existing EDM Data Set on the DLP Cloud Service......................... 169
Enterprise DLP End User Alerting with Cortex XSOAR................................................ 173
About Enterprise DLP End User Alerting with Cortex XSOAR........................ 173
Setup Prerequisites for Enterprise DLP End User Alerting with Cortex XSOAR..........174


Set Up Enterprise DLP End User Alerting with Cortex XSOAR....................... 174
Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR..........190
View the Enterprise DLP End User Alerting with Cortex XSOAR Response History..........193
Inspection of Contextual Secrets for Chat Applications............................................... 195
About Inspection of Contextual Secrets............................................................... 195
Contextual Chat Examples........................................................................................196
Configure SaaS Security to Inspect for Contextual Secrets..............................196
Enterprise DLP and AI Apps................................................................................................ 198
How Enterprise DLP Safeguards Against ChatGPT Data Leakage.................. 198
Create a Security Policy Rule for ChatGPT.......................................................... 200
Custom Document Templates for Enterprise DLP......................................................... 209
About Custom Document Templates.....................................................................209
Upload a Custom Document Template................................................................. 210
Test a Custom Document Template.......................................................................213
Create a Data Profile to Detect Custom Documents.........................................215
Email DLP..................................................................................................................................219
How Does Email DLP Work?................................................................................... 219
Activate Email DLP..................................................................................................... 221
Onboard Microsoft Exchange Online.....................................................................222
Add an Enterprise DLP Email Policy.......................................................................257
Review Email DLP Incidents.....................................................................................263

Monitor Enterprise DLP...............................................................................265


Monitor DLP Status with the DLP Health and Telemetry App................................... 266
Access the DLP Health and Telemetry Dashboard on the DLP App.............. 266
Access the DLP Health and Telemetry Dashboard on Cloud Management..........266
Monitor DLP Service Status..................................................................................... 266
View Enterprise DLP Log Details on the DLP App........................................................ 268
Manage Enterprise DLP Incidents on the DLP App....................................................... 270
View Enterprise DLP Audit Logs on the DLP App......................................................... 272
View Enterprise DLP Log Details on Cloud Management............................................ 273
Manage Enterprise DLP Incidents on Cloud Management...........................................275
View Enterprise DLP Audit Logs on Cloud Management............................................. 277
View Enterprise DLP Log Details on Panorama..............................................................278
Save Evidence for Investigative Analysis with Enterprise DLP....................................280
Set Up SFTP Storage to Save Evidence for Panorama.......................................280
Set Up SFTP Storage to Save Evidence for Cloud Management..................... 284
Set Up Cloud Storage to Save Evidence for Panorama..................................... 288


Set Up Cloud Storage to Save Evidence for Cloud Management....................308
Download Files for Evidence Analysis on Panorama..........................................325
Download Files for Evidence Analysis on Cloud Management........................ 327

Enterprise DLP Overview
Learn more about Enterprise Data Loss Prevention (E-DLP) to strengthen your security posture by
enforcing the data security standards of your organization to prevent accidental data misuse, loss,
or theft.
• About Enterprise DLP
• Setup Prerequisites for Enterprise DLP
• What’s Supported with Enterprise DLP?
• Supported Enterprise DLP Data Profile Actions
• Supported Features for Enterprise DLP
• Predefined ML-Based Data Patterns
• Predefined Data Filtering Profiles


About Enterprise DLP


Enterprise Data Loss Prevention (E-DLP) is a set of tools and processes that allow you to protect
sensitive information against unauthorized access, misuse, extraction, or sharing.
Enterprise DLP is a cloud-based service that uses supervised machine learning algorithms to
sort sensitive documents into Financial, Legal, Healthcare, and other categories for document
classification to guard against exposures, data loss, and data exfiltration. Its data patterns can
identify sensitive information in traffic flowing through your network and protect it from
exposure.
Enterprise DLP allows you to protect sensitive data in the following ways:
• Prevent file uploads and non-file based traffic from leaking to unsanctioned web applications—
Discover and conditionally stop sensitive data from being leaked to untrusted web applications.
• Monitor uploads to sanctioned web applications—Discover and monitor sensitive data when
it’s uploaded to sanctioned corporate applications.
To help you inspect content and analyze the data in the correct context so that you can accurately
identify sensitive data and secure it to prevent incidents, Enterprise DLP is enabled through a
cloud service. Enterprise DLP supports over 1,000 data patterns and 400 predefined data profiles.
Enterprise DLP is designed to automatically make new patterns and profiles available to you for
use in Security policy rules as soon as they’re added to the cloud service.
Use the following tools to configure Enterprise DLP:
• Data Patterns—Help you detect sensitive content and how that content is being shared or
accessed on your network.
Predefined data patterns and built-in settings make it easy for you to protect data that
contain certain properties (such as document title or author), credit card numbers, regulated
information from different countries (such as driver’s license numbers), and third-party DLP
labels. To improve detection rates for sensitive data in your organization, you can supplement
predefined data patterns by creating custom data patterns that are specific to your content
inspection and data protection requirements. In a custom data pattern, you can also define
regular expressions and data properties to look for metadata or attributes in the file’s custom
or extended properties and use it in a data profile.
• Data Profiles—Power the data classification and monitor capabilities available on your managed
firewalls to prevent data loss and mitigate business risk.
Data profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data filtering profiles
have data patterns that include industry-standard data identifiers, keywords, and built-in logic
in the form of machine learning, regular expressions, and checksums for legal and financial data
patterns. When you use the data profile in a Security policy rule, the firewall can inspect the
traffic for a match and take action.
After you use the data patterns (either predefined or custom), you manage the data profiles
from Panorama. You can use a predefined data profile, or create a new profile, and add data
patterns to it. You then create security policies and apply the profiles you added to the policy
rules you create. For example, if a user uploads a file and data in the file matches the criteria
in the policy rules, the managed firewall either creates an alert notification or blocks the file
upload.
When traffic matches a data profile that a security rule is using, a data filtering log is generated.
The log entry contains detailed information about the traffic that matched one or more data
patterns in the data profile. The log details enable forensics by letting you verify when
matched data generated an alert notification or was blocked.
You view the snippets in the data filtering logs. By default, data masking partially masks the
snippets to prevent the sensitive data from being exposed. You can completely mask the sensitive
information, unmask snippets, or disable snippet extraction and viewing.
To improve detection accuracy and reduce false positives, you can also specify:
• Proximity keywords—An asset is assigned a higher accuracy probability when a keyword
is within a 200-character distance of the expression. If a document has a 16-digit number
immediately followed by Visa, that's more likely to be a credit card number. But if Visa is the
title of the text and the 16-digit number is on the last page of the 22-page document, that's
less likely to be a credit card number.
Proximity keywords aren’t case-sensitive. Multiple proximity keywords for a single data pattern
are supported.
• Confidence levels—The confidence level reflects how confident Enterprise DLP is when
detecting matched traffic. Enterprise DLP determines confidence level by inspecting the
distance of regular expressions to proximity keywords.
• Low—The proximity keyword included in the custom or predefined regex data pattern isn’t
found within 200 characters of the regular expression match, or a proximity keyword is
included in the data pattern but isn’t present in the inspected traffic at all.
When the match criteria specify a Low confidence level, Enterprise DLP still inspects for up
to 3 matches with a High confidence level.
• High—The proximity keyword included in the custom or predefined regex data pattern is
within 200 characters of the regular expression match.
When the match criteria specify a High confidence level, Enterprise DLP still inspects for up
to 3 matches with a Low confidence level.
Additionally, custom data patterns that don't include any proximity keywords to identify a
match always have both Low and High confidence level detections.
• Basic and weighted regular expressions—A regular expression (regex for short) describes how
to search for a specific text pattern and then display the match occurrences when a pattern
match is found. There are two types of regular expressions—basic and weighted.
• A basic regular expression searches for a specific text pattern. When a pattern match is
found, the service displays the match occurrences.
• A weighted regular expression assigns a score to a text entry. When the score threshold is
exceeded, the service returns a match for the pattern.
To reduce false positives and maximize the search performance of your regular expressions,
you can assign scores using the weighted regular expression builder when you create
data patterns to find and calculate scores for the information that is important to you.
Scoring applies a match threshold: when the score threshold is exceeded, for example because
enough expressions from a pattern match an asset, the asset is indicated as a match for the
pattern.
For more information, including a use case and best practices, see Configure Regular
Expressions.
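The proximity-keyword confidence levels and the weighted regular expression scoring described above, worked through as an added Python illustration that is not Palo Alto Networks code and does not reproduce the cloud service’s implementation. The pattern classes, the keyword list, the weights, the threshold and the sample text are assumptions constructed for the example; the Luhn check stands in for the built-in checksums the guide mentions for financial data patterns, and a weighted expression is counted once however often it occurs (a simplification).

```python
"""Toy model of Enterprise DLP data-pattern matching (added illustration, not
Palo Alto Networks code). Shows: basic regex patterns whose confidence level
depends on a proximity keyword within 200 characters; a Luhn checksum as the
kind of built-in check applied to financial identifiers; and weighted regex
patterns that match when the summed score reaches a threshold."""
import re
from dataclasses import dataclass, field

PROXIMITY_WINDOW = 200  # characters on either side of the regex match (per the guide)


@dataclass
class BasicPattern:
    """Constructed stand-in for a basic regex data pattern."""
    name: str
    regex: str
    proximity_keywords: list = field(default_factory=list)
    checksum: object = None  # optional callable(str) -> bool


@dataclass
class WeightedPattern:
    """Constructed stand-in for a weighted regex data pattern."""
    name: str
    weights: dict  # regex -> score added when that expression matches
    threshold: int


def luhn_valid(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def keyword_nearby(text: str, match: re.Match, keywords: list) -> bool:
    """Case-insensitive search for any keyword within PROXIMITY_WINDOW
    characters before or after the regex match."""
    lo = max(0, match.start() - PROXIMITY_WINDOW)
    hi = min(len(text), match.end() + PROXIMITY_WINDOW)
    window = text[lo:hi].lower()
    return any(k.lower() in window for k in keywords)


def scan_basic(pattern: BasicPattern, text: str) -> list:
    """Return [(matched_text, confidence_levels)] for every regex hit that
    passes the checksum. High = keyword within the window; Low = no keyword
    nearby or keyword absent from the traffic. A pattern without proximity
    keywords is reported at both levels, as the guide states."""
    hits = []
    for m in re.finditer(pattern.regex, text):
        value = m.group(0)
        if pattern.checksum and not pattern.checksum(value):
            continue  # fails the built-in checksum: not a real identifier
        if not pattern.proximity_keywords:
            levels = ("Low", "High")
        elif keyword_nearby(text, m, pattern.proximity_keywords):
            levels = ("High",)
        else:
            levels = ("Low",)
        hits.append((value, levels))
    return hits


def score_weighted(pattern: WeightedPattern, text: str) -> tuple:
    """Add the weight of each expression that matches at least once and report
    (score, matched) where matched means the score reached the threshold."""
    score = sum(w for rx, w in pattern.weights.items()
                if re.search(rx, text, re.IGNORECASE))
    return score, score >= pattern.threshold


# Constructed sample patterns and sample traffic (not from the guide).
CREDIT_CARD = BasicPattern("credit-card", r"\b\d{16}\b",
                           ["Visa", "credit card"], checksum=luhn_valid)
INVOICE = WeightedPattern("invoice",
                          {r"\binvoice\b": 2, r"\bamount due\b": 3,
                           r"\bPO number\b": 2, r"\bIBAN\b": 3},
                          threshold=5)
SAMPLE_TEXT = (
    "Card on file: Visa 4111111111111111, exp 12/27.\n"
    + "Notes: " + "lorem ipsum " * 25 + "\n"   # 300 chars: next number is >200 chars from 'Visa'
    + "Reference number 4012888888881881 appears in the appendix.\n"
    + "Ticket id 1234567890123456 is not a card number (fails Luhn)."
)

if __name__ == "__main__":
    for value, levels in scan_basic(CREDIT_CARD, SAMPLE_TEXT):
        print(f"{CREDIT_CARD.name}: {value} confidence={'/'.join(levels)}")
    print(INVOICE.name, score_weighted(INVOICE, "Invoice #1002. Amount due: $4,500. PO number 77."))
```

Running the module reports the first card number at High confidence (the keyword Visa sits 5 characters before it), the second at Low (the nearest keyword is more than 200 characters away), and drops the third because it fails the checksum; the invoice text scores 7 against a threshold of 5 and is reported as a match.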


Setup Prerequisites for Enterprise DLP


Where Can I Use This?
• Panorama
• Strata Cloud Manager

What Do I Need?
• (Panorama) Device management license
• (Panorama) Support license
• (Strata Cloud Manager) Prisma Access license
• (Strata Cloud Manager) AIOps for NGFW Premium license
• (Strata Cloud Manager) AIOps for NGFW Free license

Below are the fully qualified domain names (FQDN), network ports, and IP addresses that must be
allowed. These tables describe the network settings required to forward traffic to Enterprise Data
Loss Prevention (E-DLP) for inspection and verdict rendering, as well as the network settings
required for specific Enterprise DLP features.

Ports and FQDNs


Firewalls managed by Panorama or Strata Cloud Manager need access to the following FQDNs, with
the listed ports open on the network, to successfully forward traffic for inspection by the DLP
cloud service.

FQDNs | Ports

TCP 80:
• http://ocsp.paloaltonetworks.com
• http://crl.paloaltonetworks.com
• http://ocsp.godaddy.com
• http://crl.godaddy.com

TCP 443:
• https://api.paloaltonetworks.com
• https://apitrusted.paloaltonetworks.com
• certificatetrusted.paloaltonetworks.com
• certificate.paloaltonetworks.com
• hawkeye.services-edge.paloaltonetworks.com
• dlp.hawkeye.services-edge.paloaltonetworks.com
• ace.hawkeye.services-edge.paloaltonetworks.com
• urlcat.hawkeye.services-edge.paloaltonetworks.com
• enforcer.hawkeye.services-edge.paloaltonetworks.com

IP Addresses for Evidence Storage


Allow access to the following IP addresses on the hypervisor where you created the evidence
storage bucket to automatically store files scanned by the DLP cloud service that match your
Enterprise DLP data profile for firewalls managed by Panorama or Strata Cloud Manager.
• You must allow the Default IP addresses to successfully connect your evidence storage
bucket to Enterprise DLP.
• To automatically store inspected files, the IP addresses you need to allow depend on the
region or zone where Enterprise DLP scans the file.
• To download stored files from your evidence storage bucket, you may also need to allow the
specific user IP addresses.

Region | IP Address
APAC | 13.228.151.58, 52.74.82.77
Australia | 13.54.198.248, 52.63.9.154
Canada | 15.222.125.234, 99.59.186.42
E.U | 3.123.172.116, 52.59.186.42
India | 15.207.246.3, 3.108.103.214
U.K | 13.43.141.10, 18.169.44.228, 35.177.5.4, 52.56.54.90
(Default) U.S.A | 3.230.176.219, 3.226.106.173, 18.16.224.253, 3.16.224.253, 34.223.123.78, 52.27.148.95


What’s Supported with Enterprise DLP?


Learn about the products that support Enterprise Data Loss Prevention (E-DLP) and its features:
• Platform Support
• Supported Applications
• Supported File Types
• Support for Non-File Based Traffic
• Data Patterns and Data Filtering Profiles

Platform Support
Enterprise Data Loss Prevention (E-DLP) is supported on the following platforms. Enterprise DLP
data patterns and data filtering profiles are designed to work across all supported platforms to
provide consistent data security across all locations.
All PA-Series firewalls and VM-Series firewalls (but not CN-Series firewalls).
• Requires PAN-OS 10.0.2 or a later version.
• Requires an M-Series or Panorama virtual appliance running PAN-OS 10.0.2 or later version.
Enterprise DLP supports adding a data filtering profile to a Security policy rule or security
profile group configured on Panorama only. To successfully use Enterprise DLP, you must
configure your Security policy rule and Security Profile Group on Panorama and push these
configurations to your managed firewalls.
Enterprise DLP doesn’t support pushing an Enterprise DLP data filtering profile to your
managed firewall and referencing the data filtering profile in a Security policy rule or Security
Profile Group created locally on the firewall.
• Requires minimum Application and Threats content release version 8334 or a later version.

Upgrade to PAN-OS 10.0.3 and install Application and Threats content release version
8413 or later version for additional application support.
Prisma Access (Panorama Managed)
• Requires Prisma Access 2.0 Innovation or a later version.
• Requires an M-Series or Panorama virtual appliance running PAN-OS 10.0.2 or later version.
• Requires minimum Application and Threats content release version 8334 or a later version.

Install Application and Threats content release version 8413 or later version for
additional application support.
• DLP is an add-on license on Prisma Access (Panorama Managed). You can either start with a
60-day trial or you can purchase a license to use Enterprise DLP on Prisma Access (Panorama
Managed).
Cloud Management
• Enterprise DLP is supported on Cloud Management when using Prisma Access (Cloud
Management), SaaS Security, or both.


• DLP is an add-on license on Cloud Management when using Cloud Management from a Single
Prisma SASE Platform or Multitenant Prisma SASE Platform.
Enterprise DLP is included by default and doesn’t require a separate license when using Cloud
Management from the CASB-X Platform.
• Important: Install Panorama plugin for Enterprise DLP 1.0.6 or later release if you’re using
Enterprise DLP on Cloud Management and managing the Enterprise DLP configuration from
Panorama for Palo Alto Networks Next-Generation Firewalls (NGFW) and Prisma Access
(Panorama Managed). This is required to ensure Enterprise DLP configurations are successfully
synchronized across all your security platforms.
DLP policy enforcement on Cloud Management is supported when using Panorama to manage
your Enterprise DLP configuration.

Supported Applications
The following table displays the supported web applications and operational parameters that you
can use with Enterprise Data Loss Prevention (E-DLP). See the Supported File Types for more
information on which file types Enterprise DLP can inspect and render a verdict on across all
applications. Refer to the Palo Alto Networks Applipedia for more information on each application
App-ID.
Some application support might have a Minimum Version Requirement. The minimum version
requirement to support inspection of an application might require a minimum PAN-OS version or
an Apps & Threats content release version installed.
Some Enterprise DLP functionality is dependent on a PAN-OS release.
• Any application that supports the Non-File Inspection inspection type requires PAN-OS
10.2.3 or a later PAN-OS release.
• Any application that supports a Max File Size larger than 20 MB requires PAN-OS 10.2.4 or a
later PAN-OS 10.2 release, or PAN-OS 11.0.2 or a later release.
• Any application that supports the Download direction requires PAN-OS 10.2.4 or a later PAN-
OS 10.2 release, or PAN-OS 11.0.2 or a later release.
• To upgrade Panorama or Cloud Management:
• For Panorama, upgrade Panorama and managed firewalls to the Minimum Version
Requirement or later release.
• For Prisma Access (Panorama Managed), you must upgrade Panorama to the Minimum
Version Requirement and ensure your Prisma Access tenants are running the Minimum
Version Requirement or later release.
• For Cloud Management, a PAN-OS software upgrade in the Cloud Management
infrastructure to the Minimum Version Requirement or later release is required. You can
view the Software Version in the Cloud Management Overview.
• Review the Compatibility Matrix for the minimum plugin versions required for your target
upgrade version.


To use Gmail, you must disable the Quick UDP Internet Connection (QUIC) protocol.
Palo Alto Networks recommends that you disable QUIC in Chrome. To do so, open
chrome://flags/ in Chrome, locate Experimental QUIC Protocol, and select Disabled.

Application | App-ID | Inspection Type | Direction | Max File Size | Minimum Version Requirement (File and Non-File)
Amazon Cloud Drive Web | amazon-cloud-drive | File Inspection | Upload | 20 MB | None
Amazon S3 REST API | web-browsing | File Inspection | Upload | 20 MB | None
Apple iCloud Web | icloud | File Inspection | Upload | 20 MB | None
Asana Web | asana | File Inspection | Upload | 20 MB | None
Basecamp Web | basecamp | File Inspection | Upload | 20 MB | None
Bitrix24 Web | bitrix24 | File Inspection | Upload | 20 MB | None
Blackboard Web | blackboard | File Inspection | Upload | 20 MB | None
Blogs (e.g. Wordpress, Medium) | blog-posting | File Inspection; Non-File Inspection | Upload | 20 MB | None
Box Desktop - Business | boxnet | File Inspection | Upload; Download | 100 MB | Version 8413
Box Web | boxnet | File Inspection | Upload; Download | 100 MB | Version 8413
Canvas Web | canvas | File Inspection | Upload | 20 MB | None
Confluence Web | confluence-base; web-browsing | Non-File Inspection | Upload | N/A | 10.2.3
DocSend Web | docsend | File Inspection | Upload | 20 MB | None
Dropbox Web | dropbox | File Inspection | Upload | 100 MB | 11.1.0
Egnyte Web | egnyte | File Inspection | Upload | 20 MB | None
Evernote Web | evernote | Non-File Inspection | Upload | N/A | 10.2.3
(Images only) Facebook Web | facebook-uploading | File Inspection | Upload | 10 MB | 10.2.3
Facebook Messenger Web | facebook-chat | File Inspection | Upload; Download | 25 MB | None
FilesAnywhere Web | filesanywhere | File Inspection | Upload | 20 MB | None
Freshdesk Web | freshdesk | File Inspection | Upload | 20 MB | None
GitHub Web | github | File Inspection | Upload | 20 MB | Version 8413
Gitlab - Web-based File Attachment and Standard Traffic | gitlab | File Inspection; Non-File Inspection | Upload | 100 MB | Version 8413
Glassdoor Web | web-browsing | Non-File Inspection | Upload | N/A | 10.2.3
Gmail Web - Mail Attachments | gmail | File Inspection | Upload | 25 MB | Version 8413
Google Chat Web | google-chat | Non-File Inspection | Upload | N/A | 10.2.3
Google Cloud Platform | google-cloud-storage-base | File Inspection | Upload; Download | 100 MB | None
Google Drive Web | google-base; google-docs | File Inspection | Upload | 100 MB | 10.2.4
Google Docs Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3
Google Forms Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3
Google Meet Web | google-meet | Non-File Inspection | Upload | N/A | 10.2.3; Version 8726-8134
Google Photos Web | google-photos | File Inspection | Upload | 10 MB | 10.2.3; Version 8745-8229
Google Sheets Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3
Google Slides Web | google-docs-editing | Non-File Inspection | Upload | N/A | 10.2.3
GSuite (Export via link) | google-base | File Inspection | Download | 25 MB | 10.2.4; Version 8684-7912
Hubspot Web | hubspot | File Inspection | Upload | 20 MB | None
LinkedIn Web | linkedin | Non-File Inspection | Upload | N/A | 10.2.3; Version 8739-17204
Mendeley Web | mendeley | File Inspection | Upload | 20 MB | None
Microsoft Azure Storage | windows-azure | File Inspection | Download | 100 MB | 10.2.4 or 11.0.2; Version 8742-8215
Microsoft Excel Desktop | web-browsing | File Inspection; Non-File Inspection | Download | 26 MB | 10.2.4
Microsoft Excel Web | web-browsing | File Inspection; Non-File Inspection | Download | 26 MB | 10.2.4
Microsoft OneDrive Web - Business | office365-enterprise-access; sharepoint-online | File Inspection | Upload | 100 MB | 10.2.4; (Large file) 11.1.0
Microsoft OneDrive Desktop - | office365-enterprise-access | File Inspection | Download | 100 MB | 10.2.4; Version
8684-7912
Business
sharepoint-
online

Microsoft ms-onedrive File Upload 100 MB 10.2.4


OneDrive Inspection

Enterprise DLP Administrator’s Guide October 2023 19 ©2023 Palo Alto Networks, Inc.
Enterprise DLP Overview

Application App-ID Inspection Direction Max File Minimum


Type Size Version
Requirement
(File and Non-
File)
Desktop - Version
Personal 8684-7912

Microsoft ms-onenote File Upload 20 MB Version


OneNote Web Inspection 8413
Download
Non-File
Inspection

Microsoft ms- File Upload 100 MB Version


Outlook office365 Inspection 8673-7845
Web - Mail
(Large file)
Attachments
11.1.0

Microsoft web- File Upload 20 MB None


Power BI Web browsing Inspection

Microsoft ms- File Download 100 MB 10.2.4


PowerPoint powerpoint- Inspection
Desktop online
Non-File
Inspection

Microsoft ms- File Download 100 MB 10.2.4


PowerPoint powerpoint- Inspection
Web online
Non-File
Inspection

Microsoft office365- File Upload 100 MB None


SharePoint enterprise- Inspection
Download
Desktop access
Non-File
sharepoint- Inspection
online

Microsoft office365- File Upload 100 MB None


SharePoint enterprise- Inspection
Download
Web access
Non-File
sharepoint- Inspection
online

Microsoft ms- File Download 100 MB Version


Teams Web office365 Inspection 8742-8215

Enterprise DLP Administrator’s Guide October 2023 20 ©2023 Palo Alto Networks, Inc.
Enterprise DLP Overview

Application App-ID Inspection Direction Max File Minimum


Type Size Version
Requirement
(File and Non-
File)
ms-teams Non-File
Inspection

Microsoft ms- Non-File N/A N/A 10.2.3


Teams Desktop office365 Inspection
ms-teams

Miro Web realtimeboard File Upload 30 MB 10.2.3


Inspection
Version
8756-8298

Monday.com monday File Upload 20 MB None


Web Inspection

Naver Mail naver-mail File Upload 100 MB None


Web Inspection
Download

Naverworks web- File Upload 20 MB Version


browsing Inspection 8711-8058

Prezi Web prezi File Upload 20 MB None


Inspection

Pastebin Web pastebin Non-File Upload 20 MB 10.2.3


Inspection

Quip quip File Upload 100 MB Version


Inspection 8735-8187
Download

Salesforce Web salesforce File Upload 100 MB Version


Inspection 8413
Download

ServiceNow service-now File Upload 100 MB Version


Web Inspection 8413
Download
Non-File
Inspection

Slack Web slack File Upload 20 MB None


Inspection

Enterprise DLP Administrator’s Guide October 2023 21 ©2023 Palo Alto Networks, Inc.
Enterprise DLP Overview

Application App-ID Inspection Direction Max File Minimum


Type Size Version
Requirement
(File and Non-
File)
Non-File
Inspection

Smartsheet smartsheet- Non-File Upload N/A 10.2.3 or


Web web Inspection 11.0.0

Splunk Web web- File Upload 20 MB None


browsing Inspection
splunk

Syncplicity syncplicity File Upload 20 MB None


Web Inspection

Trello Web trello File Upload 20 MB None


Inspection

Twitter Web twitter File Upload 20 MB None


Inspection
Non-File
Inspection

Udemy Web udemy-base Non-File Upload N/A 10.2.3 or


Inspection 11.0.0
udemy-
business

Web Browsing web- File Upload 100 MB None


browsing Inspection
Non-File
Inspection

Webex webex Non-File Upload N/A Version


Desktop Inspection 8735-8187

Workday Web workday File Upload 30 MB Version


Inspection 8702-8012
Download

Workplace by workplace File Upload 20 MB None


Facebook Web Inspection
App

Enterprise DLP Administrator’s Guide October 2023 22 ©2023 Palo Alto Networks, Inc.
Enterprise DLP Overview

Application App-ID Inspection Direction Max File Minimum


Type Size Version
Requirement
(File and Non-
File)

Yahoo Web yahoo-mail- File Upload 25 MB Version


App Mail uploading Inspection 8413
Attachments
Non-File
Inspection

Yammer Web yammer File Upload 20 MB None


Inspection

Zendesk Web zendesk File Upload 50 MB 10.2.3 or


Inspection 11.0.0
Download
Non-File (Upload)
Inspection 10.2.5
Version
8757-8277

Supported AI Applications
The following table displays the supported AI web applications and operational parameters that
you can use with Enterprise Data Loss Prevention (E-DLP). Refer to the Palo Alto Networks
Applipedia for more information on each application App-ID.
• All AI apps require PAN-OS 10.2.3 or a later release.
• All AI apps support only non-file inspection unless otherwise specified.

Application | App-ID | Notes
ChatGPT Web and API | openai-chatgpt | Minimum content version 8699
Google Bard | google-bard | None
Hugging Face API | web-browsing | None
Microsoft Azure OpenAI Studio | azure-openai-studio | None
Microsoft Bing | bing-ai | None

Supported File Types


Enterprise Data Loss Prevention (E-DLP) supports the following file operations, upload
parameters, file types, and actions.
• File operations—You can upload files using HTTP and HTTPS (no FTP or SMTP) using:
• (DLP 3.0.1 and earlier releases) HTTP/1.1

Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. To inspect
uploads from these applications over HTTP/1.1, you need to create a decryption profile
and a decryption policy rule that strip the application-layer protocol negotiation
(ALPN) extension from the TLS handshake, so the application falls back to HTTP/1.1.
See Enable Enterprise DLP for Managed Firewalls for more information.
• (DLP 3.0.2 and later releases) HTTP/1.1 and HTTP/2
• Data flow—File uploads and downloads are supported. Review the supported applications to
learn the data flow direction supported for each application.

Enterprise DLP doesn't maintain a session connection to continue inspection if a file
download is paused. The DLP cloud service terminates inspection of the file when the
download operation is paused.
• Concurrent file uploads—25 concurrent file uploads are supported.
• File size—Files of up to 20 MB are supported by default. The maximum file size also applies to
extracted files. Review the Supported Applications table for the per-application maximum.
(DLP 3.0.3 and later releases) The Box Web App and Web Browsing applications support files of
up to 100 MB. All other supported applications support files of up to 20 MB.
If you use Box to upload multiple files and one or more of the files are larger than 20 MB, the
upload of all files stalls. To continue, find the files in Box that are larger than 20 MB and
click X to stop the upload of those files.

• File types—Enterprise DLP supports inspection of the following file types.
• Microsoft Office (.doc, .docx, .ppt, .pptx, .xls, .xlsx)
• Microsoft Visio (.vsd, .vsdm, .vsdx)

Requires Applications and Threats content release 8656-7766 or a later version
installed on Panorama and managed firewalls, or a Cloud Management deployment.
• .csv
• .pdf
• .rtf
• .txt
• iWork (Keynote, Numbers, Pages)

Requires Applications and Threats content release 8529 or a later version installed
on Panorama and managed firewalls, or a Cloud Management deployment.
• Image files (.jpg, .jpeg, .png, .tif, .tiff)
Detection of image files requires you to enable Optical Character Recognition (OCR) on the
DLP app or Cloud Management.
• Source Code File Types—Enterprise DLP supports inspection of the following source code
file types.
• Cfamily—C, C++, C#, Objective C
• Generic
• java
• javascript
• perl
• powershell
• python
• r
• ruby
• vbs
• verilog
• vhdl
• x86_assembly
• ZIP Files—Enterprise DLP supports inspection of ZIP and 7Z (7-Zip archiver) files
containing the supported file types listed above.
The Enterprise DLP cloud service supports a single level of compression only. It doesn't scan
multilevel compressed files: for example, the DLP cloud service can't scan and render a verdict
on the contents of a ZIP file that has itself been compressed again, or on an archive nested
inside another archive.


• Response—Block and Alert actions are supported for HTTP and HTTPS files. However, the
Block page doesn’t display the name of the file that the managed firewall blocked.
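The constraints above (supported extensions, a per-application size cap that also applies to extracted members, OCR needed for images, and one level of compression only) are what you check first when an upload produced no verdict. The pre-flight checker below is an added example written for this guide, not Palo Alto Networks code: the per-application limits in APP_MAX_BYTES are a constructed subset of the Supported Applications table, the iWork extensions are assumed, and 7Z archives are only size-checked because walking 7Z members needs a third-party library. It also handles the one edge case that trips up a naive "is the member an archive?" test: Office Open XML and iWork documents are ZIP containers themselves.

```python
"""Pre-flight check against the Enterprise DLP file constraints in this section.

Added example for this guide, not Palo Alto Networks code. APP_MAX_BYTES is a
constructed subset of the Supported Applications table; the iWork extensions
are an assumption; everything else encodes the rules stated above.
"""
import io
import zipfile
from dataclasses import dataclass, field

MB = 1024 * 1024
OFFICE_LIKE = {".doc", ".docx", ".ppt", ".pptx", ".xls", ".xlsx",
               ".vsd", ".vsdm", ".vsdx", ".key", ".numbers", ".pages"}
TEXT_LIKE = {".csv", ".pdf", ".rtf", ".txt"}
IMAGE_EXT = {".jpg", ".jpeg", ".png", ".tif", ".tiff"}   # inspected only with OCR enabled
ARCHIVE_EXT = {".zip", ".7z"}
SUPPORTED_EXT = OFFICE_LIKE | TEXT_LIKE | IMAGE_EXT
ZIP_MAGIC = b"PK\x03\x04"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Constructed subset of the per-application maximums (assumption, see the table).
APP_MAX_BYTES = {"boxnet": 100 * MB, "web-browsing": 100 * MB, "slack": 20 * MB}
DEFAULT_MAX_BYTES = 20 * MB


@dataclass
class Verdict:
    inspectable: bool
    reasons: list = field(default_factory=list)


def _ext(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def _type_problem(name, ocr_enabled):
    """Why a non-archive file with this name would not be inspected, or None."""
    ext = _ext(name)
    if ext in IMAGE_EXT and not ocr_enabled:
        return f"{name}: image file but OCR is not enabled"
    if ext not in SUPPORTED_EXT:
        return f"{name}: {ext or '(no extension)'} is not a supported file type"
    return None


def _archive_problems(name, data, limit, ocr_enabled):
    """Walk one level of a ZIP. A member that is itself an archive is the
    multilevel-compression case the cloud service does not scan."""
    if data.startswith(SEVENZ_MAGIC):
        return []   # 7Z members are not walked here (needs a third-party library)
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [f"{name}: not a readable ZIP archive"]
    problems = []
    for info in zf.infolist():
        if info.is_dir():
            continue
        member = f"{name}/{info.filename}"
        if info.file_size > limit:   # the cap applies to extracted files too
            problems.append(f"{member}: extracted size {info.file_size} exceeds {limit // MB} MB")
        with zf.open(info) as fh:
            head = fh.read(8)
        looks_like_archive = head.startswith(ZIP_MAGIC) or head.startswith(SEVENZ_MAGIC)
        # OOXML and iWork documents are ZIP containers too, so magic bytes alone
        # cannot decide; trust the extension for supported document types.
        if _ext(info.filename) in ARCHIVE_EXT or (
                looks_like_archive and _ext(info.filename) not in SUPPORTED_EXT):
            problems.append(f"{member}: nested archive, multilevel compression is not scanned")
            continue
        problem = _type_problem(info.filename, ocr_enabled)
        if problem:
            problems.append(problem)
    return problems


def check_upload(name, data, app_id, ocr_enabled=False):
    """Return a Verdict saying whether E-DLP could inspect this upload and, if not, why."""
    limit = APP_MAX_BYTES.get(app_id, DEFAULT_MAX_BYTES)
    reasons = []
    if len(data) > limit:
        reasons.append(f"{name}: {len(data)} bytes exceeds the {limit // MB} MB limit for {app_id}")
    if _ext(name) in ARCHIVE_EXT:
        reasons.extend(_archive_problems(name, data, limit, ocr_enabled))
    else:
        problem = _type_problem(name, ocr_enabled)
        if problem:
            reasons.append(problem)
    return Verdict(not reasons, reasons)


def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used only to construct sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member_name, payload in members.items():
            zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    inner = build_zip({"secret.txt": b"constructed sample content"})
    print("plain  ", check_upload("bundle.zip", build_zip({"notes.txt": b"ok"}), "boxnet"))
    print("nested ", check_upload("bundle.zip", build_zip({"inner.zip": inner}), "boxnet"))
    print("docx   ", check_upload("docs.zip", build_zip({"report.docx": inner}), "boxnet"))
```

The third case in the `__main__` block is the one to remember: a `.docx` member starts with the same `PK\x03\x04` bytes as a nested ZIP, so an archive walker that keys on magic bytes alone would wrongly report multilevel compression for every Office document inside an archive.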

Support for Non-File Based Traffic


Enterprise Data Loss Prevention (E-DLP) supports inspection of non-file based traffic for sensitive
data. A data filtering profile configured for non-file based traffic detection allows you to configure
URL and application exclusion lists to exclude specific URL and application traffic from Enterprise
DLP inspection.

Inspection of non-file based traffic is supported on Panorama running PAN-OS 10.2.1 and
later releases and Enterprise DLP plugin 3.0.1 and later releases.
To upgrade to PAN-OS 10.2.1, you must install Application and Threats content release
version 8552-7333 or later version on Panorama and managed firewalls using Enterprise
DLP. This is required to support non-file based traffic inspection.

Data Patterns and Data Filtering Profiles


Use predefined or create your own data patterns and data filtering profiles. You can duplicate
predefined and custom data patterns and data filtering profiles if you want to add, remove, or
modify data identifiers in the existing pattern or profile. However, duplication of ML-based data
patterns isn’t supported.
• Panorama running PAN-OS 10.2.3 or earlier release and DLP plugin 3.0.3 or earlier release—
A data filtering profile supports up to 10 data patterns for a Block rule and 50 data patterns for
an Alert rule.
• Panorama running PAN-OS 10.2.4 or later release and DLP plugin 3.0.4 or later release—No
limit for the number of data patterns that can be included in a data filtering profile.
• Panorama running PAN-OS 11.0.2 or later release and DLP plugin 4.0.1 or later release—No
limit for the number of data patterns that can be included in a data profile.
• Cloud Management—No limit for the number of data patterns that can be included in a data
profile.
Predefined data patterns use machine learning (ML) or regex-based detection for scanned files.
All predefined data patterns include Relevant Geographies tags provided by Palo Alto Networks.
These tags provide descriptive information to indicate whether a predefined data pattern applies
to a specific geographic region or is globally supported. For example, the predefined Source
Code - go data pattern has the Global tag because Go is a programming language used across
the globe. Conversely, the predefined ID Card - USA - Driving License data pattern has
the USA and North America tags because its match criteria are specific to this geographic region.
For the full list of all predefined ML-based patterns and all predefined data filtering profiles, see:
• Predefined ML-Based Data Patterns
• Predefined Data Filtering Profiles


Supported Enterprise DLP Data Profile Actions


Enterprise Data Loss Prevention (E-DLP) supports creating, reading, updating, and deleting data
profiles on Panorama, Prisma Access (Panorama Managed), Cloud Management, and the DLP app
on the hub.
Review the tables below to understand where a data profile can be created, viewed, updated, and
deleted based on the types of data patterns defined in the data profile.
Data profiles containing data patterns only:

Platform: Create / Read / Update / Delete
• DLP app on the hub: Not Supported
• Cloud Management, Prisma Access (Cloud Managed) and SaaS Security: Not Supported
• Prisma Access (Panorama Managed)
• Panorama

Data profiles containing only EDM data sets, or EDM data sets and data patterns:

Platform: Create / Read / Update / Delete
• DLP app on the hub: Not Supported
• Cloud Management, Prisma Access (Cloud Managed) and SaaS Security: Not Supported
• Prisma Access (Panorama Managed): Not Supported, Not Supported, Not Supported
• Panorama: Not Supported, Not Supported, Not Supported

Supported Features for Enterprise DLP


Review the list of supported Enterprise Data Loss Prevention (E-DLP) features for the
Panorama™ management server, Prisma Access (Panorama managed), Prisma Access (Cloud
Management), and SaaS Security.

Some Enterprise DLP features supported on Panorama and Prisma Access (Panorama
Managed) require access to the DLP app on the hub to enable and configure.
See Supported Enterprise DLP Data Profile Actions for more information on data
profile actions supported on Panorama, Prisma Access (Panorama Managed), Prisma
Access (Cloud Management), and SaaS Security.

• Data Profiles with data patterns only


• Data Profiles with EDM data sets and data patterns
• Data Profiles with EDM data sets only
• Non-File Based data profiles
• Optical Character Recognition (OCR)
• Exact Data Matching (EDM)
• Enterprise DLP End User Alerting with Cortex XSOAR
• Evidence Storage
• (Data Security only) Inspection of Contextual Secrets for Chat Applications
• (Data Security, CASB, and CASB-X only) Email DLP


Predefined ML-Based Data Patterns


The following are the predefined data patterns available with Enterprise Data Loss Prevention
(E-DLP) that use machine learning (ML) detection for scanned files. Review the Supported
Applications to learn more about the maximum file sizes Enterprise DLP supports.
• API Access Token
• Bank - Bankruptcy Filings
• Bank - Statements
• Application Credential
• Cloud DB Credential
• Driver License - US
All predefined Driver License - US data patterns are regex data patterns augmented by ML
detection methods.
• Encoded - Arabic
• Encoded - Chinese
• Encoded - Japanese
• Encoded - Korean
• Encrypted - Microsoft AIP
• Encrypted - Standard
• Financial - Financial Accounting
• Financial - Form 1040
• Financial - Form 1099
• Financial - Form 1120
• Financial - Form W-2
• Financial - Form W-9
• Financial - Generic
• Financial - Paystubs
• Financial - Personal Finance
• Health - Generic
• Financial - Invoice
• Health - ICD9
• Health - ICD10
• Health - NPI
• Health - Unstructured PHI
• (OCR Required) ID Card - Austria - Driving License
• (OCR Required) ID Card - Bulgaria - Driving License


• (OCR Required) ID Card - Canada - Driving License


• (OCR Required) ID Card - Canada - Social Insurance Number
• (OCR Required) ID Card - Czech Republic - Driving License
• (OCR Required) ID Card - Denmark - Driving License
• (OCR Required) ID Card - Finland - Driving License
• (OCR Required) ID Card - Germany - Driving License
• (OCR Required) ID Card - India - Aadhar Card
• (OCR Required) ID Card - India - PAN Card
• (OCR Required) ID Card - Italy - Driving License
• (OCR Required) ID Card - Lithuania - Driving License
• (OCR Required) ID Card - Luxembourg - Driving License
• (OCR Required) ID Card - Malta - Driving License
• (OCR Required) ID Card - Netherlands - Driving License
• (OCR Required) ID Card - Poland - Driving License
• (OCR Required) ID Card - Spain - Driving License
• (OCR Required) ID Card - Sweden - Driving License
• (OCR Required) ID Card - UK - Driving License
• (OCR Required) ID Card - UK - National Insurance Number
• (OCR Required) ID Card - US - Passport
• (OCR Required) ID Card - USA - Credit Card
• (OCR Required) ID Card - USA - Driving License
• (OCR Required) ID Card - USA - Social Security Number
• Legal - Contractual Agreements
• Legal - Generic
• Legal - Lawsuits
• Legal - Merger and acquisition
• Legal - Patent Filings
• Legal - Standard Business Agreements
• Password Protected - file
• Private Key
• Source Code - Cfamily
• Source Code - Generic
• Source Code - go
• Source Code - java
• Source Code - javascript


• Source Code - perl


• Source Code - powershell
• Source Code - python
• Source Code - r
• Source Code - ruby
• Source Code - swift
• Source Code - vbs
• Source Code - verilog
• Source Code - vhdl
• Source Code - x86_assembly


Predefined Data Filtering Profiles


The following table describes the predefined data filtering profiles provided with Enterprise Data
Loss Prevention (E-DLP):

Predefined Data Filtering Profile | Scans For
Bulk CCN | Credit card numbers or Voyager credit card numbers (more than 100).
CCPA | California Consumer Privacy Act compliance.
Commonwealth of Australia - The Privacy Act of 1988 | Detects medical conditions or diseases and lifestyle keywords that relate to medical conditions when found with PII data such as TFN and Passport.
Corporate Financial Docs | Financial accounting and generic financial information.
Financial Information | Bank statements, bank routing numbers, credit card numbers (strict checking), bankruptcy filings.
GDPR | Driver's License numbers, Tax IDs, National IDs, Passport numbers.
Gramm-Leach-Bliley Act (GLBA) | Credit card numbers, Voyager credit card numbers, magnetic stripe information, Tax ID-US (TIN), National ID-US, Social Security Number (SSN).
Healthcare | Clinical Laboratory Improvement Amendments (CLIA) numbers, Drug Enforcement Administration (DEA) numbers, and other healthcare documents.
HIPAA | Scans for National ID - US, Social Security Number - SSN, US - Name, Date of Birth, Medical Condition, Address - US. Identifies medical conditions or diseases, impairments listed under Social Security for the purposes of disability evaluation, and lifestyle keywords that relate to medical conditions.
Intellectual Property | Source code, AWS secret keys, access keys, company confidential.
Intellectual Property - Basic | Source code, AWS secret keys, access keys, company confidential. This profile contains a subset of the data patterns included in the Intellectual Property data filtering profile.
Legal | Legal documents including lawsuits, M&A, standard business agreements, patents, bankruptcy filings.
Personal Health Information (PHI) | Medical codes: ICD-9, ICD-10, NPI codes, Clinical Laboratory Improvement Amendments (CLIA) number, Drug Enforcement Administration (DEA) number, and more.
PHIPA | Identifies medical conditions or diseases and lifestyle keywords that relate to medical conditions. Detects whether a Healthcare ID is present with other medical or PII data.
PIPEDA | Detects whether highly sensitive information such as SIN, Passport, or CCN exists with other PII or PCI.
Personally-Identifiable Information (PII) | Tax IDs, National IDs, Passport numbers, and Driver's License numbers.
Personally-Identifiable Information (PII) - Basic | Tax IDs and National IDs.
POPIA | Detects personally identifiable information such as Driver's License, National ID, Passport Number, and Tax ID for South Africa.
Profanity | Censored, personal, includes/excludes, homophobic, sexual.
Secrets and Credentials | Cloud database credentials, application credentials, API access tokens, private keys, miscellaneous secret keys.
Self Harm | Suicidal intentions.
Sensitive Content | National ID, bank information, AWS secret keys or access keys, company confidential, CCN.
SOX | Identifies financial content such as invoices, personal finance, financial accounting.
U.K. PIOCP | Tax IDs or National IDs.

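Several of the profiles above key on credit card numbers: Bulk CCN triggers only on more than 100 of them, and Financial Information applies "strict checking". The earlier Data Patterns and Data Filtering Profiles section also shows that a profile pairs data patterns with a Block rule and an Alert rule. The script below is an added illustration for this guide, not Palo Alto Networks code and not the product's detector; it shows the shape of such a rule: a regex proposes candidates, a Luhn check discards digit runs that cannot be valid card numbers (the strict check), and an occurrence count selects Alert or Block. The regex, the thresholds, and the sample numbers it generates are this example's own.

```python
"""Occurrence-threshold evaluation for a credit-card data pattern.

Added illustration for this guide, not Palo Alto Networks code and not the
product's detector. The regex, the Luhn filter and the thresholds (Alert on
one match, Block on more than 100, mirroring the Bulk CCN profile) are this
example's own constructed approximation of how a data filtering profile turns
pattern matches into an action.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer word or digit run.
CCN_CANDIDATE = re.compile(r"(?<!\w)(?:\d[ -]?){12,18}\d(?!\w)")


def luhn_ok(digits):
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_ccns(text):
    """Return the Luhn-valid candidates found in text, digits only."""
    found = []
    for m in CCN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


# Constructed profile: occurrence threshold per action, highest matching action wins.
PROFILE = {"block": 101, "alert": 1}


def evaluate(text, profile=PROFILE):
    """Map the match count to the action the profile would take: block, alert or allow."""
    count = len(find_ccns(text))
    if count >= profile["block"]:
        return "block", count
    if count >= profile["alert"]:
        return "alert", count
    return "allow", count


def sample_pan(i):
    """Constructed, Luhn-valid 16-digit test number: 4, zero-padded i, check digit."""
    body = f"4{i:014d}"
    for check in "0123456789":
        if luhn_ok(body + check):
            return body + check
    raise AssertionError("unreachable: exactly one check digit satisfies Luhn")


if __name__ == "__main__":
    print(evaluate("invoice paid with 4111 1111 1111 1111 on 2023-10-18"))   # alert, 1
    print(evaluate("ticket 4111 1111 1111 1112 is not a card"))              # allow, 0
    print(evaluate("\n".join(sample_pan(i) for i in range(101))))            # block, 101
```

The Luhn step is what separates a 16-digit order number from a card number; without it, the Bulk CCN threshold would be reached by any export containing a column of identifiers. The regex deliberately refuses to match a digit run longer than 19 or one glued to other word characters, and it only bridges single spaces or dashes, so a dump with one number per line counts each number exactly once.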
Set Up Enterprise DLP
Install and configure Enterprise Data Loss Prevention (E-DLP) on your Panorama™
management server and Prisma Access (Panorama Managed). Additionally, define access
privileges for Enterprise DLP on Cloud Management.

Review the Enterprise DLP Limitations before you set up Enterprise DLP on Panorama or
Cloud Management, or register and activate Enterprise DLP on Prisma Access (Panorama
Managed).

• Set Up the Enterprise DLP Plugin on Panorama


• Register and Activate Enterprise DLP on Prisma Access (Panorama Managed)
• Set Up Enterprise DLP on Cloud Management
• Edit the Enterprise DLP Snippet Settings on the DLP App
• Enable Exact Data Matching (EDM)
• Enable Role Based Access to Enterprise DLP on Cloud Management
• Enable Optical Character Recognition on Cloud Management
• Enable Optical Character Recognition for Enterprise DLP


Set Up the Enterprise DLP Plugin on Panorama


Install and enable the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama
management server to successfully use Enterprise DLP for your managed firewalls.
• Install the Enterprise DLP Plugin on Panorama
• Enable Enterprise DLP for Managed Firewalls
• Edit the Enterprise DLP Settings
• Uninstall the Enterprise DLP Plugin on Panorama

Install the Enterprise DLP Plugin on Panorama


To install the Enterprise Data Loss Prevention (E-DLP) plugin on your Panorama™ management
server and managed firewalls, first download the plugin from the Palo Alto Networks Customer
Support Portal, upload the plugin to Panorama, and then install it. You must install the plugin on
Panorama and your managed firewalls before you can use Enterprise DLP.

Your existing data patterns (Objects > Custom Objects > Data Patterns) and data filtering
profiles (Objects > Security Profiles > Data Filtering) are automatically hidden after you
successfully install the Enterprise DLP plugin on your Panorama management server. To
display your existing data patterns and filtering profiles when you need to reference them,
you can temporarily Enable Existing Data Patterns and Filtering Profiles.

STEP 1 | (Best Practices) Before you install the plugin and activate your Enterprise DLP license, select
Assets > Devices to locate your Panorama management server and your managed firewalls
to verify that they all belong to the same CSP account.
Panorama and any managed firewalls on which you want to use Enterprise DLP must belong
to the same CSP account, which enables you to share data profiles and maintain consistent
Security policy rule enforcement.

STEP 2 | Install the Panorama Device Certificate.

STEP 3 | Install the Device Certificate for Managed Firewalls.


The device certificate is required for all managed firewalls using Enterprise DLP.

STEP 4 | Install the plugin on Panorama.


1. Log in to the Panorama web interface.
2. Select Panorama > Plugins and search for the latest version of the Enterprise DLP plugin.
3. Download and Install the Enterprise DLP plugin on Panorama.


STEP 5 | Commit and push the new configuration to your managed firewalls to complete the
Enterprise DLP plugin installation.
This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering
logs.

The Commit and Push command isn't recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 6 | Activate your Enterprise DLP license on the Palo Alto Networks Customer Support Portal
(CSP).
Repeat this step for all managed firewalls using Enterprise DLP.
1. Log in to the Palo Alto Networks Customer Support Portal.
2. Select Assets > Devices and edit (Actions column) the appropriate asset.
3. In the Device Licenses window, Activate Auth-Code and then enter the Authorization
Code (auth code).
The auth code is provided to you by Palo Alto Networks in an email after you complete
your purchase of the Enterprise DLP plugin license.
4. Agree and Submit your auth code.

STEP 7 | (Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license
to transfer between firewalls.
Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP
license to other managed firewalls.
In the support ticket, include the following information:
• The request for a firewall transfer for the Enterprise DLP license.
• Your CSP account ID and the email associated with your CSP account.
• The managed firewall serial number. If you activated the Enterprise DLP license on multiple
managed firewalls, include the serial numbers for all the managed firewalls in a single
support ticket.
• The auth codes used to activate the Enterprise DLP license on your managed firewalls.
• Also provide the CSP account ID with which additional managed firewalls are associated if
you have managed firewalls that belong to a different CSP account.


STEP 8 | Activate the Enterprise DLP plugin on your managed firewalls.


1. Select Panorama > Device Deployment > License and Activate the Enterprise DLP
plugin.
2. Enter the Auth Code for the target managed firewalls.
The auth code is automatically provided to you by Palo Alto Networks in an email after
you complete your purchase of the Enterprise DLP plugin license.
3. Activate the Enterprise DLP plugin license on your managed firewalls.

STEP 9 | Select Objects > DLP > Data Filtering Profiles and verify that the predefined data filtering
profiles are displayed.
Panorama is automatically populated with predefined data filtering profiles when the
Panorama management server successfully connects to the DLP cloud service.

STEP 10 | Verify that the Enterprise DLP license is successfully activated on your managed firewalls.
1. Launch the firewall web interface.
2. Select Device > Licenses and verify that the license is successfully activated.

STEP 11 | After you successfully install the Enterprise DLP plugin on the Panorama management
server, you must create Security policy rules to enable your managed firewalls to leverage
Enterprise DLP.

Enable Enterprise DLP for Managed Firewalls


Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. When running
PAN-OS 10.2.2 and earlier releases, you must create a decryption profile and a decryption
policy rule to strip the application-layer protocol negotiation (ALPN) extension from the TLS
handshake so that these applications fall back to HTTP/1.1. Complete these steps to configure
your managed firewalls to successfully use Enterprise Data Loss Prevention (E-DLP).
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Log in to the Panorama web interface.


STEP 3 | Configure the proxy server settings to enable Panorama to successfully communicate with
the Enterprise DLP cloud service.

This step is required if using a proxy server for your Panorama management server.
Continue to the next step if you aren’t using a proxy server or have already configured
your Panorama proxy server settings.

1. Select Panorama > Setup > Services and edit the Services settings.
2. Configure the proxy server settings.
• Server—IP address or hostname of the proxy server.
• Port—Port for the proxy server.
• User—Administrator username to access the proxy server.
• Password—Password for the user to access the proxy server. Reenter the password
to Confirm Password.
• (Optional) Use proxy to fetch logs from Cortex Data Lake—If you’re using Cortex
Data Lake for log storage, enable this setting.
3. Click OK.


STEP 4 | (Best Practices) Create a service route to enable firewalls to connect to the internet.
Palo Alto Networks recommends configuring a service route to ensure a high level of
performance for Next-Gen firewalls using Enterprise DLP.
By default, matched traffic is sent to the DLP cloud service for inspection through the
management interface. Configuring a service route allows you to dedicate a specific Ethernet
interface from which to send matched traffic to the DLP cloud service.
For a multi-vsys firewall, the service route is a global configuration and is applied to all vsys of
a multi-vsys firewall regardless of which vsys the service route belongs to.

Create a service route for all supported firewall models running PAN-OS 10.1 or a
later release.

1. Select Device > Setup > Services and select the template that contains the Enterprise
DLP configuration.
2. Select Service Route Configuration in the Service Features and select Customize.
3. Select Data Services and configure the Source Interface and Source Address.
The source interface must have internet connectivity. See Configure Interfaces and
Create an Address Object for more information on creating the source interface and
address.
4. Enable Data Services and click OK.
5. Select Device > Setup > Content-ID and copy the Content Cloud Settings FQDN in the
Service URL section.
6. Select Policies > Security and Add a Security policy rule that allows addresses to the
Content Cloud Settings FQDN.

STEP 5 | Add a Security policy rule for dataplane service route traffic from the 127.168.0.0/16
source address to allow traffic originating from the firewall dataplane.
You're required to create this Security policy rule to enable the DLP cloud service to
successfully scan files in specific scenarios. You can skip this step if neither of the two
scenarios below regarding the intrazone-default Security policy rule applies to your
configuration.
• You created a cleanup Deny Security policy rule that precedes the intrazone-default
Security policy rule, so the intrazone-default rule (action Allow) is never reached.
• You modified the intrazone-default Security policy rule action from Allow to Deny.

STEP 6 | (Required for DLP 3.0.1 and earlier releases only) Create a decryption profile to remove
application-layer protocol negotiation (ALPN) headers from uploaded files.
Enterprise DLP supports HTTP/1.1. Some applications, such as SharePoint and OneDrive,
support HTTP/2 for uploads by default. Strip ALPN is required to force applications that use
HTTP/2 to fall back to HTTP/1.1, which makes them compatible with Enterprise DLP.
1. Select Objects > Decryption > Decryption Profile and specify the Device Group.
2. Add a new decryption profile.
3. Specify a descriptive Name.
4. (Optional) Enable the Shared option to make this decryption profile available across all
device groups.
5. Select SSL Decryption > SSL Forward Proxy and enable Strip ALPN in the Client
Extension.
6. Click OK.

STEP 7 | (Required for DLP 3.0.1 and earlier releases only) Create a policy rule to remove ALPN
headers from uploaded files.
1. Select Policies > Decryption and specify the Device Group.
2. Add a new decryption policy rule and configure as appropriate.
3. Select Options.
4. For the Action, select Decrypt.
5. Select the Decryption Profile you created.
6. Click OK.

STEP 8 | Disable the Quick UDP Internet Connection (QUIC) protocol to deny traffic on ports 80 and
443.
Many supported web applications, such as Gmail, require that you disable the QUIC protocol
for Enterprise DLP to function correctly.
1. Select Policies > Security and specify the Device Group.
2. Add a Security policy rule that denies traffic that uses the quic application.
3. Select Objects > Services and specify the Device Group.
4. Add two services: one for UDP on port 80 and one for UDP on port 443.
Newer versions of QUIC might be misidentified as unknown-udp. To account for this,
Palo Alto Networks recommends that you add an additional Security policy rule to deny
UDP traffic on those ports.
5. Select Policies > Security and specify the Device Group.
6. Add a Security policy rule that includes the services you created to deny traffic to UDP
ports 80 and 443.
When complete, you will have two Security policy rules: one that blocks the QUIC
protocol and one that blocks UDP traffic on ports 80 and 443.
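The two rule sets above (the 127.168.0.0/16 dataplane allow rule from STEP 5 and the QUIC and UDP 80/443 deny rules from STEP 8) are easy to get wrong in a large rulebase, most often by leaving the dataplane allow rule below a cleanup deny. The following checker is an added example, not Palo Alto Networks tooling; it reads a device-group export and reports which prerequisite is missing or misordered. The XML layout (device-group, pre-rulebase/security/rules, service objects) follows the PAN-OS configuration schema as understood by the author of this example and is an assumption, and the embedded configuration is constructed sample data rather than a real export.

```python
"""Check an exported Panorama device-group configuration for the Security policy
prerequisites described in STEP 5 and STEP 8: an allow rule for the 127.168.0.0/16
dataplane source placed before any cleanup deny rule, a deny rule for the quic
application, and deny rules covering UDP ports 80 and 443.

Added example, not Palo Alto Networks tooling. The XML layout (device-group,
pre-rulebase/security/rules, service objects) follows the PAN-OS configuration
schema as understood by the author of this example and is an assumption; the
embedded configuration is constructed sample data, not a real export.
"""
import xml.etree.ElementTree as ET

DATAPLANE_SOURCE = "127.168.0.0/16"

# Constructed sample: one device group with the STEP 5 and STEP 8 rules in place.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><device-group>
<entry name="dlp-dg">
  <service>
    <entry name="udp-80"><protocol><udp><port>80</port></udp></protocol></entry>
    <entry name="udp-443"><protocol><udp><port>443</port></udp></protocol></entry>
  </service>
  <pre-rulebase><security><rules>
    <entry name="allow-dlp-dataplane">
      <source><member>127.168.0.0/16</member></source>
      <application><member>any</member></application>
      <service><member>any</member></service><action>allow</action>
    </entry>
    <entry name="block-quic">
      <source><member>any</member></source>
      <application><member>quic</member></application>
      <service><member>application-default</member></service><action>deny</action>
    </entry>
    <entry name="block-udp-80-443">
      <source><member>any</member></source>
      <application><member>any</member></application>
      <service><member>udp-80</member><member>udp-443</member></service><action>deny</action>
    </entry>
    <entry name="cleanup-deny">
      <source><member>any</member></source>
      <application><member>any</member></application>
      <service><member>any</member></service><action>deny</action>
    </entry>
  </rules></security></pre-rulebase>
</entry></device-group></entry></devices></config>"""


def _members(entry, path):
    return [m.text for m in entry.findall(f"./{path}/member")]


def load_device_group(xml_text, device_group):
    """Return (ordered security rules, {service name: UDP port}) for one device group."""
    root = ET.fromstring(xml_text)
    dg = root.find(f"./devices/entry/device-group/entry[@name='{device_group}']")
    if dg is None:
        raise ValueError(f"device group {device_group!r} not found")
    rules = [{"name": e.get("name"), "source": _members(e, "source"),
              "application": _members(e, "application"), "service": _members(e, "service"),
              "action": e.findtext("./action")}
             for e in dg.findall("./pre-rulebase/security/rules/entry")]
    udp_services = {s.get("name"): s.findtext("./protocol/udp/port")
                    for s in dg.findall("./service/entry")
                    if s.find("./protocol/udp/port") is not None}
    return rules, udp_services


def _is_cleanup_deny(rule):
    return (rule["action"] == "deny" and rule["source"] == ["any"]
            and rule["application"] == ["any"] and rule["service"] == ["any"])


def check_dlp_rulebase(xml_text, device_group):
    """Return a list of findings; an empty list means both prerequisites are met."""
    rules, udp_services = load_device_group(xml_text, device_group)
    findings = []
    # STEP 5: the dataplane allow rule must exist and sit above the cleanup deny,
    # otherwise the earlier (deny) rule matches first.
    allow_idx = next((i for i, r in enumerate(rules)
                      if DATAPLANE_SOURCE in r["source"] and r["action"] == "allow"), None)
    cleanup_idx = next((i for i, r in enumerate(rules) if _is_cleanup_deny(r)), None)
    if allow_idx is None:
        findings.append(f"no allow rule for dataplane source {DATAPLANE_SOURCE}")
    elif cleanup_idx is not None and cleanup_idx < allow_idx:
        findings.append(f"cleanup deny rule {rules[cleanup_idx]['name']!r} precedes "
                        f"the {DATAPLANE_SOURCE} allow rule")
    # STEP 8: deny the quic application, and deny UDP 80/443 because newer QUIC
    # versions may be identified as unknown-udp rather than quic.
    if not any("quic" in r["application"] and r["action"] == "deny" for r in rules):
        findings.append("no deny rule for the quic application")
    denied_udp_ports = {udp_services[svc] for r in rules if r["action"] == "deny"
                        for svc in r["service"] if svc in udp_services}
    for port in ("80", "443"):
        if port not in denied_udp_ports:
            findings.append(f"no deny rule covering UDP port {port}")
    return findings


if __name__ == "__main__":
    for line in check_dlp_rulebase(SAMPLE_CONFIG, "dlp-dg") or ["all prerequisites met"]:
        print(line)
```

Point it at your own export by replacing `SAMPLE_CONFIG` with the file contents and `dlp-dg` with the device group that holds your Enterprise DLP rules; the checker only reads the pre-rulebase, so post-rules and locally defined firewall rules are outside what it sees.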

STEP 9 | Create a Data Pattern on Panorama.

STEP 10 | Create a Data Filtering Profile on Panorama.

STEP 11 | Attach the data filtering profile to a Security policy rule. If needed, create a Security policy
rule.
To downgrade your Panorama management server to an earlier PAN-OS version that doesn’t
support Enterprise DLP, you must remove all Enterprise DLP data patterns and data filtering
profiles referenced in your Security policy rules. Consider this when creating and organizing
your policy rules that reference Enterprise DLP data patterns and filtering profiles.
For example, create a device group to contain all your Security policy rules that contain
references to Enterprise DLP data patterns and filtering profiles. This enables you to quickly
modify relevant policy rules should you need to downgrade your Panorama management
server to PAN-OS 10.0.1 or an earlier PAN-OS version.
1. Select Policies > Security > Pre Rules and specify the Device Group.
2. Select the Security policy rule to which you want to add the data filtering profile.
3. Select Actions and set the Profile Type to Profiles.
4. Select the Data Filtering profile you created.
5. Click OK.

STEP 12 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Edit the Enterprise DLP Settings


Edit the Enterprise Data Loss Prevention (E-DLP) settings to change the Cloud Content Settings
for file scanning, configure the data filtering settings, and configure how much sensitive data is
masked in DLP snippets.
• Edit the Cloud Content Settings
• Edit the Enterprise DLP Data Filtering Settings
• Edit the Enterprise DLP Non-File Data Filtering Settings
• Edit the Enterprise DLP Snippet Settings
• Edit the Enterprise DLP Action on Error Setting

Edit the Cloud Content Settings


By default, Enterprise Data Loss Prevention (E-DLP) is configured using a Cloud Content Fully
Qualified Domain Name (FQDN) that automatically resolves to the closest Cloud Services server
to inspect matching traffic. If you have specific data residency requirements, you can specify
a regional Cloud Services server by editing the Cloud Content FQDN to which your
Enterprise DLP traffic is sent for inspection.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Device > Setup > Content-ID and select the Template associated with the managed
firewalls using Enterprise DLP.

STEP 3 | Edit the Cloud Content FQDN.


1. Edit the Cloud Content Settings.
2. Modify the Public Cloud Server based on your data residency requirements.
Enterprise DLP data and data processing, including Incidents, reports, and DLP verdicts,
are generated in the specified Public Cloud Server region. Enterprise DLP is configured
to resolve to the closest Public Cloud Server by default.
• Default—hawkeye.services-edge.paloaltonetworks.com
The default Public Cloud Server automatically resolves to the closest Public Cloud
Server to where the inspected traffic originated. If a new Public Cloud Server is
deployed in a region closer to where the inspected traffic originated, Enterprise DLP
data and data processing is generated in that new region.
• APAC—apac.hawkeye.services-edge.paloaltonetworks.com
• Australia—au.hawkeye.services-edge.paloaltonetworks.com
• Canada—ca.hawkeye.services-edge.paloaltonetworks.com
• Europe—eu.hawkeye.services-edge.paloaltonetworks.com
• India—in.hawkeye.services-edge.paloaltonetworks.com
• Japan—jp.hawkeye.services-edge.paloaltonetworks.com
• United States—us.hawkeye.services-edge.paloaltonetworks.com
• United Kingdom—uk.hawkeye.services-edge.paloaltonetworks.com
3. Click OK.

STEP 4 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Edit the Enterprise DLP Data Filtering Settings


Configure the network settings for files scanned to the Enterprise Data Loss Prevention (E-DLP)
cloud service and specify the actions the firewall using Enterprise DLP takes if the data filtering
settings are exceeded.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Device > Setup > DLP and select the Template associated with the managed firewalls
using Enterprise DLP.

STEP 3 | Edit the Data Filtering Settings.


1. Specify the Max Latency (sec) for a file upload before an action is taken by the firewall.

For inspection of files greater than 20 MB, Palo Alto Networks recommends
setting the max latency to greater than 60 seconds.
2. Specify the Action on Max Latency (Block or Allow) the firewall takes if no verdict was
received for a file upload due to the upload time exceeding the Max Latency.

Selecting Block applies only to Enterprise DLP data filtering profiles
configured to block files. This setting doesn’t impact Enterprise DLP data
filtering profiles configured to alert when traffic containing sensitive data is
scanned.
3. Specify the Max File Size (MB) to enforce a maximum file size for files uploaded to the
DLP cloud service for inspection.
4. Specify the Action on Max File Size (Block or Allow) the firewall takes if no verdict was
received for a file upload due to the file size being larger than the configured Max File
Size.

Selecting Block applies only to Enterprise DLP data filtering profiles
configured to block files. This setting doesn’t impact Enterprise DLP data
filtering profiles configured to alert when traffic containing sensitive data is
scanned.

(DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering
settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3
plugin installed is supported only from the Panorama CLI.

admin> configure
admin# set template <template_name> config shared dlp-settings max-file-size <1 - 100>

5. Check (enable) Log Files Not Scanned to generate an alert in the data filtering log when
a file can’t be scanned to the DLP cloud service.
6. Click OK to save your configuration changes.

STEP 4 | Edit the Enterprise DLP Action on Error Setting to configure the action the firewall takes if
any error is encountered during non-file traffic data upload.

STEP 5 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

While performing a Commit and Push is supported, it isn’t recommended for
Enterprise DLP configuration changes and requires you to manually select the
impacted templates and managed firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.

Edit the Enterprise DLP Non-File Data Filtering Settings


Configure the network settings for non-file based traffic scanned to the Enterprise Data Loss
Prevention (E-DLP) cloud service and specify the actions the firewall using Enterprise DLP
takes. Editing the Enterprise DLP non-file data filtering settings is supported on the Panorama™
management server running PAN-OS 10.2.1 or later release with Panorama plugin for Enterprise
DLP 3.0.1 or later release.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Device > Setup > DLP and select the Template associated with the managed firewalls
using Enterprise DLP.

STEP 3 | Edit the Non-File Data Filtering Settings.


1. Verify that Enable Non File DLP is checked (enabled).
Non-File DLP is enabled by default when you install Panorama plugin for Enterprise DLP
3.0.1.
2. Specify the Max Latency (sec) for a non-file data upload, which is the allowable upload
time before an action is taken by the firewall.
3. Specify the Action on Max Latency (Allow or Block) the firewall takes if no verdict
was received for a non-file traffic data upload due to the upload time exceeding the
configured Max Latency.

Selecting Block applies only to Enterprise DLP data filtering profiles
configured to block non-file data. This setting doesn’t impact Enterprise DLP
filtering profiles configured to alert when traffic containing sensitive data is
scanned.
4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned
by the DLP cloud service.
5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be
scanned by the DLP cloud service.
6. Specify the Action on Data File Size (Allow or Block) the firewall takes if no verdict was
received for a non-file traffic data upload due to the traffic data size being larger than
the configured Max Data Size.

Selecting Block applies only to Enterprise DLP data filtering profiles
configured to block non-file data. This setting doesn’t impact Enterprise DLP
data filtering profiles configured to alert when traffic containing sensitive data is
scanned.
7. Check (enable) Log Data Not Scanned to generate an alert in the data filtering log when
non-file data can’t be scanned by the DLP cloud service.
8. Click OK to save your configuration changes.

STEP 4 | Edit the Enterprise DLP Action on Error Setting to configure the action the firewall takes if
any error is encountered during non-file traffic data upload.

STEP 5 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

While performing a Commit and Push is supported, it isn’t recommended for
Enterprise DLP configuration changes and requires you to manually select the
impacted templates and managed firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.

Edit the Enterprise DLP Snippet Settings


Configure firewalls to store snippets of sensitive data that match your Enterprise DLP data
patterns in the DLP cloud service and configure how to mask the sensitive data if stored.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Panorama > DLP > Configuration and edit the Snippet Settings.

STEP 3 | Check (enable) Store Snippets of Sensitive Data to store the snippets of sensitive data that
match your Enterprise DLP data patterns in the DLP cloud service.

STEP 4 | Configure how to Mask Sensitive Field for storage in the DLP cloud service.
• no-mask—Matched sensitive data snippet isn’t masked and entirely visible when stored in
the DLP cloud service.
• partial-mask—Matched sensitive data snippet is partially masked displaying four characters
when stored in the DLP cloud service.
• full-mask—Matched sensitive data snippet is fully masked when stored in the DLP cloud
service.

STEP 5 | Click OK to save your configuration changes.

STEP 6 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

While performing a Commit and Push is supported, it isn’t recommended for
Enterprise DLP configuration changes and requires you to manually select the
impacted templates and managed firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.

Edit the Enterprise DLP Action on Error Setting


Configure the action the firewall using Enterprise Data Loss Prevention (E-DLP) takes if an error
is encountered when a file is scanned by the DLP cloud service. Editing the Enterprise DLP action
on error settings is supported on the Panorama™ management server running PAN-OS 10.2.1 or
later release with Panorama plugin for Enterprise DLP 3.0.1 or later release.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Device > Setup > DLP and select the Template associated with the managed firewalls
using Enterprise DLP.

STEP 3 | Edit the DLP Settings.

STEP 4 | Specify the Action on any Error the firewall takes if an error is encountered during
upload to the DLP cloud service.
• Select Allow (default) to continue uploading if the firewall experiences any type of error.
• Select Block to stop uploading if the firewall experiences any type of error.
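The file data filtering settings, the non-file data filtering settings and the Action on any Error setting described in the preceding sections interact in ways that are easy to misread, in particular that Block on a missing verdict only takes effect for profiles configured to block, and that the error action defaults to Allow (fail open). The following model is an added example, not Palo Alto Networks code; it combines those documented settings into one decision for a single upload so the outcome of each configuration can be tabulated before it is pushed. The order in which the checks run, the handling of non-file data below Min Data Size, and the treatment of the error action for alert-only profiles are assumptions, since the page does not specify them.

```python
"""Decision model for the Enterprise DLP data filtering settings: Max Latency and
Action on Max Latency, Max File Size / Min and Max Data Size with their actions,
Log Files (Data) Not Scanned, and the Action on any Error setting.

Added example, not Palo Alto Networks code. Assumptions: checks run in the order
error, min size, max size, latency, verdict; uploads below Min Data Size pass
without a log entry; Action on any Error is applied as configured because the
page documents no profile-type exception for it.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

MB = 1024 * 1024


class Action(Enum):
    ALLOW = "allow"
    BLOCK = "block"


@dataclass(frozen=True)
class FilterSettings:
    """One settings block; file settings use min_size_bytes=0 (no minimum is documented)."""
    max_latency_sec: int
    action_on_max_latency: Action
    max_size_bytes: int
    action_on_max_size: Action
    min_size_bytes: int = 0
    log_not_scanned: bool = True


@dataclass(frozen=True)
class Upload:
    """Constructed view of one scan attempt as the firewall sees it."""
    size_bytes: int
    elapsed_sec: float
    verdict: Optional[str]  # "sensitive", "clean", or None when no verdict arrived
    error: bool = False


@dataclass(frozen=True)
class Decision:
    action: Optional[Action]  # None while the firewall is still waiting for a verdict
    reason: str
    alert_not_scanned: bool  # whether a "not scanned" entry is written to the log


def _fallback(configured: Action, profile_blocks: bool) -> Action:
    """Block on a missing verdict applies only to profiles configured to block;
    alert-only profiles are never blocked by these settings."""
    return Action.BLOCK if configured is Action.BLOCK and profile_blocks else Action.ALLOW


def decide(upload: Upload, settings: FilterSettings, profile_blocks: bool,
           action_on_error: Action = Action.ALLOW) -> Decision:
    log = settings.log_not_scanned
    if upload.error:
        # Action on any Error: Allow is the documented default (fail open).
        return Decision(action_on_error, "error", log)
    if upload.size_bytes < settings.min_size_bytes:
        # Below Min Data Size (non-file only): not sent for scanning (assumption).
        return Decision(Action.ALLOW, "below-min-size", False)
    if upload.size_bytes > settings.max_size_bytes:
        # Too large to scan: no verdict, so Action on Max File/Data Size decides.
        return Decision(_fallback(settings.action_on_max_size, profile_blocks), "max-size", log)
    if upload.verdict is None:
        if upload.elapsed_sec > settings.max_latency_sec:
            return Decision(_fallback(settings.action_on_max_latency, profile_blocks),
                            "max-latency", log)
        return Decision(None, "pending", False)  # still within Max Latency
    if upload.verdict == "sensitive":
        return Decision(Action.BLOCK if profile_blocks else Action.ALLOW, "verdict-sensitive", False)
    return Decision(Action.ALLOW, "verdict-clean", False)


def latency_recommendation_met(settings: FilterSettings) -> bool:
    """Page guidance: when files greater than 20 MB are inspected, Max Latency
    should be set to more than 60 seconds."""
    return settings.max_size_bytes <= 20 * MB or settings.max_latency_sec > 60


if __name__ == "__main__":
    # Constructed settings: block on missing verdicts, 25 MB ceiling, 90 s latency.
    files = FilterSettings(90, Action.BLOCK, 25 * MB, Action.BLOCK)
    oversized = Upload(size_bytes=30 * MB, elapsed_sec=1, verdict=None)
    for blocks in (True, False):
        d = decide(oversized, files, profile_blocks=blocks)
        print(f"profile blocks={blocks}: {d.action} ({d.reason}), log={d.alert_not_scanned}")
```

Run the same `Upload` through `decide` with `profile_blocks=True` and `profile_blocks=False` to see that an alert-only profile is never blocked by a latency or size overrun, and check `latency_recommendation_met` before raising Max File Size past 20 MB.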

STEP 5 | Click OK.

STEP 6 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

While performing a Commit and Push is supported, it isn’t recommended for
Enterprise DLP configuration changes and requires you to manually select the
impacted templates and managed firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.

Uninstall the Enterprise DLP Plugin on Panorama


To uninstall the Enterprise Data Loss Prevention (E-DLP) plugin, you must remove all Enterprise
DLP data filtering profile references from all your Security policy rules before you can uninstall
the plugin from your Panorama™ management server.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Policies > Security and remove all Enterprise DLP data filtering profiles from your
Security policy rules.
This step is required to successfully uninstall the Enterprise DLP plugin.

STEP 3 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 4 | In the Panorama web interface, select Panorama > Plugins and Uninstall the Enterprise DLP
plugin.

STEP 5 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Register and Activate Enterprise DLP on Prisma Access


(Panorama Managed)
Enterprise Data Loss Prevention (E-DLP) on Prisma Access enables you to secure remote
networks and users, and requires an add-on license.
To register and activate the Enterprise DLP plugin to use with Prisma Access, complete one of the
following procedures:
• To register and activate the Enterprise DLP plugin for a new Enterprise DLP deployment,
follow the procedure in Install the Enterprise DLP Plugin—New DLP Deployments.
• To upgrade to the Enterprise DLP plugin for a Prisma Access deployment that uses Enterprise
DLP on Prisma Access, follow the procedure in Upgrade to the Enterprise DLP Plugin—Existing
Enterprise DLP on Prisma Access Deployments.

Preinstallation Requirements
Before you install the Enterprise DLP plugin, make sure that your Prisma Access deployment
meets the following requirements:
• Make sure that you have purchased the Enterprise DLP add-on license for Prisma Access.
You use the Enterprise DLP plugin to activate the Enterprise DLP functionality for use
with Prisma Access, but it requires an Enterprise DLP add-on license, which includes the
Authorization code (auth code) you need when you activate your license on the Palo Alto
Networks Customer Support Portal (CSP).
• On the Panorama appliance that manages Prisma Access, make sure that you have the
minimum Panorama, content release versions, Enterprise DLP plugin, and Prisma Access
versions.
• The minimum required Panorama version is 10.0.5.
• The minimum required content version is 8334-6362.
• The minimum required DLP plugin version is 1.0.3.
• The minimum required Prisma Access version is 2.0 Innovation and the minimum Cloud
Services plugin version is version 2.0.0.h3-innovation.
If you need to upgrade the Panorama or content release version, install the content and
software updates on Panorama.
• Make sure that you have installed the device certificate on Panorama.
• If you manage on-premises firewalls with Prisma Access, you should install the device
certificate for managed firewalls.
• Make sure that your Prisma Access dataplane has been upgraded.

Install the Enterprise DLP Plugin—New DLP Deployments


After you have completed the Preinstallation Steps, complete the following steps to install the
Enterprise DLP plugin on Panorama.

STEP 1 | From the Panorama that manages Prisma Access, select Panorama > Plugins and search for
the latest version of the Enterprise DLP plugin.
Prisma Access requires a minimum Enterprise DLP plugin version of 1.0.3.

STEP 2 | Download and Install the Enterprise DLP plugin on Panorama.

STEP 3 | Commit your changes to Panorama by selecting Commit > Commit to Panorama and
Commit your configuration changes.

STEP 4 | (Optional) If your Panorama manages on-premises firewalls as well as Prisma Access, commit
and push the changes to your managed firewalls.
This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering
logs.
1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates and click OK.
4. Push your configuration changes to your managed firewalls.

Upgrade to the Enterprise DLP Plugin—Existing Enterprise DLP on Prisma Access Deployments


If you have an existing Enterprise DLP plugin on Prisma Access deployment, complete the
following steps.
STEP 1 | Make sure that you have completed the following actions before installing the Enterprise
DLP plugin:
• You have had your Prisma Access dataplane upgraded to a minimum version of 10.0.
To find your dataplane version, select Panorama > Cloud Services > Configuration >
Service Setup and view the Current Dataplane version in the DataPlane PAN-OS version
area. If the DataPlane PAN-OS version is 10.0 or later, your dataplane is compatible with
the Enterprise DLP plugin.
If your deployment is a dataplane version that is earlier than 10.0, use this document to
register and activate Enterprise DLP on Prisma Access.
• You have upgraded and installed the Cloud Services plugin for your Prisma Access release,
and your plugin version is 2.0 Innovation, 2.1 Innovation, 2.2 Preferred, or a later Preferred
or Innovation version.
2.0 Preferred and 2.1 Preferred Prisma Access releases don’t support using the Enterprise
DLP plugin with Prisma Access.

STEP 2 | Install and activate the DLP plugin. Make a note of the following caveats during installation:
• You don’t have to verify that the Panorama and Prisma Access belong to the same CSP
account; you have already associated the Panorama serial number with the CSP account
when you installed Prisma Access.
• You don’t have to activate the Enterprise DLP plugin on Prisma Access. However, if you
have managed firewalls, you should complete the steps to enter the auth code for the target
managed firewalls.

STEP 3 | (Optional) If you have existing data patterns and data filtering profiles that you use for
Enterprise DLP on Prisma Access, verify that the installation process completed successfully
by checking that the data patterns and data filtering profiles moved to the following
locations in Panorama:
• Data patterns move from Objects > Custom Objects > Data Patterns to Objects > DLP >
Data Filtering Patterns.
• Data filtering profiles move from Objects > Security Profiles > Data Filtering to Objects >
DLP > Data Filtering Profiles.

Set Up Enterprise DLP on Cloud Management


Enable Enterprise Data Loss Prevention (E-DLP) for Prisma Access (Cloud Management) and
SaaS Security on Cloud Management, and configure how Cloud Management stores snippets of
sensitive data.
• Enable Enterprise DLP on Cloud Management
• Edit the Enterprise DLP Snippet Settings on Cloud Management
• Edit the Enterprise DLP Data Filtering Settings on Cloud Management

Enable Enterprise DLP on Cloud Management


Enable your Enterprise Data Loss Prevention (E-DLP) license for Prisma Access (Cloud
Management) and SaaS Security, and create a decryption policy rule to strip application-layer
protocol negotiation (ALPN) headers from uploaded files.
STEP 1 | Enable Enterprise DLP.
• Single Prisma SASE Platform Tenant License Activation
Activate a License for Cloud-Managed Prisma Access Through the Prisma SASE Platform
for a single tenant deployment. Follow this procedure to activate Enterprise DLP when your
tenant has no subtenants or tenant hierarchy of any kind.
• Multitenant Prisma SASE Platform License Activation
Activate a License for Prisma Access Multitenant Through the Prisma SASE Platform to
activate Enterprise DLP for a parent tenant or a subtenant.
• CASB-X Platform License Activation
By default, the Enterprise DLP license is included as part of the CASB-X license. To activate
Enterprise DLP for your CASB-X tenants, you only need to activate CASB-X. There’s no
individual Enterprise DLP license you need to activate when using CASB-X.
To use Enterprise DLP for a CASB-X tenant, you must Activate a Next Generation CASB
License on Cross Platforms (CASB-X) Through the Prisma SASE Platform.

STEP 2 | Launch the Cloud Management Console.

STEP 3 | Verify that the DLP license is active.


1. Select Manage > Overview and navigate to the Licenses widget.
2. Click the license Quantity and confirm that the Data Loss Prevention license is active.
Confirm the Data Loss Prevention license Type displays PAID and that an expiration
date is displayed.

3. Select Manage > Configuration > Security Services and verify Data Loss Prevention is
displayed.
4. Select Activity > Logs and verify DLP Incidents is displayed.

STEP 4 | Create the decryption profile required for Enterprise DLP to inspect traffic.
1. Select Manage > Configuration > Security Services > Decryption and Add Profile.
2. Enter a descriptive Name for the decryption profile.
3. Review the predefined decryption profile settings.
The predefined decryption profile settings enable Enterprise DLP to inspect traffic.
Modifying the predefined decryption profile settings isn’t required unless you need to
enable Strip ALPN.

4. (Software Version 10.2.2 or earlier versions) Configure the decryption profile to remove
Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.
Remove the ALPN headers from files if any Cloud Management deployment is running
software version 10.2.2 or earlier version. If your entire Cloud Management deployment
is running software version 10.2.3 or later version, stripping ALPN headers isn’t required.

A web security admin can also strip ALPN headers in the Web Security
decryption settings (Manage > Web Security > Security Settings > Decryption
and edit the Action Options). Web Security admins don’t need to create a
decryption policy rule and can push the setting to Remote Networks and Mobile
Users.

1. In the SSL Forward Proxy, click Advanced.


2. Check (enable) Strip ALPN and Save.

5. Save the Decryption profile group.

STEP 5 | Create a decryption policy rule to decrypt traffic for Enterprise DLP inspection.

Cloud Management includes the predefined Exclude Microsoft O365
Optimized Endpoints - IPs and Exclude Microsoft O365
Optimized Endpoints - URLs decryption rules that exclude Microsoft Office
365 from decryption.
For Enterprise DLP to successfully inspect traffic for Microsoft Office 365, you must
position this new decryption rule before the predefined decryption exclusion rules.
Alternatively, you can Disable these rules or Delete them.

1. Select Manage > Configuration > Decryption and Add Rule.


2. Enter a descriptive Name and configure the decryption policy rule as needed.
3. In the Action and Advanced Inspection section, configure the policy rule to Decrypt
traffic that matches this rule.
4. For the Type, select SSL Forward Proxy.
5. Select the Decryption Profile you created to strip ALPN headers.

6. Save the decryption policy rule.

STEP 6 | Push your data filtering profile.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.

STEP 7 | Enable Role Based Access to Enterprise DLP on Cloud Management.

Edit the Enterprise DLP Snippet Settings on Cloud Management


Configure firewalls to store snippets of sensitive data that match your Enterprise DLP data
patterns in the DLP cloud service and configure how to mask the sensitive data if stored.
STEP 1 | Enable Enterprise DLP on Cloud Management.

STEP 2 | Launch the Cloud Management Console.

STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings.

STEP 4 | Enable Snippets Viewing to store the snippets of sensitive data that match your Enterprise
DLP data patterns in the DLP cloud service.

STEP 5 | Configure Snippets Masking to set how matched sensitive data is masked for storage in the DLP cloud service.
• Do not mask—Matched sensitive data snippet isn’t masked and entirely visible in cleartext.
• Partial mask—Matched sensitive data snippet is partially masked, displaying the last two
characters in cleartext.
• Full mask—Matched sensitive data snippet is fully masked.
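The masking settings on Panorama (Mask Sensitive Field: no-mask, partial-mask showing four characters, full-mask) and on Cloud Management (Snippets Masking: Do not mask, Partial mask showing the last two characters, Full mask) determine how much of a matched value is visible to anyone who can later read the stored snippet. The following is an added example, not Palo Alto Networks code, that applies the three documented modes to the matched field inside a snippet so the stored result for each setting can be compared. The masking character, the assumption that Panorama's four visible characters are the last four, and the sample snippet itself are constructed for illustration.

```python
"""What a stored Enterprise DLP snippet looks like under each masking setting.

Added example, not Palo Alto Networks code. It applies the documented modes
(no mask, partial mask, full mask) to the matched sensitive field inside a
snippet, with the documented visible-character counts for partial masking:
four characters on Panorama, the last two characters on Cloud Management.
Assumptions: the masking character, and that Panorama's four visible
characters are the last four. The sample snippet is constructed, not real data.
"""
from dataclasses import dataclass

MASK_CHAR = "*"  # assumed masking character

# Characters of the matched field left in cleartext by the partial-mask setting
PARTIAL_VISIBLE = {"panorama": 4, "cloud-management": 2}


@dataclass(frozen=True)
class Match:
    start: int  # offset of the matched sensitive field within the snippet
    end: int    # exclusive end offset


def mask_field(field: str, mode: str, visible: int) -> str:
    """Mask one matched field; modes are 'no-mask', 'partial-mask', 'full-mask'."""
    if mode == "no-mask":
        return field
    if mode == "full-mask":
        return MASK_CHAR * len(field)
    if mode == "partial-mask":
        keep = min(visible, len(field))  # a field shorter than `visible` stays in clear
        return MASK_CHAR * (len(field) - keep) + field[len(field) - keep:]
    raise ValueError(f"unknown mask mode: {mode!r}")


def mask_snippet(snippet: str, matches: list, mode: str, plane: str = "panorama") -> str:
    """Mask only the matched fields, leaving the surrounding snippet context readable."""
    visible = PARTIAL_VISIBLE[plane]
    out, pos = [], 0
    for m in sorted(matches, key=lambda m: m.start):
        if m.start < pos or m.end > len(snippet):
            raise ValueError("matches must not overlap and must lie within the snippet")
        out.append(snippet[pos:m.start])
        out.append(mask_field(snippet[m.start:m.end], mode, visible))
        pos = m.end
    out.append(snippet[pos:])
    return "".join(out)


# Constructed snippet: a 16-digit card-number-shaped value with context (not real data).
SAMPLE_SNIPPET = "payment card 4111111111111111 exp 12/27"
SAMPLE_MATCHES = [Match(start=13, end=29)]

if __name__ == "__main__":
    for plane in PARTIAL_VISIBLE:
        for mode in ("no-mask", "partial-mask", "full-mask"):
            print(f"{plane:17} {mode:13} {mask_snippet(SAMPLE_SNIPPET, SAMPLE_MATCHES, mode, plane)}")
```

Running the block prints the six stored forms of the sample snippet; the partial-mask rows make the difference between the two management planes visible, and a short matched field (fewer characters than the visible count) is returned unmasked, which is worth knowing before choosing partial masking for short identifiers.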

STEP 6 | Push the snippet settings.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.

Edit the Enterprise DLP Data Filtering Settings on Cloud Management


Edit the Enterprise Data Loss Prevention (E-DLP) data filtering settings for Prisma Access (Cloud
Management) and SaaS Security. These network settings are applied for files scanned by the DLP
cloud service and specify the actions Prisma Access (Cloud Management) and SaaS Security take
when using Enterprise DLP.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Data Transfer and edit the Data Transfer settings.


STEP 3 | Edit the File Based Settings.


1. Specify the Max Latency (sec) for a file upload before an action is taken by Cloud
Management.

For inspection of files greater than 20 MB, Palo Alto Networks recommends
setting the max latency to greater than 60 seconds.
2. Specify the Action on Max Latency (Allow or Block) Cloud Management takes if no
verdict was received for a file upload because the upload time exceeded the configured
Max Latency.

Selecting Block applies only to Enterprise DLP data profiles configured to block
files. This setting doesn’t impact Enterprise DLP data profiles configured to alert
when traffic containing sensitive data is scanned.
3. Specify the Max File Size (MB) to enforce the maximum file size for files uploaded to the
DLP cloud service for inspection.
4. Specify the Action on Max File Size (Block or Allow) Cloud Management takes if no
verdict was received for a file upload due to the file size being larger than the configured
Max File Size.

Selecting Block applies only to Enterprise DLP data profiles configured to block
files. This setting doesn’t impact Enterprise DLP data filtering profiles configured
to alert when traffic containing sensitive data is scanned.
5. Check (enable) Log Files Not Scanned to generate an alert in the DLP incident when a
file can’t be scanned to the DLP cloud service.
6. Save.


STEP 4 | Edit the Non-File Based Settings.


1. Enable non-file based DLP.
Enable this setting to prevent exfiltration of sensitive data in non-file format traffic for
collaboration applications, web forms, cloud and SaaS applications, and social media on
your network.
2. Specify the Max Latency (sec), the time allowed for a non-file data upload before an
action is taken by Cloud Management.
3. Specify the Action on Max Latency (Allow or Block) Cloud Management takes if no
verdict was received for a non-file traffic data upload due to the upload time exceeding
the configured Max Latency.

Selecting Block applies only to Enterprise DLP data profiles configured to
block non-file data. This setting doesn’t impact Enterprise DLP data profiles
configured to alert when traffic containing sensitive data is scanned.
4. Specify the Min Data Size (B) to enforce a minimum size for non-file data to be scanned
by the DLP cloud service.
5. Specify the Max Data Size (KB) to enforce a maximum size for non-file data to be
scanned by the DLP cloud service.
6. Specify the Action on Data File Size (Allow or Block) Cloud Management takes if no
verdict was received for a non-file traffic data upload due to the traffic data size being
larger than the configured Max Data Size.

Selecting Block applies only to Enterprise DLP data profiles configured to
block non-file data. This setting doesn’t impact Enterprise DLP data profiles
configured to alert when traffic containing sensitive data is scanned.
7. Check (enable) Log Data Not Scanned to generate an alert in the DLP incident when
non-file data can’t be scanned by the DLP cloud service.
8. Save.

STEP 5 | In the DLP Settings, specify the action Cloud Management takes when an error is
encountered while a file is being scanned by the DLP cloud service.
Select Allow to allow the file upload to continue when an error is encountered, or Block to
block the upload.
Save to apply the setting.

STEP 6 | Push your data filtering profile.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.


Edit the Enterprise DLP Snippet Settings on the DLP App

Configure firewalls to store snippets of sensitive data that match your Enterprise DLP data
patterns in the DLP cloud service and configure how to mask the sensitive data if stored on the
DLP app on the hub.
STEP 1 | Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | Select Settings > Sensitive Data.

STEP 3 | Check (enable) Store Snippets of Sensitive Data for Cloud Management or NGFW to store
the snippets of sensitive data that match your Enterprise DLP data patterns in the DLP cloud
service.

STEP 4 | Configure how to Mask sensitive fields in snippets for Cloud Management or NGFW for
storage in the DLP cloud service.
• no-mask—Matched sensitive data snippet isn’t masked and entirely visible when stored in
the DLP cloud service.
• partial-mask—Matched sensitive data snippet is partially masked displaying four characters
when stored in the DLP cloud service.
• full-mask—Matched sensitive data snippet is fully masked when stored in the DLP cloud
service.


Enable Exact Data Matching (EDM)


Enable exact data matching (EDM) on the DLP app on the hub and Cloud Management.
• Enable Exact Data Matching (EDM) on the DLP App
• Enable Exact Data Matching (EDM) on Cloud Management

Enable Exact Data Matching (EDM) on the DLP App


Enable exact data matching (EDM) on the DLP app on the hub to upload hash encrypted EDM
data sets to the DLP cloud services to use in data profiles for firewalls managed by a Panorama
management server and Prisma Access (Panorama Managed).

It might take 24-48 hours for Palo Alto Networks to enable EDM functionality for your
DLP app.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | Select Detection Methods > Exact Data Matching.

STEP 3 | Request Enablement.

STEP 4 | When prompted, click Send Request to confirm your request to enable EDM.

STEP 5 | The DLP app on the hub displays Enable Request Sent while your enablement request
is pending.

STEP 6 | Set Up the EDM CLI Application after EDM is enabled on the DLP app.
EDM functionality is enabled when you can download the EDM CLI application and view the
table where uploaded EDM data sets will be displayed.

Enable Exact Data Matching (EDM) on Cloud Management


Enable exact data matching (EDM) on the DLP app on the hub to upload hash encrypted EDM
data sets to the DLP cloud services to use in Prisma Access (Cloud Management) and SaaS
Security data profiles on Cloud Management.

It might take 24-48 hours for Palo Alto Networks to enable EDM functionality on Cloud
Management.

STEP 1 | Launch the Cloud Management Console.


STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Exact Data
Matching.

STEP 3 | Enable EDM.


Review and Close the EDM confirmation that your EDM enablement request was successfully
submitted.

STEP 4 | Cloud Management displays Enablement Request Sent while your enablement request
is pending.

STEP 5 | Set Up the EDM CLI Application after EDM is enabled on Cloud Management.
EDM functionality is enabled when you can download the EDM CLI application and view the
table where uploaded EDM data sets will be displayed.


Enable Role Based Access to Enterprise DLP on Cloud Management

Configure and assign administrative privileges on the hub to grant read and write access for
Enterprise Data Loss Prevention (E-DLP) on Cloud Management. The hub role you configure and
assign determines the read and write access privileges granted to the user. You can assign a role
for All Apps & Services active on your Cloud Management tenant, a role for the Enterprise DLP
app, or a role for both. When a user is assigned a role for both All Apps & Services and the
Enterprise DLP app, the access privileges granted by the app-specific role take priority over the
access privileges granted by the All Apps & Services role.
For example, you have both Prisma Access (Cloud Management) and Enterprise DLP active on
your tenant. For Prisma Access, you assign a user the View Only Administrator role. Later,
you assign the same user the DLP Policy Manager role for Enterprise DLP. In this instance, the
user has read-only access to Prisma Access (Cloud Management) but both read and write access
to the majority of Enterprise DLP for configuration purposes.
Cloud Management supports the following roles to grant access privileges for the Enterprise DLP
app specifically.

Predefined Enterprise DLP Role  Privileges

DLP Incident Manager
  Read and Write Access: Alerts, Incidents, health and telemetry, reports, and Audit Logs
  Read Only Access: Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, and all DLP settings

DLP Policy Manager
  Read and Write Access: Data patterns, profiles, DLP Rules, EDM data sets, OCR setting, health and telemetry, audit logs, alerts, and all DLP settings
  No Access: Incidents and reports

Multitenant Superuser
  Full read and write privileges to Enterprise DLP for all tenants in the particular multitenant hierarchy where the role is assigned

Superuser
  Full read and write privileges for Enterprise DLP

View Only Administrator
  Read-only privileges for Enterprise DLP

STEP 1 | Log in to the hub.


STEP 2 | Add Access to your tenant where Enterprise DLP is active.


This step is required only if the user for which you’re granting Enterprise DLP access isn’t
already registered with the Palo Alto Networks Customer Support Portal (CSP).

STEP 3 | Assign role-based access for Enterprise DLP.

You don’t need to configure a tenant role for a user if access only to Enterprise DLP
is required.

1. For Apps & Services, select Enterprise DLP.


2. Select an Enterprise DLP Role.
3. Submit.

STEP 4 | Continue based on your Enterprise DLP access privileges.


• Set Up Enterprise DLP on Cloud Management
• Create Enterprise DLP Data Patterns
• Create Enterprise DLP Profiles
• Monitor Enterprise DLP


Enable Optical Character Recognition on Cloud Management

Strengthen your security posture to prevent accidental data misuse, loss, or theft by enabling
optical character recognition (OCR) for Enterprise Data Loss Prevention (E-DLP). Enabling OCR
allows the DLP cloud service to scan files with images containing sensitive information that match
your Enterprise DLP data profiles.
The DLP cloud service supports scanning the following image file types:
• .jpg, .jpeg, .png, .tif, .tiff
The DLP cloud service supports scanning of images present in the following file types for OCR.
• PDF, PPT(X), DOC(X)

OCR isn’t supported for Microsoft Visio XML drawing (.vdx) files that need to be rendered
in order to be displayed. For example, OCR can’t inspect a .vdx file if the XML is the drawing
representation.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Detection
Methods > Optical Character Recognition.

STEP 3 | Enable Optical Character Recognition (OCR).


Enable Optical Character Recognition for Enterprise DLP


Strengthen your security posture to prevent accidental data misuse, loss, or theft by enabling
optical character recognition (OCR) for Enterprise Data Loss Prevention (E-DLP) on the
Panorama™ management server for Panorama and Prisma Access (Panorama Managed). Enabling
OCR allows the DLP cloud service to scan files with images containing sensitive information that
match your Enterprise DLP data profiles.
The DLP cloud service supports scanning the following image file types:
• .jpg, .jpeg, .png, .tif, .tiff
The DLP cloud service supports scanning of images present in the following file types for OCR.
• PDF, PPT(X), DOC(X)

OCR isn’t supported for Microsoft Visio XML drawing (.vdx) files that need to be rendered
in order to display. For example, OCR can’t inspect a .vdx file if the XML is the drawing
representation.

STEP 1 | If you haven’t already, Configure Enterprise DLP.

STEP 2 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

Access to evidence storage settings and files on the hub is allowed only for an
account administrator or app administrator roles with a valid Enterprise DLP license
associated with that support account. This is to ensure that only the appropriate users
have access to report data and evidence.

STEP 3 | Select Detection Methods > Optical Character Recognition and enable Optical Character
Recognition (OCR).
OCR is disabled by default. Manually enable OCR in order for the DLP cloud service to scan
images and documents containing images for sensitive information.

Configure Enterprise DLP
Create and configure Enterprise Data Loss Prevention (E-DLP) data patterns and filtering profiles
for use in Security policy rules to enforce your organization’s data security standards to prevent
accidental data misuse, loss, or theft.
• Enterprise DLP Data Patterns
• Enterprise DLP Profiles
• Configure Enterprise DLP on Cloud Management
• Enable Existing Data Patterns and Filtering Profiles
• Configure Exact Data Matching (EDM)
• Enterprise DLP End User Alerting with Cortex XSOAR
• Inspection of Contextual Secrets for Chat Applications
• Enterprise DLP and AI Apps
• Custom Document Templates for Enterprise DLP
• Email DLP


Enterprise DLP Data Patterns


Enterprise Data Loss Prevention (E-DLP) data patterns specify what content is sensitive and
needs to be protected—this is the content you’re filtering.
Predefined data patterns and built-in settings make it easy for you to protect files that contain
certain file properties (such as document title or author), credit card numbers, regulated
information from different countries (such as driver’s license numbers), and third-party DLP labels.
To improve detection rates for sensitive data in your organization, you can supplement predefined
data patterns by creating custom data patterns that are specific to your content inspection and
data protection requirements. In a custom data pattern, you can also define regular expressions
and file properties to look for metadata or attributes in the file’s custom or extended properties
and use it in a data filtering profile.
• Configure Regular Expressions
• Create a Data Pattern on the DLP App
• Create a Data Pattern on Cloud Management
• Create a Data Pattern on Panorama

Configure Regular Expressions


The regular expression builder in Enterprise Data Loss Prevention (E-DLP) provides an easy
mechanism to configure regular expressions (regex for short), which you define when you create
a custom data pattern. You can use the regular expression builder to construct a data pattern
expression, view matches, filter occurrences and weight thresholds, and assess match results to
determine if the content poses a risk to your organization.
There are two types of regular expressions:
• Basic—Searches for a specific text pattern. When a pattern match is found, the service displays
the match occurrences.
• Weighted—Assigns a score to a text entry. When the score threshold is exceeded, such as
enough expressions from a pattern match an asset, the service returns a match for the pattern.
To reduce false positives and maximize the search performance of your regular expressions,
you can assign scores using the weighted regular expression builder in Enterprise DLP to find
and calculate scores for the information that is important to you. Scoring applies a match
threshold; when the threshold is exceeded, such as when enough words from a pattern are found
in a document, the document is indicated as a match for the pattern.
Use Case: Calculating and Scoring a weighted regular expression
For example, Joe is an employee at a water treatment plant and needs to compile usage data on
a proprietary pH additive that is used when source water arrives at the plant. If Joe initiated a
regular expression search with just the term "tap water", thousands of match results would
display, because the matched tap water documents list the additive. But Joe is searching for the
first use of the additive, not every document the additive is listed in, which makes it difficult
for Joe to find the usage data he needs.


To get more accurate results, Joe can initiate a weighted regular expression to assign weight
and occurrence scores to the expression, or indicate the information to exclude by assigning a
negative weight value.
Joe enters a negative weight value to exclude tap water and higher values to source water and
the proprietary water additive. The results are filtered and counted to a more manageable list,
meaning that a document containing 10 occurrences of water counts as one when all files and
folders are scanned. This enables Joe to view the match results, adjust the totals for weight
and occurrences, and calculate an adjusted score to determine if the content poses a risk to his
organization.

Weighted Regex Item | Occurrence | Adjusted Occurrence         | Adjusted Total Score

Water; 1            | 50         | 50 (1 Occurrence X 1)       | 110 minus 100 for tap water = 10 regex weight
IP pH; 2            | 30         | 60 (30 occurrences X 2)     |
Tap Water; -10      | 10         | -100 (10 occurrences x -10) |

STEP 1 | Consider the best practices for using regular expression matches.
• Use predefined data patterns instead of regular expressions. Use Enterprise DLP
predefined data patterns instead of regular expressions where possible. Data patterns
are more efficient than regular expressions because the predefined data patterns are
tuned for accuracy and the data is validated. For example, if you want to search for social
security numbers, use the US Social Security Number (SSN) data pattern instead of a regular
expression.
• Use regular expressions sparingly. Regular expressions can be computationally expensive.
If you add a regular expression condition, observe the system for 1 hour for efficient
performance. Make sure that the system doesn’t slow down and there are no false
positives.
• Test regular expressions. If you implement regular expression matching, consider using
a third-party tool to test the regular expressions before you enable the policy rules. The
recommended tool is RegexBuddy. Another good tool for testing your regular expressions is
RegExr. If your expression is incorrect, the service can’t match or will match incorrectly.

STEP 2 | Understand expression terminology.


Expression Terminology:

Term  Description

Literal
  A literal is any character you use in a search or matching expression. For example, to find dlp
  in Enterprise DLP, dlp is a literal string: each character plays a part in the search; it’s literally
  the string we want to find.

Metacharacter
  A metacharacter is one or more special characters that have a unique meaning and are NOT used
  as literals in the search expression. For example, the character < > (caret) is a metacharacter.

Regular Expression
  This term describes the search expression data pattern that you will be using to search in
  Enterprise DLP.

Escape Sequence
  An escape sequence is a way of indicating that you want to use one of the metacharacters as a
  literal. In a regular expression, an escape sequence involves placing the metacharacter \
  (backslash) in front of the metacharacter that you use as a literal. For example, if you want to
  find (dlp) in Enterprise DLP, use the search expression \(dlp\); and if you want to find \\file in
  the target string c:\\file, you would need to use the search expression \\\\file (each of the 2
  literal \ characters to search for is preceded by an escape sequence \).

STEP 3 | Understand expression constructs.


Enterprise DLP implements Perl Compatible Regular Expressions (PCRE) syntax for policy rule
condition matching. Enterprise DLP provides some common reference constructs for writing
regular expressions to match or exclude characters in content.
Regular expression constructs:

Construct  Description

.      A dot, any single character, except newline (line ending, end of line, or line break) characters.
\      Escape the next character (the character becomes a normal/literal character).
\d     Any digit (0-9).
\s     Any white space.
\w     Any word character (a-z, A-Z, 0-9).
\D     Anything other than a digit.
\S     Anything other than a white space.
[]     Elements inside brackets are a character class (for example, [abc] matches 1 character: a, b, or c).
^      At the beginning of a character class, negates it (for example, [^abc] matches anything except a, b, or c).
$      At the end of a character class, or before newline at the end.
+      Following a regular expression means 1 or more (for example, \d+ means 1 or more digits).
?      Following a regular expression means 0 or 1 (for example, \d? means 1 or no digit).
*      Following a regular expression means any number (for example, \d* means 0, 1, or more digits).
(?i)   At the beginning of a regular expression makes it case-insensitive (regular expressions are case-sensitive by default).
()     Groups regular expressions together.
(?u)   Makes a period ( . ) match even newline characters.
|      Means OR (for example, A|B means regular expression A or regular expression B).


STEP 4 | Understand expression quantifiers.


Quantifiers can be used to specify the number or length that part of a pattern should match or
repeat. A quantifier will bind to the expression group to its immediate left.
Regular expression quantifiers:

Quantifier Description

* Match 0 or more times.

+ Match 1 or more times.

? Match 1 or 0 times.

{n} Match exactly n times.

{n, } Match at least n times.

{n, m} Match at least n but not more than m times.

STEP 5 | Enter one regular expression per line, up to 100 lines of expressions.

STEP 6 | (Weighted expressions only) Assign a weight to each line entry between -9999
(lowest importance) and 9999 (highest importance) by entering the regular expression, the
delimiter, and the weight score. You must enter a weight threshold score of one (1) or more.

STEP 7 | (Optional) Customize your delimiter.


By default, the delimiter for all weighted regular expressions is a semicolon ( ; ). A delimiter
separates the string of text you’re matching from the weight value when you configure a
weighted regular expression. If you have a large number of existing expressions to match, you
can customize the delimiter so that you can copy and paste the expressions instead of entering
them manually. A delimiter can be any nonalphanumeric, nonbackslash, non-whitespace
character.
Regular expression delimiters:

Delimiter  Note

;      Semicolon — If the delimiter isn’t customized, the semicolon is the default delimiter in
       Enterprise Data Loss Prevention (E-DLP).
:      Colon.
|      Pipe.
/      Forward Slash — If the delimiter needs to be matched inside the pattern it must be escaped
       using a backslash ( \ ). If the delimiter appears often inside the pattern, it’s a good idea to
       choose another delimiter to increase readability.
+      Plus — Include phrase for matching.
-      Minus — Ignore phrase for matching.
#      Hash — Can be used to denote a number.
~      Tilde.
{ }    Curly brackets — Used to find a range of characters. Bracket style delimiters ({ }, [ ] and ( ))
       don’t need to be escaped when they’re used as metacharacters within the pattern, but they
       must be escaped when they’re used as literal characters.
[ ]    Square brackets — See the note on bracket style delimiters above.
( )    Parentheses — See the note on bracket style delimiters above.
< >    Caret.
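The weighted scoring walk-through in the use case above and the entry format of Steps 5 through 7 (one regex per line, a delimiter, a weight of -9999 to 9999, a threshold of 1 or more), worked through as a runnable Python model. This is an added example, not Palo Alto Networks code; the way the DLP cloud service itself counts overlapping matches is not documented here, so the counting used is an assumption chosen to reproduce the table's figures.

```python
import re

# Added illustration of the weighted regular expression scoring described in
# this guide; not Palo Alto Networks code. How the DLP cloud service itself
# counts overlapping matches is not documented here, so the counting below is
# an assumption chosen to reproduce the worked table.

DEFAULT_DELIMITER = ";"
MAX_EXPRESSIONS = 100
MIN_WEIGHT, MAX_WEIGHT = -9999, 9999


def validate_delimiter(delimiter: str) -> str:
    """A delimiter is one nonalphanumeric, nonbackslash, non-whitespace character."""
    if (len(delimiter) != 1 or delimiter.isalnum()
            or delimiter == "\\" or delimiter.isspace()):
        raise ValueError(f"invalid delimiter {delimiter!r}")
    return delimiter


def split_entry(line: str, delimiter: str):
    """Split 'regex<delimiter>weight' at the first unescaped delimiter.

    A delimiter character that belongs to the regex must be escaped with a
    backslash, e.g. the line 'a\\;b;3' with the default ';' delimiter."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the escaped character
            continue
        if line[i] == delimiter:
            return line[:i], line[i + 1:]
        i += 1
    raise ValueError(f"no unescaped delimiter {delimiter!r} in {line!r}")


def parse_weighted_expressions(text: str, delimiter: str = DEFAULT_DELIMITER):
    """Parse one 'regex<delimiter>weight' entry per line into (regex, weight)."""
    validate_delimiter(delimiter)
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) > MAX_EXPRESSIONS:
        raise ValueError(f"at most {MAX_EXPRESSIONS} expressions are allowed")
    entries = []
    for line in lines:
        pattern, weight_text = split_entry(line, delimiter)
        weight = int(weight_text.strip())
        if not MIN_WEIGHT <= weight <= MAX_WEIGHT:
            raise ValueError(f"weight {weight} outside {MIN_WEIGHT}..{MAX_WEIGHT}")
        entries.append((re.compile(pattern.strip()), weight))
    return entries


def score_document(entries, document: str):
    """Return rows of (pattern, weight, occurrences, occurrences * weight) and the total."""
    rows, total = [], 0
    for regex, weight in entries:
        occurrences = len(regex.findall(document))
        adjusted = occurrences * weight
        rows.append((regex.pattern, weight, occurrences, adjusted))
        total += adjusted
    return rows, total


def is_match(entries, document: str, threshold: int) -> bool:
    """The document matches the pattern when the adjusted total reaches the threshold."""
    if threshold < 1:
        raise ValueError("the weight threshold must be one (1) or more")
    return score_document(entries, document)[1] >= threshold


# Joe's pattern from the use case: default ';' delimiter, (?i) for
# case-insensitive matching, and a negative weight to exclude 'tap water'.
JOES_PATTERN = "(?i)water;1\n(?i)IP pH;2\n(?i)tap water;-10"

# Constructed sample document sized to reproduce the table above:
# 40 'source water' + 10 'tap water' = 50 'water', 30 'IP pH', 10 'tap water'.
SAMPLE_DOCUMENT = " ".join(
    ["source water"] * 40 + ["tap water"] * 10 + ["IP pH additive"] * 30)


def score_joes_document():
    """Worked example: 50*1 + 30*2 + 10*(-10) = 10, which meets a threshold of 1."""
    entries = parse_weighted_expressions(JOES_PATTERN)
    rows, total = score_document(entries, SAMPLE_DOCUMENT)
    return rows, total, is_match(entries, SAMPLE_DOCUMENT, threshold=1)


if __name__ == "__main__":
    rows, total, matched = score_joes_document()
    for pattern, weight, occurrences, adjusted in rows:
        print(f"{pattern:<16} weight={weight:>5} occ={occurrences:>3} adjusted={adjusted:>5}")
    print(f"total={total} match={matched}")
```

Note that the pipe ( | ) is both a valid delimiter and the regex OR construct, which is why the delimiter table recommends choosing a delimiter that rarely appears inside the pattern.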

Create a Data Pattern on the DLP App


Create an Enterprise Data Loss Prevention (E-DLP) custom or file property data pattern on the
DLP app on the hub.
• Create a Custom Data Pattern on the DLP App
• Create a File Property Data Pattern on the DLP App

Create a Custom Data Pattern on the DLP App


Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern on the DLP app on the
hub using regular expressions. Create data patterns to specify the match criteria and identify
patterns using regular expressions and keywords that represent sensitive information on your
network. All data patterns you create are shared across all device groups on the DLP app. After
you successfully create a custom data pattern, it’s automatically synchronized to the Panorama
management server managing your Enterprise DLP firewalls and to Cloud Management. All
custom data patterns created on the DLP app can be edited and copied as needed.
STEP 1 | Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.


STEP 2 | Select Detection Methods > Data Patterns and Add Data Patterns.

You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, expand the Actions column for the data
pattern you want to copy and Clone the data pattern. You can then configure the
custom data pattern you copied as needed.

STEP 3 | Select the Custom data pattern.

STEP 4 | Enter a descriptive Data Pattern Name.

STEP 5 | (Optional) Enter a Description for the data pattern.

STEP 6 | Select the type of Regular Expression.


You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create
a basic or weighted regular expression. With weighted regular expressions, each text entry is
assigned a score and when the score threshold is exceeded, such as when enough expressions
from a pattern match an asset, Enterprise DLP will indicate that the asset is a match for the
pattern.
Then use the query builder in the Regular Expressions field to add either regular (Basic) or
Weighted expressions.

STEP 7 | (Optional) Enter one or more Proximity Keywords.


Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords
to increase the probability that Enterprise DLP accurately detects a regular expression match.
Proximity keywords affect the Enterprise DLP confidence level, which reflects how confident
Enterprise DLP is when detecting matched traffic. Enterprise DLP determines the confidence
level by inspecting the distance of regular expression matches to proximity keywords.

STEP 8 | Save the data pattern.

STEP 9 | Create a data profile on the DLP app.


• Create a Data Profile on the DLP App
• Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App

Create a File Property Data Pattern on the DLP App


Create an Enterprise Data Loss Prevention (E-DLP) file property data pattern to specify the
match criteria for sensitive information based on the metadata or attributes that are part of your
custom files. After you successfully create a custom data pattern, it’s automatically synchronized
to the Panorama management server managing your Enterprise DLP firewalls and to Cloud
Management. All file property data patterns created on the DLP app can be edited and copied as
needed.
STEP 1 | Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.


STEP 2 | Select Detection Methods > Data Patterns and Add Data Patterns.

You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, expand the Actions column for the data
pattern you want to copy and Clone the data pattern. You can then configure the
custom data pattern you copied as needed.

STEP 3 | Select the File Property data pattern.

STEP 4 | (Optional) Enter a Description for the data pattern.

STEP 5 | Define the file property data pattern.


Enterprise DLP supports file property data patterns in MS Office and PDF documents and
supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
1. Select the File Property Type.

Leave the File Property Type empty if you plan to use keyword as the file
property Name. This is required to successfully match traffic against the
keyword file property.

Enterprise DLP supports the following file property types.


• AIP Tags—Microsoft Azure Information Protection (AIP) labels used to classify and
protect documents and emails.
Only one AIP Tag entry is supported per data pattern. However, you
can add up to 10 AIP Tag values to an AIP Tag entry using ; as a
separator. For example,
msip_label_defa4170-0d19-0005-000b-bc88714345d2_contentbits=10;msip_label_defa4170-0d19-0005-000b-bc76701345f1_contentbits=10.
• Asset Name—File name for files you want to prevent exfiltration.
Only one Asset Name entry is supported per data pattern. However, you can add
up to 100 Asset Name values to an Asset Name entry using ; as a separator. For
example, notes; billing-info;customer-data.
Fully formed regex expressions are supported for the Asset Name value. Wildcards
are not supported. For example,
(?i)(\W|^)(ssn|social|security\security|credit\card|phone|credit\card)(\W|$).
• Author—File owner first and last name in the asset metadata.
Only one Author entry is supported per data pattern. However, you can add up to
100 Author values to an Author entry using ; as a separator. For example, Bill
Smith; john doe; leslieBarnes.
The Author values are case and space insensitive.

The Author file property type is not supported for source code files.

• File Extension—Specify one or more file types supported by Enterprise DLP.


Only one File Extension entry is supported per data pattern. However, you can add
up to 100 File Extension values to a File Extension entry using ; as a separator. For
example, .pdf;.csv;.rtf.
To scan files based on a specific file extension, the file extension must be included in
the file name.
• File SHA—String of letters and numbers that represent a long checksum. Only
SHA-256 are supported.
Only one File SHA entry is supported per data pattern. However, you can add up
to 100 File SHA values to a File SHA entry using ; as a separator. For example,
CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753E
• Extended Properties—Unique Advanced properties added to Microsoft Suite (Word,
Excel, PPT, PDF) file properties that are not the default General properties.
Multiple Extended Properties entries are supported per data pattern.
• Custom—Unique Custom properties added to Microsoft Suite (Word, Excel, PPT,
PDF) file properties that are not the default General properties.
Multiple Custom entries are supported per data pattern.
2. Select the file property Name.

For files protected with AIP labels, you must enter the full AIP
label Name that you want to take action on. This must be the
MSIP_Label_<GUID>_Enabled label name.
3. Enter the file property Value.
4. (Optional) Add File Property to define additional file property patterns.

STEP 6 | Save the data pattern.

STEP 7 | Create a data profile on the DLP app.


• Create a Data Profile on the DLP App
• Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App

Create a Data Pattern on Cloud Management


Create an Enterprise Data Loss Prevention (E-DLP) custom or file property data pattern for Prisma
Access (Cloud Management) and SaaS Security on Cloud Management.
• Create a Custom Data Pattern on Cloud Management
• Create a File Property Data Pattern on Cloud Management
• Add Custom Match Criteria to a Predefined Data Pattern

Create a Custom Data Pattern on Cloud Management


Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern for Prisma Access
(Cloud Management) and SaaS Security on Cloud Management using regular expressions. Create
data patterns to specify the match criteria and identify patterns using regular expressions and
keywords that represent sensitive information on your network. All data patterns you create
are shared across all Prisma Access (Cloud Management) and SaaS Security deployments
associated with the tenant. After you successfully create a custom data pattern, it’s automatically
synchronized to the DLP app on the hub. All custom data patterns created on Cloud Management
can be edited and copied as needed.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Detection
Methods > Data Patterns.

STEP 3 | Add Data Patterns and select Custom.

You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, select the data pattern name to view the data
pattern details and copy it. You can then configure the custom data pattern you
copied as needed.

STEP 4 | Enter a descriptive Data Pattern Name.

STEP 5 | (Optional) Enter a Description for the data pattern.

STEP 6 | Select the type of Regular Expression.


You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create
a basic or weighted regular expression. With weighted regular expressions, each text entry is
assigned a score and when the score threshold is exceeded, such as when enough expressions
from a pattern match an asset, Enterprise DLP will indicate that the asset is a match for the
pattern.
Then use the query builder in the Regular Expressions field to add either regular (Basic) or
Weighted expressions.

STEP 7 | (Optional) Enter one or more Proximity Keywords.


Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords
to increase the probability Enterprise DLP accurately detects a regular expression match.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident
Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level
by inspecting the distance of regular expressions to proximity keywords.

STEP 8 | Save the data pattern.

STEP 9 | Create a data profile.


• Create a Data Profile on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management

Create a File Property Data Pattern on Cloud Management


Create an Enterprise data loss prevention (DLP) data pattern using file properties for Prisma
Access (Cloud Managed) and SaaS Security on Cloud Management to specify the match criteria
and identify patterns that represent sensitive information on your network. All data patterns
you create are shared across all Prisma Access (Cloud Managed) and SaaS Security deployments
associated with the tenant. After you successfully create a custom data pattern, it is automatically
synchronized to the DLP app on the hub. All file property data patterns created on Cloud
Management can be edited and copied as needed.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Detection
Methods > Data Patterns.

STEP 3 | Add Data Patterns and select File Property.

You can also create a new file property data pattern by copying an existing file
property data pattern. To copy a file property data pattern, select the data pattern name to
view the data pattern details and copy it. You can then configure the file property
data pattern you copied as needed.

STEP 4 | Enter a descriptive Data Pattern Name.

STEP 5 | (Optional) Enter a Description for the data pattern.

STEP 6 | Define the file property data pattern.


Enterprise DLP supports file property data patterns in MS Office and PDF documents and
supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
1. Select the File Property Type.

Leave the File Property Type empty if you plan to use keyword as the file
property Name. This is required to successfully match traffic against the
keyword file property.

Enterprise DLP supports the following file property types.


• AIP Tags—Microsoft Azure Information Protection (AIP) labels used to classify and
protect documents and emails.
Only one AIP Tag entry is supported per data pattern. However, you
can add up to 10 AIP Tag values to an AIP Tag entry using ; as a
separator. For example, msip_label_defa4170-0d19-0005-000b-bc88714345d2_contentbits=10;msip_label_defa4170-0d19-0005-000b-bc76701345f1_contentbits=10.
• Asset Name—File name for files you want to prevent exfiltration.
Only one Asset Name entry is supported per data pattern. However, you can add
up to 100 Asset Name values to an Asset Name entry using ; as a separator. For
example, notes; billing-info;customer-data.
Fully formed regex expressions are supported for the Asset Name value. Wildcards
are not supported. For example, (?i)(\W|^)(ssn|social\ssecurity|credit\scard|phone|credit\scard)(\W|$).
• Author—File owner first and last name in the asset metadata.
Only one Author entry is supported per data pattern. However, you can add up to
100 Author values to an Author entry using ; as a separator. For example, Bill
Smith; john doe; leslieBarnes.
The Author values are case and space insensitive.

The Author file property type is not supported for source code files.

• File Extension—Specify one or more file types supported by Enterprise DLP.


Only one File Extension entry is supported per data pattern. However, you can add
up to 100 File Extension values to a File Extension entry using ; as a separator. For
example, .pdf;.csv;.rtf.
To scan files based on a specific file extension, the file extension must be included in
the file name.
• File SHA—String of letters and numbers that represent a long checksum. Only
SHA-256 are supported.
Only one File SHA entry is supported per data pattern. However, you can add up
to 100 File SHA values to a File SHA entry using ; as a separator. For example,
CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753E
• Extended Properties—Unique Advanced properties added to Microsoft Suite (Word,
Excel, PPT, PDF) file properties that are not the default General properties.
Multiple Extended Properties entries are supported per data pattern.
• Custom—Unique Custom properties added to Microsoft Suite (Word, Excel, PPT,
PDF) file properties that are not the default General properties.
Multiple Custom entries are supported per data pattern.
2. Select the file property Name.

For files protected with AIP labels, you must enter the full AIP
label Name that you want to take action on. This must be the
MSIP_Label_<GUID>_Enabled label name.
3. Enter the file property Value.
4. (Optional) Add File Property to define additional file property patterns.
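The file property types listed above, as an added worked example (not code from the guide or from Enterprise DLP): a small Python evaluator for one file property entry covering AIP Tags, Asset Name, Author, File Extension and File SHA, serving both this list and the identical list in Create a File Property Data Pattern on the DLP App. The FileAsset metadata, the <label>=<value> form of AIP Tag values, and the use of a regex search (rather than a full match) for Asset Name are assumptions of this example.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Maximum number of ';'-separated values the guide allows in one entry of each type.
MAX_VALUES = {"aip_tag": 10, "asset_name": 100, "author": 100,
              "file_extension": 100, "file_sha": 100}


@dataclass
class FileAsset:
    """Constructed stand-in for what Enterprise DLP sees about one file (assumed shape)."""
    name: str
    content: bytes = b""
    author: str = ""
    aip_labels: dict = field(default_factory=dict)  # AIP label name -> value from the metadata


def split_values(entry, prop_type):
    """Split one entry into its ';'-separated values and enforce the per-type cap."""
    values = [v.strip() for v in entry.split(";") if v.strip()]
    if len(values) > MAX_VALUES[prop_type]:
        raise ValueError(f"{prop_type}: at most {MAX_VALUES[prop_type]} values per entry")
    return values


def normalize_author(s):
    """Author values are case and space insensitive."""
    return re.sub(r"\s+", "", s).lower()


def sha256_hex(data):
    """Only SHA-256 is supported for the File SHA type."""
    return hashlib.sha256(data).hexdigest().upper()


def match_file_property(prop_type, entry, asset):
    """True if the asset satisfies the file property entry (any one value is enough)."""
    values = split_values(entry, prop_type)
    if prop_type == "aip_tag":
        # Each value is written as <label name>=<value>, as in the guide's example;
        # label names are compared case-insensitively (assumption).
        labels = {k.lower(): v for k, v in asset.aip_labels.items()}
        for v in values:
            label, _, want = v.partition("=")
            if labels.get(label.lower()) == want:
                return True
        return False
    if prop_type == "asset_name":
        # Values are full regular expressions; a plain word is just a literal regex,
        # so 'notes' matches any file name containing that word (re.search is assumed).
        return any(re.search(v, asset.name) for v in values)
    if prop_type == "author":
        wanted = {normalize_author(v) for v in values}
        return normalize_author(asset.author) in wanted
    if prop_type == "file_extension":
        # The extension must be part of the file name; the content is not sniffed.
        return any(asset.name.lower().endswith(v.lower()) for v in values)
    if prop_type == "file_sha":
        # Compare hex digests case-insensitively.
        return sha256_hex(asset.content) in {v.upper() for v in values}
    raise ValueError(f"unknown file property type: {prop_type}")
```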

STEP 7 | Save the data pattern.

STEP 8 | Create a data profile.


• Create a Data Profile on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management

Add Custom Match Criteria to a Predefined Data Pattern

Where Can I Use This?            What Do I Need?

• Strata Cloud Manager           Either one of these licenses:
                                 • Prisma Access license
                                 • AIOps for NGFW Premium
                                 With this license:
                                 • Enterprise DLP

Clone a predefined regex data pattern to add specific inclusion or exclusion criteria and provide
custom match criteria that enhance detection and prevention of exfiltration of sensitive data. This
allows you to enhance a predefined regex data pattern with more customized match criteria.
STEP 1 | Log in to the Strata Cloud Manager.

STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data
Patterns.

STEP 3 | Locate the predefined regex data pattern.

STEP 4 | Expand the Actions and Clone.

STEP 5 | Add the custom match criteria to specify data to include or exclude from inspection and
verdict rendering.
Up to 50,000 characters are supported in each field. You can add multiple custom match
criteria requirements in a single field separated by a semicolon (;). You can specify one, some,
or all of the custom match criteria fields.
• Include Matches Starting With—Inclusive match criteria to inspect for and trigger
Enterprise DLP enforcement for only data matches starting with one or more of the criteria
added.
This field is an AND operator.
• Include Matches End With—Inclusive match criteria to inspect for and trigger Enterprise
DLP enforcement for only data matches ending with one or more of the criteria added.
This field is an AND operator.
• Exclude Matches Starting With—Exclude match criteria from Enterprise DLP inspection and
enforcement for data matches starting with one or more of the criteria added.
This field is an OR operator.
• Exclude Matches Ending With—Exclude match criteria from Enterprise DLP inspection and
enforcement for data matches ending with one or more of the criteria added.
This field is an OR operator.
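How the four custom match criteria fields combine, as an added Python example (not code from the guide or from Enterprise DLP): the inclusion fields are treated as ANDed conditions, the exclusion fields as ORed ones, and each field accepts ';'-separated values as described above. The ACCOUNT_ID regex stands in for a cloned predefined pattern and is constructed; case-sensitive prefix and suffix comparison is an assumption.

```python
import re

FIELD_LIMIT = 50000  # characters supported in each custom match criteria field


def parse_criteria(field_value):
    """Split a ';'-separated custom match criteria field into its individual values."""
    if len(field_value) > FIELD_LIMIT:
        raise ValueError(f"custom match criteria field is limited to {FIELD_LIMIT} characters")
    return [v.strip() for v in field_value.split(";") if v.strip()]


def apply_custom_criteria(matches, include_start="", include_end="",
                          exclude_start="", exclude_end=""):
    """Filter the raw matches of a predefined regex pattern.

    Inclusion fields are ANDed: every populated include field must be satisfied
    (by any one of its values) for a match to be kept. Exclusion fields are ORed:
    a match that satisfies any value of any populated exclude field is dropped.
    """
    inc_s, inc_e = parse_criteria(include_start), parse_criteria(include_end)
    exc_s, exc_e = parse_criteria(exclude_start), parse_criteria(exclude_end)
    kept = []
    for m in matches:
        if inc_s and not any(m.startswith(p) for p in inc_s):
            continue
        if inc_e and not any(m.endswith(s) for s in inc_e):
            continue
        if any(m.startswith(p) for p in exc_s) or any(m.endswith(s) for s in exc_e):
            continue
        kept.append(m)
    return kept


# Constructed stand-in for a predefined regex pattern: a two-letter region code
# followed by eight digits, the shape an internal account identifier might have.
ACCOUNT_ID = re.compile(r"\b[A-Z]{2}\d{8}\b")


def find_account_ids(text, **criteria):
    """Run the cloned pattern, then apply the custom match criteria to its matches."""
    return apply_custom_criteria(ACCOUNT_ID.findall(text), **criteria)
```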

STEP 6 | Save.

STEP 7 | Add the data pattern to a data profile.


• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management

Create a Data Pattern on Panorama


After you set up Enterprise Data Loss Prevention (E-DLP) on Panorama or Prisma Access
(Panorama Managed), create data patterns to specify the match criteria and identify patterns
using regular expressions, file properties, and keywords that represent sensitive information
on your network. All data patterns you create are shared across all device groups. After you
successfully commit a custom data pattern to Panorama, it’s automatically synchronized to the
DLP app on the hub.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Objects > DLP > Data Filtering Patterns and specify the Device Group.

STEP 3 | Add a new data pattern.

STEP 4 | Specify a Type and criteria for the data pattern and specify a Name.
Use any of the following data pattern types:
• Regular Expression—Create regular expressions to use in the data pattern.
You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create
a basic or weighted regular expression. With weighted regular expressions, each text
entry is assigned a score and when the score threshold is exceeded, such as when enough
expressions from a pattern match an asset, Enterprise DLP will indicate that the asset is a
match for the pattern.
Then use the query builder in the Regular Expressions field to add either regular (Basic) or
weighted (Advanced) expressions.
You can enter one or more Proximity Keywords to use with the data filtering pattern.
Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords
to increase the probability Enterprise DLP accurately detects a regular expression match.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how
confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines
confidence level by inspecting the distance of regular expressions to proximity keywords.
• File Property—Add a file property pattern on which to match.
For data governance and protection of information, if you use classification labels or embed
tags in MS Office and PDF documents to include more information for audit and tracking
purposes, you can create a file property data pattern to match on the metadata or attributes
that are part of the custom or extended properties in the file. Regardless of whether you use
an automated classification mechanism, such as Titus, or require users to add a tag,
you can specify a name-value pair on which to match on a custom or extended property
embedded in the file.
Enterprise DLP supports file property data patterns in MS Office and PDF documents and
supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
Then add a Tag Name and Tag Value.
A Tag Name and Tag Value are an associated pair that specifies the property for which
you want to look (for example, you can specify a Tag Name of Label and a Tag Value
of Confidential). You can add as many file properties as you’d like and when you later
reference the file property data pattern in a data filtering profile, Enterprise DLP will use a
boolean OR match in the match criteria.

For files protected with Microsoft Azure Information Protection (AIP), you must
enter the full AIP label Name that you want to take action on. This can be either the
MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
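Weighted regular expressions and proximity keywords, as described for the Regular Expression type above and in STEP 6 and STEP 7 of Create a Custom Data Pattern on Cloud Management, shown in an added Python example (not code from the guide or from Enterprise DLP): each expression carries a score, the asset matches when the summed score reaches the threshold, and a keyword near a match raises the confidence level. The PAYROLL pattern is constructed, and PROXIMITY_WINDOW and the High default when no keywords are configured are assumptions, since the guide does not publish the distance it uses.

```python
import re
from dataclasses import dataclass


@dataclass
class WeightedExpression:
    regex: str
    score: int


@dataclass
class DataPattern:
    name: str
    expressions: list          # WeightedExpression entries; a Basic pattern is one entry scored at the threshold
    threshold: int             # score the matched expressions must reach for the asset to match
    proximity_keywords: tuple = ()


# Assumed character distance within which a proximity keyword counts as "near" a match.
PROXIMITY_WINDOW = 200


def score_pattern(pattern, text):
    """Add the score of every weighted expression that matches at least once.
    Returns (total_score, spans of all regex matches)."""
    total, spans = 0, []
    for expr in pattern.expressions:
        found = [m.span() for m in re.finditer(expr.regex, text)]
        if found:
            total += expr.score
            spans.extend(found)
    return total, spans


def keyword_confidence(pattern, text, spans):
    """High when some regex match lies within PROXIMITY_WINDOW characters of a proximity
    keyword (keywords aren't case-sensitive), Low otherwise. With no keywords configured
    there is nothing to lower confidence, so High is assumed."""
    if not pattern.proximity_keywords:
        return "High"
    for kw in pattern.proximity_keywords:
        for k in re.finditer(re.escape(kw), text, re.IGNORECASE):
            for start, end in spans:
                gap = max(0, start - k.end(), k.start() - end)  # 0 when they overlap
                if gap <= PROXIMITY_WINDOW:
                    return "High"
    return "Low"


def evaluate(pattern, text):
    """Verdict for one asset: does the weighted score reach the threshold, and at what confidence?"""
    total, spans = score_pattern(pattern, text)
    if total < pattern.threshold:
        return {"match": False, "score": total, "confidence": None}
    return {"match": True, "score": total, "confidence": keyword_confidence(pattern, text, spans)}


# Constructed weighted pattern (not one of the guide's predefined patterns): a payroll record
# is flagged when enough of its identifiers appear together.
PAYROLL = DataPattern(
    name="payroll-record (constructed)",
    expressions=[
        WeightedExpression(r"\b\d{3}-\d{2}-\d{4}\b", 5),   # SSN-shaped token
        WeightedExpression(r"\b\d{9}\b", 3),               # routing-number-shaped token
        WeightedExpression(r"\$\d[\d,]*\.\d{2}", 2),       # currency amount
    ],
    threshold=7,
    proximity_keywords=("payroll", "salary", "ssn"),
)

if __name__ == "__main__":
    sample = "Employee payroll: SSN 123-45-6789, routing 021000021, net $4,250.00"  # constructed
    print(evaluate(PAYROLL, sample))
```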

STEP 5 | Click OK to save the data pattern.

STEP 6 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 7 | Create a Data Filtering Profile on Panorama using one or more data patterns.

Enterprise DLP Profiles


To get started, you’ll first create a data pattern that specifies the information types and fields
that you want the firewall to filter. Then, you attach that pattern to a data filtering profile, which
specifies how you want to enforce the content that the firewall filters. Add the data filtering
profile to a Security policy rule to start filtering traffic matching the rule.
Enterprise Data Loss Prevention (E-DLP) profiles specify how you want to enforce the sensitive
content that you’re filtering. Predefined data filtering profiles have data patterns that include
industry-standard data identifiers, keywords, and built-in logic in the form of machine learning,
regular expressions, and checksums for legal and financial data patterns.
Enterprise DLP profiles are active only when they’re attached to a Security policy rule; they
scan traffic that matches the rule. If a user uploads a file that matches a data pattern, an alert is
triggered or the file is blocked (depending on the action you define in the DLP profile).
• Create a Data Profile on the DLP App
• Create a Data Profile with EDM Data Sets on the DLP App
• Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App
• Create a Data Profile with Nested Data Profiles on the DLP App
• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management
• Create a Data Profile to Detect Custom Documents
• Create a Data Filtering Profile on Panorama
• Create a Data Filtering Profile on Panorama for Non-File Detection
• Update a Data Profile on the DLP App
• Update a Data Profile on Cloud Management
• Update a Data Filtering Profile on Panorama

Create a Data Profile on the DLP App


After you create a data pattern on Panorama or the DLP app on the hub, create a data profile to
add multiple data patterns and specify matches and confidence levels. All predefined and custom
data profiles are available across all device groups. Custom data profiles created in the DLP app
that contain no EDM dataset patterns are viewable and can be modified on Panorama, Prisma
Access (Panorama Managed), Cloud Management, and the DLP app on the hub. Viewing a data
profile created on the DLP on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or
later release.
When you create a data profile using predefined data patterns, be sure to consider the detection
types used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.

Updating a data profile to include an EDM data set isn’t supported if the data profile did
not include an EDM data set when it was initially created.
If you want to create a data profile that combines a predefined or custom data pattern
and an EDM data set, see Create a Data Profile with Data Patterns and EDM Data
Sets on the DLP App.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | Select Data Profiles > Add Data Profile > Classic Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.

STEP 3 | Configure the Primary Rule for the data profile.

Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.

1. Enter a descriptive Data Profile Name.


2. Add Pattern Group and Add Data Pattern.
3. Define the match criteria.
• Data Pattern—Select a custom or predefined data pattern.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with a minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to
be taken (High or Low).
4. (Optional) Add Data Pattern to add additional data pattern match criteria to the Primary
rule.
5. (Optional) Add Data Pattern Group to add additional data pattern conditions using AND
or OR operators to the Primary Rule.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
6. (Optional) Configure a Secondary Rule.

Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data patterns by default and can’t be modified.
If you want to allow traffic that matches a data pattern match criteria, add it to
the Primary Rule.
7. Review the Data Profile Preview to verify the data profile match criteria.
8. Save the data profile.
After you save the data profile, it’s viewable on Panorama, Prisma Access (Panorama
Managed), and Cloud Management.

STEP 4 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Cloud Management
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.
• Panorama and Prisma Access (Panorama Managed)
See Update a Data Filtering Profile on Panorama for more information on which data profile
settings are editable on Panorama for a data profile created on Cloud Management.
1. Log in to the Panorama web interface.
2. Select Objects > DLP > Data Filtering Profiles and navigate to the data profile you
created.
3. (Optional) Edit the data profile Action to block traffic.
The Action for a data profile created on Cloud Management is configured to Alert by
default.

If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.

1. Select the data profile created on Cloud Management.


2. Set the data profile Action to Block traffic that matches the data profile match
criteria.
3. Select Commit > Commit to Panorama and Commit.
4. Click OK.
5. Select Commit > Push to Devices and Edit Selections.
6. Select Device Groups and Include Device and Network Templates.
7. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 5 | Attach the data profile to a Security policy rule.


• SaaS Security—Add a new asset rule and specify the match criteria using the data profile you
created.
• Prisma Access (Cloud Management)—Modify a DLP Rule for Prisma Access on Cloud
Management.
• Panorama and Prisma Access (Panorama Managed)
1. Log in to the Panorama web interface.
2. Select Policies > Security and specify the Device Group.
3. Select the Security policy rule to which you want to add the data profile.
4. Select Actions and set the Profile Type to Profiles.
5. Select the Data Filtering profile you created.
6. Click OK.
7. Select Commit and Commit and Push.

Create a Data Profile with EDM Data Sets on the DLP App
Create a data profile with exact data matching (EDM) data sets in the DLP app on the hub. Data
profiles with EDM data sets created in the DLP app are automatically synchronized with your
Panorama™ management server so you can use the data profile in your Security policy rules.
For the DLP cloud service to render a match verdict using the data profile, the primary and
secondary field values in scanned files must be within 100 characters of each other.
Otherwise, the DLP cloud service is unable to render a match verdict. Data profiles with an EDM
data set can only be created on the DLP app on the hub and are viewable on Panorama, Prisma
Access (Panorama Managed), Cloud Management, and the DLP app on the hub. Viewing a data
profile created on the DLP app on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or
later release.
After you set up the EDM CLI application and configure connectivity to the DLP cloud service,
you must upload an encrypted EDM data set to the DLP cloud service using a configuration file or
in Interactive mode before you can create a data profile with EDM data sets.

Updating a data profile to include only data patterns isn’t allowed if the data profile
includes at least one EDM data set when it was initially created. However, updating a
data profile that includes only EDM data sets to include EDM data sets and data patterns
is supported.
See Create a Data Profile on the DLP App to create a data profile containing only
predefined or custom data patterns.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | Select Data Profiles > Add Data Profile > Advanced Data Profiles.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.

STEP 3 | Create the Primary Rule for the data profile.


1. Enter a descriptive Data Profile Name.
2. Select the match criteria operator (AND or OR).
3. Add EDM Dataset.
4. Define the match criteria.
• EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with a minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
• Unique Occurrences—Check (enable) to detect only unique instances of traffic
matches. Only unique occurrences of traffic matches are counted toward the
specified Count.
This setting is disabled by default. Keep Unique Occurrences disabled if you want all
instances of traffic matches to count toward the specified Count.
5. Configure the EDM data set Primary Fields values.
1. Configure whether a Security policy rule action is taken if Any (OR) or All (AND)
primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
2. (Any(OR) only) Enter the Count to specify the number of instances of matched traffic
required to trigger a Security policy rule action. Range is 1 - 500.

When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column whose values occur up to
12 times in the selected EDM data set for the Primary Field. For example, if the
EDM data set contains columns for first name, last name, social security number, and
credit card number, add social security number and credit card number in the primary field.
6. (Optional) Select the Secondary Field values.
The list of available fields is populated from the selected EDM data set.

For the best results for exact data matching, include any columns that could
be repeated in the secondary field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card
number, add first name and last name in the secondary field.
7. (Optional) Add EDM Dataset to add additional data pattern conditions using AND or OR
operators to the Primary Rule.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
8. (Optional) Add Group to nest additional match criteria for an EDM data set so you can
more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added EDM data set. You can’t nest a new match criteria group between
existing EDM data sets. If multiple EDM data sets are added, you must remove the EDM
data sets that follow the EDM data set for which you want to add the nested match
criteria. For example, you added EDM_Dataset1, EDM_Dataset2, and EDM_Dataset3
to the Primary Rule. If you want to add nested match criteria to EDM_Dataset2,
you must first remove EDM_Dataset3 from the Primary Rule.
You can select the same EDM data set or a different EDM data set to more accurately
define your compliance rules. Nesting match criteria is supported only when the data
profile includes an EDM data set. Enterprise DLP supports up to three levels of additional
nesting groups for each EDM data set. You can nest additional EDM data sets under an
EDM data set added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.

STEP 4 | (Optional) Configure a Secondary Rule for the data profile.

Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data patterns by default and can’t be modified. If you want
to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.

STEP 5 | Review the Data Profile Preview to verify the data profile match criteria.

STEP 6 | Save the data profile.


Saved profiles are automatically synchronized to Panorama so you can apply the profile to a
Security policy rule.

STEP 7 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Prisma Access (Cloud Management)
1. Launch Prisma Access.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.
• Panorama and Prisma Access (Panorama Managed)
See Update a Data Filtering Profile on Panorama for more information on which data
profile settings are editable on Panorama for a data profile created on Prisma Access (Cloud
Management).
1. Log in to the Panorama web interface.
2. Select Objects > DLP > Data Filtering Profiles and navigate to the data profile you
created.
3. (Optional) Edit the data profile Action to block traffic.
The Action for a data profile created on the DLP app is configured to Alert by default.

If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.

1. Select the data profile created on DLP app.


2. Set the data profile Action to Block traffic that matches the data profile match
criteria.
3. Select Commit > Commit to Panorama and Commit.
4. Click OK.
5. Select Commit > Push to Devices and Edit Selections.
6. Select Device Groups and Include Device and Network Templates.
7. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 8 | Attach the data profile to a Security policy rule.


• Prisma Access (Cloud Management)—Modify a DLP Rule for Prisma Access on Cloud
Management.
• Panorama and Prisma Access (Panorama Managed)
1. Log in to the Panorama web interface.
2. Select Policies > Security and specify the Device Group.
3. Select the Security policy rule to which you want to add the data profile.
4. Select Actions and set the Profile Type to Profiles.
5. Select the Data Filtering profile you created.
6. Click OK.
7. Select Commit and Commit and Push.

Create a Data Profile with Data Patterns and EDM Data Sets on
the DLP App
Enterprise Data Loss Prevention (E-DLP) supports creation of data profiles that contain at least
one predefined or custom Enterprise DLP data pattern and at least one EDM dataset pattern.
Data profiles with a data pattern and an EDM data set can only be created on the DLP app on the
hub and are viewable on Panorama, Prisma Access (Panorama Managed), Cloud Management, and
the DLP app on the hub. Viewing a data profile created on the DLP app on Panorama requires
Panorama plugin for Enterprise DLP 1.0.4 or later release.
When you create a data profile using predefined data patterns, be sure to consider the detection
types used by the predefined data patterns because the detection type determines how
Enterprise DLP arrives at a verdict for scanned files.

Updating a data profile to include only data patterns isn’t allowed if the data profile
includes at least one EDM data set when it was initially created. However, updating a
data profile that includes only EDM data sets to include EDM data sets and data patterns
is supported.
See Create a Data Profile on the DLP App to create a data profile containing only
predefined or custom data patterns.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | Select Data Profiles > Add Data Profile > Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.

STEP 3 | Configure the Primary Rule for the data profile.

Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.

1. Enter a descriptive Data Profile Name.


2. Select the data pattern operator (AND or OR).
3. Add Data Pattern.
4. Define the data pattern match criteria.
• Data Pattern—Select a custom or predefined data pattern.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with a minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to
be taken (High or Low).
• Unique Occurrences—Check (enable) to detect only unique instances of traffic
matches. Only unique occurrences of traffic matches are counted toward the
specified Count.
This setting is disabled by default. Keep Unique Occurrences disabled if you want all
instances of traffic matches to count toward the specified Count.
5. Add EDM Dataset and define the match criteria.
See Create a Data Profile with EDM Data Sets on the DLP App for more information on
configuring EDM data set match criteria in a data profile.
• EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
6. Configure the EDM data set Primary Fields values.

1. Configure whether a Security policy rule action is taken if Any (OR) or All (AND)
primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
2. (Any(OR) only) Enter the Count to specify the number of instances of matched traffic
required to trigger a Security policy rule action. Range is 1 - 500.

When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column where the column values occur up to
12 times in the selected EDM data set for the Primary Field. For example, if the
EDM data set contains columns for first name, last name, social security number, and
credit card number, add social security number and credit card in the primary field.
7. (Optional) Add Group to nest additional match criteria for a data pattern or EDM data
set so you can more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added data pattern or EDM data set. You can’t nest a new match criteria group
between existing data patterns or EDM data sets. If multiple data patterns or EDM data
sets are added, you must remove the data patterns or EDM data sets that follow the
data pattern or EDM data set for which you want to add the nested match criteria. For
example, you added EDM_Dataset1, Data_Pattern2, and EDM_Dataset3 to the
Primary Rule. If you want to add nested match criteria to Data_Pattern2, you
must first remove EDM_Dataset3 from the Primary Rule.
You can select the same data pattern or EDM data set or a different data pattern or
EDM data set to more accurately define your compliance rules. Nesting match criteria is
supported only when the data profile includes an EDM data set. Enterprise DLP supports
up to three levels of additional nesting groups for each data pattern or EDM data set. You
can nest additional data patterns or EDM data sets under a data pattern or EDM data set
added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
8. (Optional) Configure a Secondary Rule.

Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data patterns by default and can’t be modified.
If you want to allow traffic that matches a data pattern match criteria, add it to
the Primary Rule.
9. Review the Data Profile Preview to verify the data profile match criteria.
10. Save the data profile.
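The occurrence conditions, Count, Unique Occurrences and nested AND/OR/NOT groups configured in the procedure above (and in the EDM data set procedure before it) combine into a single match decision for each scanned file. The following Python model is an added example; it is not Enterprise DLP code and not a documented API of the DLP cloud service, and it reproduces only the semantics this guide states. The hit dictionary, the `<dataset>.<column>` key naming for EDM columns, the `PatternCondition`, `EdmCondition` and `Group` names, the reading of the Any (OR) Count as the number of primary fields that must match, and the assumption that Less than or equal to still needs at least one instance are all this example's own assumptions.

```python
"""Added example, not Enterprise DLP code: a model of how the Primary Rule criteria
in this procedure combine into one verdict per scanned file. Only the semantics the
guide states are modelled (occurrence conditions, Count, Unique Occurrences, AND/OR
between criteria, nested AND/OR/NOT groups, Any/All over EDM primary fields)."""
from dataclasses import dataclass

COUNT_MIN, COUNT_MAX = 1, 500   # Count range stated in the guide
MAX_NESTING = 3                 # nested group levels stated in the guide


@dataclass
class PatternCondition:
    """One 'Add Data Pattern' row: a data pattern plus its occurrence condition."""
    pattern: str
    condition: str = "any"      # any | lte | gte | between
    count: int = 1              # Count (lower bound for 'between')
    count_high: int = 1         # upper bound for 'between' (inclusive)
    unique: bool = False        # Unique Occurrences checkbox

    def __post_init__(self):
        for c in (self.count, self.count_high):
            if not COUNT_MIN <= c <= COUNT_MAX:
                raise ValueError(f"Count {c} is outside {COUNT_MIN}-{COUNT_MAX}")

    def matches(self, hits: dict) -> bool:
        found = hits.get(self.pattern, [])
        # Unique Occurrences: count distinct matched strings instead of every instance
        n = len(set(found)) if self.unique else len(found)
        if self.condition == "any":
            return n >= 1
        if self.condition == "lte":
            return 1 <= n <= self.count   # assumption: at least one instance still required
        if self.condition == "gte":
            return n >= self.count
        if self.condition == "between":
            return self.count <= n <= self.count_high
        raise ValueError(f"unknown occurrence condition {self.condition!r}")


@dataclass
class EdmCondition:
    """One 'Add EDM Dataset' row; EDM column hits are keyed '<dataset>.<column>' (assumed)."""
    dataset: str
    primary_fields: list
    primary_mode: str = "all"   # all (AND) | any (OR)
    count: int = 1              # Any (OR) only: fields that must match (assumed meaning)

    def __post_init__(self):
        # Guide: with Any (OR) the maximum Count is one less than the number of fields
        if self.primary_mode == "any" and not 1 <= self.count <= len(self.primary_fields) - 1:
            raise ValueError("Any (OR) Count must be between 1 and number of fields - 1")

    def matches(self, hits: dict) -> bool:
        matched = {f for f in self.primary_fields if hits.get(f"{self.dataset}.{f}")}
        if self.primary_mode == "all":
            return matched == set(self.primary_fields)
        return len(matched) >= self.count


@dataclass
class Group:
    operator: str               # AND | OR | NOT (top-level rule or a nested 'Add Group')
    children: list              # PatternCondition, EdmCondition or Group items

    def matches(self, hits: dict) -> bool:
        results = [c.matches(hits) for c in self.children]
        if self.operator == "AND":
            return all(results)
        if self.operator == "OR":
            return any(results)
        if self.operator == "NOT":
            return not any(results)
        raise ValueError(f"unknown operator {self.operator!r}")


def nesting_depth(node) -> int:
    # Group levels below the top-level rule (the rule itself is level 0)
    if not isinstance(node, Group):
        return 0
    return max((1 + nesting_depth(c) for c in node.children if isinstance(c, Group)), default=0)


def evaluate(rule: Group, hits: dict) -> bool:
    """Verdict for one scanned file: True when the Primary Rule criteria matched."""
    if nesting_depth(rule) > MAX_NESTING:
        raise ValueError(f"more than {MAX_NESTING} nested group levels")
    return rule.matches(hits)


# Constructed scanner output for one file (placeholders, not real data): pattern -> matched strings
SAMPLE_HITS = {"Credit Card Number": ["CARD-A", "CARD-A", "CARD-B"],   # 3 hits, 2 unique
               "US SSN": ["SSN-1"],
               "EDM_Dataset1.ssn": ["SSN-1"], "EDM_Dataset1.credit_card": ["CARD-A"]}


def example_rule() -> Group:
    # Primary Rule: (3+ distinct card numbers) OR (an SSN AND a full EDM row match)
    return Group("OR", [
        PatternCondition("Credit Card Number", "gte", count=3, unique=True),
        Group("AND", [PatternCondition("US SSN", "any"),
                      EdmCondition("EDM_Dataset1", ["ssn", "credit_card"], "all")]),
    ])
```

Running `evaluate(example_rule(), SAMPLE_HITS)` returns True only through the AND branch: the same three card-number hits satisfy More than or equal to 3 with Unique Occurrences off but not with it on, which is the difference to check when a file repeats the same value many times. `evaluate` also refuses a rule with more than three nested group levels, mirroring the limit stated above.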

STEP 4 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Prisma Access (Cloud Management)
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.
• Panorama and Prisma Access (Panorama Managed)
See Update a Data Filtering Profile on Panorama for more information on which data
profile settings are editable on Panorama for a data profile created on Prisma Access (Cloud
Management).
1. Log in to the Panorama web interface.
2. Select Objects > DLP > Data Filtering Profiles and navigate to the data profile you
created.
3. (Optional) Edit the data profile Action to block traffic.
The Action for a data profile created on the Prisma Access (Cloud Management) is
configured to Alert by default.

If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.

1. Select the data profile created on Prisma Access (Cloud Management).


2. Set the data profile Action to Block traffic that matches the data profile match
criteria.
3. Select Commit > Commit to Panorama and Commit.
4. Click OK.
5. Select Commit > Push to Devices and Edit Selections.
6. Select Device Groups and Include Device and Network Templates.
7. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 5 | Attach the data profile to a Security policy rule.


• Prisma Access (Cloud Management)—Modify a DLP Rule for Prisma Access on Cloud
Management.
• Panorama and Prisma Access (Panorama Managed)
1. Log in to the Panorama web interface.
2. Select Policies > Security and specify the Device Group.
3. Select the Security policy rule to which you want to add the data profile.
4. Select Actions and set the Profile Type to Profiles.
5. Select the Data Filtering profile you created.
6. Click OK.
7. Select Commit and Commit and Push.

Create a Data Profile with Nested Data Profiles on the DLP App
Enterprise Data Loss Prevention (E-DLP) supports creating a single data profile that contains
multiple nested data profiles. Creating a single data profile that contains multiple nested data
profiles allows you to consolidate match criteria to prevent exfiltration of sensitive data to a
single data profile that can be used in a single Security policy rule. This allows you to simplify the
management of sensitive data leaving your network and reduces the need to manage multiple
Security policy rules and data profiles. A data profile that contains multiple nested data profiles
created on the DLP app on the hub is viewable on Panorama, Prisma Access (Panorama Managed),
Cloud Management, and the DLP app on the hub. Viewing a data profile created on the DLP app
on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later release.
When you create a data profile that contains predefined data profiles and patterns, be sure to
consider the detection types used by the predefined data patterns because the detection type
determines how Enterprise DLP arrives at a verdict for scanned files.

• Adding, deleting, or otherwise modifying the nested data profiles you add to a data
profile is supported only from the DLP app on the hub and Cloud Management, but
not from Panorama.
• Adding a nested data profile to another nested data profile is not supported.
• Nesting a data profile that includes an EDM data set to an existing data profile if one
wasn’t included when the data profile was originally created is supported.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | (Optional) Create your data profiles on the DLP app.


You can create a data profile that contains multiple data profiles using both predefined data
profiles and custom data profiles you create.
• Create a Data Profile on the DLP App
• Create a Data Profile with EDM Data Sets on the DLP App
• Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App

STEP 3 | Select Data Profiles > Add Data Profile > Nested Data Profiles.
You can also create a new data profile by copying an existing data profile that already contains
multiple data profiles. This allows you to quickly modify an existing data profile with additional
data profile match criteria while preserving the original data profile from which the new data
profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>.

STEP 4 | Enter the Data Profile Name.

STEP 5 | Configure the Primary Rule for the data profile.


Add Data Profile to add predefined or custom data profiles. Repeat this step to include
additional data profiles.
Data profile match criteria for traffic that you want to allow must be added to the Primary
Rule. Data profiles match criteria for traffic that you want to block can be added to either
Primary Rule or Secondary Rule.
A data profile containing multiple data profiles supports any combination of data profiles with
data patterns only, data patterns and EDM data sets, and EDM data sets only.

Only the OR operator is supported.

STEP 6 | (Optional) Configure a Secondary Rule.


Add Data Profile to add predefined or custom data profiles. Repeat this step to include
additional data profiles.
Data profile match criteria added to the Secondary Rule block all traffic that meets the match
criteria for the data profile by default and can’t be modified. If you want to allow traffic that
matches a data profile match criteria, add it to the Primary Rule.
A data profile containing multiple data profiles supports any combination of data profiles with
data patterns only, data patterns and EDM data sets, and EDM data sets only.

Only the OR operator is supported.

STEP 7 | Save the data profile.

STEP 8 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Cloud Management
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.
• Panorama and Prisma Access (Panorama Managed)
See Update a Data Filtering Profile on Panorama for more information on which data profile
settings are editable on Panorama for a data profile created on the DLP app.
1. Log in to the Panorama web interface.
2. Select Objects > DLP > Data Filtering Profiles and navigate to the data profile you
created.
3. (Optional) Edit the data profile Action to block traffic.
The Action for a data profile created on the DLP app is configured to Alert by default.

If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.

1. Select the data profile created on the DLP app.


2. Set the data profile Action to Block traffic that matches the data profile match
criteria.
3. Select Commit > Commit to Panorama and Commit.
4. Click OK.
5. Select Commit > Push to Devices and Edit Selections.
6. Select Device Groups and Include Device and Network Templates.
7. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 9 | Attach the data profile to a Security policy rule.


• Cloud Management—Modify a DLP Rule for Prisma Access on Cloud Management.
• Panorama and Prisma Access (Panorama Managed)
1. Log in to the Panorama web interface.
2. Select Policies > Security and specify the Device Group.
3. Select the Security policy rule to which you want to add the data profile.
4. Select Actions and set the Profile Type to Profiles.
5. Select the Data Filtering profile you created.
6. Click OK.
7. Select Commit and Commit and Push.

Create a Data Profile on Cloud Management


After you create a data pattern on Cloud Management, create a data profile to add multiple data
patterns and specify match criteria and confidence levels. All predefined and custom data profiles
are available across all device groups. Data profiles created on Cloud Management that contain no
EDM dataset patterns are viewable and can be modified on Panorama, Prisma Access (Panorama
Managed), Cloud Management, and the DLP app on the hub.
When you create a data profile using predefined data patterns, be sure to consider the detection
types used by the predefined data patterns because the detection type determines how
Enterprise data loss prevention (DLP) arrives at a verdict for scanned files.

Updating a data profile to include an EDM data set isn’t supported if the data profile
didn’t include an EDM data set when it was initially created.
If you want to create a data profile that combines a predefined or custom data pattern
and an EDM data set, see Create a Data Profile with Data Patterns and EDM Data
Sets on Cloud Management.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profile > Classic Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.

STEP 3 | Configure the Primary Rule for the data profile.

Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.

1. Enter a descriptive Data Profile Name.


2. Add Pattern Group and Add Data Pattern.
3. Configure the match criteria.
• Data Pattern—Select a custom or predefined data pattern.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with a minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to
be taken (High or Low).
4. (Optional) Add Data Pattern to add additional data pattern match criteria to the Primary
rule.
5. (Optional) Add Data Pattern Group to add additional data pattern conditions using AND
or OR operators to the Primary Rule.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
6. (Optional) Configure a Secondary Rule.

Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data pattern conditions. If you want to allow
traffic that matches a data pattern match criteria, add it to the Primary Rule.
7. Review the Data Profile Preview to verify the data profile match criteria.
8. Save the data profile.
After you save the data profile, it’s viewable on Panorama, Prisma Access (Panorama
Managed), Cloud Management, and the DLP app.

STEP 4 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Cloud Management
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.

STEP 5 | Modify a DLP Rule for Prisma Access on Cloud Management.

Create a Data Profile with EDM Data Sets on Cloud Management


Create a data profile with Exact Data Matching (EDM) data sets on Cloud Management. Data
profiles with EDM data sets created on Cloud Management are automatically synchronized with
your Panorama™ management server so you can use the data profile in your Security policy rules.
In order for the DLP cloud service to render a match verdict using the data profile, the primary
and secondary field values in a scanned file must be within 100 characters of each other.
Otherwise, the DLP cloud service is unable to render a match verdict. Data profiles with EDM
data sets created on Cloud Management are viewable on Panorama, Prisma Access (Panorama
Managed), Cloud Management, and the DLP app on the hub. Viewing a data profile created on
Cloud Management on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later
release.
After you set up the EDM CLI application and configure connectivity to the DLP cloud service,
you must upload an encrypted EDM data set to the DLP cloud service using a configuration file or
in Interactive mode before you can create a data profile with EDM data sets.
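To make the 100-character proximity requirement above concrete, here is an added Python example; it is not Enterprise DLP code and does not describe how the DLP cloud service is implemented. It assumes that the distance is measured between the start offsets of a primary-field value and a secondary-field value of the same record, that values are matched as whole tokens, and it uses a constructed EDM record and sample texts; the `EdmRecord`, `find_all`, `edm_matches` and `verdict` names are the example's own.

```python
"""Added example, not Enterprise DLP code: the proximity requirement stated above
applied to one scanned text. A primary-field value from an EDM record only counts
when a secondary-field value of the same record appears within PROXIMITY_CHARS
characters of it. How the DLP cloud service measures distance is not documented;
this example assumes it is the gap between the start offsets of the two values."""
import re
from dataclasses import dataclass

PROXIMITY_CHARS = 100   # stated in the guide


@dataclass
class EdmRecord:
    """One row of an EDM data set, split into primary and secondary columns."""
    primary: dict       # column -> value, e.g. {"ssn": "..."}
    secondary: dict     # column -> value, e.g. {"first_name": "...", "last_name": "..."}


def find_all(text: str, value: str) -> list:
    """Start offsets of every whole-token occurrence of value in text."""
    pattern = r"(?<!\w)" + re.escape(value) + r"(?!\w)"
    return [m.start() for m in re.finditer(pattern, text)]


def edm_matches(text: str, record: EdmRecord) -> list:
    """(primary_column, offset, secondary_column, offset) for each primary value
    that has a secondary value of the same record within PROXIMITY_CHARS."""
    secondary_hits = [(col, off) for col, val in record.secondary.items()
                      for off in find_all(text, val)]
    found = []
    for pcol, pval in record.primary.items():
        for poff in find_all(text, pval):
            for scol, soff in secondary_hits:
                if abs(soff - poff) <= PROXIMITY_CHARS:
                    found.append((pcol, poff, scol, soff))
    return found


def verdict(text: str, record: EdmRecord) -> bool:
    """True when the proximity rule lets the EDM match count for this record."""
    return bool(edm_matches(text, record))


# Constructed sample record and texts; the values are placeholders, not real data.
SAMPLE_RECORD = EdmRecord(primary={"ssn": "000-00-1234"},
                          secondary={"first_name": "Alex", "last_name": "Example"})
CLOSE_TEXT = "Employee: Alex Example. SSN on file: 000-00-1234."
FAR_TEXT = "Alex Example" + " -" * 110 + " 000-00-1234"   # names about 230 chars before the SSN


if __name__ == "__main__":
    print("close:", verdict(CLOSE_TEXT, SAMPLE_RECORD))   # True
    print("far:  ", verdict(FAR_TEXT, SAMPLE_RECORD))     # False
```

The second sample shows the failure mode worth testing before relying on a profile: a file that lists names in one section and identifiers far below them carries the same record, yet yields no EDM match because the values are more than 100 characters apart.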

Updating a data profile to include only data patterns isn’t supported if the data profile
includes at least one EDM data set when it was initially created. However, updating a data
profile that includes only EDM data sets to include data patterns is supported.
See Create a Data Profile on Cloud Management to create a data profile containing
only predefined or custom data patterns.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profile > Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you to
modify an existing data profile with additional match criteria while preserving the original data
profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.

STEP 3 | Create the Primary Rule for the data profile.


1. Enter a descriptive Data Profile Name.
2. Select the match criteria operator (AND or OR).
3. Add EDM Dataset.
4. Define the match criteria.
• EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
• Any—Security policy rule action triggered if Enterprise DLP detects at least one
instance of matched traffic.
• Less than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with the maximum being the specified Count.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects instances of matched traffic, with a minimum being the specified Count.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
• Unique Occurrences—Check (enable) to detect only unique instances of traffic
matches. Only unique occurrences of traffic matches are counted toward the
specified Count.
This setting is disabled by default. Keep Unique Occurrences disabled if you want all
instances of traffic matches to count toward the specified Count.
5. Configure the Primary Field values.
1. Configure whether a Security policy rule action is taken if Any (OR) or All (AND)
primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
2. (Any(OR) only) Enter the Count to specify the number of instances of matched traffic
required to trigger a Security policy rule action. Range is 1 - 500.

When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column where the column values occur up to
12 times in the selected EDM data set for the Primary Field. For example, if the
EDM data set contains columns for first name, last name, social security number, and
credit card number, add social security number and credit card in the primary field.
6. (Optional) Select the Secondary Field values.
The list of available fields is populated from the selected EDM data set.

For the best results for exact data matching, include any columns that could
be repeated in the secondary field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card
number, add first name and last name in the secondary field.
7. (Optional) Add EDM Dataset to add additional data pattern conditions.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
8. (Optional) Add Group to nest additional match criteria for an EDM data set so you can
more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added EDM data set. You can’t nest a new match criteria group between
existing EDM data sets. If multiple EDM data sets are added, you must remove the EDM
data sets that follow the EDM data set for which you want to add the nested match
criteria. For example, you added EDM_Dataset1, EDM_Dataset2, and EDM_Dataset3
to the Primary Rule. If you want to add nested match criteria to EDM_Dataset2,
you must first remove EDM_Dataset3 from the Primary Rule.
You can select the same EDM data set or a different EDM data set to more accurately
define your compliance rules. Nesting match criteria is supported only when the data
profile includes an EDM data set. Enterprise DLP supports up to three levels of additional
nesting groups for each EDM data set. You can nest additional EDM data sets under an
EDM data set added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.

STEP 4 | (Optional) Configure a Secondary Rule for the data profile.

Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data pattern conditions. If you want to allow traffic that
matches a data pattern match criteria, add it to the Primary Rule.

STEP 5 | Review the Data Profile Preview to verify the data profile match criteria.

STEP 6 | Save the data profile.


After you save the data profile, it’s viewable on Panorama, Prisma Access (Panorama
Managed), Cloud Management, and the DLP app.

STEP 7 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Cloud Management
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.

STEP 8 | Modify a DLP Rule for Prisma Access on Cloud Management.

Create a Data Profile with Data Patterns and EDM Data Sets on
Cloud Management
Enterprise Data Loss Prevention (E-DLP) supports creation of data profiles that contain at least
one predefined or custom Enterprise DLP data pattern and at least one EDM dataset pattern.
Data profiles with a data pattern and an EDM data set created on Cloud Management are
viewable on Panorama, Prisma Access (Panorama Managed), Cloud Management, and the DLP
app on the hub. Viewing a data profile created on Cloud Management on Panorama requires
Panorama plugin for Enterprise DLP 1.0.4 or later release.

When you create a data profile using predefined data patterns, be sure to consider the detection
types used by the predefined data patterns because the detection type determines how
Enterprise DLP arrives at a verdict for scanned files.

Updating a data profile to include only data patterns isn’t supported if the data profile
includes at least one data pattern and one EDM data set when it was initially created.
However, updating a data profile that includes both EDM data sets and data patterns to
only include EDM data sets is supported.
See Create a Data Profile on Cloud Management to create a data profile containing
only predefined or custom data patterns. See Create a Data Profile with EDM Data Sets
on Cloud Management to create a data profile containing only EDM data sets.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profile > Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.

Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.

STEP 3 | Configure the Primary Rule for the data profile.

Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.

1. Enter a descriptive Data Profile Name.


2. Select the data pattern operator (AND or OR).
3. Add Data Pattern.
4. Define the data pattern match criteria.
• Data Pattern—Select a custom or predefined data pattern.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
  • Any—Security policy rule action triggered if Enterprise DLP detects at least one
  instance of matched traffic.
  • Less than or equal to—Security policy rule action triggered if Enterprise DLP
  detects instances of matched traffic, with the maximum being the specified Count.
  • More than or equal to—Security policy rule action triggered if Enterprise DLP
  detects instances of matched traffic, with a minimum being the specified Count.
  • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
  any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to
be taken (High or Low).
• Unique Occurrences—Check (enable) to detect only unique instances of traffic
matches. Only unique occurrences of traffic matches are counted toward the
specified Count.
This setting is disabled by default. Keep Unique Occurrences disabled if you want all
instances of traffic matches to count toward the specified Count.
5. Add EDM Dataset and define the match criteria.
See Create a Data Profile with EDM Data Sets on Cloud Management for more
information on configuring EDM data set match criteria in a data profile.
• EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.
• Occurrence Condition—Specify the occurrences condition required to trigger a
Security policy rule action.
  • Any—Security policy rule action triggered if Enterprise DLP detects at least one
  instance of matched traffic.
  • Less than or equal to—Security policy rule action triggered if Enterprise DLP
  detects instances of matched traffic, with the maximum being the specified Count.
  • More than or equal to—Security policy rule action triggered if Enterprise DLP
  detects instances of matched traffic, with a minimum being the specified Count.
  • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
  any number of instances of matched traffic between the specific Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
6. Configure the EDM data set Primary Fields values.
1. Configure whether a Security policy rule action is taken if Any (OR) or All (AND)
primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
2. (Any(OR) only) Enter the Count to specify the number of instances of matched traffic
required to trigger a Security policy rule action. Range is 1 - 500.

When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column where the column values occur up to
12 times in the selected EDM data set for the Primary Field. For example, if the
EDM data set contains columns for first name, last name, social security number, and
credit card number, add social security number and credit card in the primary field.
7. (Optional) Add Group to nest additional match criteria for a data pattern or EDM data
set so you can more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added data pattern or EDM data set. You can’t nest a new match criteria group
between existing data patterns or EDM data sets. If multiple data patterns or EDM data
sets are added, you must remove the data patterns or EDM data sets that follow the
data pattern or EDM data set for which you want to add the nested match criteria. For
example, if you added EDM_Dataset1, Data_Pattern2, and EDM_Dataset3 to the
Primary Rule and want to add nested match criteria to Data_Pattern2, you
must first remove EDM_Dataset3 from the Primary Rule.
You can select the same data pattern or EDM data set or a different data pattern or EDM
data set to more accurately define your compliance rules. Nesting match criteria is
supported only when the data profile includes an EDM data set. Enterprise DLP supports
up to three levels of additional nesting groups for each data pattern or EDM data set. You
can nest additional data patterns or EDM data sets under a data pattern or EDM data set
added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
8. (Optional) Configure a Secondary Rule.

Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data pattern conditions. If you want to allow
traffic that matches a data pattern match criteria, add it to the Primary Rule.
9. Review the Data Profile Preview to verify the data profile match criteria.
10. Save the data profile.
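The Python model below is added as an example and is not code from this guide or from the Enterprise DLP product. It shows how the match criteria described in this procedure combine: each data pattern line has an Occurrence Condition (Any, Less than or equal to, More than or equal to, Between) with a Count of 1 - 500 and an optional Unique Occurrences toggle; lines and nested groups combine with AND, OR and NOT up to three levels of additional nesting; and Secondary Rule criteria always block while the Primary Rule carries the configured action. The Condition, Group, rule_problems and verdict names are assumptions, the two regexes are simplified stand-ins for the predefined data patterns (which are far more elaborate in the product), and the model assumes that zero matches never triggers a "Less than or equal to" condition.

```python
"""Model of how data-profile match criteria combine into a verdict (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Union

# Constructed sample content standing in for a scanned file.
SAMPLE_TEXT = """
Payroll export
ssn: 123-45-6789
ssn: 123-45-6789
ssn: 987-65-4321
card: 4111 1111 1111 1111
"""

# Hypothetical stand-ins for predefined data patterns (deliberately simplified).
PATTERNS = {
    "US SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Credit Card": re.compile(r"\b(?:\d{4}[ -]?){4}\b"),
}

MAX_EXTRA_NESTING = 3  # up to three levels of additional nesting groups


@dataclass
class Condition:
    """One data pattern line: pattern, Occurrence Condition, Count, Unique Occurrences."""
    pattern: str
    occurrence: str = "any"   # any | lte | gte | between
    count: int = 1            # Count, range 1 - 500
    count_max: int = 1        # upper bound of the Between (inclusive) range
    unique: bool = False      # Unique Occurrences: count distinct matches only

    def problems(self) -> List[str]:
        out = []
        if self.occurrence != "any" and not 1 <= self.count <= 500:
            out.append(f"{self.pattern}: Count must be 1 - 500")
        if self.occurrence == "between" and self.count_max < self.count:
            out.append(f"{self.pattern}: Between range is inverted")
        return out

    def evaluate(self, text: str) -> bool:
        matches = PATTERNS[self.pattern].findall(text)
        n = len(set(matches)) if self.unique else len(matches)
        if self.occurrence == "any":
            return n >= 1
        if self.occurrence == "lte":
            return 1 <= n <= self.count  # assumption: zero matches never triggers
        if self.occurrence == "gte":
            return n >= self.count
        if self.occurrence == "between":
            return self.count <= n <= self.count_max
        raise ValueError(f"unknown occurrence condition {self.occurrence!r}")


@dataclass
class Group:
    """A rule or nested group: AND, OR or NOT over conditions and further groups."""
    operator: str
    children: List[Union["Condition", "Group"]] = field(default_factory=list)

    def evaluate(self, text: str) -> bool:
        results = [child.evaluate(text) for child in self.children]
        if self.operator == "AND":
            return all(results)
        if self.operator == "OR":
            return any(results)
        if self.operator == "NOT":
            return not any(results)
        raise ValueError(f"unknown operator {self.operator!r}")


def extra_nesting(node) -> int:
    """Number of group levels nested beneath this node (0 for a flat rule)."""
    if isinstance(node, Condition):
        return 0
    return max((extra_nesting(c) + 1 for c in node.children if isinstance(c, Group)), default=0)


def rule_problems(rule: Group) -> List[str]:
    """Configuration checks a practitioner would run before saving the profile."""
    out = []
    if extra_nesting(rule) > MAX_EXTRA_NESTING:
        out.append("more than three levels of nested match criteria")
    stack = [rule]
    while stack:
        node = stack.pop()
        if isinstance(node, Condition):
            out.extend(node.problems())
        else:
            stack.extend(node.children)
    return out


def verdict(primary: Group, primary_action: str, secondary: Optional[Group], text: str) -> str:
    """Secondary Rule criteria always block; the Primary Rule carries the configured action."""
    if secondary is not None and secondary.evaluate(text):
        return "block"
    if primary.evaluate(text):
        return primary_action
    return "no-match"


if __name__ == "__main__":
    three_ssn = Condition("US SSN", "gte", count=3)
    print(three_ssn.evaluate(SAMPLE_TEXT), Condition("US SSN", "gte", 3, unique=True).evaluate(SAMPLE_TEXT))
    print(verdict(Group("OR", [three_ssn]), "allow", Group("OR", [Condition("Credit Card")]), SAMPLE_TEXT))
```

The sample shows the effect of Unique Occurrences directly: the text carries three SSN instances but only two distinct values, so "More than or equal to 3" triggers with the toggle off and stays quiet with it on.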

STEP 4 | Modify a DLP Rule for Prisma Access on Cloud Management.

Create a Data Profile with Nested Data Profiles on Cloud Management
Enterprise Data Loss Prevention (E-DLP) supports creating a single data profile that contains
multiple nested data profiles. Creating a single data profile that contains multiple nested data
profiles allows you to consolidate the match criteria to prevent exfiltration of sensitive data to a
single data profile that can be used in a single Security policy rule. This allows you to simplify the
management of sensitive data leaving your network and reduces the need to manage multiple
Security policy rules and data profiles. A data profile that contains multiple nested data profiles
created on Cloud Management is viewable on Panorama, Prisma Access (Panorama Managed),
Cloud Management, and the DLP app on the hub. Viewing a data profile created on the DLP app
on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later release.

When you create a data profile that contains predefined data profiles and patterns, be sure to
consider the detection types used by the predefined data patterns because the detection type
determines how Enterprise DLP arrives at a verdict for scanned files.

• Adding, deleting, or otherwise modifying the nested data profiles you add to a data
profile is supported only from the DLP app on the hub and Cloud Management, but
not from Panorama.
• Adding a nested data profile to another nested data profile is not supported.
• Nesting a data profile that includes an EDM data set to an existing data profile if one
wasn’t included when the data profile was originally created is supported.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | (Optional) Create your data profiles on Cloud Management.


You can create a data profile that contains multiple data profiles using both predefined data
profiles and custom data profiles you create.
• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management

STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profiles > Nested Data Profiles.
You can also create a new data profile by copying an existing data profile that already contains
multiple data profiles. This allows you to quickly modify an existing data profile with additional
data profile match criteria while preserving the original data profile from which the new data
profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>.

STEP 4 | Enter the Data Profile Name.

STEP 5 | Configure the Primary Rule for the data profile.


Add Data Profile to add predefined or custom data profiles. Repeat this step to include
additional data profiles.
Data profile match criteria for traffic that you want to allow must be added to the Primary
Rule. Data profiles match criteria for traffic that you want to block can be added to either
Primary Rule or Secondary Rule.
A data profile containing multiple data profiles supports any combination of data profiles with
data patterns only, data patterns and EDM data sets, and EDM data sets only.

Only the OR operator is supported.

STEP 6 | (Optional) Configure a Secondary Rule.


Add Data Profile to add predefined or custom data profiles. Repeat this step to include
additional data profiles.
Data profile match criteria added to the Secondary Rule block all traffic that meets the match
criteria for the data profile by default and can’t be modified. If you want to allow traffic that
matches a data profile match criteria, add it to the Primary Rule.
A data profile containing multiple data profiles supports any combination of data profiles with
data patterns only, data patterns and EDM data sets, and EDM data sets only.

Only the OR operator is supported.

STEP 7 | Save the data profile.

STEP 8 | Verify the data profile you created.


• DLP App on the hub—Log in to the DLP app on the hub as a Superuser and select Data
Profiles to view the data profile you created.
• Cloud Management
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention and search
for the data profile you created.
• Panorama and Prisma Access (Panorama Managed)
See Update a Data Filtering Profile on Panorama for more information on which data profile
settings are editable on Panorama for a data profile created on Cloud Management.

If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.

1. Select the data profile created on Cloud Management.


2. Set the data profile Action to Block traffic that matches the data profile match criteria.
3. Select Commit > Commit to Panorama and Commit.
4. Click OK.
5. Select Commit > Push to Devices and Edit Selections.
6. Select Device Groups and Include Device and Network Templates.
7. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 9 | Modify a DLP Rule for Prisma Access on Cloud Management.

Create a Data Filtering Profile on Panorama


After you create a data pattern on Panorama or Prisma Access (Panorama Managed), create a
data filtering profile to add multiple data patterns and specify matches and confidence levels. All
predefined and custom data filtering profiles are available across all device groups.
When you create a data filtering profile using predefined data patterns, be sure to consider the
detection type used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | Edit the Enterprise DLP Data Filtering Settings to configure the minimum and maximum data
size limits and the actions the firewall takes when uploading files to the DLP cloud service.

STEP 3 | (Optional) Create one or more Enterprise DLP data patterns.

STEP 4 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.

STEP 5 | Add a new data filtering profile.

STEP 6 | Define the match criteria.


• If you select Basic, configure the following:
• Primary Pattern—Add one or more data patterns to specify as the match criteria.
If you specify more than one data pattern, the managed firewall uses a boolean OR
match in the match criteria.
• Match—Select whether the pattern you specify should match (include) or not match
(exclude) the specified criteria.
• Operator—Select a boolean operator to use with the Threshold parameter. Specify Any
to ignore the threshold.
  • Any—Security policy rule action triggered if Enterprise DLP detects at least one
  instance of matched traffic.
  • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects
  instances of matched traffic, with the maximum being the specified Threshold.
  • More than or equal to—Security policy rule action triggered if Enterprise DLP detects
  instances of matched traffic, with a minimum being the specified Threshold.
  • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
  any number of instances of matched traffic between the specific Threshold range.
• Threshold—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
more_than_or_equal_to as the Operator and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to be
taken (High or Low).

• If you select Advanced, you can create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the
page.
Specify the values in the order that they’re shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence).

STEP 7 | Select an Action (Alert or Block) to perform on the file.

If the data filtering profile has both Primary and Secondary Patterns, changing the
data profile Action on Panorama deletes all Secondary Pattern match criteria.

STEP 8 | Specify the file types the DLP cloud service takes action against.
• DLP plugin 4.0.0 and earlier releases
Select the File Type. By default, any is selected and inspects all supported file types.
• DLP plugin 4.0.1 and later releases
1. Select File Types.
2. Select the Scan Type to create a file type include or exclude list.
• Include—DLP cloud service inspects only the file types you add to the File Type Array.
• Exclude—DLP cloud service inspects all supported file types except for those added
to the File Type Array.
3. Click Modify to add the file types to the File Type Array and click OK.

STEP 9 | Select upload as the Direction.

Downloads aren’t supported.

STEP 10 | (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Informational.

STEP 11 | Click OK to save your changes.

STEP 12 | Attach the data filtering profile to a Security policy rule.


1. Select Policies > Security and specify the Device Group.
2. Select the Security policy rule to which you want to add the data filtering profile.
3. Select Actions and set the Profile Type to Profiles.
4. Select the Data Filtering profile you created previously.
5. Click OK.

STEP 13 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Create a Data Filtering Profile on Panorama for Non-File Detection
Create a data filtering profile on the Panorama management server to scan for sensitive data
outside of file-based traffic. After you create a data pattern on Panorama, create a data filtering
profile to add multiple data patterns and specify matches and confidence levels for all non-file
traffic you need to inspect. All predefined and custom data filtering profiles are available across all
device groups.
A data filtering profile configured for detection of non-file traffic allows you to configure URL
and application exclusion lists. The URL and application exclusion lists allow you to select Shared
URL and application traffic to exclude from inspection. For the application exclusion list, at least
one application exclusion is required to create a data filtering profile for inspecting non-file
traffic. The predefined DLP App Exclusion Filter is provided containing commonly used
applications that can be safely excluded from inspection. When you create a data filtering profile
using predefined data patterns, be sure to consider the detection type used by the predefined
data patterns because the detection type determines how Enterprise Data Loss Prevention (E-
DLP) arrives at a verdict for scanned files.
Creating a data filtering profile on Panorama for non-file detection is supported on Panorama and
managed firewalls running PAN-OS 10.2.1 or later release and Panorama plugin for Enterprise
DLP 3.0.1 or later release. If you downgrade from PAN-OS 10.2.1 or later release and Enterprise
DLP plugin 3.0.1 or later release to PAN-OS 10.1 and Enterprise DLP plugin 1.0, data filtering
profiles created on Panorama for non-file inspection are automatically converted into file-based
data filtering profiles.
STEP 1 | Log in to the Panorama web interface.

STEP 2 | (Optional) Create one or more Enterprise DLP data patterns.

STEP 3 | Edit the Enterprise DLP Non-File Data Filtering Settings to configure the minimum and
maximum data size limits and the actions the firewall takes when uploading non-file data to
the DLP cloud service.

Palo Alto Networks recommends verifying that Enable Non File DLP is enabled after
you install Panorama plugin for Enterprise DLP 3.0.1.

STEP 4 | (Optional) Create a custom application filter or application group to define predefined or
custom application traffic you want to exclude from inspection.
The application filter and application group must be Shared to be used in the data filtering
profile application exclusion list. Data filtering profiles for non-file traffic inspection support
both custom application filters and application groups. You aren’t required to add both.
• Create a Custom Application Filter
• Create an Application Group

STEP 5 | (Optional) Create a custom URL category to define URL traffic you want to exclude from
inspection.
The URL category must be Shared to be used in the data filtering profile URL exclusion list.

To include the custom URL category in the URL exclusion list of a data filtering profile,
adding the custom URL category to a URL Filtering profile isn’t required.

STEP 6 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.

STEP 7 | Add a new data filtering profile.

STEP 8 | (Optional) Configure the data filtering profile to scan File Based traffic.
Data filtering profiles support scanning both file based and non-file based traffic. Select Yes
to scan for both file based and non-file based traffic. Select No to only scan for non-file based
traffic. Configuring the data filtering profile not to scan for file based traffic has no impact on
scanning non-file based traffic.

STEP 9 | Configure the data filtering profile to scan Non-File Based traffic.
Select Yes to scan for non-file based traffic.

STEP 10 | Define the match criteria.


• If you select Basic, configure the following:
• Primary Pattern—Add one or more data patterns to specify as the match criteria.
If you specify more than one data pattern, the managed firewall uses a boolean OR
match in the match criteria.
• Match—Select whether the pattern you specify should match (include) or not match
(exclude) the specified criteria.
• Operator—Select a boolean operator to use with the Threshold parameter. Specify Any
to ignore the threshold.
  • Any—Security policy rule action triggered if Enterprise DLP detects at least one
  instance of matched traffic.
  • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects
  instances of matched traffic, with the maximum being the specified Threshold.
  • More than or equal to—Security policy rule action triggered if Enterprise DLP detects
  instances of matched traffic, with a minimum being the specified Threshold.
  • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
  any number of instances of matched traffic between the specific Threshold range.
• Threshold—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
For example, to match a pattern that appears three or more times in a file, select
more_than_or_equal_to as the Operator and specify 3 as the Threshold.
• Confidence—Specify the confidence level required for a Security policy rule action to be
taken (High or Low).

• If you select Advanced, you can create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the
page.
Specify the values in the order that they’re shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence).

STEP 11 | Select an Action (Alert or Block) to perform on matching traffic.

If the data filtering profile has both Primary and Secondary Patterns, changing the
data profile Action on Panorama deletes all Secondary Pattern match criteria.

STEP 12 | (Optional) Configure the URL category list to exclude URL traffic from inspection.
The URL category list can only be configured when Non-File Based traffic inspection is
enabled.
1. Select URL Category List Excluded From Non-File.
2. Add a new URL category list.
3. Select a predefined URL category, custom URL category or EDL.

STEP 13 | Configure the application exclusion list to exclude application traffic from inspection.
The application list can only be configured when Non-File Based traffic inspection is enabled.
At least one application list or application group is required to create a data filtering profile for
inspecting non-file traffic.
1. Select Application List Excluded From Non-File.
2. Add an application filter or application group.
If you didn’t create a custom application filter or application group, you must add the
DLP App Exclusion Filter.

STEP 14 | Select upload as the Direction.

Downloads aren’t supported.
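The Python model below is added as an example; it is neither this guide's nor the product's code. It captures the scoping rules of a data filtering profile for non-file detection as this procedure states them: only upload is supported as the Direction, the URL and application exclusion lists can only be configured when Non-File Based inspection is enabled, at least one application exclusion is required, the exclusion objects must be Shared, and (from the File Types step of the file-based procedure) an Include list inspects only the listed file types while an Exclude list inspects everything else. The Profile and Session names, the application group contents and the session fields are assumptions; the membership of the real DLP App Exclusion Filter is not reproduced, only placeholder application names.

```python
"""Which sessions a non-file data filtering profile inspects (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed Shared application filters/groups; the member names are placeholders,
# not the real contents of the predefined DLP App Exclusion Filter.
APP_GROUPS: Dict[str, Set[str]] = {
    "DLP App Exclusion Filter": {"placeholder-app-a", "placeholder-app-b"},
    "custom-internal-apps": {"placeholder-intranet"},
}


@dataclass
class Profile:
    scan_file_based: bool = True          # File Based: Yes/No
    scan_non_file: bool = True            # Non-File Based: Yes/No
    direction: str = "upload"             # only upload is supported
    file_scan_type: str = "exclude"       # include | exclude (File Type Array semantics)
    file_type_array: Set[str] = field(default_factory=set)
    excluded_url_categories: Set[str] = field(default_factory=set)
    excluded_app_groups: List[str] = field(default_factory=list)

    def problems(self) -> List[str]:
        """Conditions under which the profile could not be created as configured."""
        out = []
        if self.direction != "upload":
            out.append("only upload is supported as the Direction")
        if self.scan_non_file and not self.excluded_app_groups:
            out.append("at least one application exclusion (e.g. DLP App Exclusion Filter) is required")
        if not self.scan_non_file and (self.excluded_app_groups or self.excluded_url_categories):
            out.append("URL and application exclusion lists require Non-File Based inspection")
        for group in self.excluded_app_groups:
            if group not in APP_GROUPS:
                out.append(f"application group {group!r} is not a Shared object")
        return out


@dataclass
class Session:
    app: str
    url_category: str
    direction: str
    file_type: Optional[str] = None       # None marks non-file traffic


def should_inspect(profile: Profile, session: Session) -> bool:
    """True when the DLP cloud service would receive this session for inspection."""
    if profile.problems() or session.direction != profile.direction:
        return False
    if session.file_type is not None:
        if not profile.scan_file_based:
            return False
        in_array = session.file_type in profile.file_type_array
        return in_array if profile.file_scan_type == "include" else not in_array
    if not profile.scan_non_file:
        return False
    if session.url_category in profile.excluded_url_categories:
        return False
    excluded_apps = set().union(*(APP_GROUPS[g] for g in profile.excluded_app_groups))
    return session.app not in excluded_apps


if __name__ == "__main__":
    profile = Profile(excluded_app_groups=["DLP App Exclusion Filter"],
                      excluded_url_categories={"placeholder-url-category"})
    print(profile.problems())
    print(should_inspect(profile, Session("web-app-x", "unknown", "upload")))
    print(should_inspect(profile, Session("placeholder-app-a", "unknown", "upload")))
```

A useful property of the model is that disabling Non-File Based inspection without also clearing the exclusion lists is reported as a configuration problem rather than silently ignored, which is the case an administrator is most likely to miss when toggling the profile back and forth.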

STEP 15 | (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Informational.

STEP 16 | Click OK to save your changes.

STEP 17 | Attach the data filtering profile to a Security policy rule.


1. Select Policies > Security and specify the Device Group.
2. Select the Security policy rule to which you want to add the data filtering profile.
3. Select Actions and set the Profile Type to Profiles.
4. Select the Data Filtering profile you created previously.
5. Click OK.

STEP 18 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

Update a Data Profile on the DLP App


From the DLP app on the hub, you can edit and modify an existing data profile you created on
Panorama, Prisma Access (Panorama Managed), Prisma SaaS, and the DLP app. Any changes you
make to an existing data profile from the DLP app on the hub are automatically synchronized to
Panorama, Prisma Access (Panorama Managed), Prisma Access (Cloud Managed), and Prisma SaaS
where the data profile is supported.
If you update a data profile to include a predefined data pattern, be sure to consider the
detection types used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. For example, when
you create a data profile that includes three machine learning (ML)-based data patterns and seven
regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based
patterns whenever the scanned file exceeds 1 MB.

Data profiles with EDM datasets and Data profiles with data patterns and EDM
datasets can only be modified from the DLP app on the hub.
Any changes to the data profile match criteria made on the DLP app are synchronized to
Panorama but don’t display in the Panorama web interface. Security policy rules using
a data profile updated on the DLP app inspect traffic using the new or modified match
criteria.

(Panorama only) Updating the data profile Name is supported but you must manually
update the existing Security policy rules (Policies > Security) to reassociate the renamed
data filtering profile. Commits on Panorama fail if you do not reassociate the renamed
data filtering profile with the Security policy rule after the updated data profile name is
synchronized to Panorama.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | Select Data Profiles and select a data profile to display the data profile preview window.

STEP 3 | Edit the data profile.

STEP 4 | Modify the data profile as needed.

Modifying the data profile to include an EDM data set isn’t supported if the data
profile did not include an EDM data set when it was initially created.
Modifying a data profile to only include data patterns isn’t supported if the data profile
included both data patterns and EDM data sets when it was initially created.

• See Create a Data Profile on the DLP App for details on configuring data pattern criteria
using predefined or custom data patterns only.
• See Create a Data Profile with EDM Data Sets on the DLP App for details on configuring
data pattern criteria using EDM data sets.
• See Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App for
details on configuring data pattern criteria using both data patterns and EDM data sets.
• See Create a Data Profile with Nested Data Profiles on the DLP App for details on
configuring a single data profile that contains multiple data profiles.

Adding a data profile that includes an EDM data set to an existing data profile is
supported, even if the existing data profile didn’t include an EDM data set when it was
originally created.

STEP 5 | Save your changes.

Update a Data Profile on Cloud Management


From Cloud Management, you can edit and modify an existing data profile you created on
Panorama, Prisma Access (Panorama Managed), Cloud Management, or the DLP app. Any
changes you make to an existing data profile from the DLP app on the hub are automatically
synchronized to Panorama, Prisma Access (Panorama Managed), and Cloud Management where
the data profile is supported.
If you update a data profile to include a predefined data pattern, be sure to consider the
detection types used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. For example, when
you create a data profile that includes three machine learning (ML)-based data patterns and seven
regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based
patterns whenever the scanned file exceeds 1 MB.

Data profiles with EDM datasets and Data profiles with data patterns and EDM
datasets can be modified from both Cloud Management and the DLP app on the hub.
Any changes to the data profile match criteria made on Cloud Management are
synchronized to Panorama but don’t display in the Panorama web interface. Security
policy rules using a data profile updated on Cloud Management inspect traffic using the
new or modified match criteria.


(Panorama only) Updating the data profile Name is supported but you must manually
update the existing Security policy rules (Policies > Security) to reassociate the renamed
data filtering profile. Commits on Panorama fail if you do not reassociate the renamed
data filtering profile with the Security policy rule after the updated data profile name is
synchronized to Panorama.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and navigate to the data profile you want to modify.

STEP 3 | Edit ( ) the data profile.

STEP 4 | Modify the data profile as needed.

Modifying the data profile to include an EDM data set isn’t supported if the data
profile did not include an EDM data set when it was initially created.
Modifying a data profile to only include data patterns isn’t supported if the data profile
included both data patterns and EDM data sets when it was initially created.

• See Create a Data Profile on Cloud Management for details on configuring data pattern
criteria using predefined or custom data patterns.
• See Create a Data Profile with EDM Data Sets on Cloud Management for details on
configuring data pattern criteria using EDM data sets.
• See Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management for
details on configuring data pattern criteria using both data patterns and EDM data sets.
• See Create a Data Profile with Nested Data Profiles on Cloud Management for details on
configuring a single data profile that contains multiple data profiles.

Adding a data profile that includes an EDM data set to an existing data profile is
supported, even if the existing data profile didn’t include an EDM data set when it was
originally created.
• See Create a Data Profile to Detect Custom Documents for details on configuring data
pattern match criteria that contains predefined or custom document templates.

Enterprise DLP includes predefined document templates that were converted
from ML-based data patterns. Palo Alto Networks recommends modifying the
match criteria if your existing data profile references ML-based data patterns
that were converted.

STEP 5 | Save your changes.

Update a Data Filtering Profile on Panorama


From the Panorama management server, you can edit and modify an existing data filtering profile
you created on Panorama, SaaS Security, or the DLP app on the hub. Any changes you make to
an existing data filtering profile from the DLP app on the hub are automatically synchronized to
Panorama, Prisma Access (Panorama Managed), and Prisma SaaS where the data filtering profile is
supported.


You can’t update or modify the data pattern match criteria for an EDM data set or a data
profile with data patterns and EDM data sets from Panorama. You can only update
or modify the data filtering profile action from Panorama. Any changes you make to an
EDM data filtering profile or a hybrid data filtering profile that commit successfully on
Panorama aren’t reflected in the DLP app on the hub. See Update a Data Profile on the DLP App
to update the match criteria for an EDM data filtering profile or a data profile with data
patterns and EDM data sets.

If you update a data filtering profile to include a predefined data pattern, be sure to consider the
detection type used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. For example, when
you create a data filtering profile that includes three machine learning (ML)-based data patterns
and seven regex-based data patterns, Enterprise DLP will return verdicts based on the seven
regex-based patterns whenever the scanned file exceeds 1 MB.

Updating the data filtering profile Name is supported but you must manually update the
existing Security policy rules (Policies > Security) to reassociate the renamed data filtering
profile. Commits on Panorama fail if you do not reassociate the renamed data filtering
profile with the Security policy rule.

STEP 1 | Log in to the Panorama web interface.

STEP 2 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.

STEP 3 | Select a data filtering profile to edit.

STEP 4 | Edit the data filtering profile as needed.


1. Modify the data filtering profile scan for File Based traffic, Non-File Based traffic, or
both.
2. Modify the Primary Pattern and Secondary Pattern match criteria.
Modifying the data filtering profile match criteria on Panorama is supported only for
Enterprise DLP data filtering profiles created on Panorama. See Create a Data Filtering
Profile on Panorama for details on configuring data pattern criteria using predefined or
custom data patterns.
3. (Data Filtering Profile for Non-File Traffic Inspection Only) Modify the URL Category
Excluded List from Non-File and Application List Excluded from Non-File to configure
which URL and application traffic is excluded from Enterprise DLP inspection.
See Create a Data Filtering Profile on Panorama for Non-File Detection for more
information.
4. Edit the data filtering profile settings.
Enterprise DLP supports editing the following data profile settings for a data profile with
EDM datasets and a data profile with data patterns and EDM datasets from Panorama.
• Select the data filtering profile Action (Alert or Block)

If the data profile has both Primary and Secondary Patterns, changing the
data filtering profile Action on Panorama deletes all Secondary Pattern
match criteria.
• Specify a File Type.
Leave the file type as any to match any of the supported file types.
• Set the Log Severity recorded for files that match this data filtering profile.

STEP 5 | Click OK.

STEP 6 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.

STEP 7 | Verify the changes you made to the data filtering profile.
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Data Profiles and search for the data filtering profile you updated.


Configure Enterprise DLP on Cloud Management


Modify Enterprise Data Loss Prevention (E-DLP) rules for Cloud Management using predefined
DLP data profiles and custom DLP data profiles created on Panorama, Prisma Access (Panorama
Managed), Cloud Management, or the DLP app on the hub.
• Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP
• Modify a DLP Rule for Prisma Access on Cloud Management
• Create a Block Response Page on Cloud Management

Create a SaaS Security Policy Recommendation to Leverage


Enterprise DLP
A SaaS policy rule recommendation is required to leverage the Enterprise Data Loss Prevention
(E-DLP) data profile in SaaS Security. To scan for and render a verdict on sensitive data
for which you want to prevent exfiltration, you must assign the data profile to the SaaS
Security policy rule recommendation.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Create data patterns and a data profile to define the match criteria for sensitive data you
want to detect.

STEP 3 | Select Manage > Configuration > Security Services > SaaS Security > Discovered Apps >
Policy Recommendations and Add Policy.

STEP 4 | Create the SaaS Security policy rule recommendation.


1. Configure the policy rule recommendation as needed.
See Create SaaS Security Policy Rule Recommendations for more details.
See Supported Applications for more information on which applications Enterprise DLP
supports.
2. For the Data Profile, select the data profile you created in the previous step.
Only one data profile can be associated with a policy rule recommendation.
3. Save.

Modify a DLP Rule for Prisma Access on Cloud Management


A DLP rule, otherwise referred to as a data filtering profile, is an existing data profile for which
you have specified the file type, action, and log severity. Data filtering profiles
are automatically created when you create a new data profile. To create an entirely new data
filtering profile, you must create an entirely new data profile, which automatically creates the new
data filtering profile.
Modify an Enterprise Data Loss Prevention (E-DLP) data filtering profile for Prisma Access (Cloud
Management) on Cloud Management to enforce your organization’s data security standards and
prevent exfiltration of sensitive information. After you configure the data filtering profile, you
must create a Profile Group containing the data filtering profile and attach it to a Security policy
so Prisma Access can enforce your data security standards.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Create a data profile.


• Create a Data Profile on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management

STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and
in the Actions column, Edit the DLP rule.
The DLP rule has an identical name as the data profile from which it was automatically created.

STEP 4 | (Optional) Enter a Description for the DLP rule.


STEP 5 | Modify the DLP rule Match Criteria.


Modifying the DLP rule automatically created for the data profile isn’t required.
Skip to the next step if you want to apply the DLP rule to a Security policy without
modifying the DLP rule match criteria and use the default values.

The default DLP rule Direction is Upload. Downloads aren’t supported. This field can’t
be edited.

1. Specify the type of traffic the DLP rule applies to.


You can enable either or both match criteria traffic types for a DLP rule.
• File Based Match Criteria—DLP rule match criteria is applied to file-based traffic.
• Non-File Based Match Criteria—DLP rule match criteria is applied to non-file formats
that use collaboration and cloud applications, web forms, and social media.
2. Specify a File Type.
The default file type is Any and matches any of the supported file types. Otherwise, you
can Select one or more file types to filter.
3. Specify the File Direction.
The default file direction is Both and allows inspection of uploads and downloads for
supported applications.
4. Select an Action (Alert and Block, Alert, or Block) to perform on the file.

The Action is set to Alert and Block by default if the data profile has both
Primary and Secondary Patterns. Changing the data filtering profile Action isn’t
supported if both Primary and Secondary patterns are defined.
5. (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Low.
6. Save the data filtering profile.

STEP 6 | Create a Shared Profile Group for the Enterprise DLP data filtering profile.
1. Select Manage > Configuration > Security Services > Profile Groups and Add Profile
Group.
2. Enter a descriptive Name for the Profile Group.
3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
4. Add any other additional profiles as needed.
5. Save the profile group.


STEP 7 | Create a Security policy and attach the Profile Group.


1. Select Manage > Configuration > Security Policy and Add Rule.
You can also update an existing Security policy to attach a Profile Group for Enterprise
DLP filtering.
2. Configure the Security policy as needed.
3. Navigate to the Action and Advanced Inspection section, and select the Profile Group
you created in the previous step.
4. Save the Security policy.

STEP 8 | Push your data filtering profile.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.

Create a Block Response Page on Cloud Management


Create a custom block response page to display when traffic matches your Enterprise Data
Loss Prevention (E-DLP) data profiles for Prisma Access (Cloud Management) and SaaS Security
on Cloud Management. Enterprise DLP supports custom block response pages in HTML format.
After you successfully create and upload a custom block response page, you can Revert to
Inherited Template to display the default block page.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings and
click the Data Filtering Page.

Cloud Management allows you to Export HTML Template of the default block
response page to help you create a custom block page.

STEP 3 | Choose File and select the custom block response page.

STEP 4 | Save the block response page.

STEP 5 | Push your data filtering profile.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.


Enable Existing Data Patterns and Filtering Profiles


After you successfully install the Enterprise data loss prevention (DLP) plugin on Panorama,
existing data patterns and filtering profiles are no longer displayed but you can still reference
them in your Security policy rules. If you have existing data filtering patterns and profiles
configured that you need to edit after installing the Enterprise DLP plugin, you can display them
again in your Panorama web interface.

Existing data patterns and data filtering profiles aren’t hidden if you’re using Enterprise
DLP for Panorama-managed Prisma Access.

STEP 1 | Enable existing data patterns and filtering profiles on Panorama.


1. Log in to the Panorama CLI.
2. Enable the existing data patterns and filtering profiles.

admin> request plugins dlp hide-old-config no

Panorama returns a pass message to confirm the existing data patterns and filtering
profiles are now displayed.

Enter the following command to hide the existing data patterns and filtering
profiles again.

admin> request plugins dlp hide-old-config yes

STEP 2 | (Optional) Enable existing data patterns and filtering profiles on the managed firewall if you
have any Security policy rules configured locally on the firewall.
1. Log in to the firewall CLI.
2. Enable the existing data patterns and filtering profiles.

admin> request plugins dlp hide-old-config no

The firewall returns a pass message to confirm the existing data patterns and filtering
profiles are now displayed.

Enter the following command to hide the existing data patterns and filtering
profiles again.

admin> request plugins dlp hide-old-config yes

STEP 3 | Log in to the Panorama web interface.

STEP 4 | Edit your existing data patterns and filtering profiles.


1. Select Objects > Custom Objects > Data Patterns and edit your data patterns.
2. Select Objects > Security Profiles > Data Filtering and edit your data filtering profiles.


STEP 5 | Select Policies > Security and select the Device Group to modify your Security policy rules
as needed.

STEP 6 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.


Configure Exact Data Matching (EDM)


Exact data matching (EDM) for Enterprise DLP is an advanced detection tool to monitor and
protect sensitive data from exfiltration. Use EDM to detect sensitive and personally identifiable
information (PII) such as social security numbers, Medical Record Numbers, bank account
numbers, and credit card numbers, in a structured data source such as databases, directory
servers, or structured data files (CSV and TSV), with high accuracy.
To use EDM, the DLP cloud service relies on the encrypted hash of the sensitive data you upload
to the DLP cloud service. The DLP cloud service indexes the encrypted hash of uploaded EDM
data sets. To prevent the exfiltration of sensitive data, the DLP cloud service uses the indexed
hash data set in the Security policy rule for matching outbound traffic.
Data filtering using EDM is supported for Panorama, Prisma Access (Panorama Managed), Prisma
Access (Cloud Management), and SaaS Security.
• Supported EDM Data Set Formats
• Set Up the EDM CLI Application
• Configure Connectivity to the DLP Cloud Service
• Upload an Encrypted EDM Data Set to the DLP Cloud Service Using a Configuration File
• Create and Upload an Encrypted EDM Data to the DLP Cloud Service in Interactive Mode
• Update an Existing EDM Data Set on the DLP Cloud Service

Supported EDM Data Set Formats


The Exact Data Matching (EDM) CLI application supports CSV and TSV as source files for an
encrypted EDM data set upload to the DLP cloud service. Before you upload an encrypted
EDM data set to the DLP cloud service, review the supported CSV file, TSV file, and data type
formatting.
The DLP cloud service uses an Exact Match for values that do not follow the supported data type
formats below or for data types that have no unique formatting requirements. If a data type follows
the supported format, the DLP cloud service can also match other instances of the data type in the
scanned file. For example, if you configure an EDM filtering profile to block files that contain
the social security number 456-12-7890, the DLP cloud service also matches instances of social
security numbers that are formatted as 456 12 7890 and 456.12.7890. However, if the EDM
filtering profile is configured to block files containing the social security number 456127890, only
files containing an exact match to this social security number are blocked.
When preparing an EDM data set for upload, consider the following:
• A header row is supported.
• Data sets in CSV and TSV formats are supported.
CSV files should adhere to the RFC-4180 standard.
• Atomic columns are recommended to ensure accurate matching of sensitive data.
Atomic columns are columns whose cells are expected to contain a single discrete or unique
Data Type value. For example, your data set has an SSN column, and one of the cells
in this column contains the value "123456789;098765432". In this example, the DLP cloud
service inspects for all incidents of 123456789;098765432 as a single SSN rather than
inspecting for 123456789 and 098765432 as separate incidents.
• Up to 50 individual Data Type values are supported in a single cell.
The Data Types are data values recognized by the DLP cloud service. If a cell has more than 50
Data Type values recognized by the DLP cloud service, only the first 50 values are processed
and the remaining are ignored.
For example, Today is August 02, 2020 contains three data type values: Today and is
are Alphabet data types, and August 02, 2020 is a Date data type.
• Only English (Latin script) is supported.
• Only the “,” (comma) and tab (\t) delimiters are supported.
• A maximum of 120 million rows and 30 columns are supported per EDM data set.
For example, you have one EDM data set containing 30 columns and 4 million rows and a
second EDM data set containing six columns and 120 million rows. Both EDM data sets are
supported because each contains no more than the maximum number of rows and columns
supported.
• By default, up to 500 million cells are supported for a single Enterprise DLP tenant across all
EDM data sets uploaded to the DLP cloud service.
Contact Palo Alto Networks Customer Support to increase the maximum number of cells
supported for your Enterprise DLP tenant. Up to 1 billion cells are supported for your
Enterprise DLP tenant.
• The supported file encoding schemes are UTF-8, UTF-16, ISO-8859-1, and US-ASCII.
• The EDM CLI application removes all punctuation from data contained in the EDM data set.
The EDM CLI application supports the following data type formats for EDM data sets.

Data Type: Date
Format:
• DD-MM-YYYY, DD/MM/YYYY, DD.MM.YYYY, DD,MM,YYYY, DD MM YYYY
• MM-DD-YYYY, MM/DD/YYYY, MM.DD.YYYY, MM,DD,YYYY, MM DD YYYY
• YYYY-MM-DD, YYYY/MM/DD, YYYY.MM.DD, YYYY,MM,DD, YYYY MM DD
A space, dashes (-), slash (/), comma (,), period (.), and any combination of these
separators are supported.
Example:
• 2-Aug-2020
• 02-Aug-2020
• 02.08.2020
• 02 Aug 2020
• 2 August, 2020
• 2 Aug, 2020
• 02 August 2020
• 2. August 2020
• August 2, 2020
• Aug 2, 2020
• Sunday, August 2, 2020
• Sunday, August 02, 2020
• Sunday, 2 August, 2020
• Sunday 02 August 2020
Exact Data Matching is performed for ambiguous dates, for example:
• 20-08-02
• 02.08.20
• 08/02/20
• 08 2, 20
• 02/08/20
• 8/2/20
• 2020/08/02
• 2020-08-02
• 02/08/2020
• 2/08/2020

Data Type: USA Social Security Number
Format:
• XXX-XX-XXXX
• XXX XX XXXX
• XXX.XX.XXXX
• XXXXXXXXX
A space, dashes (-), and period (.) are supported separators.
Example:
• 123-45-6789
• 123 45 6789
• 123.45.6789
• 123456789

Data Type: Country Name
Format:
• Country full name
• Country name abbreviation
An Exact Match is performed for a country name.
Example: US, USA, United States, United States of America, The United States of America

Data Type: First Name, Last Name, Middle Name, Full Name
Format: Uppercase and lowercase.
Example: Bill, bill, Bill’s, bill’s, Bill Smith, bill smith, Bill Smith’s, bill smith’s

Data Type: Medical Record Number
Format: An Exact Match is performed for a Medical Record Number.
Example: N/A

Data Type: Member ID, Reward ID
Format: An Exact Match is performed for these values.
Example: N/A

Data Type: Alphanumeric, Alphabet
Format: Numbers, uppercase, and lowercase letters.
Example: ABCDEFG, abcdefg, AB123CG, AB123cdab123cd

Data Type: USA Driver License
Format: Alphanumeric.
Example: E1234567, e1234567

Data Type: Email
Format: RFC5322—<emailprefix>@<emaildomain>
Example: bill@business.com, BILL@BUSINESS.COM, BILL@business.com, bill@BUSINESS.com

Data Type: Bank Routing Number, Bank Account Number
Format: An Exact Match is performed for a bank routing number and bank account number.
Example: N/A

Data Type: IP Address (IPv4 and IPv6)
Format: An Exact Match is performed for an IPv4 and IPv6 IP address.
Example: N/A

Data Type: Numbers
Format: An Exact Match is performed for all numbers. A positive signed integer (+) is
removed and treated the same as an unsigned integer. A negative signed integer (-)
isn’t removed, to differentiate between positive and negative signed integers.
Example:
• SI Numbers—1234, +1234, or -1234
• Formatted Numbers—9.00
• Indian Number System—12,34,567.89

Data Type: Phone Number
Format: Ten-digit US phone number format only. Country code, parentheses, dash,
space, and dots are removed.
Example: 8001234567, (800)1234567, 1.800.123.4567, +1 (800)123-4567, 1 800 123 4567,
+1 800 123 4567, +1 800 123-4567, 1-800-123-4567, 1 (800) 123-4567, (800)123-4567,
(800) 123 4567, 800-123-4567

Data Type: UUID
Format: RFC4122—32 hexadecimal (base-16) digits. If you’re using hyphens, the total is
36 digits.
Example: 123e4567e89b12d3a45642661417400, 123e4567-e89b-12d3-a456-42661417400

Data Type: Credit Card
Format: Between 13 to 23 digits including dashes.
Example: 4739-5402-9061-0638, 4739540290610638
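The data set rules and the separator-tolerant SSN matching described above, as an added pre-flight check written for this section (it is not part of the Palo Alto Networks EDM CLI application): it validates a constructed CSV data set against the delimiter, column, row, ragged-row and atomic-cell rules, and shows which SSN representations a formatted versus an unformatted data set value would match. The ';' heuristic for non-atomic cells, the ASCII test as an approximation of "Latin script", and the sample rows are assumptions of this example.

```python
"""Added example: pre-flight checks for an EDM data set and the
separator-tolerant SSN matching described in the guide. Not part of the
Palo Alto Networks EDM CLI application."""
from __future__ import annotations

import csv
import io
import re

MAX_COLUMNS = 30              # per EDM data set (from the guide)
MAX_ROWS = 120_000_000        # per EDM data set (from the guide)
DELIMITERS = {"csv": ",", "tsv": "\t"}   # the only supported delimiters

# A formatted SSN: three digit groups joined by a dash, space, or period.
SSN_FORMATTED = re.compile(r"^(\d{3})[-. ](\d{2})[-. ](\d{4})$")
SSN_SEPARATORS = ("-", " ", ".")

# Constructed sample data set; the second row deliberately packs two SSNs
# into one cell, which the guide warns is indexed as a single value.
SAMPLE_CSV = (
    "first_name,last_name,ssn\n"
    "Bill,Smith,456-12-7890\n"
    "Jane,Doe,123456789;098765432\n"
)


def check_dataset(text: str, fmt: str) -> list[str]:
    """Return the problems found in a CSV or TSV EDM data set (empty = clean).

    Rules checked: supported delimiter, column and row limits, ragged rows,
    non-atomic cells and non-Latin text. Using ';' to spot non-atomic cells
    and isascii() to approximate 'Latin script' are assumptions of this example.
    """
    delimiter = DELIMITERS.get(fmt)
    if delimiter is None:
        return [f"unsupported format {fmt!r}; only csv and tsv are supported"]
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter))
    if not rows:
        return ["data set is empty"]
    header, data_rows = rows[0], rows[1:]
    problems: list[str] = []
    if len(header) > MAX_COLUMNS:
        problems.append(f"{len(header)} columns exceeds the maximum of {MAX_COLUMNS}")
    if len(data_rows) > MAX_ROWS:
        problems.append(f"{len(data_rows)} rows exceeds the maximum of {MAX_ROWS}")
    for lineno, row in enumerate(data_rows, start=2):
        if len(row) != len(header):
            problems.append(f"line {lineno}: {len(row)} cells, header has {len(header)}")
        for col, cell in zip(header, row):
            if ";" in cell:
                problems.append(f"line {lineno}, column {col!r}: non-atomic cell {cell!r}")
            if not cell.isascii():
                problems.append(f"line {lineno}, column {col!r}: non-Latin characters")
    return problems


def ssn_match_set(dataset_value: str) -> set[str]:
    """Representations of an SSN that a scan would match, per the guide.

    A value in a supported format (456-12-7890) also matches the other
    separator variants; an unformatted value (456127890) matches only itself.
    """
    m = SSN_FORMATTED.match(dataset_value)
    if not m:
        return {dataset_value}
    area, group, serial = m.groups()
    return {f"{area}{sep}{group}{sep}{serial}" for sep in SSN_SEPARATORS}


def scan_for_ssn(dataset_value: str, document: str) -> bool:
    """True if the document contains a representation the data set value matches."""
    return any(variant in document for variant in ssn_match_set(dataset_value))


if __name__ == "__main__":
    for problem in check_dataset(SAMPLE_CSV, "csv"):
        print("problem:", problem)
    print(sorted(ssn_match_set("456-12-7890")))
    print(scan_for_ssn("456-12-7890", "SSN on file: 456.12.7890"))   # True
    print(scan_for_ssn("456127890", "SSN on file: 456.12.7890"))     # False
```

Running the check before the upload is cheaper than discovering after indexing that a column was not atomic: a cell such as `123456789;098765432` is stored as one value and neither SSN in it is ever matched on its own.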

Set Up the EDM CLI Application


The exact data matching (EDM) CLI application is a secure CLI tool used to upload hashed and
encrypted EDM data sets to the DLP cloud service. The EDM CLI application accepts a source file in
CSV or TSV format, applies a one-way hash to each field in the file, and encodes each hash in Base64.
It then encrypts the hashed data set with AES-256 and saves the secured data set as a zip file that
can be uploaded to the DLP cloud service.
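To make the one-way hashing concrete, here is an added example (not the EDM CLI application's own code; the guide does not name the hash function it uses): each field is stripped of punctuation, hashed with SHA-256, Base64-encoded and indexed by column, and a scan then hashes spans of the document text and looks them up, so the matching side never holds the plaintext values. SHA-256, lower-casing, the one- to three-word span tokenization and the sample rows are assumptions of this example; the AES-256 encryption and zip packaging the real tool adds are omitted.

```python
"""Added example: one-way hashing of EDM fields and matching against the
hashed index, so that no plaintext leaves the data set owner. Not the EDM
CLI application's code; the hash, normalization and tokenization here are
assumptions, and the AES-256 and zip layers of the real tool are omitted."""
from __future__ import annotations

import base64
import csv
import hashlib
import io
import string

_STRIP_PUNCT = str.maketrans("", "", string.punctuation)

# Constructed sample data set (not from the guide).
SAMPLE_CSV = (
    "first_name,last_name,ssn\n"
    "Bill,Smith,456-12-7890\n"
    "Jane,Doe,123-45-6789\n"
)


def normalize_field(value: str) -> str:
    """Remove punctuation (the guide says the CLI does this); the lower-casing
    and whitespace trim are assumptions so that '456-12-7890' and
    '456.12.7890' hash to the same value."""
    return value.translate(_STRIP_PUNCT).strip().lower()


def secure_field(value: str) -> str:
    """One-way hash of a normalized field, Base64-encoded (SHA-256 assumed)."""
    digest = hashlib.sha256(normalize_field(value).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def secure_dataset(csv_text: str) -> str:
    """Return the data set with every cell hashed; the header row stays readable."""
    rows = list(csv.reader(io.StringIO(csv_text)))
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(rows[0])
    for row in rows[1:]:
        writer.writerow([secure_field(cell) for cell in row])
    return out.getvalue()


def build_index(secured_csv: str) -> dict[str, set[str]]:
    """Column name -> set of hashed values, as the matching side would hold it."""
    rows = list(csv.reader(io.StringIO(secured_csv)))
    header = rows[0]
    index: dict[str, set[str]] = {col: set() for col in header}
    for row in rows[1:]:
        for col, cell in zip(header, row):
            index[col].add(cell)
    return index


def find_matches(index: dict[str, set[str]], document: str) -> dict[str, list[str]]:
    """Hash one- to three-word spans of the scanned text and look them up.

    Only the scanned document is in plaintext here; the index is consulted by
    hash, which is what lets a cloud service match without holding the data.
    """
    words = document.split()
    hits: dict[str, list[str]] = {col: [] for col in index}
    for n in (1, 2, 3):
        for i in range(len(words) - n + 1):
            span = " ".join(words[i : i + n])
            hashed = secure_field(span)
            for col, values in index.items():
                if hashed in values and span not in hits[col]:
                    hits[col].append(span)
    return hits


if __name__ == "__main__":
    secured = secure_dataset(SAMPLE_CSV)
    print(secured)                       # header plus Base64 hashes, no plaintext
    index = build_index(secured)
    print(find_matches(index, "Please update SSN 456.12.7890 for bill smith"))
```

Because punctuation is stripped on both sides before hashing, the differently formatted `456.12.7890` in the document still hits the `456-12-7890` row; the column names in the header stay in clear so the service can report which field matched without learning the value.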
The EDM CLI application is supported on Microsoft Windows and Linux operating systems such
as Ubuntu, Debian, and CentOS.
The EDM CLI application is downloaded from the DLP app on the hub and includes the following:
• README.TXT—Quick overview of the EDM CLI application functionality, including
descriptions of data types and column values.
• edm-secure-cli-<version>.jar—The executable Java application.
• config.properties—Configuration file you can prepopulate to upload a file to the DLP cloud
service.

• upload_config.properties—Configuration file for the connectivity settings to connect to the
DLP cloud service.
• lib—Directory containing all the dependency libraries required by the EDM Secure CLI
application.
• log4j2.xml—Configuration files for debugging and logging.
• sample_dataset.csv—Sample CSV file you can use as a template for upload to the DLP cloud
service.
• (Windows) edm-secure-cli.bat—Windows batch file used to create and upload an EDM data set
to the DLP cloud service.
(Linux) edm-secure-cli.sh—Bash script used to create and upload an EDM data set to the DLP
cloud service.
STEP 1 | Deploy the device you will use to upload EDM data sets to the DLP cloud services.
You can upload EDM data sets to the DLP cloud service using any physical or virtual device
running a Windows or Linux operating system.

If you plan to deploy a dedicated virtual machine to upload EDM data sets to the DLP
cloud service, Palo Alto Networks recommends you allocate a minimum of four CPUs
and 8 GB memory to the virtual machine.

STEP 2 | Log in to the DLP app on the hub or launch the Cloud Management Console.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.
If you’re leveraging Enterprise DLP from the Panorama management server for Next-
Generation and VM-Series firewall or are using Prisma Access (Panorama Managed), the EDM
CLI application is available only from the DLP app on the hub.
If using Enterprise DLP for Prisma Access (Cloud Management), the EDM CLI application is
available from Prisma Access Cloud Management or from the DLP app on the hub.

STEP 3 | Enable Exact Data Matching (EDM).

It might take up to 24 hours for Palo Alto Networks to enable EDM functionality for
your DLP app.
Continue to the next step after Palo Alto Networks has successfully enabled EDM for
your DLP app. You can verify that EDM is enabled when you have the ability to download
the EDM CLI application to your local device.


STEP 4 | Download the EDM CLI application.


The entire contents of the EDM CLI application are downloaded as a .zip file.
1. Navigate to the download location.
• DLP app on the hub—Select Detection Methods > Exact Data Matching and expand
the EDM Setup Guide.
• Prisma Access (Cloud Management)—Select Manage > Configuration > Data Loss
Prevention > Detection Methods and select Exact Data Matching.
2. Click Download CLI Tool and Download the latest version of the EDM CLI application.
• Select Windows 64-bit if you’re installing the EDM CLI application on a Microsoft
Windows device.
• Select Linux 64-bit if you are installing the EDM CLI application on a Linux
device.
• Select the latest version available.
(SASE Platform) If you’re using Enterprise DLP from the SASE Platform, you must
select version 3.0 or a later release.

If you use an older unsupported version of the CLI, the CLI will display an
error message: Please use the latest version of cli tool.
Latest version: <latest-version>.


STEP 5 | (Optional) Create a new folder for EDM on your local device.
The EDM CLI application generates secured versions of all EDM data sets uploaded to the DLP
cloud service and logs for EDM CLI application activity. As a best practice, create a folder just
for the EDM CLI application so that all EDM-specific files are kept in a single folder.
Refer to the documentation for Microsoft Windows or your specific Linux OS for more
information on creating a new folder.

STEP 6 | Extract the EDM zip file contents.


1. On your local device, navigate to the downloaded package-edm-secure-cli-
<version>-<platform>.zip file.
2. Right-click the package-edm-secure-cli-<version>-<platform>.zip file and
click Extract To.
3. Select a folder and Extract.
(Best Practices) Select the folder you created for your EDM CLI application files.

STEP 7 | Verify the extracted .zip file contains all the required EDM CLI application files.

STEP 8 | Install Java on your local device.
A 64-bit Java version, such as a 64-bit JDK, is required to run the EDM CLI application.
1. Open a terminal and view the Java version currently installed.

admin: java -version

2. Install a 64-bit version of Java.
Skip this step if a 64-bit Java version is already installed. Refer to the Microsoft
Windows or your Linux OS documentation for the command to install the latest version of Java.

STEP 9 | (Linux only) Make the EDM CLI application script executable.
1. Navigate to the directory where the EDM CLI application .zip contents were extracted.
In this example, the package-edm-secure-cli-<version>-<platform>.zip
contents were extracted to the EDM directory.
2. Make the EDM CLI application script readable, writable, and executable for the account
that runs it.

admin: chmod 700 ./edm-secure-cli.sh

The script only needs to be executable by the user who runs the EDM CLI application.
Avoid chmod 777: it also makes the script writable by every other account on the device,
so any local user could alter the code that reads your Client Secret and EDM data set.


Configure Connectivity to the DLP Cloud Service

To configure connectivity to the DLP cloud service, you must create a Service Account to
obtain a Client ID and Client Secret and then configure the upload_config.properties
file included with the EDM CLI application. These credentials are how the DLP cloud service
authenticates the EDM CLI application and identifies which DLP user is uploading an EDM data
set. If you use a proxy server to connect to the internet, you must also enter the proxy
server details in the upload_config.properties file to successfully upload an EDM data set.
STEP 1 | Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to recover
a lost Client Secret.

The Client ID and Client Secret are used to authenticate and connect the EDM CLI
application to the DLP cloud service.
When you create the Service Account, the Client ID and Client Secret are displayed in
the Client Credentials. You can manually copy the Client Credentials or Download CSV File to
download the Client Credentials in plaintext locally to your device. Treat the Client Secret
like a password: keep it in your secrets manager, restrict who can read the CSV file, and
delete the file once the EDM CLI application is configured.

STEP 2 | Set Up the EDM CLI Application.

You must download EDM CLI application version 2.2 or later to upload an EDM data
set to a TSG-supported tenant.


STEP 3 | On the local device where you downloaded the EDM CLI application, navigate to and open
the upload configuration file.
The upload configuration file is bundled with the package-edm-secure-cli-<version>-
<platform>.zip file contents you extracted when you set up the EDM CLI application.
The upload configuration file name differs between the Linux and Windows versions of the
EDM CLI:
• Linux—upload_config.properties
• Windows—upload_config


STEP 4 | Configure the upload configuration file to enable connectivity to the DLP cloud service.
1. For have_access_token_refresh_token, enter no.
2. Add the client_id and client_secret.
3. Specify whether the local device uploading the EDM data set to the DLP cloud service
requires a proxy server to connect to the internet.
If a proxy server isn't required, enter no (default).
If a proxy server is required, enter yes.
4. (Proxy server only) Enter the proxy_host_name and proxy_port_number.
Skip this step if a proxy server isn't required for the local device to connect to the
internet.
5. (Proxy server only) Enter the proxy_user_name and proxy_password.
Skip this step if a proxy server isn't required for the local device to connect to the
internet.
6. Enter the dataset_name for the EDM data set you want to upload. The data set name
entered here is used in the DLP app for the uploaded EDM data set.
7. Save the changes to the upload configuration file.
The file now holds the Client Secret, and any proxy password, in plaintext. Restrict read
access to the account that runs the EDM CLI application (for example, chmod 600 on Linux),
and don't commit the file to source control or share it.
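The upload configuration file now contains a secret, and a typo in it is only reported once the EDM CLI application tries to connect. The following Python script is an added example, not part of the EDM CLI application: it parses the file as Java properties, checks that the keys named in this step are consistent (Client ID and Client Secret present when have_access_token_refresh_token is no, proxy host and port present when a proxy is enabled, a dataset_name set), and flags a file that other accounts on the device can read. The guide doesn't name the property that turns proxy use on or off, so PROXY_FLAG_KEY is an assumed name; the sample file contents are constructed placeholders.

```python
"""Pre-flight check of the EDM CLI upload configuration file.

Added example; not part of the EDM CLI application. Parses the Java
.properties format, checks the keys named in the guide for consistency,
and flags a file that other accounts on the device can read.
"""
import os
import stat

# ASSUMED key name: the guide shows only the yes/no value that enables proxy use.
PROXY_FLAG_KEY = "use_proxy"


def parse_properties(text):
    """Minimal Java .properties parser: '#' or '!' comment lines, '=' or ':'
    as the first unescaped separator, and trailing-backslash continuations."""
    props = {}
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        for i, ch in enumerate(line):
            if ch in "=:" and (i == 0 or line[i - 1] != "\\"):
                props[line[:i].strip()] = line[i + 1:].strip()
                break
        else:
            props[line] = ""  # key with no value
    return props


def check_upload_config(props):
    """Return a list of problems; an empty list means the settings are consistent."""
    problems = []

    def require(key):
        if not props.get(key):
            problems.append(f"{key} is missing or empty")

    # Client ID/Secret authentication requires have_access_token_refresh_token=no.
    if props.get("have_access_token_refresh_token", "").lower() != "no":
        problems.append("have_access_token_refresh_token must be 'no' "
                        "when authenticating with a Client ID and Client Secret")
    require("client_id")
    require("client_secret")
    require("dataset_name")

    proxy = props.get(PROXY_FLAG_KEY, "no").lower()
    if proxy not in ("yes", "no"):
        problems.append(f"{PROXY_FLAG_KEY} must be yes or no, not {proxy!r}")
    elif proxy == "yes":
        require("proxy_host_name")
        port = props.get("proxy_port_number", "")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append("proxy_port_number must be an integer from 1 to 65535")
    return problems


def check_file_mode(path):
    """The file stores client_secret (and proxy_password) in plaintext, so it
    should be readable only by its owner. Unix permission bits only; on Windows
    review the folder ACL instead."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"{path} has mode {mode:04o}; run chmod 600 so only the owner can read it"]
    return []


# Constructed sample; the values are placeholders, not real credentials.
SAMPLE = """\
# upload_config.properties (constructed sample)
have_access_token_refresh_token=no
client_id=example-client-id
client_secret=example-client-secret
use_proxy=yes
proxy_host_name=proxy.example.internal
proxy_port_number=3128
proxy_user_name=
proxy_password=
dataset_name=customer_records_2023
"""

if __name__ == "__main__":
    report = check_upload_config(parse_properties(SAMPLE))
    print("\n".join(report) if report else "upload configuration is consistent")
```

Run it against your real file by reading it into parse_properties and calling check_file_mode on its path; fix every reported problem before running the upload or create -u commands, since a rejected connection leaves you with a created but unuploaded data set.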

Upload an Encrypted EDM Data Set to the DLP Cloud Service

Using a Configuration File
With a configuration file, you can use the Exact Data Matching (EDM) CLI application to create
and upload an encrypted EDM data set as two separate jobs, or to create and upload it in a
single job.
• Create an Encrypted EDM Data Set Using a Configuration File
• Upload an Encrypted EDM Data Set to the DLP Cloud Service
• Create and Upload an Encrypted EDM Data Set Using a Configuration File

Create an Encrypted EDM Data Set Using a Configuration File

Create an encrypted hash Exact Data Matching (EDM) data set using the configuration file
included with the EDM CLI application. The configuration file lets you set the file parameters
for upload ahead of time rather than entering each parameter manually at the time of creation.
You can also quickly update an existing EDM data set on the DLP cloud service when you
configure the config.properties and upload_config.properties files.
STEP 1 | Set Up the EDM CLI Application.

STEP 2 | Configure Connectivity to the DLP Cloud Service.


In the upload_config.properties file, you must enter a unique data set name for the EDM
data set you want to create as the dataset_name. Upload to the DLP cloud service fails if
you upload an EDM data set with a data set name that already exists in the DLP app.

STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set you want to
create.

STEP 4 | Navigate to the package-edm-secure-cli-<version>-<platform> directory and
open the config.properties file.


STEP 5 | Configure the EDM data set upload parameters.
1. Enter the path of the EDM data set for upload.
2. Enter the delimiter used to separate values in the EDM data set.
The “,” and tab (\t) delimiters are supported for EDM data set uploads. An EDM data set
may use only one delimiter.
3. Enter the EDM data set encoding method.
4. Enter the error threshold percentage for the EDM data set.
A secured version of the EDM data set isn't created if the DLP cloud service encounters
errors exceeding the specified error threshold percentage.
5. Specify whether the EDM data set has a header row.
Enter true if the EDM data set includes a header row.
Enter false if the EDM data set doesn't include a header row.
6. Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.
7. Specify how the EDM CLI application handles an EDM data set that includes more than the
maximum number of cells supported.
Enter true to upload only up to the maximum number of data set cells supported.
Enter false to abort the EDM CLI application if the EDM data set has more than the
maximum number of data set cells supported.
8. Map your columns using the supported Data Type Value to accurately map each
column in your EDM data set to a specific Data Type.
Refer to the README.txt file packaged with the EDM CLI application for the table that
maps your EDM data set columns to the correct Data Type value.

When you create a data profile with EDM data sets on the DLP app or on Cloud
Management, you're required to select as the Primary Field at least one column in
which no single value occurs more than 12 times in the selected EDM data set.
When mapping your columns to a specific Data Type, be sure to include at least one
column in which no value occurs more than 12 times across the entire EDM data set.
Otherwise, the DLP cloud service is unable to match traffic against the EDM data
filtering profile you create using this EDM data set.

9. Select File and Save the configuration file.

STEP 6 | Create the encrypted EDM data set.
1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI application is located.
2. Create the encrypted EDM data set.
• Windows

admin: edm-secure-cli.bat create

• Linux

admin: ./edm-secure-cli.sh create

Entering this command creates a secured copy of the EDM data set in the package-
edm-secure-cli-<version>-<platform> directory. The create command on its own
doesn't upload anything to the DLP cloud service.
3. Verify that the secured copy of the EDM data set is created successfully.
A progress bar and success message are displayed to notify you whether creation is
successful.


STEP 7 | Verify that the encrypted EDM data set is successfully created.
The EDM CLI application only supports upload of the encrypted EDM data sets it creates to
the DLP cloud service.
A secured copy of the EDM data set specified is created in the package-edm-secure-cli-
<version>-<platform> directory. In the directory, a new folder is created with the name
of the EDM data set appended with the date and time it was created. Inside this folder is the
encrypted output.zip file containing your EDM data set that is uploaded to the DLP cloud
service.

STEP 8 | Upload an Encrypted EDM Data Set to the DLP Cloud Service.

Upload an Encrypted EDM Data Set to the DLP Cloud Service

Upload encrypted EDM data sets to the Enterprise Data Loss Prevention (E-DLP) cloud service
using the EDM CLI application. The EDM CLI application supports one EDM data set upload at
a time.
STEP 1 | Create an encrypted EDM data set.
• Create an Encrypted EDM Data Set Using a Configuration File
• Create an Encrypted EDM Data Set in Interactive mode
Enter n when prompted whether to upload to the DLP cloud service so that the EDM CLI
application creates the encrypted EDM data set without uploading it.

STEP 2 | Configure Connectivity to the DLP Cloud Service if not already configured.
If you’ve already configured the upload_config.properties file, navigate to
the package-edm-secure-cli-<version>-<platform> directory where the
upload_config.properties is located to modify the dataset_name value for the
encrypted EDM data set you want to upload.


STEP 3 | Obtain the path for the encrypted EDM data set you created.
In the package-edm-secure-cli-<version>-<platform> directory, open the folder
containing the EDM data set and right-click the output.zip file to view the Properties. Copy
the file Location.

STEP 4 | Open the terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI application is located.

STEP 5 | Upload the encrypted EDM data set to the DLP cloud service.
• Windows

admin: edm-secure-cli.bat upload --dataset-zip-file <output.zip-file-location>

• Linux

admin: ./edm-secure-cli.sh upload --dataset-zip-file <output.zip-file-location>

STEP 6 | Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is
successful.

STEP 7 | Monitor the upload status of the EDM data set.
The time it takes for an uploaded EDM data set to become available on the DLP app or
Prisma Access (Cloud Managed) depends on the EDM data set size and internet connectivity
speed. For example, a 4GB EDM data set upload typically takes about 30 minutes to display
in the DLP app and be usable in a data profile with EDM data sets.
1. Log in to the DLP app on the hub or launch Prisma Access Cloud Management.
2. Navigate to the list of uploaded EDM data sets.
• DLP app on the hub—Select Detection Methods > Exact Data Matching.
• Prisma Access (Cloud Managed)— Select Manage > Configuration > Data Loss
Prevention > Detection Methods and select Exact Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.

Create and Upload an Encrypted EDM Data Set Using a Configuration File
Create and upload an encrypted hash Exact Data Matching (EDM) data set using a configuration
file included with the EDM CLI application. The configuration file allows you to configure the
upload parameters for upload ahead of time rather than manually entering each parameter at the
time of upload. You can also quickly update an existing EDM data set on the DLP cloud service
when you configure the config.properties and upload_config.properties files.
STEP 1 | Set Up the EDM CLI Application.

STEP 2 | Configure Connectivity to the DLP Cloud Service.


In the upload_config.properties file, you must enter a unique data set name for the EDM
data set you want to create and upload as the dataset_name. Upload to the DLP cloud
service fails if you upload an EDM data set with a data set name that already exists in the DLP
app.

STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to
the DLP cloud service.

STEP 4 | Navigate to the package-edm-secure-cli-<version>-<platform> directory and
open the config.properties file.


STEP 5 | Configure the EDM data set upload parameters.
1. Enter the path of the EDM data set for upload.
2. Enter the delimiter used to separate values in the EDM data set.
The “,” and tab (\t) delimiters are supported for EDM data set uploads. An EDM data set
may use only one delimiter.
3. Enter the EDM data set encoding method.
4. Enter the error threshold percentage for the EDM data set.
A secured version of the EDM data set is not created if the DLP cloud service
encounters errors exceeding the specified error threshold percentage.
5. Specify whether the EDM data set has a header row.
Enter true if the EDM data set includes a header row.
Enter false if the EDM data set does not include a header row.
6. Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.
7. Specify how the EDM CLI application handles an EDM data set that includes more than the
maximum number of cells supported.
Enter true to upload only up to the maximum number of data set cells supported.
Enter false to abort the EDM CLI application if the EDM data set has more than the
maximum number of data set cells supported.
8. Map your columns using the supported Data Type Value to accurately map each
column in your EDM data set to a specific Data Type.
Refer to the README.txt file packaged with the EDM CLI application for the table that
maps your EDM data set columns to the correct Data Type value.

When you create a data profile with EDM data sets on the DLP app or on Cloud
Management, you are required to select as the Primary Field at least one column in
which no single value occurs more than 12 times in the selected EDM data set.
When mapping your columns to a specific Data Type, be sure to include at least one
column in which no value occurs more than 12 times across the entire EDM data set.
Otherwise, the DLP cloud service is unable to match traffic against the EDM data
filtering profile you create using this EDM data set.

9. Select File and Save the configuration file.
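Before running the create command, it pays to check the data set against the constraints listed above instead of discovering a violation after a failed upload. The following Python script is an added example, not part of the EDM CLI application; it applies the constraints from this step, from Create an Encrypted EDM Data Set Using a Configuration File, and from the Interactive mode steps to a CSV or TSV file: a single delimiter (comma or tab), an optional header row, the blank-cell policy, the error threshold percentage, and the Primary Field rule that at least one column must have no value occurring more than 12 times. The sample data set is constructed. Counting a row with the wrong number of cells as an "error" for the threshold is an assumption; the guide doesn't define what the DLP cloud service counts as an error, so treat that check as an approximation.

```python
"""Pre-flight check of an EDM data set (CSV or TSV) before edm-secure-cli create.

Added example; not part of the EDM CLI application. Applies the constraints
the guide lists for config.properties and Interactive mode: one delimiter
(',' or tab), an optional header row, the blank-cell policy, the error
threshold percentage, and the Primary Field rule that at least one column
must have no value occurring more than 12 times.
"""
import csv
import io
from collections import Counter

MAX_PRIMARY_OCCURRENCES = 12  # Primary Field limit stated in the guide


def detect_delimiter(text):
    """Return ',' or '\\t'. Exactly one of them must split the first row into
    several cells, because an EDM data set may use only one delimiter."""
    first = next((l for l in text.splitlines() if l.strip()), "")
    hits = [d for d in (",", "\t")
            if len(next(csv.reader([first], delimiter=d))) > 1]
    if len(hits) != 1:
        raise ValueError("first row must use exactly one of ',' or tab as delimiter")
    return hits[0]


def analyze_dataset(text, has_header, allow_blank_cells, error_threshold_pct):
    """Return a report dict; report['ok'] is False when the data set would
    violate one of the stated constraints. An 'error' row is ASSUMED here to
    be a row whose cell count differs from the header (or first) row; the
    guide does not define what the DLP cloud service counts as an error."""
    delimiter = detect_delimiter(text)
    rows = [r for r in csv.reader(io.StringIO(text), delimiter=delimiter)
            if any(c.strip() for c in r)]            # ignore fully empty lines
    if not rows:
        raise ValueError("data set has no rows")
    header = rows.pop(0) if has_header else None
    ncols = len(header) if header else len(rows[0])
    problems = []

    bad_rows = sum(1 for r in rows if len(r) != ncols)
    error_pct = 100.0 * bad_rows / len(rows) if rows else 0.0
    if error_pct > error_threshold_pct:
        problems.append(f"{bad_rows} of {len(rows)} rows do not have {ncols} cells "
                        f"({error_pct:.1f}% exceeds the {error_threshold_pct}% threshold)")

    blank_rows = sum(1 for r in rows if any(c.strip() == "" for c in r))
    if blank_rows and not allow_blank_cells:
        problems.append(f"{blank_rows} rows contain blank cells but blank cells are not allowed")

    # Primary Field candidates: columns in which no value repeats more than 12 times.
    candidates = []
    for i in range(ncols):
        counts = Counter(r[i].strip() for r in rows if len(r) == ncols and r[i].strip())
        if counts and max(counts.values()) <= MAX_PRIMARY_OCCURRENCES:
            candidates.append(header[i] if header else f"column_{i + 1}")
    if not candidates:
        problems.append("no column qualifies as a Primary Field: every column has a value "
                        f"occurring more than {MAX_PRIMARY_OCCURRENCES} times")

    return {
        "delimiter": "tab" if delimiter == "\t" else ",",
        "columns": ncols,
        "rows": len(rows),
        "error_pct": round(error_pct, 2),
        "blank_rows": blank_rows,
        "primary_field_candidates": candidates,
        "problems": problems,
        "ok": not problems,
    }


# Constructed sample: 30 well-formed rows, one short row, one row with a blank cell.
SAMPLE_CSV = (
    "employee_id,last_name,department,badge_pin\n"
    + "".join(f"E{1000 + i},Doe{i % 2},Engineering,{4000 + i}\n" for i in range(30))
    + "E1030,Smith,Finance\n"
    + "E1031,,Finance,5031\n"
)

if __name__ == "__main__":
    report = analyze_dataset(SAMPLE_CSV, has_header=True,
                             allow_blank_cells=True, error_threshold_pct=5)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The primary_field_candidates list is the useful output: if it is empty, no column mapping will let the DLP cloud service match traffic against the resulting profile, so fix the data set before spending the time on creation and upload. Run the check with the same has_header, blank-cell and threshold values you intend to put in config.properties.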

STEP 6 | Create and upload the EDM data set to the DLP cloud service.
1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI application is located.
2. Create and upload the EDM data set in a single job.
• Windows

admin: edm-secure-cli.bat create -u

• Linux

admin: ./edm-secure-cli.sh create -u

A secured copy of the EDM data set specified is created and the EDM data set begins
uploading to the DLP cloud service.
3. Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is
successful.


STEP 7 | Monitor the upload status of the EDM data set.


The time it takes for an EDM data set uploaded to DLP cloud service to be available on the
DLP app or Prisma Access (Cloud Managed) depends on the EDM data set size and internet
connectivity speed. For example, a 4GB EDM data set upload typically takes about 30 minutes
to display in the DLP app and be usable in a data profile with EDM data sets.
1. Log in to the DLP app on the hub or Launch Prisma Access Cloud Management.
2. Navigate to the list of uploaded EDM data sets.
• DLP app on the hub—Select Detection Methods > Exact Data Matching.
• Prisma Access (Cloud Managed)— Select Manage > Configuration > Data Loss
Prevention > Detection Methods and select Exact Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.

Create and Upload an Encrypted EDM Data Set to the DLP Cloud Service in Interactive Mode
Upload an encrypted hash Exact Data Matching (EDM) data set to the DLP cloud service using
the EDM CLI application in Interactive mode to successfully create an EDM filtering profile. In
Interactive mode, you specify the EDM data set path for upload and configure the upload
parameters directly through the EDM CLI application prompts.


STEP 1 | Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to recover
a lost Client Secret.

The Client ID and Client Secret are used to authenticate and connect the EDM CLI
application to the DLP cloud service.
When you create the Service Account, the Client ID and Client Secret are displayed in
the Client Credentials. You can manually copy the Client Credentials or Download CSV File to
download the Client Credentials in plaintext locally to your device. Treat the Client Secret
like a password: keep it in your secrets manager, restrict who can read the CSV file, and
delete the file once the EDM CLI application is configured.

STEP 2 | Set Up the EDM CLI Application.

You must download EDM CLI application version 2.2 or later to upload an EDM data
set to a TSG-supported tenant.

STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to
the DLP cloud service.


STEP 4 | Enter Interactive mode in the EDM CLI application to begin the EDM data set upload.
1. Open the terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI application is located.
2. Enter Interactive mode in the EDM CLI application.
• Windows

admin: edm-secure-cli.bat interactive

• Linux

admin: ./edm-secure-cli.sh interactive

Entering this command begins the interactive upload process for EDM data sets to the
DLP cloud service.

STEP 5 | Enter the path of the EDM data set for upload.

STEP 6 | Enter the delimiter used to separate values in the EDM data set.
The “,” and tab (\t) delimiters are supported for CSV or TSV files. The EDM CLI application
uses the “,” delimiter by default. An EDM data set may use only one delimiter.

STEP 7 | Enter the EDM data set file encoding method.

STEP 8 | Enter the error threshold percentage for the EDM data set.
A secured version of the EDM data set is not created if the DLP cloud service encounters
errors exceeding the specified error threshold percentage.

STEP 9 | Specify whether the EDM data set has a header row.

STEP 10 | Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.


STEP 11 | Specify how the EDM CLI application handles an EDM data set that includes more than
the maximum number of cells supported.
Enter true to upload only up to the maximum number of data set cells supported.
Enter false to abort the EDM CLI application if the EDM data set has more than the maximum
number of data set cells supported.

STEP 12 | Enter the number of columns in your EDM data set.


This step is required to accurately map your CSV or TSV columns to the supported data types
to allow the DLP cloud service to accurately ingest your EDM data set.

STEP 13 | Map your columns using the supported Data Type Value to accurately map each column in
your EDM data set to a specific Data Type.
The EDM CLI application presents a table with each Data Type Name and the corresponding
Data Type Value. You can also view this table in the README.txt file packaged with the EDM
CLI application.

When you create a data profile with EDM data sets on the DLP app or on Cloud
Management, you're required to select as the Primary Field at least one column in which
no single value occurs more than 12 times in the selected EDM data set.
When mapping your columns to a specific Data Type, be sure to include at least one
column in which no value occurs more than 12 times across the entire EDM data set.
Otherwise, the DLP cloud service is unable to match traffic against the EDM data filtering
profile you create using this EDM data set.

STEP 14 | Specify whether to upload the EDM data set to the DLP cloud service. Enter y to continue
uploading the EDM data set or n to upload the EDM data set later.

Entering n creates a secured copy of the EDM data set in the package-edm-
secure-cli-<version>-<platform> directory for you to review.
You can skip the remaining steps below and Upload an Encrypted EDM Data Set to
the DLP Cloud Service later.


STEP 15 | Enter y to create a new EDM data set and enter the data set name.

If you enter n and are uploading to the DLP cloud service, you’re still prompted to
enter an EDM data set name. This updates the existing EDM data set you previously
uploaded to the DLP cloud service.

STEP 16 | (EDM CLI application 2.2 and later) Specify the authentication mechanism used to upload the
EDM data set to the DLP cloud service.
1. When prompted whether you have an access and refresh token, enter n.
This is required so that the EDM CLI application prompts for the Client ID and Client Secret.
2. Enter the Client ID and Client Secret.

STEP 17 | (Proxy server only) When prompted, enter y if the local device from which you’re uploading
requires a proxy server to connect to the internet.
You’re required to provide the following information for your proxy server.
• Proxy hostname
• Proxy port number
• Proxy username
• Proxy password

STEP 18 | Enter Y or y to confirm the EDM data set upload configuration is correct and begin uploading
to the DLP cloud service.
A secured copy of the EDM data set specified is created in the package-edm-secure-cli-
<version>-<platform> directory. In the directory, a new folder is created with the name of the
EDM data set appended with the date and time it was created. Inside this folder is the
encrypted output.zip file containing your EDM data set that is uploaded to the DLP cloud
service.
A progress bar and success message are displayed to notify you whether the upload is
successful.


STEP 19 | Monitor the upload status of the EDM data set.


The time it takes for an EDM data set uploaded to DLP cloud service to be available on the
DLP app or Cloud Management depends on the EDM data set size and internet connectivity
speed. For example, a 4GB EDM data set upload typically takes about 30 minutes to display in
the DLP app and be usable in a data profile with EDM data sets.
1. Log in to the DLP app on the hub or Launch the Cloud Management Console.
2. Navigate to the list of uploaded EDM data sets.
• DLP app on the hub—Select Detection Methods > Exact Data Matching.
• Cloud Management— Select Manage > Configuration > Data Loss Prevention >
Detection Methods and select Exact Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.

Update an Existing EDM Data Set on the DLP Cloud Service


Update an existing EDM data set you already uploaded to the DLP cloud service.
To quickly update an existing EDM data set on the DLP cloud service, configure the
upload_config.properties and config.properties files. To update an existing EDM
data set, you must upload the entire encrypted EDM data set to the DLP cloud service. Updating
an existing data set on the DLP cloud service overwrites the existing data set with the same data
set name.
If you prefer using Interactive mode to upload an EDM data set to the DLP cloud service, see
Create and Upload an Encrypted EDM Data to the DLP Cloud Service in Interactive Mode for
more information. You must still go through the Interactive mode upload process, but you must
enter n when prompted whether to create a new EDM data set on the DLP cloud service.


STEP 1 | On the local device where you downloaded the EDM CLI application, navigate to and open
the upload_config.properties file.
The upload_config.properties file is bundled in the package-edm-secure-cli-
<version>-<platform>.zip file you extracted when you set up the EDM CLI application.

STEP 2 | Edit the upload_config.properties file.


1. Enter the dataset_name of the existing EDM data set on the DLP cloud service you
want to update.
2. Save the changes to the upload_config.properties file.


STEP 3 | Modify the config.properties file.


1. Navigate to the package-edm-secure-cli-<version>-<platform> directory
and open the config.properties file.
2. Enter the path of the EDM data set for upload that you want to overwrite the existing
EDM data set on the DLP cloud service.
3. Modify the rest of the config.properties file as needed.
See Create an Encrypted EDM Data Set Using a Configuration File for more information.

4. Select File and Save the configuration file.


STEP 4 | Update the EDM data set on the DLP cloud service.
1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI application is located.
2. Upload the existing EDM data set to the DLP cloud service.
• Windows

admin: edm-secure-cli.bat update

• Linux

admin: ./edm-secure-cli.sh update

Entering this command creates a secured copy of the EDM data set specified in the
config.properties file and begins uploading to the DLP cloud service.
3. Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is
successful.


Enterprise DLP End User Alerting with Cortex XSOAR


Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use Enterprise DLP End
User Alerting, granting your team members the ability to self-service temporary exemptions for
file uploads that match your Enterprise DLP data profiles.
• About Enterprise DLP End User Alerting with Cortex XSOAR
• Setup Prerequisites for Enterprise DLP End User Alerting with Cortex XSOAR
• Set Up Enterprise DLP End User Alerting with Cortex XSOAR
• Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR
• View the Enterprise DLP End User Alerting with Cortex XSOAR Response History

About Enterprise DLP End User Alerting with Cortex XSOAR


Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR allows your
team members to understand why Enterprise DLP blocked a file upload and enables self-
service temporary exemptions for file uploads that match your Enterprise DLP data profiles.
Enterprise DLP End User Alerting with Cortex XSOAR provides an audit trail to better understand
the upload and response history for every file scanned by the DLP cloud service. Additionally,
enabling End User Alerting with Cortex XSOAR prevents malware-triggered uploads from being
exempted, because an affirmative action by the team member is required to request an exemption.
Enterprise DLP End User Alerting with Cortex XSOAR requires an active XSOAR license and
integration with the Enterprise DLP application. You can view responses to file uploads that
match your data filtering profiles and data profiles on supported applications only. For some
applications, End User Alerting with Cortex XSOAR requires mapping IP addresses to email
addresses in order to deliver exemption prompts to your team members. After you successfully
integrate Enterprise DLP with XSOAR and configure the exemption duration, the team member who
uploads a matched file is presented with an automated message asking them to confirm whether
the file includes the sensitive data that triggered a block verdict from the DLP cloud service.
If the team member responds that the file does contain sensitive data, they're given the option
to request a temporary exemption for the specific file.

If the team member responds that the file doesn’t contain sensitive information, the DLP
cloud service flags the file as a false positive. However, Enterprise DLP continues to block
the file upload.

The Enterprise DLP cloud service preserves the response history for all scanned files after
End User Alerting with Cortex XSOAR is enabled. For example, your team member uploads
file_A.pdf that matches a data profile match criteria. The team member is prompted to
confirm if the file contains sensitive information, to which they answer Yes and request an
exemption. A few days later, the team member uploads file_A.pdf again. This time they’re
only prompted to request an exemption because the DLP cloud service is already aware of the file
response history.


Setup Prerequisites for Enterprise DLP End User Alerting with Cortex XSOAR
Review the Palo Alto Networks product portfolio integration, supported application, and
configuration prerequisites required to use Enterprise Data Loss Prevention (E-DLP) End User
Alerting with Cortex XSOAR.

Table 1: Prerequisites by platform

PAN-OS Release
• Panorama (Palo Alto Networks Next-Generation Firewalls) and Prisma Access (Panorama
Managed): All PAN-OS versions that support Enterprise DLP; all Enterprise DLP plugin versions
• Prisma Access (Cloud Management): N/A

Palo Alto Networks Product Portfolio Integration
• All platforms: Cortex XSOAR

Supported Applications
• All platforms: Slack, Microsoft Teams, Email

(Slack only) IP Mapping to Email Addresses
• All platforms: Cloud Identity Engine

Set Up Enterprise DLP End User Alerting with Cortex XSOAR


Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use the Enterprise DLP
End User Alerting.
• Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Slack
• Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Microsoft Teams
• Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Email

Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Slack
To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set
up automatic Slack alerts, you need to configure the Cloud Identity Engine to map IP addresses to
email addresses so that automatic messages can be sent on Slack. After you configure the Cloud Identity
Engine, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR.
This chain of integrations allows the DLP cloud service to automate sending Slack messages to
team members who upload a file that matches your data profiles.


After you successfully integrate Slack, email send, and Enterprise DLP with Cortex XSOAR, you
need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or
on Cloud Management and configure the End User Alerting settings as needed.
STEP 1 | Configure the platform on which you’re using Enterprise DLP to map IP addresses to email
addresses.
This is required to use Enterprise DLP End User Alerting with Cortex XSOAR. If Panorama,
Prisma Access (Panorama Managed), or Prisma Access (Cloud Management) aren’t configured
to map IP addresses to email addresses, Enterprise DLP can’t send automated messages using
Slack.
• Panorama (Next-Gen Firewalls)
1. Log in to the Panorama web interface.
2. Configure the Cloud Identity Engine as a Mapping Source on the Firewall.
When you configure the User Attributes, you must set the Primary Username as Mail.

• Prisma Access (Panorama Managed) - Get User and Group Information Using the Cloud
Identity Engine
• Cloud Management
1. Launch Cloud Management.
2. Enable the Cloud Identity Engine.
3. Set up the Cloud Identity Engine.
4. Select Manage > Configuration > Cloud Identity Engine and edit the Cloud Identity
Engine Settings.
5. For the Primary User Name, select Mail.
Configure the rest of the Cloud Identity Engine settings as needed.

6. Save.

STEP 2 | Enable Slack Integration with XSOAR.

STEP 3 | Enable Mail Send Integration with XSOAR.


STEP 4 | Configure Enterprise DLP authentication.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.

The Client ID and Client Secret are used for authentication.


When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• Panorama (Not TSG-enabled)


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select API and Create Token.
3. Enter a descriptive Token Name and Create the access token.
4. Copy the Access Token and Refresh Token and save them in a secure location.


STEP 5 | Enable Enterprise DLP on Cortex XSOAR.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
1. Add the Client Credentials to Cortex XSOAR.
1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New
credential.
2. Enter a descriptive Credential Name.
3. For the Username, enter the Client ID created in the previous step.
4. For the Password, enter the Client Secret created in the previous step.
5. Save.
2. Select Marketplace > Browse and search for Enterprise DLP.
3. Install the Enterprise DLP content pack.
4. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Click Switch to credentials.
5. Enter the Client Credentials generated in the previous step.
6. Check (enable) Long running instance.
7. (Optional) Modify the automated Slack Bot Message.
8. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
• Panorama (Not TSG-enabled)
1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
2. Install the Enterprise DLP content pack.
3. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.

3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.

STEP 6 | Confirm the Cortex XSOAR integration with Enterprise DLP.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
1. Launch Cloud Management.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR
Integration Setup and check (enable) Confirm the status for XSOAR Integration.
• Panorama (Not TSG-enabled)
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Settings and check (enable) Confirm the status for XSOAR Integration.

STEP 7 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
The file that prompted the End User Alerting with Cortex XSOAR notification that was
exempted can be uploaded for the duration of the exemption duration. The default is 12
hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Slack.

Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Microsoft Teams
To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set
up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and
Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate
sending Microsoft Teams messages to team members who upload a file that matches your data
profiles.
After you successfully integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR, you
need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or
on Cloud Management and configure the End User Alerting settings as needed.


STEP 1 | Set up the prerequisites needed to begin integrating Microsoft Teams with Cortex XSOAR.
1. Integrate Active Directory using one of the following procedures based on your needs.
• Integrate Active Directory Query v2
• Integrate Azure Active Directory Users
2. Create the Demisto Bot in Microsoft Teams.
3. Grant the Demisto Bot Permissions in Microsoft Graph.
4. Configure Microsoft Teams on Cortex XSOAR.
5. Add the Demisto Bot to a Team.

STEP 2 | Integrate Microsoft Teams with Cortex XSOAR.
You can use one of the following methods based on your preferences.
• Using Cortex XSOAR Rerouting
• Using NGINX as Reverse Proxy
• Using Apache Reverse Proxy and Cortex XSOAR Engine
• Using Cloudflare


STEP 3 | Configure Enterprise DLP authentication.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.

The Client ID and Client Secret are used for authentication.


When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• Panorama (Not TSG-enabled)


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select API and Create Token.
3. Enter a descriptive Token Name and Create the access token.
4. Copy the Access Token and Refresh Token and save them in a secure location.


STEP 4 | Enable Enterprise DLP on Cortex XSOAR.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
1. Add the Client Credentials to Cortex XSOAR.
1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New
credential.
2. Enter a descriptive Credential Name.
3. For the Username, enter the Client ID created in the previous step.
4. For the Password, enter the Client Secret created in the previous step.
5. Save.
2. Select Marketplace > Browse and search for Enterprise DLP.
3. Install the Enterprise DLP content pack.
4. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Click Switch to credentials.
5. Enter the Client Credentials generated in the previous step.
6. Check (enable) Long running instance.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
• Panorama (Not TSG-enabled)
1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
2. Install the Enterprise DLP content pack.
3. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.

STEP 5 | Confirm the Cortex XSOAR integration with Enterprise DLP.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
1. Launch Cloud Management.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR
Integration Setup and check (enable) Confirm the status for XSOAR Integration.
• Panorama (Not TSG-enabled)
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Settings and check (enable) Confirm the status for XSOAR Integration.

STEP 6 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
The file that prompted the End User Alerting with Cortex XSOAR notification that was
exempted can be uploaded for the duration of the exemption duration. The default is 12
hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Microsoft Teams.

Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Email

Where Can I Use This?
• Cloud Management
• Panorama

What Do I Need?
• Enterprise DLP license
• Cortex XSOAR license

To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and
set up automatic email alerts, you need to set up integration with Active Directory and Enterprise
DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending
email messages to team members who upload a file that matches your data profiles.


After you successfully integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR, you
need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or
on Cloud Management and configure the End User Alerting settings as needed.
STEP 1 | Integrate Active Directory using one of the following procedures based on your needs.
• Integrate Active Directory Query v2
• Integrate Azure Active Directory Users


STEP 2 | Configure Enterprise DLP authentication.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
Access the Common Services Identity & Access settings and add a Service Account to
generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.

The Client ID and Client Secret are used for authentication.


When you create the Service Account, the Client ID and Client Secret are displayed
in the Client Credentials. You can manually copy the Client Credentials or Download CSV
File to download the Client Credentials in plaintext locally to your device.

• Panorama (Not TSG-enabled)


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select API and Create Token.
3. Enter a descriptive Token Name and Create the access token.
4. Copy the Access Token and Refresh Token and save them in a secure location.


STEP 3 | Enable Enterprise DLP on Cortex XSOAR.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
1. Add the Client Credentials to Cortex XSOAR.
1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New
credential.
2. Enter a descriptive Credential Name.
3. For the Username, enter the Client ID created in the previous step.
4. For the Password, enter the Client Secret created in the previous step.
5. Save.
2. Select Marketplace > Browse and search for Enterprise DLP.
3. Install the Enterprise DLP content pack.
4. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Click Switch to credentials.
5. Enter the Client Credentials generated in the previous step.
6. Check (enable) Long running instance.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
• Panorama (Not TSG-enabled)
1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
2. Install the Enterprise DLP content pack.
3. Select Settings > Integrations > Instances and search for Enterprise DLP.
Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR
for more information.
1. Select a descriptive Name.
2. For the Incident Type, verify Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
3. For the Mapper, verify that Data Loss Prevention is selected.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.

STEP 4 | Confirm the Cortex XSOAR integration with Enterprise DLP.


• Cloud Management and Prisma Access (Panorama Managed) (TSG-enabled)
1. Launch Cloud Management.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR
Integration Setup and check (enable) Confirm the status for XSOAR Integration.
• Panorama (Not TSG-enabled)
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Settings and check (enable) Confirm the status for XSOAR Integration.

STEP 5 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
The file that prompted the End User Alerting with Cortex XSOAR notification that was
exempted can be uploaded for the duration of the exemption duration. The default is 12
hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Microsoft Teams.

Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR
After you Set Up Enterprise DLP End User Alerting with Cortex XSOAR and a file upload matches
your data profile, the team member who uploaded the file is automatically alerted on Slack to
confirm whether the file they uploaded contains sensitive information.
The DLP cloud service maintains a response history for all files that trigger End User Alerting with
Cortex XSOAR based on your response.


• Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but
No, the end user didn’t request an exemption.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to request an exemption.
• Exception Requested - End user confirmed that Yes, the file contains sensitive data and
Yes, the end user requested an exemption.
For all future uploads of the file, end users aren’t prompted to confirm the file contains
sensitive data but are prompted to request an exemption.
• Confirmed False Positive - End user confirmed that No, the file doesn’t contain
sensitive data.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to confirm if the file contains sensitive data.
This procedure assumes you have already created a data profile and have successfully set up
Enterprise DLP End User Alerting with Cortex XSOAR.
STEP 1 | Upload a file containing sensitive data that matches a data profile.

STEP 2 | On Slack, the Enterprise DLP Bot sends an automated message to the team member who
uploaded the file containing sensitive data.
Select Yes to confirm that the uploaded file contains sensitive data and to request an
exemption.
Select No to confirm that the uploaded file doesn’t contain sensitive data and flag the file as
a false positive. If you select No, the file remains blocked for any future upload of the
same file. You will receive confirmation from the Enterprise DLP Bot that your response was
successfully received.


STEP 3 | If you selected Yes and the file contains sensitive information, select Yes when prompted to
request a temporary exemption for the uploaded file.
Select No if you don’t want to request a temporary exemption for the file. The file upload
remains blocked.
Skip this step if you selected No in the previous step and the file doesn’t contain sensitive data.


STEP 4 | The Enterprise DLP Bot confirms that the exemption was granted.
You can now reupload the file as needed for the length of the Exemption Duration.

View the Enterprise DLP End User Alerting with Cortex XSOAR
Response History
The Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR response
history provides an audit trail for administrators to understand which end user uploaded a file
containing sensitive data and how they responded to the Enterprise DLP Bot on Slack.
The possible response statuses are:
• Pending Response - The automated Enterprise DLP Bot message was sent and is pending a
response.
• Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but
No, the end user didn’t request an exemption.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to request an exemption.
• Exception Requested - End user confirmed that Yes, the file contains sensitive data and
Yes, the end user requested an exemption.
For all future uploads of the file, end users aren’t prompted to confirm the file contains
sensitive data but are prompted to request an exemption.
• Confirmed False Positive - End user confirmed that No, the file doesn’t contain
sensitive data.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted
to confirm if the file contains sensitive data.
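The response statuses above, and the rules in Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR for what happens when the same file is uploaded again, as a small Python model. This is an added example, not Palo Alto Networks code: the status names and the re-upload behaviour follow this guide, while the function names, the per-file bookkeeping, counting the Exemption Duration (12 hours by default) from the moment the exemption is granted, and treating a re-upload while a prompt is still Pending Response like a first upload are assumptions made for illustration.

```python
"""Model of the End User Alerting response-history rules.

Added example, not Palo Alto Networks code. The four response statuses and
what happens on a later upload of the same file follow the guide; the
function names, the per-file bookkeeping, and counting the Exemption
Duration (12 hours by default) from the moment the exemption is granted
are assumptions. Re-uploads while a prompt is still Pending Response are
treated like a first upload (also an assumption).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

PENDING = "Pending Response"
CONFIRMED_SENSITIVE = "Confirmed Sensitive"
EXCEPTION_REQUESTED = "Exception Requested"
CONFIRMED_FALSE_POSITIVE = "Confirmed False Positive"

DEFAULT_EXEMPTION_DURATION = timedelta(hours=12)


@dataclass(frozen=True)
class Decision:
    action: str               # "block" or "allow"
    prompt_sensitive: bool    # ask "does the file contain sensitive data?"
    prompt_exemption: bool    # ask "request a temporary exemption?"


@dataclass
class ResponseHistory:
    """Per-file state the (hypothetical) DLP cloud service would keep."""
    exemption_duration: timedelta = DEFAULT_EXEMPTION_DURATION
    status: dict = field(default_factory=dict)        # file_id -> status
    exempt_until: dict = field(default_factory=dict)  # file_id -> datetime

    def on_upload(self, file_id: str, now: datetime) -> Decision:
        """Decide what happens when an upload matches a data profile."""
        until = self.exempt_until.get(file_id)
        if until is not None and now < until:
            # Exemption still valid: the file can be re-uploaded, no prompt.
            return Decision("allow", False, False)
        status = self.status.get(file_id, PENDING)
        if status == PENDING:
            # First match (or still unanswered): full two-question prompt.
            self.status[file_id] = PENDING
            return Decision("block", True, True)
        if status == EXCEPTION_REQUESTED:
            # Known sensitive, exemption expired: only the exemption question.
            return Decision("block", False, True)
        # Confirmed Sensitive (no exemption) and Confirmed False Positive:
        # the upload stays blocked and the user is not prompted again.
        return Decision("block", False, False)

    def on_response(self, file_id: str, now: datetime,
                    is_sensitive: bool, wants_exemption: bool = False) -> str:
        """Record the uploader's answers to the Enterprise DLP Bot."""
        if not is_sensitive:
            self.status[file_id] = CONFIRMED_FALSE_POSITIVE
        elif wants_exemption:
            self.status[file_id] = EXCEPTION_REQUESTED
            self.exempt_until[file_id] = now + self.exemption_duration
        else:
            self.status[file_id] = CONFIRMED_SENSITIVE
        return self.status[file_id]


def walkthrough() -> dict:
    """Replay the file_A.pdf scenario from the guide plus a false-positive case."""
    t0 = datetime(2023, 10, 18, 9, 0)
    history = ResponseHistory()
    first = history.on_upload("file_A.pdf", t0)            # prompted for both answers
    history.on_response("file_A.pdf", t0, is_sensitive=True, wants_exemption=True)
    within = history.on_upload("file_A.pdf", t0 + timedelta(hours=1))  # exemption valid
    later = history.on_upload("file_A.pdf", t0 + timedelta(days=3))    # exemption prompt only

    history.on_upload("file_B.xlsx", t0)
    history.on_response("file_B.xlsx", t0, is_sensitive=False)  # flagged as false positive
    again = history.on_upload("file_B.xlsx", t0 + timedelta(minutes=5))
    return {"first": first, "within": within, "later": later,
            "false_positive": again, "statuses": dict(history.status)}


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The model makes one point visible that the list states only implicitly: a Confirmed False Positive never unblocks the file, so the only way an end user can get a blocked file through is a time-limited exemption, and that exemption must be requested again once the Exemption Duration has passed.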


STEP 1 | Log in based on the platform on which you’re using Enterprise DLP.
• Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed) - Log in to the
DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
• Prisma Access (Cloud Management) - Launch the Cloud Management Console.

STEP 2 | Navigate to the Enterprise DLP Incidents.


• Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed) - In the DLP app,
select Incidents.
• Prisma Access (Cloud Management) - Select Logs > DLP Incidents.

STEP 3 | In the Incidents section, view the Response Status for all file uploads.

You can also Add New Filter to filter Enterprise DLP Incidents based on the Response
Status.

STEP 4 | Click on the File name to view the detailed Response History for that specific file.
The detailed response history includes the team member who uploaded the file and how they
responded to the Enterprise DLP Bot.


Inspection of Contextual Secrets for Chat Applications


Use Enterprise Data Loss Prevention (E-DLP) to inspect contextual chat messages for chat-based
applications to identify and alert administrators when passwords are shared.
• About Inspection of Contextual Secrets
• Contextual Chat Examples
• Configure SaaS Security to Inspect for Contextual Secrets

About Inspection of Contextual Secrets


SaaS Security on Cloud Management supports inspection of contextual chat messages to monitor
sharing of sensitive passwords over chat-based applications. Enterprise Data Loss Prevention
(E-DLP) uses contextual messages to understand instances where a password might have been
shared. When Enterprise DLP detects that a password was shared, a DLP Incident is generated
that displays a snippet of the response containing the password.

Which Chat Applications Are Supported?


The Slack V2 chat application is currently supported for inspection of contextual secrets.

Which Data Patterns and Profiles Detect Passwords?


Data Patterns:
• Application Credential
Data Profiles
• Secrets and Credentials
• Custom data profile containing the Application Credentials data pattern.

What Kind of Contextual Messages Are Supported?


Enterprise DLP supports inspection of one contextual message and one immediate response
message containing a password in a private channel or public channel, and includes inspection
of threaded replies. For Enterprise DLP to detect a shared password, the response message
containing the password must be sent within 60 minutes of the contextual message. Review the
Contextual Chat Examples for more information on the types of contextual messages that trigger
inspection by Enterprise DLP.
For example, James asks Justin for a password. At 8:45 AM, Justin responds with the password
James requested. At 10:11 AM, Justin again replies but this time in a threaded response to the
contextual message and shares a second password. In this example, Enterprise DLP is able to
detect and generate a DLP Incident when Justin shares with James the first password at 8:45
AM. However, Enterprise DLP can’t detect the second password Justin shared with James because
the contextual message was already associated with the first response message and the second
threaded response exceeds the 60-minute time limit.


The contextual message, and password shared in response to a contextual message, must be in
text format for Enterprise DLP to detect and generate a DLP Incident. Enterprise DLP can’t detect
if a password was shared in a response to a contextual message if:
• The contextual message is a text or image attachment
• The response to the contextual message is a text or image attachment

Contextual Chat Examples


The table below shows examples of contextual statement formats that would trigger inspection
by the DLP cloud service, paired with examples of passwords of varying complexity that the
DLP cloud service would block.

Contextual Statement | Response
@<user> what is the password for the database? | the password is password123
Can you please share Virus DB credentials with Alex? | Alex, here it is: pA$$w0rd!23
What is the password | it is P@$$W0rd!23
Please share the credntial | password123
@<user> what is the passwrd for the database? | the password is password123
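The pairing rules described under What Kind of Contextual Messages Are Supported? (one contextual message, one immediate text response within 60 minutes, threaded replies included, attachments ignored) applied to a constructed Slack-like conversation that includes the James and Justin timeline and two rows of the table above. This is an added example, not Palo Alto Networks code: the message dicts are constructed, and the keyword regex for the contextual statement and the length/character heuristic for the credential are stand-ins for the ML-based Application Credential data pattern, which this code does not reproduce.

```python
"""Pairing a contextual 'please share the password' message with the first
text reply that carries a credential, following the 60-minute rule.

Added example, not Palo Alto Networks code. Message records are constructed
Slack-like dicts; CONTEXT_RE and SECRET_RE are simple stand-ins for the
ML-based Application Credential data pattern.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)   # response must follow the context within 60 minutes

# Stems for "password"/"credential", loose enough to catch the misspellings
# in the examples table ("passwrd", "credntial").
CONTEXT_RE = re.compile(r"\b(pass\w*|cred\w*)\b", re.IGNORECASE)
# Heuristic credential: a space-free token of 8+ characters that contains a
# digit or a symbol, e.g. password123 or pA$$w0rd!23.
SECRET_RE = re.compile(r"(?<!\S)(?=\S*[\d!@#$%^&*])\S{8,}(?!\S)")


def is_contextual(msg: dict) -> bool:
    # Only text messages count; a text or image attachment is not inspected.
    return msg["type"] == "text" and CONTEXT_RE.search(msg["text"]) is not None


def find_secret(msg: dict):
    if msg["type"] != "text":
        return None                      # attachment: not inspected
    m = SECRET_RE.search(msg["text"])
    return m.group(0) if m else None


def pair_secrets(messages: list) -> list:
    """Return (asker, responder, secret) for each detected share.

    Each contextual message is associated with at most one response: the
    first text message in the same channel (top level, or threaded under the
    context) that carries a credential and arrives within WINDOW.
    """
    msgs = sorted(messages, key=lambda m: m["ts"])
    used = set()                         # indexes already consumed as responses
    hits = []
    for i, ctx in enumerate(msgs):
        if i in used or not is_contextual(ctx):
            continue
        for j in range(i + 1, len(msgs)):
            resp = msgs[j]
            if resp["ts"] - ctx["ts"] > WINDOW:
                break                    # past the 60-minute window
            if resp["channel"] != ctx["channel"]:
                continue
            if resp["thread_ts"] not in (None, ctx["ts"]):
                continue                 # reply belongs to another thread
            secret = find_secret(resp)
            if secret is None:
                continue                 # attachment, or no credential in text
            hits.append((ctx["user"], resp["user"], secret))
            used.add(j)
            break                        # context consumed; later replies ignored
    return hits


def _m(hour, minute, user, text, msg_type="text", thread=None, channel="C-dba"):
    return {"ts": datetime(2023, 10, 18, hour, minute), "channel": channel,
            "user": user, "type": msg_type, "text": text, "thread_ts": thread}


# Constructed conversation: the James/Justin timeline, an attachment reply,
# and one row from the examples table.
MESSAGES = [
    _m(8, 30, "james", "@justin what is the password for the database?"),
    _m(8, 45, "justin", "the password is password123"),              # detected
    _m(9, 0, "alice", "Please share the credntial"),
    _m(9, 5, "bob", "creds.txt", msg_type="file"),                    # attachment: not inspected
    _m(10, 11, "justin", "and the second one is Sup3r$ecret",
       thread=datetime(2023, 10, 18, 8, 30)),                         # >60 min, context consumed
    _m(11, 0, "bob", "Can you please share Virus DB credentials with Alex?"),
    _m(11, 2, "carol", "Alex, here it is: pA$$w0rd!23"),              # detected
]


def walkthrough() -> list:
    return pair_secrets(MESSAGES)


if __name__ == "__main__":
    for asker, responder, secret in walkthrough():
        print(f"{responder} shared {secret!r} in reply to {asker}")
```

Running it reports the 8:45 AM reply and the table example, and nothing for the 10:11 AM threaded reply or for the attachment, which is the behaviour the text describes. When reviewing DLP Incidents for this feature, expect exactly that gap: a second password shared later in the same thread does not produce its own incident.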

Configure SaaS Security to Inspect for Contextual Secrets


To configure SaaS Security to inspect for contextual secrets, you must leverage an Enterprise
Data Loss Prevention (E-DLP) data profile containing data pattern match criteria that looks for
passwords and credentials. After the data profile is enabled, it must be associated with a policy
rule recommendation.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Connect the Slack Enterprise V2 application to SaaS Security.


STEP 3 | Select Manage > Configuration > SaaS Security > Settings > Data Profiles and verify that the
predefined Secrets and Credentials data profile is enabled.

(Optional) Instead of using the predefined data profile, you can create a custom
data profile and add the predefined ML-based Application Credential data pattern.
Adding a custom data pattern with regex match criteria to a custom data profile is not
supported for inspection for contextual secrets.

STEP 4 | Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP.

STEP 5 | View Enterprise DLP Log Details on Cloud Management.


Enterprise DLP and AI Apps


Use Enterprise Data Loss Prevention (E-DLP) to safeguard against GPT language model data
leakages.
• How Enterprise DLP Safeguards Against ChatGPT Data Leakage
• Create a Security Policy Rule for ChatGPT

How Enterprise DLP Safeguards Against ChatGPT Data Leakage


Learn more about using Enterprise DLP in your Security policy rules to prevent data exfiltration to
ChatGPT.
With the rise of generative Artificial Intelligence (AI), new Natural Language Processing and
Generation (NLP/NLG) interface-based apps have seen unprecedented adoption. ChatGPT is a
popular generative pre-trained transformer (GPT) language model application and presents an
ever-increasing risk of exfiltration of sensitive data. Palo Alto Networks maintains its commitment
to a holistic approach to data security.
Enterprise Data Loss Prevention (E-DLP) deployed on Panorama managed firewalls, Prisma Access
(Panorama Managed), Prisma Access (Cloud Management), and SaaS Security offers immediate
prevention of sensitive data exfiltration to AI apps like ChatGPT.

Existing ChatGPT Traffic - Discovery


Before you use Enterprise DLP to prevent data exfiltration to ChatGPT, it is important to
understand by whom and how often ChatGPT is accessed on your network. Panorama, Prisma
Access (Panorama Managed), Cloud Management, and Next-Generation CASB for Prisma Access
and NGFW allow you to monitor all egress activity and easily identify new AI app usage by
employees on your network.
Panorama
Use the Unified Log View for Panorama managed firewalls and Panorama Managed Prisma
Access.
• Use the Unified Log View (Monitor > Logs > Unified) to discover traffic to ChatGPT.
• ChatGPT traffic is captured through the App ID openai-chatgpt and can be found with the
following filter query:
(app eq openai-chatgpt)
Cloud Management
Use the Log Viewer for Prisma Access (Cloud Management) and SaaS Security.
• Use Log Viewer (Activity > Logs > Logs Viewer) to discover traffic to ChatGPT.
• ChatGPT traffic is captured through the App ID openai-chatgpt and can be found with the
following app filter query:
app = 'openai-chatgpt'


Next-Generation CASB
• Use the Discovered Apps (Discovered Apps > Applications) to discover traffic to ChatGPT.
• Add Filter to narrow down the Category to Artificial Intelligence applications and Tag as
Unknown.
This filter narrows the view to all traffic to uncategorized AI applications on your
network. Uncategorized applications display as unknown but can be manually recategorized
as sanctioned, unsanctioned, or tolerated once the initial discovery is completed,
based on your organization's risk posture.
• Alternatively, you can search for ChatGPT in the Search Application Name search
bar.

Block or Allow ChatGPT


How to Block ChatGPT
You can choose to block access to ChatGPT entirely using the App ID if the risk of employees
having access to ChatGPT messaging and API features is too high. For Next-Generation CASB
for Prisma Access and NGFW, you can block access to ChatGPT through the Artificial
Intelligence category.


• Panorama—Create an Application Block Rule to explicitly block traffic to ChatGPT.
The application block rule applies to Panorama managed firewalls and Panorama Managed
Prisma Access.
• Cloud Management—In Discovered Apps (Manage > Configuration > SaaS Security >
Discovered Apps > Applications), filter for ChatGPT to block access (Actions > Block
Access).
Additionally, you can select Actions > Tag to apply existing unsanctioned, tolerated, or
sanctioned app policies for egress traffic to ChatGPT.
This applies to Prisma Access (Cloud Management) and SaaS Security.
• Next-Generation CASB—In Discovered Apps (Visibility > Discovered Apps > Applications),
filter for ChatGPT to block access (Actions > Block Access).
Additionally, you can select Actions > Tag to apply existing unsanctioned, tolerated, or
sanctioned app policies for egress traffic to ChatGPT.
Allow ChatGPT and Prevent Exfiltration of Sensitive Data
With Enterprise DLP you can create new or leverage existing data detection logic for data sent to
ChatGPT through chat or API. Enterprise DLP can perform in-line content inspection to identify
and stop sensitive data loss to generative AI apps such as ChatGPT without completely blocking
access. This will allow your employees to continue to access ChatGPT while ensuring no sensitive
data is mishandled and leaves your network.
To allow access to ChatGPT on your network while preventing data leakage, you must create a
Security policy rule using an Enterprise DLP data profile.
• Create a Security Policy Rule for ChatGPT on Prisma Access (Cloud Management)
• Create a Security Policy Rule for ChatGPT on SaaS Security
• Create a Security Rule Policy for ChatGPT on Panorama

Create a Security Policy Rule for ChatGPT


Use Enterprise Data Loss Prevention (E-DLP) in a Security policy rule to prevent exfiltration of
sensitive data to ChatGPT.
• Create a Security Policy Rule for ChatGPT on Prisma Access (Cloud Management)
• Create a Security Policy Rule for ChatGPT on SaaS Security
• Create a Security Rule Policy for ChatGPT on Panorama

Create a Security Policy Rule for ChatGPT on Prisma Access (Cloud Management)
Use Enterprise Data Loss Prevention (E-DLP) for Prisma Access (Cloud Management) on Cloud
Management to prevent exfiltration of sensitive data to ChatGPT in a new or existing Security
policy rule.

Your Prisma Access tenants must be running Software Version 10.2.3 or later release.
Support for non-file based HTTP/2 traffic inspection is required to successfully prevent
exfiltration to ChatGPT.

STEP 1 | Launch the Cloud Management Console.


STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Data Transfer and Enable Non-File Inspection.

STEP 3 | Select Manage > Configuration > Security Services > Decryption and create the decryption
profile and policy rule required to enable Enterprise DLP on Cloud Management.

Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect
egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN)
headers from decrypted traffic.

STEP 4 | (Optional) Create a Custom Data Pattern on Cloud Management.


Create a custom regex data pattern to define your own match criteria. You can skip this step
if you plan to use predefined or existing data patterns to define match criteria in your data
filtering profile.

STEP 5 | Create a data profile on Cloud Management or use an existing data profile.
• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management

STEP 6 | Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and
in the Actions column, Edit the DLP rule.
1. Enable Non-File Based Match Criteria.
DLP rules configured for non-file detection are required to prevent exfiltration of
sensitive data to ChatGPT. You can further modify the DLP rule to enforce your
organization’s data security standards. The DLP rule has the same name as the data
profile from which it was automatically created.
You can keep File Based Match Criteria enabled or disable it as needed. Enabling this
setting has no impact on detection of egress traffic to ChatGPT as long as Non-File
Based Match Criteria is enabled.

2. Modify the Action and Log Severity.


3. Modify the rest of the DLP rule as needed.
4. Save.

STEP 7 | Create a Shared Profile Group for the Enterprise DLP data filtering profile.
1. Select Manage > Configuration > Security Services > Profile Groups and Add Profile
Group.
2. Enter a descriptive Name for the Profile Group.
3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
4. Add any other additional profiles as needed.
5. Save the profile group.


STEP 8 | Create a Security policy and attach the Profile Group.

Alternatively, you can select Manage > Configuration > Web Security to create or
add ChatGPT to a Web Security Policy. You can skip this step if you create a Web
Security Policy for ChatGPT.

1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
You can also update an existing Security policy to attach a Profile Group for Enterprise
DLP filtering.
2. In the Applications, Services, and URLs section, Add Applications to search for and select
openai-chatgpt.

3. Navigate to the Action and Advanced Inspection section, and select the Profile Group
you created in the previous step.

4. Configure the Security policy as needed.

The Action you specify in the data profile determines whether egress traffic to
ChatGPT is blocked. The Security policy rule Action does not impact whether
matched traffic is blocked.
For example, if you configure the data filtering profile to Block matching egress
traffic but configure the Security policy rule Action to Allow, the matching
egress traffic to ChatGPT is still blocked.
5. Save the Security policy.


STEP 9 | Push your data filtering profile.


1. Push Config and Push.
2. Select (enable) Remote Networks and Mobile Users.
3. Push.

Create a Security Policy Rule for ChatGPT on SaaS Security


Use Enterprise Data Loss Prevention (E-DLP) for SaaS Security on Cloud Management to
prevent exfiltration of sensitive data to ChatGPT in a new or existing Security policy rule.
If you would rather block access to ChatGPT on your network, you can do so from the SaaS
Security Applications dashboard (Manage > Configuration > Security Services > SaaS Application
Management > Discovered Apps > Applications). Using the SaaS Security Applications dashboard
to Block Access allows you to quickly generate a policy rule recommendation, rather than
manually creating one on your own.

Support for non-file based HTTP/2 traffic inspection is required to successfully prevent
exfiltration to ChatGPT. Your Cloud Management tenant must be running Software
Version 10.2.3 or later release.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Data Transfer and Enable Non-File Inspection.

STEP 3 | Select Manage > Configuration > Security Services > Decryption and create the decryption
profile and policy rule required to enable Enterprise DLP on Cloud Management.

Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect
egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN)
headers from decrypted traffic.

STEP 4 | (Optional) Create a Custom Data Pattern on Cloud Management.


Create a custom regex data pattern to define your own match criteria. You can skip this step
if you plan to use predefined or existing data patterns to define match criteria in your data
filtering profile.

STEP 5 | Create a data profile on Cloud Management or use an existing data profile.
• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management


STEP 6 | Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and
in the Actions column, Edit the DLP rule.
1. Enable Non-File Based Match Criteria.
DLP rules configured for non-file detection are required to prevent exfiltration of
sensitive data to ChatGPT. You can further modify the DLP rule to enforce your
organization’s data security standards. The DLP rule has the same name as the data
profile from which it was automatically created.
You can keep File Based Match Criteria enabled or disable it as needed. Enabling this
setting has no impact on detection of egress traffic to ChatGPT as long as Non-File
Based Match Criteria is enabled.

2. Modify the Action and Log Severity.


3. Modify the rest of the DLP rule as needed.
4. Save.


STEP 7 | Select Manage > Configuration > Security Services > SaaS Security > Discovered Apps >
Policy Recommendations to create a Security policy rule recommendation.
A SaaS policy rule recommendation is required to leverage the Enterprise Data Loss
Prevention (E-DLP) data profile in SaaS Security.
1. In the Select Applications section, search for and select ChatGPT.

2. In the Data Profile section, search for and select the data profile you enabled in the
previous step.
3. Configure the policy rule recommendation as needed.
4. Save.

Create a Security Rule Policy for ChatGPT on Panorama


Use Enterprise Data Loss Prevention (E-DLP) to prevent exfiltration of sensitive data to ChatGPT
in a new or existing Security policy rule. This is supported for Panorama and Prisma Access
(Panorama Managed).

Support for non-file based HTTP/2 traffic inspection is required to successfully prevent
exfiltration to ChatGPT. You must upgrade Panorama and all managed firewalls to PAN-OS
10.2.3 or later release. Additionally, you must upgrade the Panorama plugin for
Enterprise DLP to 3.0.2 or later release.

STEP 1 | Upgrade Panorama, managed firewalls, and the Enterprise DLP plugin to the minimum
required versions.
1. Upgrade Panorama to PAN-OS 10.2.3 or later release.
2. Upgrade the Enterprise DLP plugin to 3.0.2 or later release.
3. Upgrade managed firewalls to PAN-OS 10.2.3 or later release.

STEP 2 | Log in to the Panorama web interface.


STEP 3 | Create the decryption policy rule required for Enterprise DLP.
1. Select Objects > Decryption > Decryption Profile and specify the Device Group.
Add a new decryption profile. The default decryption profile configuration is all that is
required for Enterprise DLP to inspect traffic.

Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot
inspect egress traffic to ChatGPT if you remove application-layer protocol
negotiation (ALPN) headers from decrypted traffic.
2. Select Policies > Decryption and specify the Device Group.
Add a new decryption policy rule. Select Options and assign the decryption profile.
1. For the Action, select Decrypt.
2. Select the Decryption Profile you created.
3. Click OK.

STEP 4 | (Optional) Create a Data Pattern on Panorama or the DLP app.


Create a custom regex data pattern to define your own match criteria. Skip this step if you plan
to use predefined or existing custom data patterns to define match criteria in your data
filtering profile.

STEP 5 | Create a Data Filtering Profile on Panorama for Non-File Detection.


Data filtering profiles configured for non-file detection are required to prevent exfiltration
of sensitive data to ChatGPT. You can create a new data filtering profile or use existing data
filtering profiles as needed. You can add any combination of custom or predefined data
patterns to define the match criteria.


STEP 6 | Attach the data filtering profile to a Security policy rule.


1. Select Policies > Security.
You can select an existing Security policy rule or Add a new Security policy rule.
2. Configure the General and Source as needed.
3. Configure the Destination as needed.
4. For the Application, Add and search for openai-chatgpt.
Skip this step if your Security policy rule applies to Any application. ChatGPT is
automatically included for a Security policy rule that applies to Any application.
5. Select Actions and configure the Profile Settings.
Select Profiles and select the Data Filtering profile you created in the previous step.
If the data filtering profile is part of a Security Profile Group (Objects > Security Profile
Groups), select Group and select the Security Profile Group the data filtering profile is
associated with.
6. Configure the rest of the Security policy rule as needed.

The Action you specify in the data filtering profile determines whether egress
traffic to ChatGPT is blocked. The Security policy rule Action does not impact
whether matched traffic is blocked.
For example, if you configured the data filtering profile to Block matching egress
traffic but configure the Security policy rule Action to Allow, the matching
egress traffic to ChatGPT will be blocked.
7. Click OK.

STEP 7 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.

The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.

1. Select Commit > Commit to Panorama and Commit.


2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls that are using Enterprise
DLP.


Custom Document Templates for Enterprise DLP


Upload your custom documents that contain intellectual property or sensitive information to
Enterprise Data Loss Prevention (E-DLP) to create custom document templates. Your custom
document templates are used as match criteria in advanced data profiles to detect and prevent
exfiltration.
• About Custom Document Templates
• Upload a Custom Document Template
• Test a Custom Document Template
• Create a Data Profile to Detect Custom Documents

About Custom Document Templates


Enterprise Data Loss Prevention (E-DLP) supports upload and detection of custom documents
containing intellectual property for which you want to prevent exfiltration. You can upload a
custom document type to Enterprise DLP to classify and detect standardized documents and
prevent exfiltration of sensitive data. Custom document templates uploaded to Enterprise
DLP are used in data profiles as match criteria and can be used along with predefined Machine
Learning-based data patterns to apply additional ML-based detection algorithms complemented by
confidential or sensitive data specific to your organization.
Enterprise DLP uses Indexed Document Matching to fingerprint and index uploaded custom
documents to scan for and detect documents that completely or partially match what you have
already uploaded.
• Indexed Document Matching (IDM)—Used to fingerprint documents and create a template for
documents commonly used by your organization. Uploading multiple documents allows you to
create a custom document repository that you can use in a data profile.

Using IDM for detection of sensitive data is powerful and enables Enterprise DLP to continuously
improve its detection capabilities by indexing unstructured text in your documents. Examples of
different types of custom documents where IDM can be successfully applied are:
• Standardized forms or documents specific to your business or organization
• Patent documents
• Specific business agreements
• Specific intellectual property documents
Custom document templates are less effective if uploaded custom documents are too generic or
not specific to your organization, such as:
• Generic whitepapers
• Generic datasheets
• Image or graphic-heavy documents with little text
For example, your organization both buys and sells software. You want to only detect instances
of sensitive customer data contained in invoices for software that you sell. In this case, you can
upload a copy of your organization's invoice as a custom document template for fingerprinting.


However, custom document templates will be less effective if you want to detect receipts
for software your organization purchases, because there is too much variance in format
between the various software vendors your organization purchases from. Greater document
variance results in less accurate detection of matched traffic.

Predefined Document Templates


Enterprise DLP provides the following predefined document templates.

The predefined document templates listed below were originally predefined ML-based
data patterns. If you have data profiles using any of the following predefined document
templates converted from ML-based data patterns:
• All existing data profile inspection will continue to function as expected.
• All basic data profiles referencing the converted predefined ML-based data patterns
listed below should be recreated to detect the predefined document templates.
A basic data profile is a data profile that includes only data pattern match criteria.
Basic data profiles cannot be edited and must be recreated.
• All advanced data profiles referencing the converted predefined ML-based data
patterns should be edited to reference the appropriate predefined document
template instead of the predefined ML-based data pattern.
An advanced data profile is a data profile that includes any combination of data
pattern, EDM, and document template match criteria.

• Bank - Bankruptcy Filings
• Bank - Statements
• Financial - Form 1040
• Financial - Form 1099
• Financial - Form 1120
• Financial - Form W-2
• Financial - Form W-9
• Financial - Invoice
• Legal - Lawsuits
• Legal - Merger and acquisition
• Legal - Patent Filings
• Legal - Standard Business Agreements

Upload a Custom Document Template


Upload a custom document to Enterprise Data Loss Prevention (E-DLP) to create a custom
document template. Custom document templates are used to classify and detect your
standardized documents and prevent exfiltration of sensitive data.
A custom document template cannot be deleted after it's added to a data profile.


STEP 1 | Log in to the security platform using Enterprise DLP.


• Launch the Cloud Management Console
• DLP app on the hub
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.

STEP 2 | Navigate to the Enterprise DLP Document Types.


• Cloud Management—Select Manage > Configuration > Security Services > Data Loss
Prevention > Document Types
• DLP app—Select Document Types

STEP 3 | Add New to upload a new custom document.


STEP 4 | Define the new custom document.


1. Enter a Name for the custom document.
2. Select the document Category.
The document category is used to group together similar types of documents for
administrative purposes.
You can specify one of the following predefined categories—Academia, Confidential,
Employment, Financial, Government, Legal, Marketing, or Source Code.
3. (Optional) Enter a Description for the custom document.
Up to 300 characters are supported.
4. For the Source File, drag and drop a file or Browse Files to select the custom document.
Before you upload a custom document, review the upload requirements:
• The document must contain at least 250 characters.
• Documents containing images are supported but all images are ignored.
Documents containing images must still meet the minimum character requirement.
• Documents up to 1 MB in size are supported.
• Only one document can be uploaded at a time.
• The document must be one of the file types supported by Enterprise DLP.
5. Generate.


STEP 5 | In Document Types, verify that your custom document successfully uploaded to Enterprise
DLP.
To quickly find the document, you can search for the custom document Name. After you have
located the custom document, confirm the Status is Completed.

Test a Custom Document Template


Run a test for your custom document templates to verify that Enterprise Data Loss Prevention (E-
DLP) can successfully detect a custom document before it leaves your network.
STEP 1 | Log in to the security platform using Enterprise DLP.
• Launch the Cloud Management Console
• DLP app on the hub
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.

STEP 2 | Upload a custom document template to Enterprise DLP.


STEP 3 | Navigate to the Enterprise DLP Document Types.


• Cloud Management—Select Manage > Configuration > Security Services > Data Loss
Prevention > Document Types
• DLP App—Select Document Types

STEP 4 | Search for the custom document template you want to test and expand the Actions to
Test the custom document template.

STEP 5 | Browse Files and select the documents you want to test against the custom document
template.
You can test up to five documents at once. Each document must be one of the file types
supported by Enterprise DLP.
The Overlapping Score is displayed for each of the documents you tested. The overlapping
score represents how much content in the tested document matches the custom document
template. A score of 0 represents no commonalities between the test document and the
custom document template. A score of 100 represents a near-total match between the test
document and the custom document template.

Create a Data Profile to Detect Custom Documents


Create a data profile using one or more custom document templates you uploaded to Enterprise
Data Loss Prevention (E-DLP).
STEP 1 | Log in to the security platform using Enterprise DLP.
• Launch the Cloud Management Console
• DLP app on the hub
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.

STEP 2 | Upload a Custom Document Template.


The custom document template is used as the match criteria in the data profile.


STEP 3 | Test a Custom Document Template.


It is recommended that you run a test for your custom document templates to verify that
Enterprise DLP can successfully detect a custom document before it leaves your network.
The custom document template test generates an overlapping score used in the data
profile to define the match criteria required to trigger a Security policy rule action.

STEP 4 | Add a new data profile.


• Cloud Management—Select Manage > Configuration > Security Services > Data Loss
Prevention > Data Profiles and select Add Data Profile > Advanced Data Profile.
• DLP app—Select Data Profiles > Advanced Data Profile.


STEP 5 | Configure the Primary Rule data profile.

A custom document template cannot be deleted after it's added to a data profile. You
must remove the custom document template from the data profile to delete it from
Enterprise DLP.

1. Enter a descriptive Data Profile Name.


2. Select the match criteria operator (AND or OR) to specify how Enterprise DLP evaluates
inspected traffic if you add multiple custom document templates.
3. Select Add > Document Types.
4. Define the match criteria.
• Document Type—Select a custom document template you uploaded to Enterprise
DLP.
• Overlapping Score Condition—Specify the custom document overlapping score
required to trigger a Security policy rule action.
• Greater Than or Equal To—Security policy rule action triggered if Enterprise DLP detects
an instance of matched traffic with at least the specified minimum overlapping score.
• Between (Inclusive)—Security policy rule action triggered if Enterprise DLP detects
an instance of matched traffic with an overlapping score between the specified
min and max overlapping scores.
5. Repeat these steps to add additional custom document templates as needed.
6. Save.
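To make the overlapping score and the match criteria concrete, here is an added example (not Enterprise DLP's Indexed Document Matching code): it fingerprints constructed template text with hashed word shingles, scores a test document from 0 to 100 by how much of it appears in the template, and evaluates Greater Than or Equal To and Between (Inclusive) conditions joined by AND or OR. The shingle width, the scoring formula, and the sample documents are assumptions; only the 250-character minimum comes from the guide.

```python
import hashlib
from dataclasses import dataclass

MIN_TEMPLATE_CHARS = 250   # upload requirement stated in the guide
SHINGLE_WORDS = 5          # assumed shingle width; not an Enterprise DLP parameter


def _shingles(text: str, k: int = SHINGLE_WORDS) -> set:
    """Hash every run of k consecutive words so the fingerprint keeps no raw text."""
    words = text.lower().split()
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def register_template(name: str, text: str) -> dict:
    """Fingerprint a custom document, enforcing the 250-character minimum."""
    if len(text) < MIN_TEMPLATE_CHARS:
        raise ValueError(f"{name}: at least {MIN_TEMPLATE_CHARS} characters required")
    return {"name": name, "fingerprint": _shingles(text)}


def overlapping_score(template: dict, text: str) -> int:
    """0-100: share of the tested document's shingles that also occur in the template."""
    test_fp = _shingles(text)
    if not test_fp:
        return 0
    return round(100 * len(test_fp & template["fingerprint"]) / len(test_fp))


@dataclass
class DocumentTypeCondition:
    document_type: str
    condition: str        # "Greater Than or Equal To" or "Between (Inclusive)"
    min_score: int
    max_score: int = 100  # only used by Between (Inclusive)

    def matches(self, score: int) -> bool:
        if self.condition == "Greater Than or Equal To":
            return score >= self.min_score
        if self.condition == "Between (Inclusive)":
            return self.min_score <= score <= self.max_score
        raise ValueError(f"unknown condition: {self.condition}")


@dataclass
class PrimaryRule:
    operator: str         # "AND" or "OR" across the document types in the rule
    conditions: list

    def triggers(self, scores: dict) -> bool:
        hits = [c.matches(scores.get(c.document_type, 0)) for c in self.conditions]
        return all(hits) if self.operator == "AND" else any(hits)


def evaluate(rule: PrimaryRule, templates: list, text: str):
    """Score the text against every template, then apply the rule's match criteria."""
    scores = {t["name"]: overlapping_score(t, text) for t in templates}
    return rule.triggers(scores), scores


# Constructed sample templates (placeholder text, not real documents).
INVOICE_TEMPLATE = (
    "Acme Example Corp software invoice. Bill to: customer name, customer address, "
    "purchase order number. Item: annual subscription license for Acme Widget Suite, "
    "quantity, unit price, subtotal, applicable sales tax, total amount due. Payment "
    "terms: net 30 days from invoice date. Remit payment to the account listed below. "
    "Questions about this invoice should be directed to accounts receivable."
)
NDA_TEMPLATE = (
    "Mutual non-disclosure agreement between Acme Example Corp and the counterparty. "
    "Confidential information means any non-public business, technical, or financial "
    "information disclosed by either party. The receiving party shall protect such "
    "information with reasonable care and shall not disclose it to third parties. "
    "This agreement remains in effect for three years from the effective date."
)
TEMPLATES = [register_template("Sales Invoice", INVOICE_TEMPLATE),
             register_template("Standard NDA", NDA_TEMPLATE)]

# A filled-in invoice: mostly template text plus customer-specific values (constructed).
FILLED_INVOICE = INVOICE_TEMPLATE + " Invoice number 10042, total amount due 4,800 USD."
UNRELATED_TEXT = "Quarterly marketing newsletter: new features, webinars, and customer stories."

# Trigger if the text scores like an invoice OR reads largely like the NDA.
RULE_OR = PrimaryRule("OR", [
    DocumentTypeCondition("Sales Invoice", "Greater Than or Equal To", 70),
    DocumentTypeCondition("Standard NDA", "Between (Inclusive)", 40, 100),
])
RULE_AND = PrimaryRule("AND", RULE_OR.conditions)

if __name__ == "__main__":
    for text in (FILLED_INVOICE, UNRELATED_TEXT):
        print(evaluate(RULE_OR, TEMPLATES, text))
```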

STEP 6 | (Optional) Configure the Secondary Rule for the data profile.

Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data pattern conditions. If you want to allow traffic that
matches a data pattern match criteria, add it to the Primary Rule.


STEP 7 | Create a Security policy rule and associate the data profile.
• Prisma Access (Cloud Management)—Modify a DLP Rule for Prisma Access on Cloud
Management
• SaaS Security—Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP


Email DLP
Enterprise DLP prevents exfiltration of emails containing sensitive information with AI/ML
powered data detections. For example, Enterprise DLP can prevent exfiltration of sensitive data
over an outbound email sent from a salesperson within your organization to their personal email.
• How Does Email DLP Work?
• Activate Email DLP
• Onboard Microsoft Exchange Online
• Add an Enterprise DLP Email Policy
• Review Email DLP Incidents

How Does Email DLP Work?


To prevent sensitive data exfiltration, Enterprise Data Loss Prevention (E-DLP) needs to perform
inline inspection of all outbound emails. To do this, inbound and outbound connectors are used
to transport outbound emails to and from Enterprise DLP for inspection and verdict rendering.
You must also create allow, block, and quarantine transport rules to specify the actions Microsoft
Exchange takes based on the verdicts rendered by Enterprise DLP.
When Enterprise DLP inspects an email, an email header is added to indicate that Enterprise DLP
has already inspected the email. If Enterprise DLP renders a Block or Quarantine verdict for
inspected email, an email header to indicate the verdict is added as well. Emails that are already
inspected are not transported to Enterprise DLP a second time and Microsoft Exchange takes
action based on the existing email headers.
After Enterprise DLP inspects an email, it is returned to Microsoft Exchange for further
action based on the rendered verdict.
The email flow for inline inspection of emails using Enterprise DLP is as follows:
1. An email is sent from within your organization to a recipient outside your organization.
The outbound email can be sent from a desktop mail client, a web-based mail client, or a
mobile device.
2. The email transport rule instructs Microsoft Exchange to forward the outbound email to
Enterprise DLP for inspection using the outbound connector.
3. Enterprise DLP inspects the email subject line, body, and attachments against your Email DLP
policies and renders a verdict.
Enterprise DLP adds email headers to mark that it's been inspected and what verdict was
rendered.

Enterprise DLP supports inspection and detection of documents containing sensitive
data that are attached to an email. Enterprise DLP does not support inspection of
document links.
4. The email is returned to Microsoft Exchange using the inbound connector.
5. Microsoft Exchange takes action based on the hosted quarantine, admin approval, manager
approval, encrypt, or block transport rules.


6. Microsoft Exchange delivers the email to the intended recipient if it is allowed.
An email is allowed if Enterprise DLP did not detect any sensitive data or if the email was
quarantined and approved.

What Microsoft Exchange Online Licenses are Required for Email DLP?
Email DLP supports any Microsoft Exchange Online license, including Microsoft 365 Defender,
Microsoft 365, and Office 365 E5 licenses for inline inspection of outbound emails using
Enterprise DLP.
The type of Microsoft Exchange Online license you have activated determines the Email DLP
functionality available to your Microsoft Exchange Online deployment.

The MSDN license is not supported for Email DLP. MSDN does not support the use of
inbound connectors to route emails, which is required for Enterprise DLP to forward
outbound emails back to Microsoft Exchange after inspection.

What Functionality Do Microsoft Exchange Licenses Support?


Email DLP supports the following functionality based on your active Microsoft Exchange license.
• Any Microsoft Exchange Online license except MSDN
  • Inspect outbound emails
  • Block outbound emails containing sensitive data
  • Send outbound emails containing sensitive data for admin approval
  • Send outbound emails containing sensitive data for manager approval
• Microsoft 365 Defender license
  See the Microsoft 365 Defender prerequisites for more information.
  • Inspect outbound emails
  • Block outbound emails containing sensitive data
  • Send outbound emails containing sensitive data for admin approval
  • Send outbound emails containing sensitive data for manager approval
  • Send outbound emails containing sensitive data to hosted quarantine for approval
• Microsoft 365 or Office 365 E5 license
  • Inspect outbound emails
  • Block outbound emails containing sensitive data
  • Send outbound emails containing sensitive data for admin approval
  • Send outbound emails containing sensitive data for manager approval
  • Send outbound emails containing sensitive data to hosted quarantine for approval
  • Encrypt outbound emails containing sensitive data before they are sent to the recipient

Activate Email DLP


Learn how to activate Email DLP to prevent exfiltration of sensitive data contained in outbound
emails using AI-powered Enterprise Data Loss Prevention (E-DLP).

Activate Email DLP if Enterprise DLP is Already Active


You must contact your Palo Alto Networks sales representative to purchase Email DLP if
Enterprise DLP is already activated on your Data Security, CASB, or CASB-X tenant. Email DLP is
activated automatically after purchase of Email DLP and does not require any further actions by
you to activate.
Learn more about how Email DLP works and continue to connect Microsoft Exchange and
Enterprise DLP.

Activate Email DLP for New Cloud Management Deployments


You activate Email DLP for Enterprise DLP during the tenant activation.
• Data Security—After you purchase Email DLP, activation occurs by default when you activate
your Data Security license.
Verify that Email DLP is included in the list of Add-Ons.


• CASB and CASB-X—After you purchase Email DLP, activation occurs by default when you
activate your CASB-X license through Common Services.
Verify that Email DLP is included in the list of Add-Ons.

Convert Eval Email DLP to Production Email DLP


You must contact your Palo Alto Networks sales representative to convert your evaluation Email
DLP add-on to a production Email DLP add-on. Email DLP is converted automatically and does
not require you to take any further actions.
Learn more about how Email DLP works and continue to connect Microsoft Exchange and
Enterprise DLP.

Onboard Microsoft Exchange Online


You must onboard Microsoft Exchange Online to prevent exfiltration of sensitive data contained
in outbound emails using Enterprise Data Loss Prevention (E-DLP).
• Connect Microsoft Exchange and Enterprise DLP
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector
• Create Microsoft Exchange Transport Rules
• Create an Email DLP Sender Alert Policy
• Obtain Your Microsoft Exchange Domain and Relay Host

Connect Microsoft Exchange and Enterprise DLP


Connect Microsoft Exchange to Enterprise Data Loss Prevention (E-DLP) through SaaS Security
on Cloud Management to complete the onboarding.


Before you begin connecting Microsoft Exchange to Enterprise DLP, ensure that the admin
performing the connection has at least Email Administrator access for Microsoft
Exchange. This is required to allow Enterprise DLP API access to Microsoft Exchange.

STEP 1 | (Best Practices) Confirm that Active Directory is properly configured so email senders have a
manager to approve or reject quarantined emails.
Microsoft Exchange Active Directory is required to assign a manager to a sender. You can
create a transport rule to quarantine and send the email for approval by the sender's manager.
To successfully quarantine a sender's email if sensitive data is detected by Enterprise DLP, a
sender must have a manager assigned.
If no manager is assigned to a user, then the quarantined email is sent to the recipient because
no manager is assigned to approve or reject the email.

STEP 2 | (Best Practices) Save Evidence for Investigative Analysis with Enterprise DLP.
Palo Alto Networks recommends configuring evidence storage so you can download emails for
investigative analysis when you review Email DLP incidents.

STEP 3 | Set up the Cloud Identity Engine (CIE).


CIE is recommended so you can create targeted Email DLP policies.

STEP 4 | Obtain Your Microsoft Exchange Domain and Relay Host.

STEP 5 | Launch your Cloud Management platform.

STEP 6 | Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.

STEP 7 | Search for Exchange and click Microsoft Exchange.

STEP 8 | In the Email DLP Instance, click Add Instance.

STEP 9 | In the Setup Connectors and Rules page, click Continue to Next Section since you
have already configured the outbound connector, inbound connector, and transport rules.


STEP 10 | In the Configure Smart Host page, add the email domains and relay hosts.
Adding one or more email domains and relay hosts is required to ensure emails inspected by
Enterprise DLP are successfully forwarded back to Microsoft Exchange.
1. Enter an Email Domain and its corresponding Relay Host you obtained in the previous
step.
Obtain Your Microsoft Exchange Domain and Relay Host if you don't have the Microsoft
Exchange email domain and relay host immediately available.
2. (Optional) Add any additional email domains and relay hosts as needed.
3. Connect.

STEP 11 | Microsoft Exchange is now successfully connected and onboarded.

STEP 12 | Add an Enterprise DLP Email Policy.

STEP 13 | Create the Microsoft Exchange connectors and transport rules.


• Create a Microsoft Exchange Outbound Connector
The outbound connector controls the flow of emails forwarded from Microsoft Exchange to
Enterprise DLP.
• Create a Microsoft Exchange Inbound Connector
The inbound connector controls the flow of inspected emails returned from Enterprise DLP
to Microsoft Exchange.
• Create Microsoft Exchange Transport Rules
Transport rules allow Microsoft Exchange to forward emails to Enterprise DLP and
establish the actions Microsoft Exchange takes based on the hosted quarantine, admin
approval, manager approval, encrypt, or block verdicts rendered by Enterprise DLP.


Create a Microsoft Exchange Outbound Connector


To prevent exfiltration of sensitive data contained in outbound emails using Enterprise Data
Loss Prevention (E-DLP), you must create an outbound connector to control the flow of emails
forwarded from Microsoft Exchange Online to Enterprise DLP.
STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
Connector wizard.

STEP 3 | Specify the connector source and destination.


1. For Connection from, select Office 365.
2. For Connection to, select Partner organization.
A partner can be any third-party cloud service that provides services such as data
protection. In this case, the third-party partner organization is Palo Alto Networks.
3. Click Next.


STEP 4 | Name the Microsoft Exchange connector.


1. Enter a descriptive Name for the connector.
2. (Optional) Enter a Description for the connector.
3. (Best Practices) For What do you want to do after connector is saved?,
check (enable) Turn it on.
Enable this to automatically turn on the connector after you have finished creating and
saved the new Microsoft Exchange connector.
4. Click Next.

STEP 5 | To specify when the connector should be used, select Only when I have a transport rule set
up that redirects messages to this connector and click Next.
Using the connector only when a transport rule exists enables fine-grained control of what
action to take when an email contains sensitive data. By selecting this option, Microsoft
Exchange enforces action on emails based on the action specified in the Enterprise DLP data
profile.

STEP 6 | To configure the route settings for emails, check (enable) Route email through these smart
hosts to add the following smart host Fully Qualified Domain Name (FQDN) and click Next.
The FQDN specifies the region where emails are forwarded to the DLP cloud service for
inspection and verdict rendering. This also generates and displays Email DLP incidents in
the specified region. All processes and data related to Email DLP occur and are stored in this
region.
• United States—mail.us-west1.email.dlp.paloaltonetworks.com
• Europe—mail.europe-west3.email.dlp.paloaltonetworks.com
• APAC—mail.asia-southeast1.email.dlp.paloaltonetworks.com


STEP 7 | Specify the security restrictions for the connector.


1. Check (enable) Always use Transport Layer Security (TLS) to secure the connection.
This is required to successfully forward emails for inspection. Disabling this setting
causes the connector connection to be rejected.
2. Select Issued by a trusted certificate authority (CA).
3. Check (enable) Add the subject name or subject alternative name (SAN) matches this
domain: and add the following domain name.
Adding the subject name is required for positive identification of the Palo Alto Networks
DLP cloud service. The domain name you add must match the smart host FQDN you added
in the previous step.
• United States—mail.us-west1.email.dlp.paloaltonetworks.com
• Europe—mail.europe-west3.email.dlp.paloaltonetworks.com
• APAC—mail.asia-southeast1.email.dlp.paloaltonetworks.com

4. Click Next.


STEP 8 | Add a validation email.


Enter a valid email address associated with the email domain used by your organization. This is
required to validate connectivity between the Microsoft Exchange Admin Center and the Palo
Alto Networks smart host, and that emails can be successfully delivered.
1. Add a valid email address for validation.
2. Validate.
The Microsoft Exchange validation tests take a few minutes to complete.
3. Under the Task, verify that the Check connectivity validation test status to the
Enterprise DLP FQDN displays Succeed.

It is expected that the following errors occur when adding the validation email.
• Validation failed error is displayed.
• The Send test email validation test status displays Failed.
These do not prevent you from creating the outbound connector and do not
impact email forwarding to Enterprise DLP.

4. Click Done.
5. When prompted to confirm whether to proceed without successful validation, click Yes,
proceed.

STEP 9 | Review the connector details and Create Connector.


Click Done when prompted that the outbound connector was successfully created.


STEP 10 | Back in the Connectors page, verify the outbound connector is displayed and that the
Status is On.

STEP 11 | Create a Microsoft Exchange Inbound Connector if not already created.


The inbound connector is required to return emails forwarded to Enterprise DLP for inspection
back to Microsoft Exchange.
Skip this step if you have already created the inbound connector.

STEP 12 | Create Microsoft Exchange Transport Rules.


After you have successfully created the Microsoft Exchange connectors, you must create Microsoft
Exchange transport rules to forward emails to and from Enterprise DLP, and to specify what
actions Microsoft Exchange takes based on the Enterprise DLP verdicts.
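The outbound connector configured in the steps above can also be created from Exchange Online PowerShell, which is easier to review and repeat across tenants than the wizard. The following is an added example, not code from the Palo Alto Networks guide or the Email DLP product. It assumes the ExchangeOnlineManagement module is installed, the signed-in account holds at least the Exchange Administrator role, and the tenant's Email DLP region is the United States; the connector name and the validation recipient are placeholders to replace with your own values.

```powershell
# Added example: create the Enterprise DLP outbound connector with Exchange
# Online PowerShell (the equivalent of Steps 2 through 10 of the wizard above).
# Assumed: ExchangeOnlineManagement module installed, Exchange Administrator
# rights, US region. Connector name and validation recipient are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline          # interactive sign-in to the tenant

# Region-specific smart host FQDN from the guide; use exactly one.
$DlpSmartHost = 'mail.us-west1.email.dlp.paloaltonetworks.com'
# $DlpSmartHost = 'mail.europe-west3.email.dlp.paloaltonetworks.com'    # Europe
# $DlpSmartHost = 'mail.asia-southeast1.email.dlp.paloaltonetworks.com' # APAC

$ConnectorName       = 'Enterprise DLP Outbound'      # placeholder name
$ValidationRecipient = 'dlp-validation@example.com'   # placeholder mailbox in your own domain

$connector = @{
    Name                  = $ConnectorName
    Comment               = 'Routes outbound mail to Enterprise DLP for inline inspection'
    ConnectorType         = 'Partner'           # Connection from Office 365 to a partner organization
    IsTransportRuleScoped = $true               # used only when a transport rule redirects mail here
    UseMXRecord           = $false              # deliver to the smart host, not the recipient's MX
    SmartHosts            = $DlpSmartHost
    TlsSettings           = 'DomainValidation'  # TLS required, trusted CA, subject/SAN must match TlsDomain
    TlsDomain             = $DlpSmartHost       # the domain name checked against the certificate
    Enabled               = $true               # "Turn it on" after saving
}
New-OutboundConnector @connector

# Connectivity check. As the guide notes, the "Send test email" task is
# expected to fail; only the connectivity task to the DLP FQDN should succeed.
Validate-OutboundConnector -Identity $ConnectorName -Recipients $ValidationRecipient

# Confirm the security-relevant settings rather than trusting the wizard output.
$c = Get-OutboundConnector -Identity $ConnectorName
if (-not $c.Enabled)                       { Write-Warning 'Connector is Off' }
if (-not $c.IsTransportRuleScoped)         { Write-Warning 'Connector is not limited to transport rules' }
if ($c.TlsSettings -ne 'DomainValidation') { Write-Warning 'TLS certificate domain validation is not enforced' }
if ("$($c.TlsDomain)" -ne $DlpSmartHost)   { Write-Warning 'TlsDomain does not match the smart host FQDN' }
```

The final checks matter more than the creation itself: a connector that is On but not transport-rule scoped, or that routes to the smart host without domain validation, passes the wizard yet weakens the guarantees the guide relies on (only rule-selected mail leaves for inspection, and only to a host presenting the expected certificate).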

Create a Microsoft Exchange Inbound Connector


Create an inbound connector to return emails forwarded to Enterprise DLP back to Microsoft
Exchange.
STEP 1 | Log in to the Microsoft Exchange Admin Center.


STEP 2 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
Connector wizard.

STEP 3 | Specify the connector source and destination.


1. For Connection from, select Your organization's email server.
2. Click Next.


STEP 4 | Name the Microsoft Exchange connector.


1. Enter a descriptive Name for the connector.
2. (Optional) Enter a Description for the connector.
3. (Best Practices) For What do you want to do after connector is saved?,
check (enable) Turn it on.
Enable this to automatically turn on the connector after you have finished creating and
saved the new Microsoft Exchange connector.
4. Click Next.


STEP 5 | Specify the authentication IP addresses that Microsoft Exchange uses to verify Enterprise
DLP.
The authentication IP addresses are required so that Enterprise DLP can forward emails back
to Microsoft Exchange.
1. Select By verifying that the IP address of the sending server matches one of the
following IP addresses, which belong to your partner organization.
2. Add the following IP addresses:
34.168.197.200
34.83.143.116

STEP 6 | Review the connector details and Create Connector.


Click Done when prompted that the inbound connector was successfully created.

STEP 7 | Back in the Connectors page, verify the inbound connector is displayed and that the Status
is On.


STEP 8 | Create a Microsoft Exchange Outbound Connector if not already created.


The outbound connector is required to control the flow of emails forwarded from Microsoft
Exchange Online to Enterprise DLP for inline inspection.
Skip this step if you have already created the outbound connector.

STEP 9 | Create Microsoft Exchange Transport Rules.


After you have successfully created the Microsoft Exchange connectors, you must create Microsoft
Exchange transport rules to forward emails to Enterprise DLP, and to specify what actions
Microsoft Exchange takes based on the Enterprise DLP verdicts.
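The inbound connector above can likewise be created and checked from Exchange Online PowerShell. This is an added example, not code from the Palo Alto Networks guide or the Email DLP product; it assumes the ExchangeOnlineManagement module and Exchange Administrator rights, uses the two source IP addresses listed in Step 5, and uses a placeholder connector name.

```powershell
# Added example: create the Enterprise DLP inbound connector with Exchange
# Online PowerShell (the equivalent of Steps 2 through 7 above).
# Assumed: ExchangeOnlineManagement module installed, Exchange Administrator
# rights. The connector name is a placeholder.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

# Source addresses from the guide: inspected mail is accepted back only when it
# arrives from one of these Enterprise DLP IP addresses.
$DlpSenderIPs  = @('34.168.197.200', '34.83.143.116')
$ConnectorName = 'Enterprise DLP Inbound'      # placeholder name

$connector = @{
    Name              = $ConnectorName
    Comment           = 'Accepts mail returned by Enterprise DLP after inspection'
    ConnectorType     = 'OnPremises'   # cmdlet value for "Your organization's email server" (Step 3)
    SenderDomains     = '*'            # any sender domain; the sending server is identified by IP
    SenderIPAddresses = $DlpSenderIPs  # "By verifying that the IP address of the sending server matches..."
    RequireTls        = $true          # refuse cleartext delivery of inspected mail
    Enabled           = $true
}
New-InboundConnector @connector

# Verify the allow-list is exactly the two documented addresses: an extra or
# mistyped entry weakens the check that returned mail really came from
# Enterprise DLP, and a missing one breaks delivery of inspected mail.
$c = Get-InboundConnector -Identity $ConnectorName
$configured = @($c.SenderIPAddresses | ForEach-Object { "$_" })
$diff = Compare-Object -ReferenceObject $DlpSenderIPs -DifferenceObject $configured
if ($diff) { Write-Warning "SenderIPAddresses differ from the documented list: $($diff.InputObject -join ', ')" }
if (-not $c.RequireTls) { Write-Warning 'TLS is not required on the inbound connector' }
if (-not $c.Enabled)    { Write-Warning 'Connector is Off' }
```

Re-run only the verification part after any later change to the tenant's connectors; the source IP list is the control that ties the x-panw-inspected and x-panw-action headers, on which the transport rules act, to mail that actually passed through Enterprise DLP.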

Create Microsoft Exchange Transport Rules


Create Microsoft Exchange email transport rules to forward emails from Microsoft Exchange to
the Enterprise Data Loss Prevention (E-DLP) cloud service for inspection to prevent exfiltration
of sensitive data. Additionally, you must create transport rules to specify the actions Microsoft
Exchange takes based on the verdicts rendered by Enterprise DLP.
• Create an Email Transport Rule
• Create a Quarantine Transport Rule for Hosted Quarantine
• Create a Transport Rule for Admin Approval
• Create a Transport Rule for Manager Approval
• Create an Encrypt Transport Rule
• Create a Block Transport Rule
Create an Email Transport Rule
The Microsoft Exchange email transport rule is required to forward all outbound emails from
Microsoft Exchange to the Enterprise Data Loss Prevention (E-DLP) cloud service for inline email
inspection and verdict rendering. The email transport rule is required in all cases regardless of the
verdict Enterprise DLP renders.
Enterprise DLP adds the x-panw-inspected header with the value true to all inspected emails.
If an outbound email already includes this header, it is not forwarded to Enterprise DLP
again. Instead, Microsoft Exchange takes the action specified in the hosted quarantine, admin
approval, manager approval, encrypt, or block transport rules based on the verdict already
rendered by Enterprise DLP.
STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector


STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the email transport rule conditions.


1. Enter a Name for the email transport rule.
2. Specify the email recipient.
This instructs Microsoft Exchange to forward the email to Enterprise DLP before it
leaves your network when the email recipient is outside your organization.
1. For Apply this rule if, select The recipient.
2. For the recipient, select is external/internal. When prompted to select the recipient
location, select Outside the organization.
Click Save to continue.

3. Specify Microsoft Exchange Connector you created as the transport target for email
inspection.
1. For Do the following, select redirect the message to.
2. For the transport target, select the following connector. When prompted, select the
outbound connector.
Click Save to continue.

4. Add an exception for emails that exceed the maximum message size supported by
Enterprise DLP.
Enterprise DLP supports inspection of email messages up to 20 MB in size. Larger email
messages are not supported and should not be forwarded to Enterprise DLP.
1. In the Except If field, select The message.
2. Select size is greater than or equal to. When prompted, enter the following
maximum-supported message size in KB:
20480

5. Add an exception for emails that were already inspected by Enterprise DLP.
1. In the Except if condition, click the add symbol to add a new Or condition.


2. Select The message headers condition.


3. For the Or condition action, select matches any of these words.
4. Click Enter text to set the message header to x-panw-inspected.
5. Click Enter words and enter true.
Click Add and select the word you added. Click Save to continue.

6. Click Next to continue.

STEP 5 | Configure the email transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the email transport rule settings as needed.
3. Click Next to continue.
4. Save.

STEP 6 | Review the email transport rule configuration and click Finish.
Click Done when prompted that the email transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.


STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• Priority among the quarantine transport rules, block transport rule, encrypt transport
rule, and any other existing transport rules has no impact. After Enterprise DLP
inspects and returns the email to Microsoft Exchange, the appropriate transport rule
action occurs based on the email header.
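The email transport rule above, with both of its exceptions, expressed in Exchange Online PowerShell. This is an added example, not code from the Palo Alto Networks guide or the Email DLP product; it assumes the ExchangeOnlineManagement module and Exchange Administrator rights, and that the outbound connector was created under the placeholder name used here. The size exception is the cmdlet's "over" comparison rather than the wizard's "greater than or equal to", so it differs from the wizard by exactly one byte at the 20480 KB boundary.

```powershell
# Added example: the Email DLP forwarding rule (Steps 3 through 7 above) as a
# single New-TransportRule call, followed by a check of the loop-prevention
# exception. Assumed: ExchangeOnlineManagement module, Exchange Administrator
# rights. The connector and rule names are placeholders.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$OutboundConnector = 'Enterprise DLP Outbound'                         # name given to the outbound connector
$RuleName          = 'Enterprise DLP - Forward outbound mail for inspection'  # placeholder rule name

$rule = @{
    Name                                = $RuleName
    Comment                             = 'Redirect external mail to Enterprise DLP unless already inspected or too large'
    # Condition: the recipient is outside the organization
    SentToScope                         = 'NotInOrganization'
    # Action: redirect the message through the outbound connector to the DLP smart host
    RouteMessageOutboundConnector       = $OutboundConnector
    # Exception 1: messages above the 20 MB (20480 KB) inspection limit stay in Exchange
    ExceptIfMessageSizeOver             = 20MB
    # Exception 2: messages Enterprise DLP already stamped with x-panw-inspected: true
    ExceptIfHeaderContainsMessageHeader = 'x-panw-inspected'
    ExceptIfHeaderContainsWords         = 'true'
    Mode                                = 'Enforce'
    # 0 is the top of the whole rule list; the guide only requires this rule to sit
    # above the other Email DLP rules, so raise the number if other rules must precede it.
    Priority                            = 0
}
New-TransportRule @rule

# The x-panw-inspected exception is what stops inspected mail that returns
# through the inbound connector from being redirected to DLP a second time.
$r = Get-TransportRule -Identity $RuleName
if ($r.ExceptIfHeaderContainsMessageHeader -ne 'x-panw-inspected' -or
    $r.ExceptIfHeaderContainsWords -notcontains 'true') {
    Write-Warning "Rule '$RuleName' lacks the x-panw-inspected exception; inspected mail may loop"
}
if ($r.Mode -ne 'Enforce') { Write-Warning "Rule '$RuleName' is in $($r.Mode) mode, not Enforce" }

# Show where this rule sits relative to every other rule (lower number runs first).
Get-TransportRule | Sort-Object Priority | Format-Table Priority, Name, Mode -AutoSize
```

The priority listing at the end is the quickest way to apply the hierarchy note above: the forwarding rule must appear before the Email DLP action rules, and any encryption rule that was not created for Email DLP must appear after them.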

Create a Quarantine Transport Rule for Hosted Quarantine


The Microsoft Exchange quarantine transport rule for hosted quarantine instructs Microsoft
Exchange to quarantine and forward the email to the spam quarantine mailbox hosted by
Microsoft Exchange when Enterprise Data Loss Prevention (E-DLP) cloud service returns a
Quarantine verdict for an email that contains sensitive data. An email administrator must review
and take action on quarantined emails after Enterprise DLP inspection.
Enterprise DLP adds the x-panw-action header with the value quarantine to inspected emails
if Enterprise DLP renders a Quarantine verdict. The email is transported back to Microsoft
Exchange and forwarded to the hosted quarantine spam inbox so an email administrator can
review the email contents and decide whether to approve or block the email. Any future emails
with this header already included are not forwarded to Enterprise DLP again. Instead,
Microsoft Exchange takes the action specified in the quarantine transport rule.


Microsoft supports email approvals on the web browser-based Microsoft Exchange only.
Approving or rejecting emails on the Microsoft Exchange mobile application or desktop
client is not supported.

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the quarantine transport rule conditions.


1. Enter a Name for the quarantine transport rule.
2. Add the quarantine email message header.
The quarantine header is added by the DLP cloud service when an email contains
sensitive information that needs to be approved by your email administrator.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following:
x-panw-action
Click Save to continue.
4. Click Enter words. When prompted, enter the following and Add:
quarantine
Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the
quarantine header added by Enterprise DLP.
1. For Do the following, select Redirect the message to.
2. Select hosted quarantine.

4. Click Next to continue.

STEP 5 | Configure the quarantine transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the quarantine transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the quarantine transport rule configuration and click Finish.
Click Done when prompted that the quarantine transport rule was successfully created. You
are redirected back to the Microsoft Exchange Rules page.


STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• Priority among the quarantine transport rules, block transport rule, encrypt transport
rule, and any other existing transport rules has no impact. After Enterprise DLP
inspects and returns the email to Microsoft Exchange, the appropriate transport rule
action occurs based on the email header.

STEP 8 | An email administrator must review and approve or reject quarantined emails forwarded to
the hosted quarantine mailbox.

Create a Transport Rule for Admin Approval


The Microsoft Exchange transport rule for admin approval instructs Microsoft Exchange to
forward the email to the specified email administrator when Enterprise Data Loss Prevention (E-
DLP) cloud service returns a Forward email for approval admin verdict for an email that
contains sensitive data.
Enterprise DLP adds the x-panw-action header with the value fwd_to_admin to inspected
emails if Enterprise DLP renders a Forward email for approval admin verdict. The
email is transported back to Microsoft Exchange so an email administrator can review the email
contents and decide whether to approve or block the email. Any future emails with this header
already included are not forwarded to Enterprise DLP again. Instead, Microsoft Exchange
takes the action specified in the transport rule.


Microsoft supports email approvals on the web browser-based Microsoft Exchange only.
Approving or rejecting emails on the Microsoft Exchange mobile application or desktop
client is not supported.

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the transport rule conditions.


1. Enter a Name for the transport rule.
2. Add the email message header.
The fwd_to_admin email header is added by the DLP cloud service when an email
contains sensitive information requiring email administrator approval.
1. For Apply this rule if, select The message headers....
2. Select match these text patterns.
3. Click Enter Text. When prompted, enter the following:
x-panw-action
Click Save to continue.
4. Click Enter words. When prompted, enter the following and Add:
fwd_to_admin
Select the word you added. Click Save to continue.

3. Specify the action Microsoft Exchange takes when an email header includes the header
added by Enterprise DLP.
1. For Do the following, select Forward the message for approval.
2. Select to these people.

4. Click Next to continue.

STEP 5 | Configure the transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the transport rule configuration and click Finish.


Click Done when prompted that the transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.


STEP 7 | Modify the transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The email transport rule should always be the highest priority rule relative to the
other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• Priority among the quarantine transport rules, block transport rule, encrypt transport
rule, and any other existing transport rules has no impact. After Enterprise DLP
inspects and returns the email to Microsoft Exchange, the appropriate transport rule
action occurs based on the email header.

Create a Transport Rule for Manager Approval


The Microsoft Exchange transport rule for manager approval instructs Microsoft Exchange to
forward the email to the sender's manager when Enterprise Data Loss Prevention (E-DLP) cloud
service returns a Forward email for approval by end user's manager verdict for an
email that contains sensitive data.
Enterprise DLP adds the x-panw-action header with the value fwd_to_manager to inspected
emails if Enterprise DLP renders a Forward email for approval by end user's
manager verdict. The email is transported back to Microsoft Exchange so a manager can review
the email contents and decide whether to approve or block the email. Any future emails with
this header already included are not forwarded to Enterprise DLP again. Instead, Microsoft
Exchange takes the action specified in the transport rule.


Microsoft Exchange Active Directory is required to assign a manager to a user. To
successfully send an email for manager approval if sensitive data is detected by Enterprise
DLP, the sender must have a manager assigned.
If no manager is assigned to the sender, then the email is sent to the recipient because no
manager is assigned to approve or reject the email.
Additionally, Microsoft supports email approvals on the web browser-based Microsoft
Exchange only. Approving or rejecting emails on the Microsoft Exchange mobile
application or desktop client is not supported.

STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the transport rule conditions.


1. Enter a Name for the transport rule.
2. Add the email message header condition.
   The fwd_to_manager value of the x-panw-action header is added by the DLP cloud service
   when an email contains sensitive information requiring manager approval.
   1. For Apply this rule if, select The message headers....
   2. Select match these text patterns.
   3. Click Enter Text. When prompted, enter the following.

      x-panw-action

      Click Save to continue.
   4. Click Enter words. When prompted, enter the following and Add:

      fwd_to_manager

      Select the word you added. Click Save to continue.
3. Specify the action Microsoft Exchange takes when an email includes the header added by
   Enterprise DLP.

   Microsoft Exchange Active Directory is required to assign a manager to a user. To
   successfully forward a sender's email when Enterprise DLP detects sensitive data, the
   sender must have a manager assigned. If no manager is assigned to the sender, the email
   is delivered to the recipient because there is no manager to approve or reject it.

   1. For Do the following, select Forward the message for approval.
   2. Select to the sender's manager.
4. Click Next to continue.


STEP 5 | Configure the transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the transport rule configuration and click Finish.


Click Done when prompted that the transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The transport rule that forwards outbound email to Enterprise DLP should always be the
highest priority rule relative to the other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• The relative priority of the quarantine transport rules, block transport rule, encrypt
transport rule, and any other transport rules does not matter. After Enterprise DLP
inspects the email and returns it to Microsoft Exchange, the matching transport rule
action occurs based on the email header.

Create an Encrypt Transport Rule


Enterprise DLP adds the header x-panw-action with the value encrypt to inspected emails that
receive an Encrypt verdict. The email is transported back to Microsoft Exchange, where the
encrypt transport rule applies the selected Office 365 Message Encryption (RMS) template before
the email continues to the intended recipient. Emails that already carry this header are not
forwarded to Enterprise DLP again; instead, Microsoft Exchange takes the action specified in the
encrypt transport rule.
STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector

STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the encrypt transport rule conditions.


1. Enter a Name for the encrypt transport rule.
2. Add the encrypt email message header condition.
   The encrypt value of the x-panw-action header is added by the DLP cloud service when an
   email contains sensitive information that should be encrypted.
   1. For Apply this rule if, select The message headers....
   2. Select match these text patterns.
   3. Click Enter Text. When prompted, enter the following.

      x-panw-action

      Click Save to continue.
   4. Click Enter words. When prompted, enter the following and Add:

      encrypt

      Select the word you added. Click Save to continue.
3. Specify the action Microsoft Exchange takes when an email includes the encrypt header
   added by Enterprise DLP.
   1. For Do the following, select Modify the message security.
   2. Select Apply Office 365 Message Encryption and rights protection.
   3. Select the RMS template you want to use for outbound email encryption and Save.
4. Click Next to continue.

STEP 5 | Configure the encrypt transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the encrypt transport rule settings as needed.
3. Click Next to continue.

STEP 6 | Review the encrypt transport rule configuration and click Finish.
Click Done when prompted that the encrypt transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.


STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP.
• The transport rule that forwards outbound email to Enterprise DLP should always be the
highest priority rule relative to the other transport rules required for Email DLP.
• Any email encryption rules not created as part of the Email DLP configuration must
be ordered below the transport rules created for Email DLP. Enterprise DLP cannot
inspect encrypted emails.
• The relative priority of the quarantine transport rules, block transport rule, encrypt
transport rule, and any other transport rules does not matter. After Enterprise DLP
inspects the email and returns it to Microsoft Exchange, the matching transport rule
action occurs based on the email header.

Create a Block Transport Rule


The Microsoft Exchange Block transport rule instructs Microsoft Exchange on the action to take
when the Enterprise Data Loss Prevention (E-DLP) cloud service returns a Block verdict for an
email that contains sensitive data.
Enterprise DLP adds the header x-panw-action with the value block to inspected emails that
receive a Block verdict. Emails that already carry this header are not forwarded to Enterprise
DLP for inspection again; instead, Microsoft Exchange takes the action specified in the Block
transport rule.
STEP 1 | Log in to the Microsoft Exchange Admin Center.

STEP 2 | Create the outbound and inbound connectors.


Skip this step if you have already created both the outbound and inbound connectors.
• Create a Microsoft Exchange Outbound Connector
• Create a Microsoft Exchange Inbound Connector


STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.


STEP 4 | Configure the Block transport rule conditions.


1. Enter a Name for the Block transport rule.
2. Add the Block email message header condition.
   The block value of the x-panw-action header is added by the DLP cloud service when an
   inspected email contains sensitive information that is blocked.
   1. For Apply this rule if, select The message headers....
   2. Select includes any of these words.
   3. Click Enter Text. When prompted, enter the following.

      x-panw-action

      Click Save to continue.
   4. Click Enter words. When prompted, enter the following and Add:

      block

      Select the word you added. Click Save to continue.
3. Specify the action Microsoft Exchange takes when an email includes the Block header
   added by Enterprise DLP.
   1. For Do the following, select Block the message.
   2. Select reject the message and include an explanation. When prompted, enter the
      explanation for why the email was blocked.
      This is the response members of your organization receive when an outbound email is
      blocked.
      Click Save to continue.
4. Click Next to continue.


STEP 5 | Configure the Block transport rule settings.


1. For the Rule mode, ensure Enforce is selected.
This setting is enabled by default when a new transport rule is created.
2. (Optional) Configure the rest of the Block transport rule settings as needed.
3. Click Next to continue.
4. Save.

STEP 6 | Review the Block transport rule configuration and click Finish.
Click Done when prompted that the Block transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.

STEP 7 | Modify the email transport rule priority as needed.


To change the priority of a transport rule, select the transport rule and Move Up or Move
Down as needed.

A proper rule hierarchy is recommended to ensure emails successfully forward to
Enterprise DLP for inspection.
• The transport rule that forwards outbound email to Enterprise DLP should always be the
highest priority rule relative to the other transport rules required for Enterprise DLP
inspection.
• Any email encryption rules not created as part of the Email DLP configuration must be
ordered below the transport rules created for Enterprise DLP inspection. Enterprise DLP
cannot inspect encrypted emails.
• The relative priority of the quarantine transport rules, block transport rule, encrypt
transport rule, and any other transport rules does not matter. After Enterprise DLP
inspects the email and returns it to Microsoft Exchange, the matching transport rule
action occurs based on the email header.
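The following PowerShell script is an added example and is not part of this guide or of the
Palo Alto Networks or Microsoft product code. It creates the manager approval, encrypt, and
Block transport rules described in the three procedures above with the ExchangeOnlineManagement
module instead of the Admin Center, moves the rule that forwards outbound email to Enterprise
DLP to the top of the rule list, and runs the two checks a practitioner wants before going live:
the evaluation order of all rules, and which senders have no manager assigned (their mail is
delivered on a fwd_to_manager verdict because nobody can approve it). It assumes the module is
installed, that you sign in with an Exchange administrator account, that the outbound and
inbound connectors already exist, and that the RMS template is named Encrypt; the admin UPN,
the rule names, the name of your existing forward-to-DLP rule, and the template name are
placeholders.

```powershell
# Added example (not from the Enterprise DLP guide): create the Email DLP
# transport rules with the ExchangeOnlineManagement module.
# Placeholders (assumptions): admin UPN, rule names, the name of the existing rule
# that forwards outbound mail to Enterprise DLP, and the RMS template name.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.com'

$DlpHeader      = 'x-panw-action'                      # header set by the E-DLP cloud service
$DlpForwardRule = 'E-DLP - Forward to Enterprise DLP'  # assumed name of your existing forward rule
$RmsTemplate    = 'Encrypt'                            # assumed OME/RMS template name

# Manager approval: verdict value fwd_to_manager -> moderation by the sender's Manager attribute.
New-TransportRule -Name 'E-DLP - Manager approval' `
    -HeaderContainsMessageHeader $DlpHeader -HeaderContainsWords 'fwd_to_manager' `
    -ModerateMessageByManager $true -Mode Enforce

# Encrypt: verdict value encrypt -> apply the Office 365 Message Encryption template.
New-TransportRule -Name 'E-DLP - Encrypt' `
    -HeaderContainsMessageHeader $DlpHeader -HeaderContainsWords 'encrypt' `
    -ApplyRightsProtectionTemplate $RmsTemplate -Mode Enforce

# Block: verdict value block -> reject, with the explanation the sender sees in the NDR.
New-TransportRule -Name 'E-DLP - Block' `
    -HeaderContainsMessageHeader $DlpHeader -HeaderContainsWords 'block' `
    -RejectMessageReasonText 'Blocked by Enterprise DLP: this message contains sensitive data.' `
    -Mode Enforce

# Ordering: the rule that sends outbound mail to Enterprise DLP must be evaluated first
# (priority 0). The verdict rules above can sit in any order below it.
Set-TransportRule -Identity $DlpForwardRule -Priority 0

# Check 1: every rule in evaluation order, with its state and mode.
Get-TransportRule | Sort-Object Priority |
    Format-Table Name, Priority, State, Mode -AutoSize

# Check 2: mailboxes without a Manager attribute. For these senders a fwd_to_manager
# verdict results in delivery to the recipient, because nobody can approve or reject it.
Get-User -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { -not $_.Manager } |
    Select-Object DisplayName, UserPrincipalName

Disconnect-ExchangeOnline -Confirm:$false
```

The script uses the "includes any of these words" condition (HeaderContainsMessageHeader and
HeaderContainsWords) for all three rules; the "match these text patterns" condition used in
the Admin Center steps for manager approval and encrypt corresponds to
HeaderMatchesMessageHeader and HeaderMatchesPatterns, and either form matches the literal
verdict values. The values fwd_to_manager, encrypt, and block must match exactly what the
Enterprise DLP cloud service writes into x-panw-action; a typo leaves the returned email to
fall through to whatever rule comes next.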

Create an Email DLP Sender Alert Policy


Create an Email DLP sender alert policy on Microsoft Exchange Online to send an email alert
when a sender's email is sent to hosted quarantine for review.


STEP 1 | Log in to the Microsoft Exchange Online Compliance portal.

STEP 2 | Select Policies > Data loss prevention > Policies and Create policy.

STEP 3 | Create a custom DLP policy.


1. For Categories, select Custom.
2. For Templates, select Custom policy.
3. Click Next.

STEP 4 | Enter a Name and Description, and click Next.

STEP 5 | For the Assign admin units, leave the default Full directory and click Next.

STEP 6 | When you Choose location to apply the policy, verify that the Exchange email
Status is On.
Set the Status to Off for all other locations and click Next.

STEP 7 | To Define policy settings, select Create or customize advanced DLP rules and click
Next.
You are redirected to the Customize advanced DLP rules page, where you create the sender
alert policy rule for the hosted quarantine transport rule.


STEP 8 | Create the Email DLP sender alert policy rule that fires when an email is sent to hosted
quarantine.
1. Create rule.
2. Enter a Name and Description.
3. In Conditions, select Add condition > Header contains words or phrases.
4. In the Enter header name field, enter x-panw-action.
5. In the Enter words and then click 'Add' field, enter quarantine.
6. Add.
7. Turn On (enable) User notifications.
8. Verify Notify the user who sent, shared, or last modified the content is enabled.
9. (Optional) Check (enable) Customize the email text to provide a custom response to the
sender when an email is sent to hosted quarantine for review.
10. (Optional) Check (enable) Policy Types to provide customized data compliance tips.
11. Turn Off (disable) Incident reports.
12. Save.
13. Verify the policy rule Status is On.


14. Click Next.

STEP 9 | For the Policy mode, select Turn it on right away and click Next.

STEP 10 | Review the Email DLP sender alert policy and Submit.
Click Done when prompted that the new policy was successfully created.

STEP 11 | Back in the Policies, verify that the Email DLP sender alert policy is displayed and that the
Status is On.

Obtain Your Microsoft Exchange Domain and Relay Host


You must obtain your Microsoft Exchange domain and relay host to connect Microsoft Exchange
and Enterprise Data Loss Prevention (E-DLP) for inline inspection and prevention of sensitive data
exfiltration contained in outbound emails.
STEP 1 | Log in to the Microsoft Office 365 Admin Portal.

STEP 2 | Select Settings > Domains.


STEP 3 | Make note of the Microsoft Exchange domains listed in the Domain name list.
Enterprise DLP supports inline inspection of emails from multiple domains. If you use multiple
Microsoft Exchange domains, make note of all email domains for which you want inline
inspection of emails.

STEP 4 | Obtain the relay host for the Microsoft Exchange domain.
Repeat this step for all Microsoft Exchange domains you want to connect to Enterprise DLP.
1. Click the Microsoft Exchange domain.
2. Select DNS records.
3. In the Microsoft Exchange section, locate the MX record.
The Value column for the MX record lists the relay host for the domain.

The MX record value shows a 0 (the MX preference) before the relay host. This prefix is
not required to connect Microsoft Exchange to Enterprise DLP; use only the host name.
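As an added example that is not part of this guide, the following PowerShell function reads
the same relay host directly from DNS, which is convenient when you have several domains or
want to confirm what the portal shows. It assumes the Resolve-DnsName cmdlet from the Windows
DnsClient module; the domain names are placeholders.

```powershell
# Added example (not from the Enterprise DLP guide): obtain the relay host for each
# Microsoft Exchange domain from its MX record. Domain names are placeholders.
function Get-ExchangeRelayHost {
    param([Parameter(Mandatory)][string[]]$Domain)

    foreach ($d in $Domain) {
        # Resolve-DnsName may also return the additional A/AAAA records; keep MX only and
        # take the lowest preference (Exchange Online publishes a single MX with preference 0).
        $mx = Resolve-DnsName -Name $d -Type MX -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'MX' } |
              Sort-Object Preference |
              Select-Object -First 1

        if (-not $mx) {
            Write-Warning "No MX record found for $d"
            continue
        }

        # Microsoft 365 relay hosts end in mail.protection.outlook.com. Anything else means
        # mail for this domain is not routed through Exchange Online, so inline inspection
        # via the Exchange connectors will not see it.
        if ($mx.NameExchange -notmatch '\.mail\.protection\.outlook\.com\.?$') {
            Write-Warning "$d MX ($($mx.NameExchange)) is not an Exchange Online relay host"
        }

        [pscustomobject]@{
            Domain     = $d
            Preference = $mx.Preference                 # the leading "0" shown in the portal
            RelayHost  = $mx.NameExchange.TrimEnd('.')  # the value to enter when connecting to Enterprise DLP
        }
    }
}

# Run once for every domain you want inline inspection for (placeholder domains).
Get-ExchangeRelayHost -Domain 'contoso.com', 'fabrikam.com' | Format-Table -AutoSize
```

The RelayHost column is the string to supply when you connect the domain to Enterprise DLP;
the Preference column is only shown so you can see what the 0 in the portal's MX value is.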

Add an Enterprise DLP Email Policy


Add and configure an Enterprise Data Loss Prevention (E-DLP) email policy so that Enterprise DLP
can prevent sensitive data exfiltration in outbound emails. The DLP email policy specifies
the incident severity and the action Enterprise DLP takes when matching traffic is inspected and
sensitive data is detected.

Enterprise DLP supports inspection and detection of documents containing sensitive data
that are attached to an email. Enterprise DLP does not support inspection of document
links.

STEP 1 | Launch your Cloud Management platform.


STEP 2 | (Optional) Create custom data patterns and data profiles to specify custom match criteria.
Skip this step if you want to use the predefined Enterprise DLP data profiles available by
default.
1. Create custom data patterns and custom document templates on Cloud Management.
2. Create a data profile on Cloud Management.

STEP 3 | Select Manage > Configuration > SaaS Security > Data Security > Policies > Email DLP
Policies and Add Policy.

STEP 4 | Configure the Basic Information of the email DLP policy.


1. Enter a descriptive Name.
2. Specify the Evaluation Priority of the email DLP policy.
This Evaluation Priority determines the order in which email DLP policies are evaluated.
Select whether the new email DLP policy goes before or after an existing email DLP
policy.
3. For the Email Application, select Microsoft Exchange.
4. Select the Enterprise DLP incident severity for when Enterprise DLP detects matching
traffic.
5. Select the DLP Data Profile to associate with the email DLP policy.
The DLP data profile you select is used as the traffic match criteria that Enterprise DLP
evaluates inspected traffic against. The data profile can be either a predefined data
profile or a custom data profile.
6. Verify that Enable Policy is toggled on.
This setting is enabled by default when you add a new email DLP policy.


STEP 5 | (Optional) Configure the DLP email policy Conditions.


The DLP email policy conditions determine the email sender and recipient criteria for which
Enterprise DLP performs or skips inline inspection of email traffic. The Email DLP policy
conditions have an AND relationship: all email sender and recipient Conditions you configure
must be met for Enterprise DLP to take action.
You can configure all or only some of the DLP email policy condition settings as needed. If no
email sender or recipient conditions are configured, then all outbound email traffic is inspected
by Enterprise DLP and evaluated against the data profile you selected in the previous step.
For example, you configure the Email DLP policy conditions to inspect for the
yourcompany.com Sender Email Domain and the gmail.com Recipient Email Domain only.
For Enterprise DLP to take action, both the sender email domain and the recipient email domain
must match what you have configured. In this instance, Enterprise DLP does not take action if
the Recipient Email Domain is yahoo.com.
1. Configure the email sender conditions.
To configure the email sender conditions you must specify whether the conditions are
inclusive or exclusive of the specified email domains, user groups, or specific users.
• Is one of—Inclusion condition to evaluate emails sent from an email associated with
the selected email domains, user groups, or specified users against the data profile
specified in the DLP email policy.
Any emails that are not a part of the selected email domains, user groups, or specified
users are not evaluated against the data profile associated with the DLP email policy.
• Is not one of—Exclusion condition to evaluate emails sent from an email not
associated with the selected email domains, user groups, or specified users against
the data profile specified in the DLP email policy.
Any emails that are part of the selected email domains, user groups, or specified users
are not evaluated against the data profile associated with the DLP email policy.
1. Specify the Sender Email Domain condition and select one or more email domains.
The sender email domains available to select are those you added when you
connected Microsoft Exchange and Enterprise DLP.
2. Specify the Sender User Group condition and select one or more user groups.
The sender user groups are obtained from your Cloud Identity Engine (CIE)
configuration. Skip this step if you do not have CIE active on Cloud Management.
3. Specify the Sender User condition and enter an email.
Click add ( ) to include additional sender emails.
2. Configure the email recipient conditions.
To configure the email recipient conditions, you must specify whether the conditions are
inclusive or exclusive of the specified email domains or specific users.
• Is one of—Inclusion condition to evaluate emails to be received by an email associated
with the selected email domains or specified users against the data profile specified in
the DLP email policy.
Any emails that are not a part of the selected email domains or specified users are not
evaluated against the data profile associated with the DLP email policy.
• Is not one of—Exclusion condition to evaluate emails to be received by an email not
associated with the selected email domains or specified users against the data profile
specified in the DLP email policy.
Any emails that are part of the selected email domains or specified users are not
evaluated against the data profile associated with the DLP email policy.
1. Specify the Recipient Email Domain condition and enter a valid email domain.
Enterprise DLP supports all valid email domains. The email domain is the part of an
email address that follows the @ symbol. For example, gmail.com or yahoo.com.


Click add ( ) to include additional email domains.


2. Specify the Recipient User condition and enter an email.
Click add ( ) to include additional recipient emails.

STEP 6 | Configure the DLP email policy Response.


The DLP email policy response configuration specifies the action Enterprise DLP takes when
inspected traffic matches the data profile associated with the policy.
1. Specify the Action Enterprise DLP takes when inspected traffic matches the data profile
associated with the policy.
• Monitor—Outbound email is allowed to leave your organization and is transported
back to Microsoft Exchange to continue its path to the intended recipient.
• Block—Outbound email is blocked from leaving your organization's network and is
transported back to Microsoft Exchange.
The action Microsoft Exchange takes on a Block verdict rendered by Enterprise DLP
is based on the block transport rule you created.
• Quarantine—Outbound email is transported back to Microsoft Exchange and
quarantined. The email is forwarded to hosted quarantine and requires review by an
email administrator before the email is allowed to leave your organization's network.
The action Microsoft Exchange takes on a Quarantine verdict rendered by
Enterprise DLP is based on the hosted quarantine transport rule you created.
• Forward email for approval by end user's manager—Outbound email is transported
back to Microsoft Exchange and sent to the sender's manager for approval.
Independent review by the sender's manager is required before the email is allowed
to leave your organization's network.
The action Microsoft Exchange takes on a Forward email for approval
by end user's manager verdict rendered by Enterprise DLP is based on the
transport rule for manager approval you created.
• Forward email for approval admin—Outbound email is transported back to Microsoft
Exchange and sent to the specified email administrator for approval. Independent review
by the specified email administrator is required before the email is allowed to leave your
organization's network.
The action Microsoft Exchange takes on a Forward email for approval
admin verdict rendered by Enterprise DLP is based on the transport rule for admin
approval you created.
• Encrypt—Outbound email is allowed to leave your organization and is transported
back to Microsoft Exchange to be encrypted before continuing its path to the
intended recipient.
The action Microsoft Exchange takes on an Encrypt verdict rendered by Enterprise
DLP is based on the encrypt transport rule you created.
2. (Optional) Automatically assign an Incident Assignee when Enterprise DLP renders a
Block or Quarantine verdict on matching traffic.
Strengthen your security posture by assigning an incident assignee to follow up on and
resolve events where Enterprise DLP detects outbound emails that contain sensitive
information.
3. (Optional) Add emails to send Notifications to receive alerts when Enterprise DLP
renders Block or Quarantine verdicts on inspected outbound traffic.
Click add ( ) to include additional emails to receive notifications.

STEP 7 | Save Policy.


Review Email DLP Incidents


Review your Enterprise Data Loss Prevention (E-DLP) Email DLP incidents to understand which
outbound emails were inspected, review which were blocked, quarantined, or sent for approval,
and to download files inspected by Enterprise DLP.
STEP 1 | Launch your Cloud Management platform.

STEP 2 | Select Manage > Configuration > SaaS Security > Data Security > Incidents > Email DLP
Incidents.

STEP 3 | Review your Email DLP incidents.


• Severity—Severity of the DLP incident specified in the Email DLP policy.
• Updated On—Date the Email DLP incident status or assignee was updated.
• Created On—Date the Email DLP incident occurred.
• Sender—Email of the sender who generated the Email DLP incident.
• Subject—Subject line for the email that generated the Email DLP incident.
• Policy—Email DLP policy that the email matched against.
• Action—Action taken by Enterprise DLP based on the Email DLP policy the outbound email
matched against.
• Assigned to—Incident assignee responsible to review and address the Email DLP incident.
• Status—Resolution status of the Email DLP incident.

STEP 4 | Click the Email DLP incident Subject to view the Incident Details.
• The From and To fields display the email sender and recipient for the email that generated
the DLP incident.
• The Email content field allows you to download the email in .eml format.
To successfully download an email, you must have configured evidence storage before the
outbound email was inspected by Enterprise DLP. Emails of existing Email DLP incidents
cannot be downloaded if you configure evidence storage after the Email DLP incident
occurred.
• The Matching Data Patterns shows snippets of the sensitive data Enterprise DLP
detected and the data pattern that it matched.
• The Message ID can be used to create a message trace on Microsoft Exchange Online.

Monitor Enterprise DLP
View the log details, snippets, and Insights for traffic that matches your Enterprise Data Loss
Prevention (E-DLP) data patterns or filtering profiles and check the health of Enterprise DLP cloud
service.
• Monitor DLP Status with the DLP Health and Telemetry App
• View Enterprise DLP Log Details on the DLP App
• Manage Enterprise DLP Incidents on the DLP App
• View Enterprise DLP Audit Logs on the DLP App
• View Enterprise DLP Log Details on Cloud Management
• Manage Enterprise DLP Incidents on Cloud Management
• View Enterprise DLP Audit Logs on Cloud Management
• View Enterprise DLP Log Details on Panorama
• Save Evidence for Investigative Analysis with Enterprise DLP


Monitor DLP Status with the DLP Health and Telemetry App

With an Enterprise Data Loss Prevention (E-DLP) license, you can access the DLP Health &
Telemetry app, which provides visibility into the health of the Enterprise DLP service. Enterprise
DLP service insights are available for any Palo Alto Networks product where you purchased an
Enterprise DLP license. Monitoring the DLP status is supported for Enterprise DLP leveraged on
Next-Generation Firewalls (NGFW) managed by Panorama, Prisma Access (Panorama Managed),
and Cloud Management.
• Access the DLP Health and Telemetry Dashboard on the DLP App
• Access the DLP Health and Telemetry Dashboard on Cloud Management
• Monitor DLP Service Status

Access the DLP Health and Telemetry Dashboard on the DLP App
DLP Health and Telemetry Dashboard is accessible from Enterprise DLP app on the hub. All you
need is an account administrator role or app administrator role on the hub and a valid Enterprise
DLP license associated with that support account.
STEP 1 | Log in to the hub with your SSO credentials.

STEP 2 | Select Enterprise DLP.

Access the DLP Health and Telemetry Dashboard on Cloud Management

DLP Health and Telemetry Dashboard is accessible from Cloud Management. All you need is an
account administrator or app administrator role and a valid Enterprise DLP license.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Health &
Telemetry.

Monitor DLP Service Status


The Dashboard displays real-time DLP status. If you experience issues with DLP (for example, the
Prisma Access (Cloud Management) web interface doesn’t display data patterns or data profiles),
verify that the DLP service status is Operational.


STEP 1 | Log in to the Enterprise DLP app or Prisma Access (Cloud Management).

STEP 2 | Observe the DLP Service Status and the Last Updated timestamp.

The DLP Service Status is one of the following:
• Operational—DLP services are up and running.
• Degraded Experience—DLP services are up and running but not operating optimally.
• Service Unavailable—DLP services are down.
• Planned Maintenance—DLP services are down due to scheduled maintenance.


View Enterprise DLP Log Details on the DLP App


An Enterprise data loss prevention (DLP) Incident is generated when traffic matches your
Enterprise data loss prevention (DLP) data profiles for Panorama, Prisma Access (Panorama
Managed), and Cloud Management. You can filter and view the DLP Incident for the detected
traffic, such as matched data patterns, the source and destination of the traffic, the file and file
type. Additionally, the DLP Incident displays the specific data pattern that the traffic matched and
also displays the total number of unique and total occurrences of those data pattern matches.
You can then view this sensitive content called a snippet. A snippet is evidence or identifiable
information associated with a pattern match. For example, if you specified a data pattern of Credit
Card Number, the managed firewall returns the credit card number of the user as the snippet that
was matched. By default, the managed firewall returns snippets.
Enterprise DLP uses data masking to mask the data in the snippets. By default, the DLP Incident
displays the last four digits of the value in cleartext (partial masking). For example, a DLP Incident
displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can also specify the
data to be completely displayed in clear text or to fully mask the data and hide all values.

Snippets are available for regular expression (regex)-based patterns only.

STEP 1 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | View the DLP Incidents.

STEP 3 | Select a Scan Date and Region to filter the DLP Incidents.
Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
For Panorama and Prisma Access (Panorama Managed), the region is determined by the
currently configured Public Cloud Server. By default, the Enterprise DLP plugin is configured to
resolve to the closest Public Cloud Server to where the inspected traffic originated but you can
configure a static Public Cloud Server.
For cloud management, Enterprise DLP automatically resolves to the closest Public Cloud
Server to where the inspected traffic originated.

When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically
resolve to it if it’s closer to where the inspected traffic originated. For Panorama and
Prisma Access (Panorama Managed), this happens only if you keep the default Public
Cloud Server FQDN. For cloud management, this happens by default.
This might mean that new DLP Incidents generated after the release of a new Public
Cloud Server are generated in a different Region.


STEP 4 | Review the DLP Incidents summary information to help focus your incident investigation.
These lists are updated hourly.
• Top Data Profiles to Investigate—Lists data profiles with the highest number of incidents in
descending order.
• Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified
Domain Names (FQDN) with the highest number of incidents in descending order.
• Sensitive Files by Action—Lists the number of incidents based on the Action taken in
descending order.

STEP 5 | Review the Incidents and click a File name to review a specific incident.
You can filter the DLP incidents by File Name or Report ID to search for a specific incident you
want to review.

STEP 6 | Review the Incident Details to review specific file upload details.
Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID
is used to view additional Traffic log details regarding the DLP incident.

STEP 7 | Review the Matches within Data Profiles to review snippets of matching traffic and the data
patterns that matched the traffic to better understand what data was detected.

For data profiles with nested data profiles created on the DLP app or Cloud
Management, the data profile displayed is the specific nested data profile that
matched the scanned traffic. For example, you create a DataProfile with the
nested profiles Profile1, Profile2, and Profile3, and scanned traffic matches
the nested Profile2 and is blocked. In this scenario, the data profile displayed for
the incident is Profile2.

• In the snippet, Enterprise DLP masks only the traffic that matches the data pattern match
criteria. Other sensitive data captured in the snippet is not masked if it does not match
the data pattern for which the snippet is displayed.
• Data pattern match criteria configured to inspect for Any occurrence of matched traffic
display up to 3 High and 3 Low confidence level matches if detected.
• Data pattern match criteria configured to inspect for High confidence level matches display
up to 3 Low confidence level matches if detected.
• Data pattern match criteria configured to inspect for Low confidence level matches display
up to 3 High confidence level matches if detected.

STEP 8 | Manage Enterprise DLP Incidents on the DLP App.


Manage Enterprise DLP Incidents on the DLP App


Manage your Enterprise Data Loss Prevention (E-DLP) incidents to investigate and resolve
incidents when traffic matches your Enterprise DLP data profiles.
STEP 1 | Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | View the Enterprise DLP Incidents.

STEP 3 | View your Enterprise DLP incidents.

STEP 4 | (Optional) Add New Filter to filter the Enterprise DLP incidents.

STEP 5 | Select one or more Incidents and Assign To a team member.


You can search and assign an incident to an existing user or type a new name to Create User. If
you create a new user, the user must have access to the DLP app on the hub.

STEP 6 | Change Resolution as your team works to resolve the incident that triggered Enterprise DLP
enforcement.
You can select one of the predefined incident resolution statuses or type a new resolution
status to Create Tag.


STEP 7 | For additional auditing and clarity for your team members, you can Edit Notes to provide
further details.
Save after you finish providing the additional information in your notes. The existing note is
overwritten if you save a new note.
Delete the note if no longer needed.


View Enterprise DLP Audit Logs on the DLP App


Review your Enterprise Data Loss Prevention (E-DLP) audit logs for a comprehensive history of
the changes that occurred across your Enterprise DLP security service. Enterprise DLP audit logs
maintain a history of when data patterns and data filtering profiles or data profiles are created,
updated, or deleted.
STEP 1 | Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 2 | View the Audit Log.

STEP 3 | (Optional) Filter the audit logs as needed.


• Enter an email in the search bar to filter the audit logs by user.
• Add New Filter to filter the audit logs based on:
  • Time: Select a predefined time frame or specify a Custom time frame.
  • Channel: Select a supported platform that uses Enterprise DLP, such as SaaS Security or
    Prisma Cloud.
  • Event: Select the type of audit log event (Create, Update, or Delete) to view.

STEP 4 | Show More to view additional audit log information.


You can view additional audit log details to review which traffic match criteria were configured
when the data pattern, data filtering profile, or data profile was created, or to better
understand what changes were made.


View Enterprise DLP Log Details on Cloud Management


An Enterprise Data Loss Prevention (E-DLP) Incident is generated when traffic matches your
Enterprise data loss prevention (DLP) data profiles for Prisma Access (Cloud Management) and
SaaS Security on Cloud Management. You can then filter and view the DLP Incident for the
detected traffic, such as matched data patterns, the source and destination of the traffic, the
file and file type. Additionally, the DLP Incident displays the specific data pattern that the traffic
matched and also displays the total number of unique and total occurrences of those data pattern
matches.
You can then view this sensitive content called a snippet. A snippet is evidence or identifiable
information associated with a pattern match. For example, if you specified a data pattern of Credit
Card Number, the managed firewall returns the credit card number of the user as the snippet that
was matched. By default, the managed firewall returns snippets.
Cloud Management uses data masking to mask the data in the snippets. By default, the DLP
Incident displays the last four digits of the value in cleartext (partial masking). For example, a
DLP Incident displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can
also specify the data to be completely displayed in cleartext or to fully mask the data and hide all
values.

Snippets are available for regular expression (regex)-based patterns only.

STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Logs > DLP Incidents.

STEP 3 | Select a Scan Date and Region to filter the DLP Incidents.
Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
For Cloud Management, Enterprise DLP automatically resolves to the closest Public Cloud
Server to where the inspected traffic originated.

When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically
resolve to it if it’s closer to where the inspected traffic originated.
This might mean that new DLP Incidents generated after the release of a new Public
Cloud Server are generated in a different Region.

STEP 4 | Review the DLP Incidents summary information to help focus your incident investigation.
These lists are updated hourly.
• Top Data Profiles to Investigate—Lists up to seven data profiles with the highest number of
incidents in descending order.
• Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified
Domain Names (FQDN) with the highest number of incidents in descending order.
• Sensitive Files by Action—Lists the number of incidents based on the Action taken by
Prisma Access (Cloud Management) in descending order.


STEP 5 | Review the Incidents and click a File name to review a specific incident.
You can filter the DLP incidents by File Name or Report ID to search for a specific incident you
want to review.

STEP 6 | Review the Incident Details to review specific file upload details.
Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID
is used to view additional Traffic log details regarding the DLP incident.

STEP 7 | Review the Matches within Data Profiles to review snippets of matching traffic and the data
patterns that matched the traffic to better understand what data was detected.

For data profiles with nested data profiles created on the DLP app or Cloud
Management, the data profile displayed is the specific nested data profile that
matched the scanned traffic. For example, you create a DataProfile with the
nested profiles Profile1, Profile2, and Profile3, and scanned traffic matches
the nested Profile2 and is blocked. In this scenario, the data profile displayed for
the incident is Profile2.

STEP 8 | Review the file log to learn about the traffic data for the DLP incident.
1. Select Activity > Logs > Log Viewer.
2. From the Firewall drop-down, select File.
3. Filter to view the file log for the DLP incident using the Report ID.
report_id=<report-id>
4. Review the file log to learn more about the traffic data for the DLP incident.
For example, you might want to review the application and source username to better
understand where the DLP incident originated.

STEP 9 | Manage Enterprise DLP Incidents on Cloud Management.


Manage Enterprise DLP Incidents on Cloud Management

Manage your Enterprise Data Loss Prevention (E-DLP) incidents to investigate and resolve
incidents when traffic matches your Enterprise DLP data profiles.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Logs > DLP Incidents.

STEP 3 | View your Enterprise DLP incidents.

STEP 4 | (Optional) Add New Filter to filter the Enterprise DLP incidents.

STEP 5 | Select one or more Incidents and Assign To a team member.


You can search and assign an incident to an existing user or type a new name to Create User. If
you create a new user, the user must have access to the DLP app on the hub.

STEP 6 | Change Resolution as your team works to resolve the incident that triggered Enterprise DLP
enforcement.
You can select one of the predefined incident resolution statuses or type a new resolution
status to Create Tag.


STEP 7 | For additional auditing and clarity for your team members, you can Edit Notes to provide
further details.
Save after you finish providing the additional information in your notes. The existing note is
overwritten if you save a new note.
Delete the note if no longer needed.


View Enterprise DLP Audit Logs on Cloud Management


Review your Enterprise Data Loss Prevention (E-DLP) Audit logs for a comprehensive history of
the changes that occurred across your Enterprise DLP security service. Enterprise DLP audit logs
maintain a history of when data patterns and data filtering profiles or data profiles are created,
updated, or deleted.
STEP 1 | Launch the Cloud Management Console.

STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Audit Log.

STEP 3 | (Optional) Filter the audit logs as needed.


• Enter an email in the search bar to filter the audit logs by user.
• Add New Filter to filter the audit logs based on:
  • Time: Select a predefined time frame or specify a Custom time frame.
  • Channel: Select a supported platform.
  • Event: Select the type of audit log event (Create, Update, or Delete) to view.

STEP 4 | Show More to view additional audit log information.


You can view additional audit log details to review which traffic match criteria were configured
when the data pattern, data filtering profile, or data profile was created, or to better
understand what changes were made.


View Enterprise DLP Log Details on Panorama


When a managed firewall detects sensitive content during a file upload and you created an Alert
or Block action for that type of content, the firewall generates a data filtering log. You can then
filter and view the detailed log data for the detected traffic, such as policy rule information,
the source and destination of the traffic, and the data profile with which the data pattern is
associated. Additionally, the detailed log view displays the specific data pattern that the traffic
matched and also displays the total number of unique and total occurrences of those data pattern
matches. You can view the detailed logs only on the Panorama management server or on Prisma
Access (Panorama Managed).
When the managed firewall detects sensitive content during a file upload and you have created an
Alert or Block action, the firewall generates a log. You can then view this sensitive content, called
a snippet, from the data filtering logs. A snippet is evidence or identifiable information associated
with a pattern match. For example, if you specified a data pattern of Credit Card Number, the
managed firewall returns the credit card number of the user as the snippet that was matched. By
default, the managed firewall returns snippets.
The managed firewall uses data masking to mask the data in the snippets. By default, the data
filtering log displays the last four digits of the value in cleartext (partial masking). For example,
the data filtering log displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can
also specify the data to be completely displayed in cleartext or to fully mask the data and hide all
values.

Snippets are available for regular expression (regex)-based patterns only.
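The snippet masking described here, and in the DLP app and Cloud Management sections above, as an added Python example that is not Palo Alto Networks code. The card-number regex is a constructed stand-in for a regex-based data pattern, and the three modes (partial, full, none) correspond to the masking options the guide names; only the text that matched the pattern is masked, so other sensitive values in the same snippet stay in cleartext.

```python
import re

# Constructed example pattern: a 16-digit card number written as four groups
# of four digits separated consistently by "-" or " ". It stands in for a
# regex-based Enterprise DLP data pattern and is not one of the product's
# predefined patterns.
CARD_PATTERN = re.compile(r"\b\d{4}([- ])\d{4}\1\d{4}\1\d{4}\b")

MASK_CHAR = "X"


def mask_value(value: str, mode: str = "partial") -> str:
    """Mask one matched value.

    mode "partial": every digit except the last four becomes MASK_CHAR
                    (the default, giving e.g. XXXX-XXXX-XXXX-1234)
    mode "full":    every digit becomes MASK_CHAR
    mode "none":    the value is returned in cleartext
    Separators are preserved so the masked snippet keeps the shape of
    the original value.
    """
    if mode == "none":
        return value
    if mode not in ("partial", "full"):
        raise ValueError(f"unknown masking mode: {mode!r}")
    # Only digits carry sensitive content; separators are left alone.
    digit_positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    keep = set(digit_positions[-4:]) if mode == "partial" else set()
    out = list(value)
    for i in digit_positions:
        if i not in keep:
            out[i] = MASK_CHAR
    return "".join(out)


def mask_snippet(snippet: str, pattern: re.Pattern, mode: str = "partial") -> str:
    """Mask only the substrings of the snippet that match the data pattern.

    Anything in the snippet that the pattern did not match is returned
    unchanged, which is why a snippet for one data pattern can still show
    other sensitive values in cleartext.
    """
    return pattern.sub(lambda m: mask_value(m.group(0), mode), snippet)


if __name__ == "__main__":
    # Constructed snippet: a matching card number next to an unrelated value.
    snippet = "order 4471 card 4111-1111-1111-1234 ref 123-45-6789"
    for mode in ("partial", "full", "none"):
        print(f"{mode:8} {mask_snippet(snippet, CARD_PATTERN, mode)}")
```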

STEP 1 | Enable Enterprise DLP for Managed Firewalls.

STEP 2 | Select Monitor > Logs > Data Filtering and Filter the data filtering logs by entering
( subtype eq dlp ).


STEP 3 | View more details about the file including file snippets.
1. Click to the left of the specific log entry for which you want to view more details.
2. Select DLP to view the pattern details.
3. Show Snippet to view a snippet of the data that matched the specific data pattern.

For data profiles with nested data profiles created on the DLP app or Cloud
Management, the data profile displayed is the specific nested data profile that
matched the scanned traffic. For example, you create a DataProfile with
the nested profiles Profile1, Profile2, and Profile3, and scanned traffic
matches the nested Profile2 and is blocked. In this scenario, the data profile
displayed for the incident is Profile2.

4. Review the masked snippet to understand what data was detected.


Save Evidence for Investigative Analysis with Enterprise DLP

Connect an AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise Data Loss
Prevention (E-DLP) to automatically store files scanned by the DLP cloud service that match your
Enterprise DLP data profiles. After a file is successfully stored, you can download the file for
further investigation. Saving evidence for investigative analysis is supported for Enterprise DLP
deployed on Panorama, Prisma Access (Panorama Managed), and Cloud Management.
• Set Up SFTP Storage to Save Evidence for Panorama
• Set Up SFTP Storage to Save Evidence for Cloud Management
• Set Up Cloud Storage to Save Evidence for Panorama
• Set Up Cloud Storage to Save Evidence for Cloud Management
• Download Files for Evidence Analysis on Panorama
• Download Files for Evidence Analysis on Cloud Management

Set Up SFTP Storage to Save Evidence for Panorama


You connect your SFTP server on the DLP app to automatically upload all files that match an
Enterprise Data Loss Prevention (E-DLP) data filtering profile for Enterprise DLP deployed on
Panorama, Prisma Access (Panorama Managed), and Cloud Management.
To store your files scanned by the DLP cloud service, you must specify the SFTP server
connectivity information to successfully upload and write files to a target location on the SFTP
server. When the DLP cloud service uploads a file to your SFTP server, a reportId folder
is created by default. All files uploaded to your SFTP server by the DLP cloud service are
uploaded to the reportId folder within your folder path. Files uploaded to your SFTP server
are automatically named using the SFTP target folder location, default reportId folder, and
filename.
In case of connection issues to your SFTP server due to configuration error or change in settings
on the SFTP server, an email is automatically generated and sent to the admin that originally
connected the DLP app to the SFTP server and to the user who last modified the storage bucket
connection settings on the DLP app. This email is sent out every 48 hours until the connection is
restored.

Files that are scanned by the DLP cloud service while the DLP app is disconnected from
your storage bucket can’t be stored and are lost. This means that all impacted files aren’t
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.

This procedure assumes you have already set up an SFTP server to save evidence for investigative
analysis.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.


STEP 2 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

Access to evidence storage settings and files on the hub is allowed only for an
account administrator or app administrator roles with a valid Enterprise DLP license
associated with that support account. This is to ensure that only the appropriate users
have access to report data and evidence.

STEP 3 | Select Settings > Sensitive Data and select Configure Bucket > SFTP as the Public Cloud
Storage Bucket.

STEP 4 | Review the Instructions - SFTP and click Next.

STEP 5 | Input Bucket Details to configure the SFTP server connection settings.
1. Enter the Username of the SFTP server user used for secure file uploads.
The user is required to have read and write access to the SFTP server.
2. Enter the Private Key for the SFTP server.
This is required to authenticate the SSH connection to the SFTP server. The Private
Key must include both the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY
prompts.
3. (Optional) Enter the public PGP Key to sign and encrypt files uploaded to the SFTP
server.
Pretty Good Privacy (PGP) is an encryption program providing privacy and
authentication for data communication, and is used for signing, encrypting, and decrypting
files. The PGP Key must include both the BEGIN RSA PRIVATE KEY and END RSA
PRIVATE KEY prompts.

4. Enter the Hostname of the SFTP server.


The Hostname can be a Fully Qualified Domain Name (FQDN) or an IPv4 address.
5. (Optional) Enter the Folder Path for uploaded files to specify the target location where
files are uploaded to on the SFTP server.
If no Folder Path is specified, the DLP cloud service creates the default reportId folder
at the top-most folder the Username has read and write access to. The folder path for
uploaded files depends on whether a Folder Path is specified.
• Folder Path Specified—<folder path>/reportId/<file name>
• Folder Path Not Specified—/reportId/<file name>
6. Enter the Port number through which files are uploaded to the SFTP server.
Palo Alto Networks recommends using Port 22 for file uploads to your SFTP server.
For uncommon ports, Enterprise DLP needs to open the egress port for connection and
upload.


STEP 6 | Connect to the SFTP server.


As part of the setup process, a file called
Palo_Alto_Networks_DLP_Connection_Test.txt is uploaded to the target Folder
Path on your SFTP server. Connectivity between the DLP cloud service and your SFTP server
is successful if the DLP cloud service successfully uploads the test file.
The Connection Status displays whether the initial connection test was successful. Continue to
the next step when the Bucket has connected successfully.
If the connection isn't successful, click Previous to modify the SFTP server and connection
settings as needed.

STEP 7 | Save the SFTP server connectivity settings.

STEP 8 | Download Files for Evidence Analysis on Panorama.

Set Up SFTP Storage to Save Evidence for Cloud Management


You connect your SFTP server on Cloud Management to automatically upload all files that match
an Enterprise Data Loss Prevention (E-DLP) data filtering profile for Enterprise DLP deployed on
Cloud Management.
To store your files scanned by the DLP cloud service, you must specify the SFTP server
connectivity information to successfully upload and write files to a target location on the SFTP
server. When the DLP cloud service uploads a file to your SFTP server, a reportId folder
is created by default. All files uploaded to your SFTP server by the DLP cloud service are
uploaded to the reportId folder within your folder path. Files uploaded to your SFTP server
are automatically named using the SFTP target folder location, default reportId folder, and
filename.
In case of connection issues to your SFTP server due to configuration error or change in settings
on the SFTP server, an email is automatically generated and sent to the admin that originally
connected Cloud Management to the SFTP server and to the user who last modified the storage
bucket connection settings on Cloud Management. This email is sent out every 48 hours until the
connection is restored.

Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage bucket can’t be stored and are lost. This means that all impacted files
aren’t available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management on the hub.
File storage automatically resumes after the connection status is restored.

This procedure assumes you have already set up an SFTP server to save evidence for investigative
analysis.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Launch the Cloud Management Console.

Access to evidence storage settings and files on Cloud Management is allowed only for
an account administrator or app administrator role with Enterprise DLP read and
write privileges. This is to ensure that only the appropriate users have access to report
data and evidence.

STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select Configure Bucket > SFTP as the Public Cloud Storage Bucket.

STEP 4 | Review the Instructions - SFTP and click Next.

STEP 5 | Input Bucket Details to configure the SFTP server connection settings.
1. Enter the Username of the SFTP server user used for secure file uploads.
The user is required to have read and write access to the SFTP server.
2. Enter the Private Key for the SFTP server.
This is required to authenticate the SSH connection to the SFTP server. The Private
Key must include both the BEGIN RSA PRIVATE KEY and END RSA PRIVATE KEY
prompts.
3. (Optional) Enter the public PGP Key to sign and encrypt files uploaded to the SFTP
server.
Pretty Good Privacy (PGP) is an encryption program providing privacy and
authentication for data communication, and is used for signing, encrypting, and decrypting
files. The PGP Key must include both the BEGIN RSA PRIVATE KEY and END RSA
PRIVATE KEY prompts.

4. Enter the Hostname of the SFTP server.


The Hostname can be a Fully Qualified Domain Name (FQDN) or an IPv4 address.
5. (Optional) Enter the Folder Path for uploaded files to specify the target location where
files are uploaded to on the SFTP server.
If no Folder Path is specified, the DLP cloud service creates the default reportId folder
at the top-most folder the Username has read and write access to. The folder path for
uploaded files depends on whether a Folder Path is specified.
• Folder Path Specified—<folder path>/reportId/<file name>
• Folder Path Not Specified—/reportId/<file name>
6. Enter the Port number through which files are uploaded to the SFTP server.
Palo Alto Networks recommends using Port 22 for file uploads to your SFTP server.
For uncommon ports, Enterprise DLP needs to open the egress port for connection and
upload.


STEP 6 | Connect to the SFTP server.


As part of the setup process, a file called
Palo_Alto_Networks_DLP_Connection_Test.txt is uploaded to the target Folder
Path on your SFTP server. Connectivity between the DLP cloud service and your SFTP server
is successful if the DLP cloud service successfully uploads the test file.
The Connection Status displays whether the initial connection test was successful. Continue to
the next step when the Bucket has connected successfully.
If the connection isn't successful, click Previous to modify the SFTP server and connection
settings as needed.

STEP 7 | Save the SFTP server connectivity settings.

STEP 8 | Download Files for Evidence Analysis on Panorama.

Set Up Cloud Storage to Save Evidence for Panorama


Set up cloud storage on Amazon Web Services (AWS) or Microsoft Azure and connect it to the
DLP cloud service on the DLP app on the hub to save evidence for investigative analysis with
Enterprise Data Loss Prevention (E-DLP).
• Configure Cloud Storage on AWS for Panorama
• Configure Cloud Storage on AWS Using AWS KMS for Panorama
• Configure Cloud Storage on Microsoft Azure for Panorama

Configure Cloud Storage on AWS for Panorama


Amazon Web Services (AWS) users can configure an S3 storage bucket to automatically upload all
files that match an Enterprise Data Loss Prevention (DLP) data filtering profile for Enterprise DLP
deployed on Panorama, Prisma Access (Panorama Managed), and Cloud Management.


To store your files scanned by the DLP cloud service, you must create an S3 storage bucket
and Identity and Access Management (IAM) role that allows the DLP cloud service access to
automatically store files. Palo Alto Networks provides you with a JSON data containing the
required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are
automatically named using a unique Report ID for each file. The Report ID is used to search and
download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in
settings on the bucket, an email is automatically generated and sent to the admin that originally
connected the DLP app to the storage bucket and to the user who last modified the storage
bucket connection settings on the DLP app. This email is sent out every 48 hours until the
connection is restored.

Files that are scanned by the DLP cloud service while the DLP app is disconnected from
your storage bucket can't be stored and are lost. This means that all impacted files are not
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.

STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.


STEP 2 | Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the
Encryption key type.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation
for more information on creating a new KMS key.

6. Create bucket.
7. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.


STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and
access policy JSONs provided by Palo Alto Networks.
1. Log in to the DLP app on the hub.
2. Select Settings > Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Cloud Storage
Bucket.
4. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy.
Highlighted are the copy buttons that you will use later on to create the IAM role for the
S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.


STEP 4 | Create the IAM role for the S3 storage bucket.


This role is required to allow the DLP cloud service to write to the S3 storage bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Security, Identity, and Compliance > IAM > Access management >
Roles and Create role.
3. Select Custom trust policy.
4. For the Trusted entity type, select Custom trust policy.
5. Return to the Cloud Management Console and copy the trust relationship JSON.
6. In the Amazon AWS console, paste the trust relationship JSON into the Custom trust
policy to configure the trust policy.

7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the Cloud Management Console and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.


12. Click Next.


13. Enter a Policy name and Create policy.
14. Return to the browser window where you're creating the IAM role.
15. Search for and select the access policy you created.

16. Click Next.


17. Enter a descriptive Role name for the IAM role.
18. Review the IAM role trust relationship and access policy.
19. Create role.


STEP 5 | Configure the S3 storage bucket for evidence file storage.


1. Log in to the DLP app on the hub.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select AWS as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter the S3 Bucket Name of the bucket you created.
The name you enter in the Cloud Management Console must match the name of the S3
storage bucket on AWS.
5. Enter the Role ARN for the IAM role you created.
The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed
in the Summary.
6. Select the AWS Region where the bucket is located.

7. Select Connect to verify the connection status of your S3 storage bucket.


Select Save if Enterprise DLP can successfully connect to your bucket. A
Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your
storage bucket by the DLP cloud service to verify connectivity.

If Enterprise DLP can't successfully connect to your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.


STEP 6 | Download Files for Evidence Analysis on Panorama.

Configure Cloud Storage on AWS Using AWS KMS for Panorama


Amazon Web Services (AWS) users can configure an S3 storage bucket using the AWS Key
Management Service (KMS) to automatically upload all files that match an Enterprise Data Loss
Prevention (DLP) data filtering profile for Enterprise DLP deployed on Panorama, Prisma Access
(Panorama Managed), and Cloud Management.
To store your files scanned by the DLP cloud service, you must create an S3 storage bucket
and Identity and Access Management (IAM) role that allows the DLP cloud service access to
automatically store files. Palo Alto Networks provides you with JSON data containing the
required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are
automatically named using a unique Report ID for each file. The Report ID is used to search and
download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in
settings on the bucket, an email is automatically generated and sent to the admin that originally
connected the DLP app to the storage bucket and to the user who last modified the storage
bucket connection settings on the DLP app. This email is sent out every 48 hours until the
connection is restored.

Files that are scanned by the DLP cloud service while the DLP app is disconnected from
your storage bucket can't be stored and are lost. This means that all impacted files are not
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.

STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.


STEP 2 | Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select AWS Key Management Service (SSE-
KMS) as the Encryption key type.
6. To specify the AWS KMS key, you can Choose from your AWS KMS keys or you can
Enter AWS key ARN.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation
for more information on creating a new KMS key.

7. Create bucket.
8. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.


STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and
access policy JSONs provided by Palo Alto Networks.
1. Log in to the DLP app on the hub.
2. Select Settings > Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Cloud Storage
Bucket.
4. Toggle KMS Enabled to enable an S3 storage bucket using AWS KMS.
5. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy.
Highlighted are the copy buttons that you will use later on to create the IAM role for the
S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.


STEP 4 | Create the IAM role for the S3 storage bucket.


This role is required to allow the DLP cloud service to write to the S3 storage bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Security, Identity, and Compliance > IAM > Access management >
Roles and Create role.
3. Select Custom trust policy.
4. For the Trusted entity type, select Custom trust policy.
5. Return to the Cloud Management Console and copy the trust relationship JSON.
6. In the Amazon AWS console, paste the trust relationship JSON into the Custom trust
policy to configure the trust policy.

7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the Cloud Management Console and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.


12. Add the AWS KMS key ARN.


The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided
when you created the S3 storage bucket.

13. Click Next.


14. Enter a Policy name and Create policy.
15. Return to the browser window where you're creating the IAM role.
16. Search for and select the access policy you created.


17. Click Next.


18. Enter a descriptive Role name for the IAM role.
19. Review the IAM role trust relationship and access policy.
20. Create role.
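As an added check that is not part of this guide and uses no Palo Alto Networks code, the following Python script reviews the filled-in access policy before the role is created: it confirms that every bucket_name_to_be_replaced placeholder was substituted, that Allow statements reference only the intended bucket and the single KMS key the bucket was created with, and that no wildcard action or resource slipped in. The SAMPLE_TEMPLATE, the bucket and key ARNs, and the kms_key_arn_to_be_replaced placeholder are constructed for illustration; the real JSON is the one you copy from the Cloud Management Console.

```python
"""Added example (not Palo Alto Networks' code): review the filled-in IAM access
policy for the Enterprise DLP evidence bucket before creating the role.

SAMPLE_TEMPLATE is constructed for illustration. Its bucket resources use the
guide's ``bucket_name_to_be_replaced`` placeholder; ``kms_key_arn_to_be_replaced``
is an assumed placeholder name for the KMS key ARN, not taken from the real JSON."""
import json
import re
from typing import List, Optional

BUCKET_PLACEHOLDER = "bucket_name_to_be_replaced"
KMS_PLACEHOLDER = "kms_key_arn_to_be_replaced"  # assumed name, see docstring

# arn:aws:s3:::<bucket-name>; bucket names are 3-63 chars of lowercase, digits, . and -
S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")
# arn:aws:kms:<region>:<12-digit account>:key/<uuid>
KMS_KEY_ARN = re.compile(r"^arn:aws:kms:[a-z0-9-]+:\d{12}:key/[0-9a-f-]{36}$")

# Constructed sample; the real template is copied from the Cloud Management Console.
SAMPLE_TEMPLATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetBucketLocation"],
         "Resource": [BUCKET_PLACEHOLDER, BUCKET_PLACEHOLDER + "/*"]},
        {"Effect": "Allow",
         "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": KMS_PLACEHOLDER},
    ],
})


def fill_template(template: str, bucket_arn: str, kms_key_arn: Optional[str] = None) -> str:
    """Substitute the placeholders, as steps 11 and 12 of the procedure require."""
    if not S3_BUCKET_ARN.match(bucket_arn):
        raise ValueError(f"not an S3 bucket ARN: {bucket_arn}")
    filled = template.replace(BUCKET_PLACEHOLDER, bucket_arn)
    if kms_key_arn is not None:
        if not KMS_KEY_ARN.match(kms_key_arn):
            raise ValueError(f"not a KMS key ARN: {kms_key_arn}")
        filled = filled.replace(KMS_PLACEHOLDER, kms_key_arn)
    return filled


def _as_list(value) -> list:
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def review_policy(policy_json: str, bucket_arn: str, kms_key_arn: Optional[str] = None) -> List[str]:
    """Return review findings; an empty list means the policy is scoped as intended.

    bucket_arn is the evidence bucket; kms_key_arn is the key the bucket was
    created with (SSE-KMS variant) or None when the bucket uses SSE-S3."""
    findings: List[str] = []
    for placeholder in (BUCKET_PLACEHOLDER, KMS_PLACEHOLDER):
        if placeholder in policy_json:
            findings.append(f"placeholder '{placeholder}' was not replaced")

    # Only these resources should ever appear in an Allow statement.
    allowed = {bucket_arn, bucket_arn + "/*"}
    if kms_key_arn is not None:
        allowed.add(kms_key_arn)

    statements = _as_list(json.loads(policy_json).get("Statement"))
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if any(a in ("*", "s3:*", "kms:*") for a in actions):
            findings.append(f"statement {idx}: over-broad action in {actions}")
        if any(a.startswith("kms:") for a in actions) and kms_key_arn is None:
            findings.append(f"statement {idx}: uses kms: actions but the bucket uses SSE-S3")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*" or resource.endswith(":*"):
                findings.append(f"statement {idx}: wildcard resource '{resource}'")
            elif resource not in allowed:
                # Catches a stale bucket ARN or a KMS key that differs from the bucket's key.
                findings.append(f"statement {idx}: unexpected resource '{resource}'")
    return findings


if __name__ == "__main__":
    bucket = "arn:aws:s3:::dlp-evidence-example"  # constructed
    key = "arn:aws:kms:us-west-2:123456789012:key/11111111-2222-3333-4444-555555555555"  # constructed
    print(review_policy(fill_template(SAMPLE_TEMPLATE, bucket, key), bucket, key))  # []
```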


STEP 5 | Configure the S3 storage bucket for evidence file storage.


1. Log in to the DLP app on the hub.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select AWS as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter the S3 Bucket Name of the bucket you created.
The name you enter in the Cloud Management Console must match the name of the S3
storage bucket on AWS.
5. Enter the Role ARN for the IAM role you created.
The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed
in the Summary.
6. Select the AWS Region where the bucket is located.

7. Select Connect to verify the connection status of your S3 storage bucket.


Select Save if Enterprise DLP can successfully connect to your bucket. A
Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your
storage bucket by the DLP cloud service to verify connectivity.

If Enterprise DLP can't successfully connect to your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.


STEP 6 | Download Files for Evidence Analysis on Cloud Management.

Configure Cloud Storage on Microsoft Azure for Panorama


Microsoft Azure users can configure an S3 bucket to automatically upload all files that match an
Enterprise Data Loss Prevention (E-DLP) data profile for Enterprise DLP deployed on Panorama,
Prisma Access (Panorama Managed), and Cloud Management.
To store your files scanned by the DLP cloud service, you must create a storage account
and Identity and Access Management (IAM) role that allows the DLP cloud service access to
automatically store files. Files uploaded to your storage account are automatically named using
a unique Report ID for each file. The Report ID is used to search and download specific files for
more in-depth investigation.
In case of connection issues to your storage account due to configuration error or change in
settings, an email is automatically generated and sent to the admin that originally connected the
DLP app to the storage bucket and to the user who last modified the storage account connection
settings on the DLP app. This email is sent out every 48 hours until the connection is restored.

Files scanned by the DLP cloud service while the DLP app was disconnected from your
storage account can’t be stored and are lost. This means that all impacted files aren’t
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.

STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Log in to the Microsoft Azure portal as an administrator.


Administrator level privileges are required to add the Enterprise DLP evidence storage
application using Cloud Shell and to configure access to the storage account to enable file
uploads by the DLP cloud service to save files for evidence analysis.

STEP 3 | (Optional) From the portal menu, select Storage groups and Create a new storage group.
You can also search for storage groups.

The storage group is required to associate the storage account you create next for
storing matched files.
Skip this step if you have an existing resource group that you want to associate with
the storage account.


STEP 4 | From the portal menu, select Storage accounts and Create a new storage account.
You can also search for storage accounts.

STEP 5 | Obtain the App-ID, Tenant ID, and blob service endpoint URL.
This information is required to add the Palo Alto Networks Enterprise DLP application to your
Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
• Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
The Palo Alto Networks Enterprise DLP App-ID can be found in the DLP app on the hub
(Settings > Sensitive Data > Configure Bucket > Azure).
1. Obtain your Tenant ID.
1. From the portal menu, select Azure Active Directory.
You can also search for azure active directory.
2. In the Basic Information section, copy the Tenant ID.
2. Obtain the blob service endpoint URL.
1. From the portal menu, select Storage accounts and select the storage account you
will use to save files for evidence analysis.
2. Select Settings > Endpoints and copy the Blob service endpoint URL.

STEP 6 | Add the Palo Alto Networks Enterprise DLP application.


1. Open Cloud Shell.
Click the Cloud Shell icon located in the top-right corner of the Microsoft Azure portal.
2. Add the Palo Alto Networks Enterprise DLP application.
Connect-AzureAD -TenantID <Your_Tenant_ID>
New-AzureADServicePrincipal -AppId 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
It might take a few minutes for Microsoft Azure to add a new application to your Azure
tenant.
3. Close the Cloud Shell.
4. Search for and select Enterprise applications.
5. For the Application type, select All applications.
6. Search for the Palo Alto Networks Enterprise DLP application name to verify
you successfully added the application.


STEP 7 | Configure permissions for the Palo Alto Networks Enterprise DLP application.
1. Select the Palo Alto Networks Enterprise DLP application name.
2. Select Security > Permissions and Grant Admin consent.
3. Select the administrator email in the Microsoft login prompt that is displayed.
4. Accept the permissions request to allow the Palo Alto Networks Enterprise DLP
application to view your Azure storage accounts.
It might take a few minutes for the permissions to be successfully granted to the Palo
Alto Networks Enterprise DLP application.
You still need to grant the Palo Alto Networks Enterprise DLP application permission to
write to a specific storage account.
5. Verify that the Azure Storage and Microsoft Graph API names are displayed in
the Admin consent section.

6. From the portal menu, select Storage accounts and select the storage account you want
to use to save files for evidence analysis.
7. Select Access Control (IAM) > Add > Add Role Assignment > Storage Blob Data Owner
and click Next.
8. Select to assign access to User, group, or service principal and select members.
9. Search and select the Palo Alto Networks Enterprise DLP application and Select the
application.
10. Review + assign to allow the Palo Alto Networks Enterprise DLP application to write to
the storage account.
It can take up to 10 minutes for the write permissions to be successfully granted to the
Palo Alto Networks Enterprise DLP application.


STEP 8 | Configure the storage bucket for evidence file storage.


1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.

Access to evidence storage settings and files on the hub is allowed only for an
account administrator or app administrator roles with a valid Enterprise DLP
license associated with that support account. This is to ensure that only the
appropriate users have access to report data and evidence.
2. Select Settings > Sensitive Data and select Configure Bucket > Azure as the Public
Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter Microsoft Azure Tenant ID.
5. Enter the Storage Endpoint.
This is the blob service endpoint URL that you gathered for the storage account.
6. Connect the storage account and the DLP cloud service.

7. View the Connection Status to verify that the DLP cloud service successfully connected
to the storage account.
Save if the DLP app can successfully connect to your resource group. A
connectiontest file is uploaded to your storage account by the DLP cloud service to
verify connectivity.
If the DLP app can’t successfully connect to your resource group, select Previous and
edit the connection settings.
8. In the DLP Settings, Enable for NGFW to enable evidence storage for Palo Alto
Networks Next-Gen Firewalls (NGFW) and Prisma Access (Panorama Managed).
You can also Enable for Prisma Access from the DLP app if you’re using Enterprise DLP
on Prisma Access (Cloud Management).


You can only enable storage of sensitive files for the platforms for which you have activated
the Enterprise DLP license. For example, you only have the option to enable evidence
storage for Next-Generation Firewalls (NGFW) if you activated the Enterprise DLP
license on Panorama.

STEP 9 | Download Files for Evidence Analysis on Panorama.

Set Up Cloud Storage to Save Evidence for Cloud Management


Set up cloud storage on Amazon Web Services (AWS) or Microsoft Azure and connect it to
the DLP cloud service for Prisma Access (Cloud Management) and SaaS Security on Cloud
Management to save evidence for investigative analysis with Enterprise Data Loss Prevention (E-
DLP).
• Configure Cloud Storage on AWS for Cloud Management
• Configure Cloud Storage on AWS for Cloud Management Using AWS KMS
• Configure Cloud Storage on Microsoft Azure for Cloud Management

Configure Cloud Storage on AWS for Cloud Management


Amazon Web Services (AWS) users can configure an S3 storage bucket to automatically upload
all files that match an Enterprise Data Loss Prevention (E-DLP) data profile for Enterprise DLP
deployed on Cloud Management.
To store your files scanned by the DLP cloud service, you must create an S3 storage bucket
and Identity and Access Management (IAM) role that allows the DLP cloud service access to
automatically store files. Palo Alto Networks provides you with JSON data containing the
required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are
automatically named using a unique Report ID for each file. The Report ID is used to search and
download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in
settings on the bucket, an email is automatically generated and sent to the admin that originally
connected Cloud Management to the storage bucket and to the user who last modified the
storage bucket connection settings on Cloud Management. This email is sent out every 48 hours
until the connection is restored.

Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage bucket can't be stored and are lost. This means that all impacted files
are not available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management.
File storage automatically resumes after the connection status is restored.

STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.


STEP 2 | Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the
Encryption key type.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation
for more information on creating a new KMS key.

6. Create bucket.
7. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.


STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and
access policy JSONs provided by Palo Alto Networks.
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
4. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy.
Highlighted are the copy buttons that you will use later on to create the IAM role for the
S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.


STEP 4 | Create the IAM role for the S3 storage bucket.


This role is required to allow the DLP cloud service to write to the S3 storage bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Security, Identity, and Compliance > IAM > Access management >
Roles and Create role.
3. Select Custom trust policy.
4. For the Trusted entity type, select Custom trust policy.
5. Return to the Cloud Management Console and copy the trust relationship JSON.
6. In the Amazon AWS console, paste the trust relationship JSON into the Custom trust
policy to configure the trust policy.

7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the Cloud Management Console and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.


12. Click Next.


13. Enter a Policy name and Create policy.
14. Return to the browser window where you're creating the IAM role.
15. Search for and select the access policy you created.

16. Click Next.


17. Enter a descriptive Role name for the IAM role.
18. Review the IAM role trust relationship and access policy.
19. Create role.


STEP 5 | Configure the S3 storage bucket for evidence file storage.


1. Launch the Cloud Management Console.

Access to evidence storage settings and files on Cloud Management is allowed
only for an account administrator or app administrator role with Enterprise
DLP read and write privileges. This is to ensure that only the appropriate users
have access to report data and evidence.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select AWS as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter the S3 Bucket Name of the bucket you created.
The name you enter in the Cloud Management Console must match the name of the S3
storage bucket on AWS.
5. Enter the Role ARN for the IAM role you created.
The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed
in the Summary.
6. Select the AWS Region where the bucket is located.

7. Select Connect to verify the connection status of your S3 storage bucket.


Select Save if Enterprise DLP can successfully connect to your bucket. A
Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your
storage bucket by the DLP cloud service to verify connectivity.

If Enterprise DLP can't successfully connect to your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.

STEP 6 | Download Files for Evidence Analysis on Cloud Management.

Configure Cloud Storage on AWS for Cloud Management Using AWS KMS
Amazon Web Services (AWS) users can configure an S3 storage bucket using the AWS Key
Management Service (KMS) to automatically upload all files that match an Enterprise Data Loss
Prevention (E-DLP) data profile for Enterprise DLP deployed on Cloud Management.
To store your files scanned by the DLP cloud service, you must create an S3 storage bucket
and Identity and Access Management (IAM) role that allows the DLP cloud service access to
automatically store files. Palo Alto Networks provides you with JSON data containing the
required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are
automatically named using a unique Report ID for each file. The Report ID is used to search and
download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in
settings on the bucket, an email is automatically generated and sent to the admin that originally
connected Cloud Management to the storage bucket and to the user who last modified the
storage bucket connection settings on Cloud Management. This email is sent out every 48 hours
until the connection is restored.


Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage bucket can't be stored and are lost. This means that all impacted files
are not available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management.
File storage automatically resumes after the connection status is restored.

STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select AWS Key Management Service (SSE-
KMS) as the Encryption key type.
6. To specify the AWS KMS key, you can Choose from your AWS KMS keys or you can
Enter AWS key ARN.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation
for more information on creating a new KMS key.

7. Create bucket.
8. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.


STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and
access policy JSONs provided by Palo Alto Networks.
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
4. Toggle KMS Enabled to enable an S3 storage bucket using AWS KMS.
5. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy.
Highlighted are the copy buttons that you will use later on to create the IAM role for the
S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.


STEP 4 | Create the IAM role for the S3 storage bucket.


This role is required to allow the DLP cloud service to write to the S3 storage bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Security, Identity, and Compliance > IAM > Access management >
Roles and Create role.
3. Select Custom trust policy.
4. For the Trusted entity type, select Custom trust policy.
5. Return to the Cloud Management Console and copy the trust relationship JSON.
6. In the Amazon AWS console, paste the trust relationship JSON into the Custom trust
policy to configure the trust policy.

7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the Cloud Management Console and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.


12. Add the AWS KMS key ARN.


The AWS KMS ARN you add here must be the same AWS KMS Key ARN you provided
when you created the S3 storage bucket.

13. Click Next.


14. Enter a Policy name and Create policy.
15. Return to the browser window where you're creating the IAM role.
16. Search for and select the access policy you created.


17. Click Next.


18. Enter a descriptive Role name for the IAM role.
19. Review the IAM role trust relationship and access policy.
20. Create role.


STEP 5 | Configure the S3 storage bucket for evidence file storage.


1. Launch the Cloud Management Console.

Access to evidence storage settings and files on Cloud Management is allowed
only for an account administrator or app administrator role with Enterprise
DLP read and write privileges. This is to ensure that only the appropriate users
have access to report data and evidence.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select AWS as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter the S3 Bucket Name of the bucket you created.
The name you enter in the Cloud Management Console must match the name of the S3
storage bucket on AWS.
5. Enter the Role ARN for the IAM role you created.
The IAM Role ARN can be found in the IAM role Permissions. The role ARN is displayed
in the Summary.
6. Select the AWS Region where the bucket is located.

7. Select Connect to verify the connection status of your S3 storage bucket.


Select Save if Enterprise DLP can successfully connect to your bucket. A
Palo_Alto_Networks_DLP_Connection_Test.txt file is uploaded to your
storage bucket by the DLP cloud service to verify connectivity.

If Enterprise DLP can't successfully connect to your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.

STEP 6 | Download Files for Evidence Analysis on Cloud Management.

Configure Cloud Storage on Microsoft Azure for Cloud Management


Microsoft Azure users can configure a storage account to automatically upload all files that match
an Enterprise Data Loss Prevention (E-DLP) data profile for Enterprise DLP deployed on Cloud
Management.
To store your files scanned by the DLP cloud service, you must create a storage account
and an Identity and Access Management (IAM) role assignment that allows the DLP cloud
service to automatically store files in it. Files uploaded to your storage account are
automatically named using a unique Report ID for each file. The Report ID is used to search
for and download specific files for more in-depth investigation.
If the connection to your storage account fails because of a configuration error or a change
in settings, an email is automatically generated and sent to the admin who originally
connected Cloud Management to the storage account and to the user who last modified the
storage account connection settings on Cloud Management. This email is sent every 48 hours
until the connection is restored.

Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage account can’t be stored and are lost. This means that all impacted
files aren’t available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management.
File storage automatically resumes after the connection status is restored.


STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.

STEP 2 | Log in to the Microsoft Azure portal as an administrator.


Administrator level privileges are required to successfully add the Enterprise DLP evidence
storage application using Cloud Shell and to configure access to the storage account to enable
file uploads by the DLP cloud service to save files for evidence analysis.

STEP 3 | (Optional) From the portal menu, select Resource groups and Create a new resource group.
You can also search for resource groups.

The resource group is required to associate the storage account you create next for
storing matched files.
Skip this step if you have an existing resource group that you want to associate with
the storage account.

STEP 4 | From the portal menu, select Storage accounts and Create a new storage account.
You can also search for storage accounts.

STEP 5 | Obtain the App ID, Tenant ID, and blob service endpoint URL.
This information is required to add the Palo Alto Networks Enterprise DLP application to your
Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
• Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
The Palo Alto Networks Enterprise DLP App ID can also be found in the DLP app on the hub
(Settings > Sensitive Data > Configure Bucket > Azure).
1. Obtain your Tenant ID.
1. From the portal menu, select Azure Active Directory.
You can also search for azure active directory.
2. In the Basic Information section, copy the Tenant ID.
2. Obtain the blob service endpoint URL.
1. From the portal menu, select Storage accounts and select the storage account you
will use to save files for evidence analysis.
2. Select Settings > Endpoints and copy the Blob service endpoint URL.


STEP 6 | Add the Palo Alto Networks Enterprise DLP application.


1. Open Cloud Shell.
Click the Cloud Shell icon located in the top-right corner of the Microsoft Azure portal.
2. Add the Palo Alto Networks Enterprise DLP application.
# Sign in to your tenant, then register the Enterprise DLP application as a service principal
Connect-AzureAD -TenantID <Your_Tenant_ID>
New-AzureADServicePrincipal -AppId 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
It might take a few minutes for Microsoft Azure to add a new application to your Azure
tenant.
3. Close the Cloud Shell.
4. Search for and select Enterprise applications.
5. For the Application type, select All applications.
6. Search for the Palo Alto Networks Enterprise DLP application name to verify
you successfully added the application.


STEP 7 | Configure permissions for the Palo Alto Networks Enterprise DLP application.
1. Select the Palo Alto Networks Enterprise DLP application name.
2. Select Security > Permissions and Grant Admin consent.
3. Select the administrator email in the Microsoft login prompt that is displayed.
4. Accept the permissions request to allow the Palo Alto Networks Enterprise DLP
application to view your Azure storage accounts.
It might take a few minutes for the permissions to be successfully granted to the Palo
Alto Networks Enterprise DLP application.
You still need to grant the Palo Alto Networks Enterprise DLP application permission to
write to a specific storage account.
5. Verify that the Azure Storage and Microsoft Graph API names are displayed in
the Admin consent section.

6. From the portal menu, select Storage accounts and select the storage account you want
to use to save files for evidence analysis.
7. Select Access Control (IAM) > Add > Add Role Assignment > Storage Blob Data Owner
and click Next.
8. Under Assign access to, select User, group, or service principal and then Select members.
9. Search for the Palo Alto Networks Enterprise DLP application and Select it.
10. Review + assign to allow the Palo Alto Networks Enterprise DLP application to write to
the storage account.
It can take up to 10 minutes for the write permissions to be successfully granted to the
Palo Alto Networks Enterprise DLP application.


STEP 8 | Configure the storage bucket for evidence file storage.


1. Launch the Cloud Management Console.

   Access to evidence storage settings and files on Cloud Management is allowed only
   for an account administrator or app administrator role with Enterprise DLP read
   and write privileges. This is to ensure that only the appropriate users have
   access to report data and evidence.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select Azure as the Public Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter Microsoft Azure Tenant ID.
5. Enter the Storage Endpoint.
This is the blob service endpoint URL that you gathered for the storage account.
6. Connect the storage account and the DLP cloud service.

7. View the Connection Status to verify that the DLP cloud service successfully connected
to the storage account.
Select Save if Cloud Management can successfully connect to your storage account. A
connection test file is uploaded to your storage account by the DLP cloud service to
verify connectivity.
If Cloud Management can't successfully connect to your storage account, select Previous
and edit the storage account connection settings.
8. In the Store Sensitive Files settings, enable storage of sensitive files for Cloud
Management.

STEP 9 | Download Files for Evidence Analysis on Cloud Management.

Download Files for Evidence Analysis on Panorama


After you successfully connect your AWS storage bucket, Azure storage bucket, or SFTP server
to Enterprise DLP to store files that match your Enterprise Data Loss Prevention (E-DLP)
data profiles, you can download to your local device any files scanned by the DLP cloud service to
allow for in-depth investigation.
Files scanned by the DLP cloud service while Enterprise DLP is disconnected from your cloud
storage aren’t stored in your cloud storage. This means that all impacted files aren’t available for
download. However, all snippet data is preserved and can still be viewed on the DLP app on the
hub.
STEP 1 | Connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP
if not already connected.
The files available to download are only files scanned by the DLP cloud service after you
successfully connected Enterprise DLP to your cloud storage.

STEP 2 | (AWS and Azure only) Obtain the Report ID for the file you want to download by doing one
of the following:
• Log in to the Amazon AWS console or Microsoft Azure portal and access the storage bucket
you connected to Enterprise DLP. Select Reports and enter a Report ID to Search.
The object Name is the Report ID.
• Log in to the Panorama web interface and select Monitor > Logs > Data Filtering and Filter
the data filtering logs by entering ( subtype eq dlp ). Locate the Report ID column to
obtain the Report ID for the report you want to download.

STEP 3 | Log in to the DLP app on the hub.


If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.

STEP 4 | Select Reports and enter a Report ID to Search.


STEP 5 | Review the report summary and click the download button to download the file to your device.
Whether the stored file is downloaded directly to your local device is dependent on the
storage bucket you connected to Enterprise DLP.
• AWS and Azure—The file associated with the particular report ID is downloaded locally to
your device.
• SFTP Server—Enterprise DLP displays the folder path of the location the file was uploaded
to on your SFTP server. Access your SFTP server to download the file to your local device.

Download Files for Evidence Analysis on Cloud Management


After you successfully connect your AWS storage bucket, Azure storage bucket, or SFTP server
to Cloud Management to store files that match your Enterprise Data Loss Prevention (E-DLP)
data profiles, you can download to your local device any files scanned by the DLP cloud service to
allow for in-depth investigation.
Files scanned by the DLP cloud service while Enterprise DLP is disconnected from your cloud
storage bucket aren’t stored in your cloud storage. This means that all impacted files aren’t
available for download. However, all snippet data is preserved and can still be viewed on Cloud
Management.
STEP 1 | Connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP
if not already connected.
The files available to download are only files scanned by the DLP cloud service after you
successfully connected Enterprise DLP to your cloud storage bucket.

STEP 2 | (AWS and Azure only) Log in to the Amazon AWS console or Microsoft Azure portal and
access the cloud storage you connected to Cloud Management. Select Reports and enter a
Report ID to Search.
The object Name is the Report ID.

STEP 3 | Launch the Cloud Management Console.

STEP 4 | In the Cloud Management Console, select Activity > Logs > DLP Incidents and search for the
Report ID.


STEP 5 | Review the report summary and click the download button to download the file to your device.
Whether the stored file is downloaded directly to your local device is dependent on the
storage bucket you connected to Enterprise DLP.
• AWS and Azure—The file associated with the particular Report ID is downloaded locally to
your device.
• SFTP Server—Cloud Management displays the folder path of the location the file was
uploaded to on your SFTP server. You must access your SFTP server to download the file to
your local device.
