October 2023
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2021-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
October 18, 2023
Enterprise DLP Administrator’s Guide October 2023 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Enterprise DLP Overview.................................................................................7
About Enterprise DLP.................................................................................................................8
Setup Prerequisites for Enterprise DLP...............................................................................11
Ports and FQDNs.......................................................................................................... 11
IP Addresses for Evidence Storage........................................................................... 12
What’s Supported with Enterprise DLP?............................................................................ 14
Platform Support............................................................................................................14
Supported Applications................................................................................................ 15
Supported File Types....................................................................................................24
Support for Non-File Based Traffic...........................................................................26
Data Patterns and Data Filtering Profiles................................................................26
Supported Enterprise DLP Data Profile Actions............................................................... 27
Supported Features for Enterprise DLP.............................................................................. 29
Predefined ML-Based Data Patterns....................................................................................30
Predefined Data Filtering Profiles.........................................................................................33
Set Up Enterprise DLP End User Alerting with Cortex XSOAR....................... 174
Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR............ 190
View the Enterprise DLP End User Alerting with Cortex XSOAR Response History.................193
Inspection of Contextual Secrets for Chat Applications............................................... 195
About Inspection of Contextual Secrets............................................................... 195
Contextual Chat Examples........................................................................................196
Configure SaaS Security to Inspect for Contextual Secrets..............................196
Enterprise DLP and AI Apps................................................................................................ 198
How Enterprise DLP Safeguards Against ChatGPT Data Leakage.................. 198
Create a Security Policy Rule for ChatGPT.......................................................... 200
Custom Document Templates for Enterprise DLP......................................................... 209
About Custom Document Templates.....................................................................209
Upload a Custom Document Template................................................................. 210
Test a Custom Document Template.......................................................................213
Create a Data Profile to Detect Custom Documents.........................................215
Email DLP..................................................................................................................................219
How Does Email DLP Work?................................................................................... 219
Activate Email DLP..................................................................................................... 221
Onboard Microsoft Exchange Online.....................................................................222
Add an Enterprise DLP Email Policy.......................................................................257
Review Email DLP Incidents.....................................................................................263
Enterprise DLP Overview
Learn more about Enterprise Data Loss Prevention (E-DLP) to strengthen your security posture by
enforcing the data security standards of your organization to prevent accidental data misuse, loss,
or theft.
• About Enterprise DLP
• Setup Prerequisites for Enterprise DLP
• What’s Supported with Enterprise DLP?
• Supported Enterprise DLP Data Profile Actions
• Supported Features for Enterprise DLP
• Predefined ML-Based Data Patterns
• Predefined Data Filtering Profiles
in the policy rules, the managed firewall either creates an alert notification or blocks the file
upload.
When traffic matches a data profile that a Security policy rule is using, a data filtering log is generated.
The log entry contains detailed information about the traffic that matched one or more data
patterns in the data profile. The log details support forensics by letting you verify when
matched data generated an alert notification or was blocked.
You view the snippets in the data filtering logs. By default, data masking partially masks the
snippets to prevent the sensitive data from being exposed. You can completely mask the sensitive
information, unmask snippets, or disable snippet extraction and viewing.
To improve detection accuracy and reduce false positives, you can also specify:
• Proximity keywords—An asset is assigned a higher accuracy probability when a keyword
is within a 200-character distance of the expression. If a document has a 16-digit number
immediately followed by Visa, that's more likely to be a credit card number. But if Visa is the
title of the text and the 16-digit number is on the last page of the 22-page document, that's
less likely to be a credit card number.
Proximity keywords aren’t case-sensitive. Multiple proximity keywords for a single data pattern
are supported.
• Confidence levels—The confidence level reflects how confident Enterprise DLP is when
detecting matched traffic. Enterprise DLP determines the confidence level by inspecting the
distance between regular expression matches and proximity keywords.
• Low—A proximity keyword included in the custom or predefined regex data pattern isn’t
found within 200 characters of the regular expression match, or a proximity keyword is
included in the pattern but isn’t present in the inspected traffic.
When the match criteria specify a Low confidence level, Enterprise DLP still
inspects for up to 3 matches with a High confidence level.
• High—A proximity keyword included in the custom or predefined regex data pattern is within
200 characters of the regular expression match.
When the match criteria specify a High confidence level, Enterprise DLP still
inspects for up to 3 matches with a Low confidence level.
Additionally, custom data patterns that don’t include any proximity keywords to identify a
match always have both Low and High confidence level detections.
• Basic and weighted regular expressions—A regular expression (regex for short) describes how
to search for a specific text pattern and then display the match occurrences when a pattern
match is found. There are two types of regular expressions—basic and weighted.
• A basic regular expression searches for a specific text pattern. When a pattern match is
found, the service displays the match occurrences.
• A weighted regular expression assigns a score to a text entry. When the score threshold is
exceeded, the service returns a match for the pattern.
To reduce false positives and maximize the search performance of your regular expressions,
you can assign scores using the weighted regular expression builder when you create
data patterns to find and calculate scores for the information that is important to you.
Scoring applies a match threshold; when the score threshold is exceeded, such as when enough
expressions from a pattern match an asset, the asset is indicated as a match for the
pattern.
For more information, including a use case and best practices, see Configure Regular
Expressions.
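The following is an added, self-contained Python model of the two detection mechanisms described above (proximity keywords with Low/High confidence, and weighted regular expressions). It is not code from the Enterprise DLP service or from Palo Alto Networks; it reproduces the rules as the guide states them so that the effect of keyword distance and score thresholds can be tried on sample text. The 200-character window comes from the guide. Two points are assumptions because the guide does not define them: "distance" is taken as the character gap between the keyword and the regex match, and in the weighted model each expression that matches anywhere in the text contributes its weight once. The sample texts, regexes, keywords and weights are constructed for the example.

```python
import re
from typing import NamedTuple

PROXIMITY_WINDOW = 200                      # character distance stated in the guide
BOTH_LEVELS = frozenset({"High", "Low"})


class Detection(NamedTuple):
    value: str          # the matched text
    start: int          # offset of the match in the inspected text
    levels: frozenset   # confidence levels this detection satisfies


def _gap(a_start, a_end, b_start, b_end):
    """Character gap between two spans; 0 when they touch or overlap."""
    return max(0, a_start - b_end, b_start - a_end)


def confidence_levels(text, start, end, keywords, window=PROXIMITY_WINDOW):
    """Confidence levels for a regex match occupying text[start:end].

    Rules as the guide states them:
    - no proximity keywords on the pattern -> both Low and High
    - a keyword (case-insensitive) within `window` characters -> High
    - keywords configured but absent or too far away -> Low
    Assumption: distance is the gap between keyword span and match span.
    """
    if not keywords:
        return BOTH_LEVELS
    lowered = text.lower()
    for keyword in keywords:
        for km in re.finditer(re.escape(keyword.lower()), lowered):
            if _gap(start, end, km.start(), km.end()) <= window:
                return frozenset({"High"})
    return frozenset({"Low"})


def find_detections(text, regex, keywords=()):
    """Every regex match in `text`, tagged with its confidence levels."""
    return [
        Detection(m.group(0), m.start(),
                  confidence_levels(text, m.start(), m.end(), keywords))
        for m in re.finditer(regex, text)
    ]


def weighted_score(text, weighted_regexes):
    """Assumed scoring model: each expression that matches anywhere in the
    text contributes its weight once (the guide does not spell this out)."""
    return sum(weight for regex, weight in weighted_regexes if re.search(regex, text))


def weighted_match(text, weighted_regexes, threshold):
    """The pattern matches when the score exceeds the threshold."""
    return weighted_score(text, weighted_regexes) > threshold


# --- constructed sample inputs (not taken from the guide) ---
CCN_REGEX = r"\b\d{16}\b"
CCN_KEYWORDS = ("visa", "mastercard")
# keyword right next to the number -> High confidence
NEAR_TEXT = "Invoice paid with card 4111111111111111 (Visa) on 2023-10-18."
# keyword only in the title, number more than 200 characters below -> Low confidence
FAR_TEXT = "Visa\n" + "lorem ipsum " * 40 + "\nref 4111111111111111"

# constructed weighted pattern for a bank-statement-like document
BANK_STATEMENT_WEIGHTS = [
    (r"(?i)\bstatement period\b", 2),
    (r"(?i)\baccount number\b", 3),
    (r"(?i)\brouting number\b", 3),
    (r"(?i)\bclosing balance\b", 2),
]
STATEMENT_TEXT = ("Statement period: Sep 2023. Account number ****1234. "
                  "Routing number ****5678. Closing balance: $5,000.00.")

if __name__ == "__main__":
    for label, text in (("near", NEAR_TEXT), ("far", FAR_TEXT)):
        for d in find_detections(text, CCN_REGEX, CCN_KEYWORDS):
            print(label, d.value, sorted(d.levels))
    print("bank statement score:", weighted_score(STATEMENT_TEXT, BANK_STATEMENT_WEIGHTS))
```

Running the block shows the same 16-digit number reported as High confidence when "Visa" sits beside it and as Low confidence when "Visa" is only a distant title, and the statement text scoring 10 against the weighted pattern, so a threshold of 6 is exceeded while a document mentioning only an account number (score 3) is not.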
The following are the fully qualified domain names (FQDNs), network ports, and IP addresses that must be
allowed. These tables describe the network settings required to forward traffic to Enterprise Data
Loss Prevention (E-DLP) for inspection and verdict rendering, as well as the network settings
required for specific Enterprise DLP features.
FQDNs (Ports: TCP 80)
• http://ocsp.paloaltonetworks.com
• http://crl.paloaltonetworks.com
• http://ocsp.godaddy.com
• http://crl.godaddy.com
FQDNs Ports
• urlcat.hawkeye.services-edge.paloaltonetworks.com
• enforcer.hawkeye.services-edge.paloaltonetworks.com
Region IP Address
APAC 13.228.151.58
52.74.82.77
Australia 13.54.198.248
52.63.9.154
Canada 15.222.125.234
99.59.186.42
E.U 3.123.172.116
52.59.186.42
India 15.207.246.3
3.108.103.214
U.K 13.43.141.10
18.169.44.228
35.177.5.4
52.56.54.90
Region IP Address
18.16.224.253
3.16.224.253
34.223.123.78
52.27.148.95
Platform Support
Enterprise Data Loss Prevention (E-DLP) is supported on the following platforms. Enterprise DLP
data patterns and data filtering profiles are designed to work across all supported platforms to
provide consistent data security across all locations.
All PA-Series firewalls and VM-Series firewalls (but not CN-Series firewalls).
• Requires PAN-OS 10.0.2 or a later version.
• Requires an M-Series or Panorama virtual appliance running PAN-OS 10.0.2 or later version.
Enterprise DLP supports adding a data filtering profile to a Security policy rule or security
profile group configured on Panorama only. To successfully use Enterprise DLP, you must
configure your Security policy rule and Security Profile Group on Panorama and push these
configurations to your managed firewalls.
Enterprise DLP doesn’t support pushing an Enterprise DLP data filtering profile to your
managed firewall and referencing the data filtering profile in a Security policy rule or Security
Profile Group created locally on the firewall.
• Requires minimum Application and Threats content release version 8334 or a later version.
Upgrade to PAN-OS 10.0.3 and install Application and Threats content release version
8413 or later version for additional application support.
Prisma Access (Panorama Managed)
• Requires Prisma Access 2.0 Innovation or a later version.
• Requires an M-Series or Panorama virtual appliance running PAN-OS 10.0.2 or later version.
• Requires minimum Application and Threats content release version 8334 or a later version.
Install Application and Threats content release version 8413 or later version for
additional application support.
• DLP is an add-on license on Prisma Access (Panorama Managed). You can either start with a
60-day trial or you can purchase a license to use Enterprise DLP on Prisma Access (Panorama
Managed).
Cloud Management
• Enterprise DLP is supported on Cloud Management when using Prisma Access (Cloud
Management), SaaS Security, or both.
• DLP is an add-on license on Cloud Management when using Cloud Management from a Single
Prisma SASE Platform or Multitenant Prisma SASE Platform.
Enterprise DLP is included by default and doesn’t require a separate license when using Cloud
Management from the CASB-X Platform.
• Important: Install Panorama plugin for Enterprise DLP 1.0.6 or later release if you’re using
Enterprise DLP on Cloud Management and managing the Enterprise DLP configuration from
Panorama for Palo Alto Networks Next-Generation Firewalls (NGFW) and Prisma Access
(Panorama Managed). This is required to ensure Enterprise DLP configurations are successfully
synchronized across all your security platforms.
DLP policy enforcement on Cloud Management is supported when using Panorama to manage
your Enterprise DLP configuration.
Supported Applications
The following table displays the supported web applications and operational parameters that you
can use with Enterprise Data Loss Prevention (E-DLP). See the Supported File Types for more
information on which file types Enterprise DLP can inspect and render a verdict on across all
applications. Refer to the Palo Alto Networks Applipedia for more information on each application
App-ID.
Some application support might have a Minimum Version Requirement. The minimum version
requirement to support inspection of an application might require a minimum PAN-OS version or
an Apps & Threats content release version installed.
Some Enterprise DLP functionality is dependent on a PAN-OS release.
• Any application whose Inspection Type is Non-File Inspection requires PAN-OS 10.2.3 or a
later PAN-OS release.
• Any application that supports a Max File Size larger than 20 MB requires PAN-OS 10.2.4 or a
later PAN-OS 10.2 release, or PAN-OS 11.0.2 or a later release.
• Any application that supports the Download Direction requires PAN-OS 10.2.4 or a later
PAN-OS 10.2 release, or PAN-OS 11.0.2 or a later release.
• To upgrade Panorama or Cloud Management:
• For Panorama, upgrade Panorama and managed firewalls to the Minimum Version
Requirement or a later release.
• For Prisma Access (Panorama Managed), you must upgrade Panorama to the Minimum
Version Requirement and ensure your Prisma Access tenants are running the Minimum
Version Requirement or a later release.
• For Cloud Management, a PAN-OS software upgrade of the Cloud Management
infrastructure to the Minimum Version Requirement or a later release is required. You can
view the Software Version in the Cloud Management Overview.
• Review the Compatibility Matrix for the minimum plugin versions required for your target
upgrade version.
To use Gmail, you must disable the Quick UDP Internet Connection (QUIC) protocol.
Palo Alto Networks recommends that you disable QUIC in Chrome. To do so, open
chrome://flags/ in Chrome, locate the Experimental QUIC Protocol flag, and select Disabled.
Supported AI Applications
The following table displays the supported AI web applications and operational parameters that
you can use with Enterprise Data Loss Prevention (E-DLP). Refer to the Palo Alto Networks
Applipedia for more information on each application App-ID.
• All AI apps require PAN-OS 10.2.3 or a later release.
• All AI apps support only non-file inspection unless otherwise specified.
Requires Application and Threats content release 8529 or later versions installed
on Panorama and managed firewalls, or Cloud Management deployment.
• Image files (.jpg, .jpeg, .png, .tif, .tiff)
Detection of image files requires you to enable Optical Character Recognition (OCR) on the
DLP app or Cloud Management.
• Source Code File Types—Enterprise DLP supports inspection of the following source code
file types.
• Cfamily—C, C++, C+, C#, Objective C
• Generic
• java
• javascript
• perl
• powershell
• python
• r
• ruby
• vbs
• verilog
• vhdl
• x86_assembly
• ZIP Files—Enterprise DLP supports inspection of ZIP and 7Z (7-ZIP file archiver) files
containing the supported file types listed above.
The Enterprise DLP cloud service supports single-level compression of files only.
The Enterprise DLP cloud service doesn’t support scanning multilevel compressed files. For
example, the DLP cloud service can’t scan or render a verdict on the contents of a zip file
if the file has been compressed more than once.
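Because a multilevel archive is one the cloud service cannot render a verdict on, an administrator may want to detect such files independently, for example in a mail gateway or upload pipeline, and route them for review. The following added Python example (not code from Enterprise DLP or Palo Alto Networks) measures the nesting depth of a ZIP blob and flags anything deeper than the single level the service supports. It uses only the standard library, so 7Z members are not opened; they, and members too large to expand safely, are counted as one extra level by name as a conservative assumption. The sample archives are built in memory and are constructed for the example; the size limit and recursion bound are assumed values.

```python
import io
import zipfile

MAX_INSPECTABLE_DEPTH = 1            # the guide: single-level compression only
MAX_MEMBER_BYTES = 50 * 1024 * 1024  # assumption: never expand a member larger than this
ARCHIVE_SUFFIXES = (".zip", ".7z")   # archive types the guide names


def build_zip(members):
    """Helper for the constructed samples: dict of name -> bytes into a ZIP blob."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in members.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def archive_depth(data, max_depth=8, _level=1):
    """Compression nesting depth of a ZIP blob.

    0 -> not a ZIP; 1 -> plain ZIP; 2 -> a ZIP containing another archive; and so on.
    Only ZIP members are opened (the standard library has no 7z reader). A .7z member,
    or a member too large to expand safely, is counted as one extra level without being
    opened. `max_depth` bounds the recursion so a deeply nested archive cannot make the
    checker itself exhaust memory or stack.
    """
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return 0
    if _level >= max_depth:
        return _level
    deepest = _level
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if info.is_dir() or not name.endswith(ARCHIVE_SUFFIXES):
                continue
            if name.endswith(".7z") or info.file_size > MAX_MEMBER_BYTES:
                # cannot (7z) or will not (oversize) open it: assume one more level
                deepest = max(deepest, _level + 1)
            else:
                deepest = max(deepest, archive_depth(zf.read(info), max_depth, _level + 1))
    return deepest


def exceeds_inspectable_depth(data):
    """True when the cloud service cannot render a verdict on the archive's contents."""
    return archive_depth(data) > MAX_INSPECTABLE_DEPTH


# --- constructed samples ---
SINGLE_LEVEL = build_zip({"report.docx": b"constructed sample document"})
DOUBLE_LEVEL = build_zip({"inner.zip": SINGLE_LEVEL})
TRIPLE_LEVEL = build_zip({"middle.zip": DOUBLE_LEVEL, "readme.txt": b"constructed note"})

if __name__ == "__main__":
    for label, blob in (("single", SINGLE_LEVEL), ("double", DOUBLE_LEVEL),
                        ("triple", TRIPLE_LEVEL)):
        print(label, "depth:", archive_depth(blob),
              "needs review:", exceeds_inspectable_depth(blob))
```

The single-level archive reports depth 1 and passes; the double- and triple-level archives report depths 2 and 3 and are flagged. Matching on member names is deliberately simple: a renamed archive would slip past it, so in a real pipeline the ZIP check should be applied to every member's bytes, not only to members named .zip.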
• Response—Block and Alert actions are supported for HTTP and HTTPS files. However, the
Block page doesn’t display the name of the file that the managed firewall blocked.
Inspection of non-file based traffic is supported on Panorama running PAN-OS 10.2.1 and
later releases and Enterprise DLP plugin 3.0.1 and later releases.
To upgrade to PAN-OS 10.2.1, you must install Application and Threats content release
version 8552-7333 or later version on Panorama and managed firewalls using Enterprise
DLP. This is required to support non-file based traffic inspection.
Prisma Access (Panorama Managed), Panorama
Data Profiles containing only EDM data sets, or EDM data sets and data patterns.
Some Enterprise DLP features supported on Panorama and Prisma Access (Panorama
Managed) require access to the DLP app on the hub to enable and configure.
See Supported Enterprise DLP Data Profile Actions for more information on data
profile actions supported on Panorama, Prisma Access (Panorama Managed), Prisma
Access (Cloud Management), and SaaS Security.
• Bulk CCN—Credit card numbers or Voyager Credit card numbers (more than 100).
• Financial Information—Bank statements, bank routing numbers, credit card numbers
(strict checking), bankruptcy filings.
• Gramm-Leach-Bliley Act (GLBA)—Credit card numbers, Voyager credit card numbers, Magnetic
stripe information, Tax Id-US (TIN), National ID-US, Social Security Number (SSN).
• Intellectual Property—Source code, AWS secret keys, access keys, company confidential.
• Intellectual Property - Basic—Source code, AWS secret keys, access keys, company
confidential.
The Intellectual Property - Basic data filtering profile contains a subset of data patterns
included in the Intellectual Property data filtering profile.
• Personal Health Information (PHI)—Medical codes; ICD-9, ICD-10, NPI codes, Clinical Laboratory
Improvement Amendments (CLIA) number, Drug Enforcement Administration (DEA) number, and more.
• Personally-Identifiable Information (PII)—Tax IDs, National IDs, Passport numbers, and Driver’s
License numbers.
• Secrets and Credentials—Cloud database credentials, Application credentials, API access
tokens, Private keys, miscellaneous secret keys.
• Sensitive Content—National ID, Bank information, AWS Secret keys or access keys, company
confidential, CCN.
Set Up Enterprise DLP
Install and configure the Enterprise Data Loss Prevention (E-DLP) on your Panorama™
management server and Prisma Access (Panorama Managed). Additionally, define access
privileges for Enterprise DLP on Cloud Management.
Review the Enterprise DLP Limitations before you set up Enterprise DLP on Panorama or
Cloud Management, or register and activate Enterprise DLP on Prisma Access (Panorama
Managed).
Your existing data patterns (Objects > Custom Objects > Data Patterns) and data filtering
profiles (Objects > Security Profiles > Data Filtering) are automatically hidden after you
successfully install the Enterprise DLP plugin on your Panorama management server. To
display your existing data patterns and filtering profiles when you need to reference them,
you can temporarily Enable Existing Data Patterns and Filtering Profiles.
STEP 1 | (Best Practices) Before you install the plugin and activate your Enterprise DLP license, select
Assets > Devices to locate your Panorama management server and your managed firewalls
to verify that they all belong to the same CSP account.
Panorama and any managed firewalls on which you want to use Enterprise DLP must belong
to the same CSP account, which enables you to share data profiles and maintain consistent
Security policy rule enforcement.
STEP 5 | Commit and push the new configuration to your managed firewalls to complete the
Enterprise DLP plugin installation.
This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering
logs.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 6 | Activate your Enterprise DLP license on the Palo Alto Networks Customer Support Portal
(CSP).
Repeat this step for all managed firewalls using Enterprise DLP.
1. Log in to the Palo Alto Networks Customer Support Portal.
2. Select Assets > Devices and edit (in the Actions column) the appropriate asset.
3. In the Device Licenses window, Activate Auth-Code and then enter the Authorization
Code (auth code).
The auth code is automatically provided to you by Palo Alto Networks in an email after
you complete your purchase of the Enterprise DLP plugin license.
4. Agree and Submit your auth code.
STEP 7 | (Optional) Create a Palo Alto Networks Support ticket to enable your Enterprise DLP license
to transfer between firewalls.
Requesting that the Enterprise DLP license is transferable enables you to transfer your DLP
license to other managed firewalls.
In the support ticket, include the following information:
• The request for a firewall transfer for the Enterprise DLP license.
• Your CSP account ID and the email associated with your CSP account.
• The managed firewall serial number. If you activated the Enterprise DLP license on multiple
managed firewalls, include the serial numbers for all the managed firewalls in a single
support ticket.
• The auth codes used to activate the Enterprise DLP license on your managed firewalls.
• Also provide the CSP account ID with which additional managed firewalls are associated if
you have managed firewalls that belong to a different CSP account.
STEP 9 | Select Objects > DLP > Data Filtering Profiles and verify that the predefined data filtering
profiles are displayed.
Panorama is automatically populated with predefined data filtering profiles when the
Panorama management server successfully connects to the DLP cloud service.
STEP 10 | Verify that the Enterprise DLP license is successfully activated on your managed firewalls.
1. Launch the firewall web interface.
2. Select Device > Licenses and verify that the license is successfully activated.
STEP 11 | After you successfully install the Enterprise DLP plugin on the Panorama management
server, you must create Security policy rules to enable your managed firewalls to leverage
Enterprise DLP.
STEP 3 | Configure the proxy server settings to enable Panorama to successfully communicate with
the Enterprise DLP cloud service.
This step is required if using a proxy server for your Panorama management server.
Continue to the next step if you aren’t using a proxy server or have already configured
your Panorama proxy server settings.
1. Select Panorama > Setup > Services and edit the Services settings.
2. Configure the proxy server settings.
• Server—IP address or hostname of the proxy server.
• Port—Port for the proxy server.
• User—Administrator username to access the proxy server.
• Password—Password for the user to access the proxy server. Reenter the password
to Confirm Password.
• (Optional) Use proxy to fetch logs from Cortex Data Lake—If you’re using Cortex
Data Lake for log storage, enable this setting.
3. Click OK.
STEP 4 | (Best Practices) Create a service route to enable firewalls to connect to the internet.
Palo Alto Networks recommends configuring a service route to ensure a high level of
performance for Next-Gen firewalls using Enterprise DLP.
By default, matched traffic is sent to the DLP cloud service for inspection through the
management interface. Configuring a service route allows you to dedicate a specific Ethernet
interface from which to send matched traffic to the DLP cloud service.
For a multi-vsys firewall, the service route is a global configuration and is applied to all vsys of
a multi-vsys firewall regardless of which vsys the service route belongs to.
Create a service route for all supported firewall models running PAN-OS 10.1 or a
later release.
1. Select Device > Setup > Services and select the template that contains the Enterprise
DLP configuration.
2. Select Service Route Configuration in the Service Features and select Customize.
3. Select Data Services and configure the Source Interface and Source Address.
The source interface must have internet connectivity. See Configure Interfaces and
Create an Address Object for more information on creating the source interface and
address.
4. Enable Data Services and click OK.
5. Select Device > Setup > Content-ID and copy the Content Cloud Settings FQDN in the
Service URL section.
6. Select Policies > Security and Add a Security policy rule that allows addresses to the
Content Cloud Settings FQDN.
STEP 5 | Add a Security policy rule for dataplane service route traffic from the 127.168.0.0/16
source address to allow traffic originating from the firewall dataplane.
You’re required to create this Security policy rule to enable the DLP cloud service to
successfully scan files in specific scenarios. You can skip this step if these two scenarios below
regarding the intrazone-default Security policy rule don’t apply to your configuration.
• If you created a cleanup Deny Security policy rule that precedes the intrazone-default
Security policy rule. In this scenario, the intrazone-default action is set to Allow.
• If you modified the intrazone-default Security policy rule action from Allow to Deny.
STEP 6 | (Required for DLP 3.0.1 and earlier releases only) Create a decryption profile to remove
application-layer protocol negotiation (ALPN) headers from uploaded files.
Enterprise DLP supports HTTP/1.1. Some applications, such as SharePoint and OneDrive,
support HTTP/2 for uploads by default. Strip ALPN is required to force applications that use
HTTP/2 to fall back to HTTP/1.1, which makes them compatible with Enterprise DLP.
1. Select Objects > Decryption > Decryption Profile and specify the Device Group.
2. Add a new decryption profile.
3. Specify a descriptive Name.
4. (Optional) Enable the Shared option to make this decryption profile available across all
device groups.
5. Select SSL Decryption > SSL Forward Proxy and enable Strip ALPN in the Client
Extension.
6. Click OK.
STEP 7 | (Required for DLP 3.0.1 and earlier releases only) Create a policy rule to remove ALPN
headers from uploaded files.
1. Select Policies > Decryption and specify the Device Group.
2. Add a new decryption policy rule and configure as appropriate.
3. Select Options.
4. For the Action, select Decrypt.
5. Select the Decryption Profile you created.
6. Click OK.
STEP 8 | Disable the Quick UDP Internet Connection (QUIC) protocol to deny traffic on ports 80 and
443.
Many supported web applications, such as Gmail, require that you disable the QUIC protocol
for Enterprise DLP to function correctly.
1. Select Policies > Security and specify the Device Group.
2. Add a Security policy rule that denies traffic that uses the quic application.
3. Select Objects > Services and specify the Device Group.
4. Add two services: one for UDP on port 80 and one for UDP on port 443.
Newer versions of QUIC might be misidentified as unknown-udp. To account for this,
Palo Alto Networks recommends that you add an additional Security policy rule to deny
UDP traffic on those ports.
5. Select Policies > Security and specify the Device Group.
6. Add a Security policy rule that includes the services you created to deny traffic to UDP
ports 80 and 443.
When complete, you will have two Security policy rules; one that blocks the QUIC
protocol and one that blocks UDP traffic on ports 80 and 443.
STEP 11 | Attach the data filtering profile to a Security policy rule. If needed, create a Security policy
rule.
To downgrade your Panorama management server to an earlier PAN-OS version that doesn’t
support Enterprise DLP, you must remove all Enterprise DLP data patterns and data filtering
profiles referenced in your Security policy rules. Consider this when creating and organizing
your policy rules that reference Enterprise DLP data patterns and filtering profiles.
For example, create a device group to contain all your Security policy rules that contain
references to Enterprise DLP data patterns and filtering profiles. This enables you to quickly
modify relevant policy rules should you need to downgrade your Panorama management
server to PAN-OS 10.0.1 or an earlier PAN-OS version.
1. Select Policies > Security > Pre Rules and specify the Device Group.
2. Select the Security policy rule to which you want to add the data filtering profile.
3. Select Actions and set the Profile Type to Profiles.
4. Select the Data Filtering profile you created.
5. Click OK.
STEP 12 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 2 | Select Device > Setup > Content-ID and select the Template associated with the managed
firewalls using Enterprise DLP.
STEP 4 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 2 | Select Device > Setup > DLP and select the Template associated with the managed firewalls
using Enterprise DLP.
For inspection of files greater than 20 MB, Palo Alto Networks recommends
setting the max latency to greater than 60 seconds.
2. Specify the Action on Max Latency (Block or Allow) the firewall takes if no verdict was
received for a file upload due to the upload time exceeding the Max Latency.
(DLP 3.0.3 only) Increasing the max file size for the Enterprise DLP data filtering
settings to 21 MB or greater when Panorama has the Enterprise DLP 3.0.3
plugin installed is supported only from the Panorama CLI.
admin>configure
5. Check (enable) Log Files Not Scanned to generate an alert in the data filtering log when
a file can’t be sent to the DLP cloud service for scanning.
6. Click OK to save your configuration changes.
STEP 4 | Edit the Enterprise DLP Action on Error Setting to configure the action the firewall takes if
any error is encountered during non-file traffic data upload.
STEP 5 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.
STEP 2 | Select Device > Setup > DLP and select the Template associated with the managed firewalls
using Enterprise DLP.
STEP 4 | Edit the Enterprise DLP Action on Error Setting to configure the action the firewall takes if
any error is encountered during non-file traffic data upload.
STEP 5 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.
STEP 2 | Select Panorama > DLP > Configuration and edit the Snippet Settings.
STEP 3 | Check (enable) Store Snippets of Sensitive Data to store the snippets of sensitive data that
match your Enterprise DLP data patterns in the DLP cloud service.
STEP 4 | Configure how to Mask Sensitive Field for storage in the DLP cloud service.
• no-mask—Matched sensitive data snippet isn’t masked and entirely visible when stored in
the DLP cloud service.
• partial-mask—Matched sensitive data snippet is partially masked displaying four characters
when stored in the DLP cloud service.
• full-mask—Matched sensitive data snippet is fully masked when stored in the DLP cloud
service.
STEP 6 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.
STEP 2 | Select Device > Setup > DLP and select the Template associated with the managed firewalls
using Enterprise DLP.
STEP 4 | Specify the Action on any Error the firewall takes if an error is encountered during
upload to the DLP cloud service.
• Select Allow (default) to continue uploading if the firewall experiences any type of error.
• Select Block to stop uploading if the firewall experiences any type of error.
STEP 6 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates.
4. Click OK.
5. Push your configuration changes to your managed firewalls.
STEP 2 | Select Policies > Security and remove all Enterprise DLP data filtering profiles from your
Security policy rules.
This step is required to successfully uninstall the Enterprise DLP plugin.
STEP 3 | Commit and push your configuration changes to your managed firewalls using Enterprise
DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 4 | In the Panorama web interface, select Panorama > Plugins and Uninstall the Enterprise DLP
plugin.
STEP 5 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
Preinstallation Requirements
Before you install the Enterprise DLP plugin, make sure that your Prisma Access deployment meets
the following requirements:
• Make sure that you have purchased the Enterprise DLP add-on license for Prisma Access.
You use the Enterprise DLP plugin to activate the Enterprise DLP functionality for use
with Prisma Access, but it requires an Enterprise DLP add-on license, which includes the
Authorization code (auth code) you need when you activate your license on the Palo Alto
Networks Customer Support Portal (CSP).
• On the Panorama appliance that manages Prisma Access, make sure that you have the
minimum Panorama, content release versions, Enterprise DLP plugin, and Prisma Access
versions.
• The minimum required Panorama version is 10.0.5.
• The minimum required content version is 8334-6362.
• The minimum required DLP plugin version is 1.0.3.
• The minimum required Prisma Access version is 2.0 Innovation and the minimum Cloud
Services plugin version is version 2.0.0.h3-innovation.
If you need to upgrade the Panorama or content release version, install the content and
software updates on Panorama.
• Make sure that you have installed the device certificate on Panorama.
• If you manage on-premises firewalls with Prisma Access, you should install the device
certificate for managed firewalls.
• Make sure that your Prisma Access dataplane has been upgraded.
STEP 1 | From the Panorama that manages Prisma Access, select Panorama > Plugins and search for
the latest version of the Enterprise DLP plugin.
Prisma Access requires a minimum Enterprise DLP plugin version of 1.0.3.
STEP 3 | Commit your changes to Panorama by selecting Commit > Commit to Panorama and
Commit your configuration changes.
STEP 4 | (Optional) If your Panorama manages on-premises firewalls as well as Prisma Access, commit
and push the changes to your managed firewalls.
This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering
logs.
1. Select Commit > Commit to Panorama and Commit your configuration changes.
2. Select Commit > Push to Devices and Edit Selections.
3. Select Device Groups and Include Device and Network Templates and click OK.
4. Push your configuration changes to your managed firewalls.
STEP 2 | Install and activate the DLP plugin. Make a note of the following caveats during installation:
• You don’t have to verify that the Panorama and Prisma Access belong to the same CSP
account; you have already associated the Panorama serial number with the CSP account
when you installed Prisma Access.
• You don’t have to activate the Enterprise DLP plugin on Prisma Access. However, if you
have managed firewalls, you should complete the steps to enter the auth code for the target
managed firewalls.
STEP 3 | (Optional) If you have existing data patterns and data filtering profiles that you use for
Enterprise DLP on Prisma Access, verify that the installation process completed successfully
by checking that the data patterns and data filtering profiles moved to the following
locations in Panorama:
• Data patterns move from Objects > Custom Objects > Data Patterns to Objects > DLP >
Data Filtering Patterns.
• Data filtering profiles move from Objects > Security Profiles > Data Filtering to Objects >
DLP > Data Filtering Profiles.
3. Select Manage > Configuration > Security Services and verify Data Loss Prevention is
displayed.
4. Select Activity > Logs and verify DLP Incidents is displayed.
STEP 4 | Create the decryption profile required for Enterprise DLP to inspect traffic.
1. Select Manage > Configuration > Security Services > Decryption and Add Profile.
2. Enter a descriptive Name for the decryption profile.
3. Review the predefined decryption profile settings.
The predefined decryption profile settings enable Enterprise DLP to inspect traffic.
Modifying the predefined decryption profile settings isn’t required unless you need to
enable Strip ALPN.
4. (Software Version 10.2.2 or earlier versions) Configure the decryption profile to remove
Application-Layer Protocol Negotiation (ALPN) headers from uploaded files.
Remove the ALPN headers from files if any part of your Cloud Management deployment is running
software version 10.2.2 or an earlier version. If your entire Cloud Management deployment
is running software version 10.2.3 or a later version, stripping ALPN headers isn’t required.
A web security admin can also strip ALPN headers in the Web Security
decryption settings (Manage > Web Security > Security Settings > Decryption,
then edit the Action Options). Web Security admins don’t need to create a
decryption policy rule and can push the setting to Remote Networks and Mobile
Users.
STEP 5 | Create a decryption policy rule to decrypt traffic for Enterprise DLP inspection.
STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings.
STEP 4 | Enable Snippets Viewing to store the snippets of sensitive data that match your Enterprise
DLP data patterns in the DLP cloud service.
STEP 5 | Configure Snippets Masking for storage in the DLP cloud service.
• Do not mask—Matched sensitive data snippet isn’t masked and entirely visible in cleartext.
• Partial mask—Matched sensitive data snippet is partially masked, displaying the last two
characters in cleartext.
• Full mask—Matched sensitive data snippet is fully masked.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Data Transfer and edit the Data Transfer settings.
For inspection of files greater than 20 MB, Palo Alto Networks recommends
setting the max latency to greater than 60 seconds.
2. Specify the Action on Max Latency (Allow or Block) Cloud Management takes if no
verdict was received for a file upload because the upload time exceeded the configured
Max Latency.
Selecting Block applies only to Enterprise DLP data profiles configured to block
files. This setting doesn’t impact Enterprise DLP data profiles configured to alert
when traffic containing sensitive data is scanned.
3. Specify the Max File Size (MB) to enforce the maximum file size for files uploaded to the
DLP cloud service for inspection.
4. Specify the Action on Max File Size (Block or Allow) Cloud Management takes if no
verdict was received for a file upload due to the file size being larger than the configured
Max File Size.
Selecting Block applies only to Enterprise DLP data profiles configured to block
files. This setting doesn’t impact Enterprise DLP data filtering profiles configured
to alert when traffic containing sensitive data is scanned.
5. Check (enable) Log Files Not Scanned to generate an alert in the DLP Incidents log when a
file can’t be sent to the DLP cloud service for scanning.
6. Save.
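The Max Latency, Max File Size and Action on any Error settings, in both the Panorama and the Cloud Management procedures above, decide whether an upload fails open or fails closed when the DLP cloud service returns no verdict. The model below is an added example, not code from the guide or the product, that makes the decision explicit, including the guide’s caveat that Block on Max Latency or Max File Size only takes effect for data profiles configured to block, not for alert-only profiles. The evaluation order (error, then file size, then latency, then the verdict) and the treatment of Action on any Error as applying regardless of profile action are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataTransferSettings:
    """The Data Transfer settings from the guide (names follow the UI labels)."""
    max_latency_s: float            # Max Latency
    action_on_max_latency: str      # "allow" or "block"
    max_file_size_mb: float         # Max File Size (MB)
    action_on_max_file_size: str    # "allow" or "block"
    action_on_error: str            # Action on any Error; "allow" is the default


@dataclass
class UploadAttempt:
    """What the firewall knows about one file upload (constructed for the example)."""
    file_size_mb: float
    upload_time_s: float            # seconds elapsed when the wait for a verdict ended
    verdict: Optional[str]          # "block" / "allow" from the DLP cloud service, None if none arrived
    error: bool = False             # an error occurred while uploading to the DLP cloud service


def _fail_action(configured, profile_action):
    # The guide's caveat: Block on Max Latency / Max File Size only bites when the
    # data profile itself is configured to block; alert-only profiles stay allow.
    return "block" if configured == "block" and profile_action == "block" else "allow"


def enforce(settings, attempt, profile_action):
    """Return (final_action, reason) for one upload.

    profile_action is the data (filtering) profile's configured action, "block"
    or "alert". Evaluation order is an assumption for this example: error, file
    size, latency, then a verdict that did arrive."""
    if attempt.error:
        # The guide states no alert-profile caveat for Action on any Error, so the
        # configured action is applied as-is (assumption).
        return settings.action_on_error, "error"
    if attempt.file_size_mb > settings.max_file_size_mb:
        # Files above Max File Size are not uploaded for inspection at all.
        return _fail_action(settings.action_on_max_file_size, profile_action), "max-file-size"
    if attempt.verdict is None:
        if attempt.upload_time_s > settings.max_latency_s:
            return _fail_action(settings.action_on_max_latency, profile_action), "max-latency"
        return "pending", "awaiting-verdict"
    if attempt.verdict == "block":
        # A block verdict is enforced only by a blocking profile; an alert profile logs it.
        return ("block" if profile_action == "block" else "allow"), "verdict"
    return "allow", "verdict"


# A fail-closed configuration for files up to 20 MB with the latency budget the
# guide suggests for larger files.
FAIL_CLOSED = DataTransferSettings(
    max_latency_s=60, action_on_max_latency="block",
    max_file_size_mb=20, action_on_max_file_size="block",
    action_on_error="allow",
)

if __name__ == "__main__":
    big = UploadAttempt(file_size_mb=25, upload_time_s=0, verdict=None)
    slow = UploadAttempt(file_size_mb=5, upload_time_s=75, verdict=None)
    print(enforce(FAIL_CLOSED, big, "block"))    # ('block', 'max-file-size')
    print(enforce(FAIL_CLOSED, big, "alert"))    # ('allow', 'max-file-size')
    print(enforce(FAIL_CLOSED, slow, "block"))   # ('block', 'max-latency')
```

The point the table of settings alone doesn’t make obvious: with an alert-only profile, every one of these fallbacks resolves to allow, so an oversized or slow upload passes silently unless Log Files Not Scanned is enabled.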
STEP 5 | In the DLP Settings, specify the action Cloud Management takes when an error is
encountered while being scanned by the DLP cloud service.
Select Allow to allow the file upload to continue when an error is encountered or Block to
block the upload.
Save to apply the setting.
STEP 3 | Check (enable) Store Snippets of Sensitive Data for Cloud Management or NGFW to store
the snippets of sensitive data that match your Enterprise DLP data patterns in the DLP cloud
service.
STEP 4 | Configure how to Mask sensitive fields in snippets for Cloud Management or NGFW for
storage in the DLP cloud service.
• no-mask—Matched sensitive data snippet isn’t masked and entirely visible when stored in
the DLP cloud service.
• partial-mask—Matched sensitive data snippet is partially masked displaying four characters
when stored in the DLP cloud service.
• full-mask—Matched sensitive data snippet is fully masked when stored in the DLP cloud
service.
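What each masking mode leaves in the stored snippet, as an added example that is not code from the guide or the DLP cloud service: the function masks only the field that matched the data pattern and keeps the surrounding context readable. The number of trailing characters that partial-mask leaves in cleartext is a parameter, four as this Panorama procedure states and two as the Cloud Management procedure states; that the visible characters are the trailing ones is an assumption (the Cloud Management text says "last two", the Panorama text doesn’t say which). The snippet and the SSN-shaped regex are constructed for the example and are not the predefined US Social Security Number data pattern.

```python
import re

MASK_CHAR = "X"


def mask_field(value, mode, visible=4):
    """Mask one matched sensitive field the way the Enterprise DLP snippet
    settings describe it. visible is how many trailing characters partial-mask
    leaves in cleartext: 4 for Panorama-managed firewalls, 2 for Cloud
    Management, per the guide. Keeping the trailing characters is an
    assumption; the Panorama text does not say which ones are shown."""
    if mode == "no-mask":
        return value
    if mode == "full-mask":
        return MASK_CHAR * len(value)
    if mode == "partial-mask":
        keep = min(visible, len(value))
        return MASK_CHAR * (len(value) - keep) + value[-keep:]
    raise ValueError(f"unknown mask mode: {mode}")


def mask_snippet(snippet, pattern, mode, visible=4):
    """Mask only the fields that match the data pattern; surrounding context
    stays readable so an analyst can still triage the incident."""
    return re.sub(pattern, lambda m: mask_field(m.group(0), mode, visible), snippet)


# Constructed snippet and a simplified SSN-shaped pattern (not the predefined
# US Social Security Number data pattern, which carries more validation).
SSN_PATTERN = r"\b\d{3}-\d{2}-\d{4}\b"
SNIPPET = "Employee record: SSN 123-45-6789, backup contact SSN 987-65-4321."

if __name__ == "__main__":
    for mode in ("no-mask", "partial-mask", "full-mask"):
        print(f"{mode:13s} {mask_snippet(SNIPPET, SSN_PATTERN, mode)}")
```

With no-mask, the evidence stored in the DLP cloud service is a second, complete copy of the sensitive value; partial-mask is usually enough to confirm a true positive without that exposure.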
It might take 24-48 hours for Palo Alto Networks to enable EDM functionality for your
DLP app.
STEP 4 | When prompted, click Send Request to confirm your request to enable EDM.
STEP 5 | The DLP app on the hub displays Enable Request Sent while your enablement request
is pending.
STEP 6 | Set Up the EDM CLI Application after EDM is enabled on the DLP app.
EDM functionality is enabled when you can download the EDM CLI application and view the
table where uploaded EDM data sets will be displayed.
It might take 24-48 hours for Palo Alto Networks to enable EDM functionality on Cloud
Management.
STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Exact Data
Matching.
STEP 4 | Cloud Management displays Enablement Request Sent while your enablement request
is pending.
STEP 5 | Set Up the EDM CLI Application after EDM is enabled on Cloud Management.
EDM functionality is enabled when you can download the EDM CLI application and view the
table where uploaded EDM data sets will be displayed.
You don’t need to configure a tenant role for a user if access to only Enterprise DLP
is required.
OCR isn’t supported for Microsoft Visio XML drawing (.vdx) files that need to be rendered
in order to be displayed. For example, OCR can’t inspect a .vdx file if the XML is the drawing
representation.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Detection
Methods > Optical Character Recognition.
OCR isn’t supported for Microsoft Visio XML drawing (.vdx) files that need to be rendered
in order to be displayed. For example, OCR can’t inspect a .vdx file if the XML is the drawing
representation.
Access to evidence storage settings and files on the hub is allowed only for an
account administrator or app administrator roles with a valid Enterprise DLP license
associated with that support account. This is to ensure that only the appropriate users
have access to report data and evidence.
STEP 3 | Select Detection Methods > Optical Character Recognition and enable Optical Character
Recognition (OCR).
OCR is disabled by default. Manually enable OCR in order for the DLP cloud service to scan
images and documents containing images for sensitive information.
Configure Enterprise DLP
Create and configure Enterprise Data Loss Prevention (E-DLP) data patterns and filtering profiles
for use in Security policy rules to enforce your organization’s data security standards to prevent
accidental data misuse, loss, or theft.
• Enterprise DLP Data Patterns
• Enterprise DLP Profiles
• Configure Enterprise DLP on Cloud Management
• Enable Existing Data Patterns and Filtering Profiles
• Configure Exact Data Matching (EDM)
• Enterprise DLP End User Alerting with Cortex XSOAR
• Inspection of Contextual Secrets for Chat Applications
• Enterprise DLP and AI Apps
• Custom Document Templates for Enterprise DLP
• Email DLP
To get more accurate results, Joe can use a weighted regular expression to assign weight
and occurrence scores to the expression, or indicate the information to exclude by assigning a
negative weight value.
Joe enters a negative weight value to exclude tap water and higher values for source water and
the proprietary water additive. The results are filtered and counted down to a more manageable list,
meaning that a document containing 10 occurrences of water counts as one when all files and
folders are scanned. This enables Joe to view the match results, adjust the totals for weight
and occurrences, and calculate an adjusted score to determine whether the content poses a risk to his
organization.
STEP 1 | Consider the best practices for using regular expression matches.
• Use predefined data patterns instead of regular expressions. Use Enterprise DLP
predefined data patterns instead of regular expressions where possible. Data patterns
are more efficient than regular expressions because the predefined data patterns are
tuned for accuracy and the data is validated. For example, if you want to search for social
security numbers, use the US Social Security Number (SSN) data pattern instead of a regular
expression.
• Use regular expressions sparingly. Regular expressions can be computationally expensive.
If you add a regular expression condition, observe the system for 1 hour for efficient
performance. Make sure that the system doesn’t slow down and there are no false
positives.
• Test regular expressions. If you implement regular expression matching, consider using
a third-party tool to test the regular expressions before you enable the policy rules. The
recommended tool is RegexBuddy. Another good tool for testing your regular expressions is
RegExr. If your expression is incorrect, the service can’t match or will match incorrectly.
Term Description
character plays a part in the search, it’s literally the string we want to find.
Quantifier Description
? Match 1 or 0 times.
STEP 5 | Enter one regular expression per line, up to 100 lines of expressions.
STEP 6 | (Weighted expressions only) Assign a weight to each line entry, from -9999 (lowest
importance) to 9999 (highest importance), by entering the regular expression, the
delimiter, and the weight score. You must enter a weight threshold score of one (1) or more.
Delimiter Note
: Colon.
| Pipe.
~ Tilde.
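How the weighted form in STEP 6 turns into a verdict, worked through on Joe’s water-company scenario from earlier in this section, as an added example that is not the guide’s or the product’s code: each line is `regex<delimiter>weight`, every expression that matches contributes its weight once per document (the guide’s "10 occurrences of water counts as one"), and the pattern matches when the summed score reaches the threshold. Taking the weight from the right of the last delimiter (so a `:` or `|` inside the regex is harmless), case-insensitive matching, and the specific terms and weights are all assumptions made for the example.

```python
import re

WEIGHT_MIN, WEIGHT_MAX = -9999, 9999


def parse_weighted_pattern(text, delimiter=":"):
    """Parse one 'regex<delimiter>weight' entry per line (the Advanced /
    weighted form). The weight is taken from the right of the LAST delimiter,
    so ':' or '|' inside the regex itself does not break parsing; that rule is
    an assumption for this example."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        expr, weight = line.rsplit(delimiter, 1)
        w = int(weight)
        if not WEIGHT_MIN <= w <= WEIGHT_MAX:
            raise ValueError(f"weight {w} out of range for: {expr}")
        # Case-insensitive matching is a choice for the example, not a product guarantee.
        entries.append((re.compile(expr, re.IGNORECASE), w))
    return entries


def score_document(text, entries):
    """Sum the weights of the expressions that match. Each expression counts once
    per document regardless of how often it occurs, matching the guide's
    'a document containing 10 occurrences of water counts as one'."""
    score, hits = 0, []
    for rx, w in entries:
        if rx.search(text):
            score += w
            hits.append((rx.pattern, w))
    return score, hits


def is_match(text, entries, threshold):
    """The data pattern matches when the adjusted score reaches the threshold (>= 1)."""
    if threshold < 1:
        raise ValueError("weight threshold must be 1 or more")
    return score_document(text, entries)[0] >= threshold


# Joe's water-company pattern from the guide, written out as constructed entries:
# a negative weight excludes generic tap-water content, positive weights favour the
# terms that indicate proprietary process information.
WATER_PATTERN = r"""
\bsource water\b:50
\bproprietary (additive|formula)\b:80
\btap water\b:-100
"""
THRESHOLD = 100
ENTRIES = parse_weighted_pattern(WATER_PATTERN)

# Constructed documents.
DOC_PROCESS = "Our source water is blended with the proprietary additive in tank 3; water, water, water."
DOC_PUBLIC = "Tap water quality report: tap water, tap water, and some source water notes."
DOC_MARKETING = "Proprietary additive dosing chart, no other details."

if __name__ == "__main__":
    for doc in (DOC_PROCESS, DOC_PUBLIC, DOC_MARKETING):
        score, hits = score_document(doc, ENTRIES)
        print(score, is_match(doc, ENTRIES, THRESHOLD), hits)
```

The negative weight is what keeps the public water-quality report below the threshold even though it also mentions source water; without it the pattern would fire on every customer-facing document that uses the same vocabulary.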
STEP 2 | Select Detection Methods > Data Patterns and Add Data Patterns.
You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, expand the Actions column for the data
pattern you want to copy and Clone the data pattern. You can then configure the
custom data pattern you copied as needed.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident
Enterprise DLP is when detecting matched traffic. Enterprise DLP determines the confidence level
by inspecting the distance of regular expression matches to proximity keywords.
STEP 2 | Select Detection Methods > Data Patterns and Add Data Patterns.
You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, expand the Actions column for the data
pattern you want to copy and Clone the data pattern. You can then configure the
custom data pattern you copied as needed.
Leave the File Property Type empty if you plan to use keyword as the file
property Name. This is required to successfully match traffic against the
keyword file property.
bc88714345d2_contentbits=10;msip_label_defa4170-0d19-0005-000b-bc76701345f1_contentbits=10.
• Asset Name—File name for files you want to prevent exfiltration.
Only one Asset Name entry is supported per data pattern. However, you can add
up to 100 Asset Name values to an Asset Name entry using ; as a separator. For
example, notes; billing-info;customer-data.
Fully formed regex expressions are supported for the Asset Name value. Wildcards
are not supported. For example, (?i)(\W|^)(ssn|social|security\security|credit\card|phone|credit\card)(\W|$).
• Author—File owner first and last name in the asset metadata.
Only one Author entry is supported per data pattern. However, you can add up to
100 Author values to an Author entry using ; as a separator. For example, Bill
Smith; john doe; leslieBarnes.
The Author values are case and space insensitive.
The Author file property type is not supported for source code files.
For files protected with AIP labels, you must enter the full AIP
label Name that you want to take action on. This must be the
MSIP_Label_<GUID>_Enabled label name.
3. Enter the file property Value.
4. (Optional) Add File Property to define additional file property patterns.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Detection
Methods > Data Patterns.
You can also create a new custom data pattern by copying an existing custom data
pattern. To copy a custom data pattern, select the data pattern name to view the data
pattern details and copy it. You can then configure the custom data pattern you
copied as needed.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident
Enterprise DLP is when detecting matched traffic. Enterprise DLP determines the confidence level
by inspecting the distance of regular expression matches to proximity keywords.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Detection
Methods > Data Patterns.
You can also create a new file property data pattern by copying an existing file
property data pattern. To copy a custom data pattern, select the data pattern name to
view the data pattern details and copy it. You can then configure the file property
data pattern you copied as needed.
Leave the File Property Type empty if you plan to use keyword as the file
property Name. This is required to successfully match traffic against the
keyword file property.
bc88714345d2_contentbits=10;msip_label_defa4170-0d19-0005-000b-bc76701345f1_contentbits=10.
• Asset Name—File name for files you want to prevent exfiltration.
Only one Asset Name entry is supported per data pattern. However, you can add
up to 100 Asset Name values to an Asset Name entry using ; as a separator. For
example, notes; billing-info;customer-data.
Fully formed regex expressions are supported for the Asset Name value. Wildcards
are not supported. For example, (?i)(\W|^)(ssn|social|security\security|credit\card|phone|credit\card)(\W|$).
• Author—File owner first and last name in the asset metadata.
Only one Author entry is supported per data pattern. However, you can add up to
100 Author values to an Author entry using ; as a separator. For example, Bill
Smith; john doe; leslieBarnes.
The Author values are case and space insensitive.
The Author file property type is not supported for source code files.
For files protected with AIP labels, you must enter the full AIP
label Name that you want to take action on. This must be the
MSIP_Label_<GUID>_Enabled label name.
3. Enter the file property Value.
4. (Optional) Add File Property to define additional file property patterns.
Clone a predefined regex data pattern to add specific inclusion or exclusion criteria and provide custom
match criteria that enhance detection and prevention of exfiltration of sensitive data. This
lets you extend a predefined regex data pattern with more customized match criteria.
STEP 1 | Log in to the Strata Cloud Manager.
STEP 2 | Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data
Patterns.
STEP 5 | Add the custom match criteria to specify data to include or exclude from inspection and
verdict rendering.
Up to 50,000 characters are supported in each field. You can add multiple custom match
criteria in a single field, separated by a semicolon (;). You can specify one, some, or all of the
custom match criteria fields.
• Include Matches Starting With—Inclusive match criteria to inspect for and trigger
Enterprise DLP enforcement for only data matches starting with one or more of the criteria
added.
This field is an AND operator.
• Include Matches End With—Inclusive match criteria to inspect for and trigger Enterprise
DLP enforcement for only data matches ending with one or more of the criteria added.
This field is an AND operator.
• Exclude Matches Starting With—Exclude match criteria from Enterprise DLP inspection and
enforcement for data matches starting with one or more of the criteria added.
This field is an OR operator.
• Exclude Matches Ending With—Exclude match criteria from Enterprise DLP inspection and
enforcement for data matches ending with one or more of the criteria added.
This field is an OR operator.
STEP 6 | Save.
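What the four custom match criteria fields do to the matches of a cloned pattern, as an added example that is not the guide’s or the product’s code: the function runs the pattern’s regex and then filters each match by prefix and suffix. The combination rule is the example’s reading of the AND/OR notes above (every Include field that is set must be satisfied, any value within a field is enough; any Exclude field that hits drops the match) and is an assumption. The regexes are simplified stand-ins for the predefined patterns and the input text is constructed; the SSN exclusions rely on the fact that area numbers 000, 666 and 900-999 and serial 0000 are never issued.

```python
import re


def parse_criteria(field):
    """Split one custom match criteria field; multiple values are separated by ';'."""
    return tuple(c.strip() for c in field.split(";") if c.strip())


def apply_custom_match_criteria(text, regex, include_start="", include_end="",
                                exclude_start="", exclude_end=""):
    """Run the cloned pattern's regex, then keep only the matches that satisfy
    the custom match criteria.

    Semantics assumed for the example, from the guide's AND/OR notes: a match
    must satisfy every Include field that is set (AND across fields, any value
    within a field), and is dropped if it hits any Exclude field (OR)."""
    inc_s, inc_e = parse_criteria(include_start), parse_criteria(include_end)
    exc_s, exc_e = parse_criteria(exclude_start), parse_criteria(exclude_end)
    kept = []
    for m in re.finditer(regex, text):
        value = m.group(0)
        if inc_s and not value.startswith(inc_s):
            continue
        if inc_e and not value.endswith(inc_e):
            continue
        if exc_s and value.startswith(exc_s):
            continue
        if exc_e and value.endswith(exc_e):
            continue
        kept.append(value)
    return kept


# Constructed inputs. The regexes are simplified stand-ins for the predefined
# patterns, which carry more validation than shown here.
SSN_LIKE = r"\b\d{3}-\d{2}-\d{4}\b"
SSN_TEXT = "ids: 123-45-6789, 000-12-3456, 666-00-1234, 987-65-4321, 456-78-0000"

CARD_LIKE = r"\b\d{16}\b"
CARD_TEXT = "4111111111111111 5500000000000004 6011000000000004 3530111333300000"


def ssn_without_invalid_ranges(text=SSN_TEXT):
    # Area numbers 000, 666 and 900-999 and serial 0000 are never issued, so
    # excluding them removes test data and obvious false positives.
    return apply_custom_match_criteria(text, SSN_LIKE,
                                       exclude_start="000-;666-;9",
                                       exclude_end="-0000")


def visa_or_mastercard_only(text=CARD_TEXT):
    # Include criteria narrow a broad pattern to the prefixes you care about.
    return apply_custom_match_criteria(text, CARD_LIKE, include_start="4;5")


if __name__ == "__main__":
    print(ssn_without_invalid_ranges())   # ['123-45-6789']
    print(visa_or_mastercard_only())      # ['4111111111111111', '5500000000000004']
```

Because the criteria are plain prefix and suffix strings, they are cheap compared with a new regex and can be tuned without touching the predefined pattern itself.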
STEP 2 | Select Objects > DLP > Data Filtering Patterns and specify the Device Group.
STEP 4 | Specify a Type and criteria for the data pattern and specify a Name.
Use any of the following data pattern types:
• Regular Expression—Create regular expressions to use in the data pattern.
You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create
a basic or weighted regular expression. With weighted regular expressions, each text
entry is assigned a score and when the score threshold is exceeded, such as when enough
expressions from a pattern match an asset, Enterprise DLP will indicate that the asset is a
match for the pattern.
Then use the query builder in the Regular Expressions field to add either regular (Basic) or
weighted (Advanced) expressions.
You can enter one or more Proximity Keywords to use with the data filtering pattern.
Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords
to increase the probability Enterprise DLP accurately detects a regular expression match.
Proximity keywords impact the Enterprise DLP confidence level, which reflects how
confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines
confidence level by inspecting the distance of regular expressions to proximity keywords.
• File Property—Add a file property pattern on which to match.
For data governance and protection of information, if you use classification labels or embed
tags in MS Office and PDF documents to include more information for audit and tracking
purposes, you can create a file property data pattern to match on the metadata or attributes
that are part of the custom or extended properties in the file. Regardless of whether you use
an automated classification mechanism, such as Titus, or require users to add a tag manually,
you can specify a name-value pair on which to match in a custom or extended property
embedded in the file.
Enterprise DLP supports file property data patterns in MS Office and PDF documents and
supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
Then add a Tag Name and Tag Value.
A Tag Name and Tag Value are an associated pair that specifies the property for which
you want to look (for example, you can specify a Tag Name of Label and a Tag Value
of Confidential). You can add as many file properties as you’d like and when you later
reference the file property data pattern in a data filtering profile, Enterprise DLP will use a
boolean OR match in the match criteria.
For files protected with Microsoft Azure Information Protection (AIP), you must
enter the full AIP label Name that you want to take action on. This can be either the
MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
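The following Python model is an added illustration of the weighted regular expression and proximity keyword behaviour described above; it is not Palo Alto Networks code and not the product's scoring algorithm. The per-expression scoring rule, the 100-character keyword window, the regexes, the scores and the sample texts are all assumptions.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class WeightedExpression:
    """One text entry of an Advanced (weighted) data pattern and its score."""
    regex: str
    score: int


@dataclass(frozen=True)
class WeightedPattern:
    """A weighted regular-expression data pattern with optional proximity keywords.

    threshold: the pattern matches once the summed score exceeds this value.
    window: how close (in characters) a regex hit must be to a proximity
    keyword to raise confidence. The guide gives no figure, so 100 is assumed.
    """
    name: str
    expressions: tuple
    threshold: int
    proximity_keywords: tuple = ()
    window: int = 100


def nearest_keyword_gap(text, hit, keywords):
    """Smallest number of characters between `hit` (start, end) and any
    proximity keyword. Keywords are matched case-insensitively, as the guide
    states. Returns None when no keyword occurs in the text."""
    lowered = text.lower()
    best = None
    for keyword in keywords:
        for m in re.finditer(re.escape(keyword.lower()), lowered):
            # distance between the two spans, 0 if they overlap
            gap = max(0, max(hit[0], m.start()) - min(hit[1], m.end()))
            if best is None or gap < best:
                best = gap
    return best


def evaluate_pattern(pattern, text):
    """Score `text` against `pattern` and derive a confidence level.

    Assumed scoring rule: an expression contributes its score once if it
    matches anywhere; the pattern matches when the total exceeds the threshold.
    Assumed confidence rule: 'high' if any hit lies within `window` characters
    of a proximity keyword, 'low' otherwise, 'n/a' if no keywords are defined.
    """
    total = 0
    hits = []
    for expr in pattern.expressions:
        found = [(m.start(), m.end()) for m in re.finditer(expr.regex, text)]
        if found:
            total += expr.score
            hits.extend(found)
    confidence = "n/a"
    if pattern.proximity_keywords:
        confidence = "low"
        for hit in hits:
            gap = nearest_keyword_gap(text, hit, pattern.proximity_keywords)
            if gap is not None and gap <= pattern.window:
                confidence = "high"
                break
    return {"pattern": pattern.name, "score": total,
            "matched": total > pattern.threshold, "confidence": confidence}


# Constructed pattern for a US-style HR record; regexes, scores and keywords are assumptions.
HR_PATTERN = WeightedPattern(
    name="hr-record",
    expressions=(
        WeightedExpression(r"\b\d{3}-\d{2}-\d{4}\b", 5),   # SSN-shaped number
        WeightedExpression(r"\b\d{2}/\d{2}/\d{4}\b", 3),   # date of birth
        WeightedExpression(r"\b\d{3}-\d{4}\b", 2),         # short phone number
    ),
    threshold=5,
    proximity_keywords=("social security", "SSN", "date of birth"),
)

# Constructed scan inputs; every identifier in them is made up.
SAMPLE_TEXTS = {
    "onboarding_form": "Employee onboarding form. SSN: 123-45-6789. Date of birth: 04/12/1985.",
    "shipping_note": "Order 123-45-6789 shipped on 04/12/1985 to dock 7.",
    "invoice": "Invoice total 1234.56, phone 555-0100.",
}

if __name__ == "__main__":
    for label, text in SAMPLE_TEXTS.items():
        print(label, evaluate_pattern(HR_PATTERN, text))
```

The shipping note scores exactly like the onboarding form but gets low confidence because no proximity keyword sits near the hits, which is the distinction the keywords are there to make.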
STEP 6 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 7 | Create a Data Filtering Profile on Panorama using one or more data patterns.
Updating a data profile to include an EDM data set isn’t supported if the data profile did
not include an EDM data set when it was initially created.
If you want to create a data profile that combines a predefined or custom data pattern
and an EDM data set, see Create a Data Profile with Data Patterns and EDM Data
Sets on the DLP App.
STEP 2 | Select Data Profiles > Add Data Profile > Classic Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.
Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.
Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.
Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data patterns by default and can’t be modified.
If you want to allow traffic that matches a data pattern match criteria, add it to
the Primary Rule.
7. Review the Data Profile Preview to verify the data profile match criteria.
8. Save the data profile.
After you save the data profile, it’s viewable on Panorama, Prisma Access (Panorama
Managed), and Cloud Management.
If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.
Create a Data Profile with EDM Data Sets on the DLP App
Create a data profile with exact data matching (EDM) data sets in the DLP app on the hub. Data
profiles with EDM data sets created in the DLP app are automatically synchronized with your
Panorama™ management server so you can use the data profile in your Security policy rules.
For the DLP cloud service to render a match verdict using the data profile, the primary and
secondary field values in a scanned file must be within 100 characters of each other.
Otherwise, the DLP cloud service is unable to render a match verdict. Data profiles with an EDM
data set can only be created on the DLP app on the hub and are viewable on Panorama, Prisma
Access (Panorama Managed), Cloud Management, and the DLP app on the hub. Viewing a data
profile created on the DLP app on Panorama requires the Panorama plugin for Enterprise DLP 1.0.4
or a later release.
After you set up the EDM CLI application and configure connectivity to the DLP cloud service,
you must upload an encrypted EDM data set to the DLP cloud service using a configuration file or
in Interactive mode before you can create a data profile with EDM data sets.
Updating a data profile to include only data patterns isn’t allowed if the data profile
included at least one EDM data set when it was initially created. However, updating a
data profile that includes only EDM data sets to include both EDM data sets and data
patterns is supported.
See Create a Data Profile on the DLP App to create a data profile containing only
predefined or custom data patterns.
STEP 2 | Select Data Profiles > Add Data Profile > Advanced Data Profiles.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.
Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.
When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column whose values occur up to 12 times in the
selected EDM data set for the Primary Field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card number, add
social security number and credit card number in the primary field.
6. (Optional) Select the Secondary Field values.
The list of available fields is populated from the selected EDM data set.
For the best exact data matching results, include any columns whose values could
be repeated in the secondary field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card
number, add first name and last name in the secondary field.
7. (Optional) Add EDM Dataset to add additional data pattern conditions using AND or OR
operators to the Primary Rule.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
8. (Optional) Add Group to nest additional match criteria for an EDM data set so you can
more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added EDM data set. You can’t nest a new match criteria group between
existing EDM data sets. If multiple EDM data sets are added, you must remove the EDM
data sets that follow the EDM data set for which you want to add the nested match
criteria. For example, you added EDM_Dataset1, EDM_Dataset2, and EDM_Dataset3
to the Primary Rule. If you want to add nested match criteria to EDM_Dataset2,
you must first remove EDM_Dataset3 from the Primary Rule.
You can select the same EDM data set or a different EDM data set to more accurately
define your compliance rules. Nesting match criteria is supported only when the data
profile includes an EDM data set. Enterprise DLP supports up to three levels of additional
nesting groups for each EDM data set. You can nest additional EDM data sets under an
EDM data set added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data patterns by default and can’t be modified. If you want
to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.
STEP 5 | Review the Data Profile Preview to verify the data profile match criteria.
If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.
Create a Data Profile with Data Patterns and EDM Data Sets on
the DLP App
Enterprise Data Loss Prevention (E-DLP) supports creation of data profiles that contain at least
one predefined or custom Enterprise DLP data pattern and at least one EDM data set pattern.
Data profiles with a data pattern and an EDM data set can only be created on the DLP app on the
hub and are viewable on Panorama, Prisma Access (Panorama Managed), Cloud Management, and
the DLP app on the hub. Viewing a data profile created on the DLP app on Panorama requires the
Panorama plugin for Enterprise DLP 1.0.4 or a later release.
When you create a data profile using predefined data patterns, be sure to consider the detection
types used by the predefined data patterns because the detection type determines how
Enterprise DLP arrives at a verdict for scanned files.
Updating a data profile to include only data patterns isn’t allowed if the data profile
included at least one EDM data set when it was initially created. However, updating a
data profile that includes only EDM data sets to include both EDM data sets and data
patterns is supported.
See Create a Data Profile on the DLP App to create a data profile containing only
predefined or custom data patterns.
STEP 2 | Select Data Profiles > Add Data Profile > Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.
Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.
Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.
1. Configure whether a Security policy rule action is taken if Any (OR) or All (AND)
primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
2. (Any (OR) only) Enter the Count to specify the number of instances of matched traffic
required to trigger a Security policy rule action. Range is 1 - 500.
When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column whose values occur up to 12 times in the
selected EDM data set for the Primary Field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card number, add
social security number and credit card number in the primary field.
7. (Optional) Add Group to nest additional match criteria for a data pattern or EDM data
set so you can more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added data pattern or EDM data set. You can’t nest a new match criteria group
between existing data patterns or EDM data sets. If multiple data patterns or EDM data
sets are added, you must remove the data patterns or EDM data sets that follow the
data pattern or EDM data set for which you want to add the nested match criteria. For
example, you added EDM_Dataset1, Data_Pattern2, and EDM_Dataset3 to the
Primary Rule. If you want to add nested match criteria to Data_Pattern2, you
must first remove EDM_Dataset3 from the Primary Rule.
You can select the same data pattern or EDM data set, or a different data pattern or EDM
data set, to more accurately define your compliance rules. Nesting match criteria is
supported only when the data profile includes an EDM data set. Enterprise DLP supports
up to three levels of additional nesting groups for each data pattern or EDM data set. You
can nest additional data patterns or EDM data sets under a data pattern or EDM data set
added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
8. (Optional) Configure a Secondary Rule.
Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data patterns by default and can’t be modified.
If you want to allow traffic that matches a data pattern match criteria, add it to
the Primary Rule.
9. Review the Data Profile Preview to verify the data profile match criteria.
10. Save the data profile.
If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.
Create a Data Profile with Nested Data Profiles on the DLP App
Enterprise Data Loss Prevention (E-DLP) supports creating a single data profile that contains
multiple nested data profiles. This allows you to consolidate the match criteria that prevent
exfiltration of sensitive data into a single data profile that can be used in a single Security
policy rule, which simplifies the management of sensitive data leaving your network and reduces
the need to manage multiple Security policy rules and data profiles. A data profile that contains
multiple nested data profiles created on the DLP app on the hub is viewable on Panorama, Prisma
Access (Panorama Managed), Cloud Management, and the DLP app on the hub. Viewing a data
profile created on the DLP app on Panorama requires the Panorama plugin for Enterprise DLP 1.0.4
or a later release.
When you create a data profile that contains predefined data profiles and patterns, be sure to
consider the detection types used by the predefined data patterns because the detection type
determines how Enterprise DLP arrives at a verdict for scanned files.
• Adding, deleting, or otherwise modifying the nested data profiles you add to a data
profile is supported only from the DLP app on the hub and Cloud Management, not
from Panorama.
• Adding a nested data profile to another nested data profile is not supported.
• Nesting a data profile that includes an EDM data set into an existing data profile is
supported even if no EDM data set was included when the data profile was originally created.
STEP 3 | Select Data Profiles > Add Data Profile > Nested Data Profiles.
You can also create a new data profile by copying an existing data profile that already contains
multiple data profiles. This allows you to quickly modify an existing data profile with additional
data profile match criteria while preserving the original data profile from which the new data
profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>.
If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.
Updating a data profile to include an EDM data set isn’t supported if the data profile
didn’t include an EDM data set when it was initially created.
If you want to create a data profile that combines a predefined or custom data pattern
and an EDM data set, see Create a Data Profile with Data Patterns and EDM Data
Sets on Cloud Management.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profile > Classic Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.
Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.
Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.
Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data pattern conditions. If you want to allow
traffic that matches a data pattern match criteria, add it to the Primary Rule.
7. Review the Data Profile Preview to verify the data profile match criteria.
8. Save the data profile.
After you save the data profile, it’s viewable on Panorama, Prisma Access (Panorama
Managed), Cloud Management, and the DLP app.
Updating a data profile to include only data patterns isn’t supported if the data profile
included at least one EDM data set when it was initially created. However, updating a data
profile that includes only EDM data sets to include data patterns is supported.
See Create a Data Profile on Cloud Management to create a data profile containing
only predefined or custom data patterns.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profile > Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you to
modify an existing data profile with additional match criteria while preserving the original data
profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.
Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.
When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column whose values occur up to 12 times in the
selected EDM data set for the Primary Field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card number, add
social security number and credit card number in the primary field.
6. (Optional) Select the Secondary Field values.
The list of available fields is populated from the selected EDM data set.
For the best exact data matching results, include any columns whose values could
be repeated in the secondary field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card
number, add first name and last name in the secondary field.
7. (Optional) Add EDM Dataset to add additional data pattern conditions.
Refer to the descriptions above to configure any additional data pattern conditions as
needed.
8. (Optional) Add Group to nest additional match criteria for an EDM data set so you can
more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added EDM data set. You can’t nest a new match criteria group between
existing EDM data sets. If multiple EDM data sets are added, you must remove the EDM
data sets that follow the EDM data set for which you want to add the nested match
criteria. For example, you added EDM_Dataset1, EDM_Dataset2, and EDM_Dataset3
to the Primary Rule. If you want to add nested match criteria to EDM_Dataset2,
you must first remove EDM_Dataset3 from the Primary Rule.
You can select the same EDM data set or a different EDM data set to more accurately
define your compliance rules. Nesting match criteria is supported only when the data
profile includes an EDM data set. Enterprise DLP supports up to three levels of additional
nesting groups for each EDM data set. You can nest additional EDM data sets under an
EDM data set added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data pattern conditions. If you want to allow traffic that
matches a data pattern match criteria, add it to the Primary Rule.
STEP 5 | Review the Data Profile Preview to verify the data profile match criteria.
Create a Data Profile with Data Patterns and EDM Data Sets on
Cloud Management
Enterprise Data Loss Prevention (E-DLP) supports creation of data profiles that contain at least
one predefined or custom Enterprise DLP data pattern and at least one EDM data set pattern.
Data profiles with a data pattern and an EDM data set created on Cloud Management are
viewable on Panorama, Prisma Access (Panorama Managed), Cloud Management, and the DLP
app on the hub. Viewing a data profile created on Cloud Management on Panorama requires the
Panorama plugin for Enterprise DLP 1.0.4 or a later release.
When you create a data profile using predefined data patterns, be sure to consider the detection
types used by the predefined data patterns because the detection type determines how
Enterprise DLP arrives at a verdict for scanned files.
Updating a data profile to include only data patterns isn’t supported if the data profile
included at least one data pattern and one EDM data set when it was initially created.
However, updating a data profile that includes both EDM data sets and data patterns to
include only EDM data sets is supported.
See Create a Data Profile on Cloud Management to create a data profile containing
only predefined or custom data patterns. See Create a Data Profile with EDM Data Sets
on Cloud Management to create a data profile containing only EDM data sets.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profile > Advanced Data Profile.
You can also create a new data profile by copying an existing data profile. This allows you
to quickly modify an existing data profile with additional match criteria while preserving the
original data profile from which the new data profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>. This name can be edited as needed.
Adding an EDM data set to a copied data profile is supported only if the original data
profile had an EDM data set to begin with. Adding an EDM data set to a data profile
that doesn’t already have an EDM data set isn’t supported.
Data pattern match criteria for traffic that you want to allow must be added to the
Primary Rule. Data pattern match criteria for traffic that you want to block can be
added to either Primary Rule or Secondary Rule.
• More than or equal to—Security policy rule action triggered if Enterprise DLP
detects at least the specified Count of instances of matched traffic.
• Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects
a number of instances of matched traffic that falls within the specified Count range.
• Count—Specify the number of instances of matched traffic required to trigger a
Security policy rule action. Range is 1 - 500.
6. Configure the EDM data set Primary Fields values.
1. Configure whether a Security policy rule action is taken if Any (OR) or All (AND)
primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
2. (Any (OR) only) Enter the Count to specify the number of instances of matched traffic
required to trigger a Security policy rule action. Range is 1 - 500.
When you select Any (OR), the maximum Count setting is one less than the
total number of fields included in the Primary Field or Secondary Field.
3. Select the Primary Fields values.
The list of available values is populated from the selected EDM data set. You must
select at least one primary field value.
You’re required to add at least one column whose values occur up to 12 times in the
selected EDM data set for the Primary Field. For example, if the EDM data set contains
columns for first name, last name, social security number, and credit card number, add
social security number and credit card number in the primary field.
7. (Optional) Add Group to nest additional match criteria for a data pattern or EDM data
set so you can more accurately define your compliance rules.
When you click Add Group, the new match criteria group is nested under the most
recently added data pattern or EDM data set. You can’t nest a new match criteria group
between existing data patterns or EDM data sets. If multiple data patterns or EDM data
sets are added, you must remove the data patterns or EDM data sets that follow the
data pattern or EDM data set for which you want to add the nested match criteria. For
example, you added EDM_Dataset1, Data_Pattern2, and EDM_Dataset3 to the
Primary Rule. If you want to add nested match criteria to Data_Pattern2, you
must first remove EDM_Dataset3 from the Primary Rule.
You can select the same data pattern or EDM data set, or a different data pattern or EDM
data set, to more accurately define your compliance rules. Nesting match criteria is
supported only when the data profile includes an EDM data set. Enterprise DLP supports
up to three levels of additional nesting groups for each data pattern or EDM data set. You
can nest additional data patterns or EDM data sets under a data pattern or EDM data set
added to the Primary or Secondary Rule.
Nested match criteria support the AND, OR, and NOT operators. Refer to the
descriptions above to configure the nested match criteria.
8. (Optional) Configure a Secondary Rule.
Data pattern match criteria added to the Secondary Rule block all traffic that
meets the match criteria for the data pattern conditions. If you want to allow
traffic that matches a data pattern match criteria, add it to the Primary Rule.
9. Review the Data Profile Preview to verify the data profile match criteria.
10. Save the data profile.
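The EDM data profile rules described in the DLP app and Cloud Management procedures above (Any (OR) with a Count versus All (AND), the Count limits, the 100-character distance between primary and secondary field values, and the advice to use rarely repeated columns as primary fields) can be checked against sample data with the following Python model. It is an added example, not the DLP cloud service's matching engine; the data set, the scan inputs, and the reading of Count as a number of matched fields are assumptions.

```python
import re

PROXIMITY = 100  # characters; the guide's maximum distance between primary and secondary values

# Constructed EDM data set with the guide's example columns. Every value is made up.
EDM_DATASET = [
    {"first_name": "Ana", "last_name": "Ruiz", "ssn": "123-45-6789", "credit_card": "4111111111111111"},
    {"first_name": "Ben", "last_name": "Okafor", "ssn": "987-65-4321", "credit_card": "5500000000000004"},
    {"first_name": "Carla", "last_name": "Ruiz", "ssn": "555-12-3456", "credit_card": "340000000000009"},
]

# Profile modelled on the procedure: rarely repeated columns as primary fields, repeatable
# columns as secondary fields. "any" = Any (OR) with a Count, "all" = All (AND).
PROFILE = {
    "primary_fields": ("ssn", "credit_card"), "primary_mode": "any", "primary_count": 1,
    "secondary_fields": ("first_name", "last_name"), "secondary_mode": "all", "secondary_count": 0,
}


def repeated_columns(dataset, fields, limit=12):
    """Columns whose most common value occurs more than `limit` times. By the
    guide's rule such columns belong in the secondary field, not the primary field."""
    flagged = []
    for field in fields:
        counts = {}
        for row in dataset:
            counts[row[field]] = counts.get(row[field], 0) + 1
        if max(counts.values()) > limit:
            flagged.append(field)
    return flagged


def validate_profile(profile):
    """Enforce the Count limits stated in the guide: 1-500, and under Any (OR)
    at most one less than the number of selected fields."""
    for side in ("primary", "secondary"):
        fields = profile.get(f"{side}_fields", ())
        if fields and profile[f"{side}_mode"] == "any":
            count = profile[f"{side}_count"]
            if not 1 <= count <= 500 or count > len(fields) - 1:
                raise ValueError(f"{side} Count {count} is invalid for {len(fields)} fields")
    return True


def _spans(text, value):
    """Start/end offsets of every literal occurrence of `value` in `text`."""
    return [(m.start(), m.end()) for m in re.finditer(re.escape(value), text)]


def _gap(a, b):
    """Characters separating two spans (0 when they overlap)."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))


def _needed(mode, count, nfields):
    """Fields that must match: all of them under All (AND), `count` under Any (OR)."""
    return nfields if mode == "all" else count


def record_matches(text, row, profile):
    """True when `row` is disclosed in `text`: enough primary field values are
    present and, if secondary fields are configured, enough secondary values lie
    within PROXIMITY characters of a primary hit."""
    primary = {f: _spans(text, row[f]) for f in profile["primary_fields"]}
    primary = {f: spans for f, spans in primary.items() if spans}
    needed = _needed(profile["primary_mode"], profile["primary_count"], len(profile["primary_fields"]))
    if len(primary) < needed:
        return False
    secondary = profile.get("secondary_fields", ())
    if not secondary:
        return True
    anchors = [span for spans in primary.values() for span in spans]
    near = {f for f in secondary
            if any(_gap(s, a) <= PROXIMITY for s in _spans(text, row[f]) for a in anchors)}
    return len(near) >= _needed(profile["secondary_mode"], profile["secondary_count"], len(secondary))


def scan(text, dataset=EDM_DATASET, profile=PROFILE):
    """Return the data set rows that `text` discloses under `profile`."""
    validate_profile(profile)
    return [row for row in dataset if record_matches(text, row, profile)]


# Constructed scan inputs.
SAMPLE_DOCS = {
    "ticket": "Customer Ana Ruiz, SSN 123-45-6789, called about the charge.",
    "far_apart": "SSN 123-45-6789 appears in the export. " + "." * 150 + " Prepared for Ana Ruiz.",
    "no_primary": "Ben Okafor called from extension 4021.",
}

if __name__ == "__main__":
    print("repeated columns:", repeated_columns(EDM_DATASET, ("first_name", "last_name", "ssn"), limit=1))
    for name, doc in SAMPLE_DOCS.items():
        print(name, "->", [r["ssn"] for r in scan(doc)])
```

The far_apart document carries the same SSN as the ticket but the name sits more than 100 characters away, so no verdict is reached, which is the case the 100-character rule above describes.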
When you create a data profile that contains predefined data profiles and patterns, be sure to
consider the detection types used by the predefined data patterns because the detection type
determines how Enterprise DLP arrives at a verdict for scanned files.
• Adding, deleting, or otherwise modifying the nested data profiles you add to a data
profile is supported only from the DLP app on the hub and Cloud Management, not
from Panorama.
• Adding a nested data profile to another nested data profile is not supported.
• Nesting a data profile that includes an EDM data set into an existing data profile is
supported even if no EDM data set was included when the data profile was originally created.
STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and Add Data Profiles > Nested Data Profiles.
You can also create a new data profile by copying an existing data profile that already contains
multiple data profiles. This allows you to quickly modify an existing data profile with additional
data profile match criteria while preserving the original data profile from which the new data
profile was copied.
Data profiles created by copying an existing data profile are appended with Copy -
<name_of_original_data_profile>.
If the data profile has both Primary and Secondary Patterns, changing the data
profile Action on Panorama deletes all Secondary Pattern match criteria.
STEP 2 | Edit the Enterprise DLP Data Filtering Settings to configure the minimum and maximum data
size limits and the actions the firewall takes when uploading files to the DLP cloud service.
STEP 4 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
• If you select Advanced, you can create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the
page.
Specify the values in the order that they’re shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence).
If the data filtering profile has both Primary and Secondary Patterns, changing the
data profile Action on Panorama deletes all Secondary Pattern match criteria.
STEP 8 | Specify the file types the DLP cloud service takes action against.
• DLP plugin 4.0.0 and earlier releases
Select the File Type. By default, any is selected, which inspects all supported file types.
• DLP plugin 4.0.1 and later releases
1. Select File Types.
2. Select the Scan Type to create a file type include or exclude list.
• Include—DLP cloud service inspects only the file types you add to the File Type Array.
• Exclude—DLP cloud service inspects all supported file types except for those added
to the File Type Array.
3. Click Modify to add the file types to the File Type Array and click OK.
STEP 10 | (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Informational.
STEP 13 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 3 | Edit the Enterprise DLP Non-File Data Filtering Settings to configure the minimum and
maximum data size limits and the actions the firewall takes when uploading non-file data to
the DLP cloud service.
Palo Alto Networks recommends verifying that Enable Non File DLP is enabled after
you install the Panorama plugin for Enterprise DLP 3.0.1.
STEP 4 | (Optional) Create a custom application filter or application group to define predefined or
custom application traffic you want to exclude from inspection.
The application filter and application group must be Shared to be used in the data filtering
profile application exclusion list. Data filtering profiles for non-file traffic inspection support
both custom application filters and application groups, but you aren’t required to add both.
• Create a Custom Application Filter
• Create an Application Group
STEP 5 | (Optional) Create a custom URL category to define URL traffic you want to exclude from
inspection.
The URL category must be Shared to be used in the data filtering profile URL exclusion list.
You don’t need to add the custom URL category to a URL Filtering profile in order to include
it in the URL exclusion list of a data filtering profile.
STEP 6 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
STEP 8 | (Optional) Configure the data filtering profile to scan File Based traffic.
Data filtering profiles support scanning both file based and non-file based traffic. Select Yes
to scan for both file based and non-file based traffic. Select No to only scan for non-file based
traffic. Configuring the data filtering profile not to scan for file based traffic has no impact on
scanning non-file based traffic.
STEP 9 | Configure the data filtering profile to scan Non-File Based traffic.
Select Yes to scan for non-file based traffic.
• If you select Advanced, you can create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the
page.
Specify the values in the order that they’re shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence).
If the data filtering profile has both Primary and Secondary Patterns, changing the
data profile Action on Panorama deletes all Secondary Pattern match criteria.
STEP 12 | (Optional) Configure the URL category list to exclude URL traffic from inspection.
The URL category list can only be configured when Non-File Based traffic inspection is
enabled.
1. Select URL Category List Excluded From Non-File.
2. Add a new URL category list.
3. Select a predefined URL category, custom URL category or EDL.
STEP 13 | Configure the application exclusion list to exclude application traffic from inspection.
The application list can only be configured when Non-File Based traffic inspection is enabled.
At least one application list or application group is required to create a data filtering profile for
inspecting non-file traffic.
1. Select Application List Excluded From Non-File.
2. Add an application filter or application group.
If you didn’t create a custom application filter or application group, you must add the
DLP App Exclusion Filter.
STEP 15 | (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Informational.
STEP 18 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
Data profiles with EDM datasets and Data profiles with data patterns and EDM
datasets can only be modified from the DLP app on the hub.
Any changes to the data profile match criteria made on the DLP app are synchronized to
Panorama but don’t display in the Panorama web interface. Security policy rules using
a data profile updated on the DLP app inspect traffic using the new or modified match
criteria.
(Panorama only) Updating the data profile Name is supported, but you must manually
update the existing Security policy rules (Policies > Security) to reassociate the renamed
data filtering profile. Commits on Panorama fail if you do not reassociate the renamed
data filtering profile with the Security policy rule after the updated data profile name is
synchronized to Panorama.
STEP 2 | Select Data Profiles and select a data profile to display the data profile preview window.
Modifying the data profile to include an EDM data set isn’t supported if the data
profile did not include an EDM data set when it was initially created.
Modifying a data profile to only include data patterns isn’t supported if the data profile
included both data patterns and EDM data sets when it was initially created.
• See Create a Data Profile on the DLP App for details on configuring data pattern criteria
using predefined or custom data patterns only.
• See Create a Data Profile with EDM Data Sets on the DLP App for details on configuring
data pattern criteria using EDM data sets.
• See Create a Data Profile with Data Patterns and EDM Data Sets on the DLP App for
details on configuring data pattern criteria using both data patterns and EDM data sets.
• See Create a Data Profile with Nested Data Profiles on the DLP App for details on
configuring a single data profile that contains multiple data profiles.
Adding a data profile that includes an EDM data set to an existing data profile if
one wasn’t included when the data profile was originally created is supported.
Data profiles with EDM datasets and Data profiles with data patterns and EDM
datasets can be modified from both Cloud Management and the DLP app on the hub.
Any changes to the data profile match criteria made on Cloud Management are
synchronized to Panorama but don’t display in the Panorama web interface. Security
policy rules using a data profile updated on Cloud Management inspect traffic using the
new or modified match criteria.
(Panorama only) Updating the data profile Name is supported, but you must manually
update the existing Security policy rules (Policies > Security) to reassociate the renamed
data filtering profile. Commits on Panorama fail if you do not reassociate the renamed
data filtering profile with the Security policy rule after the updated data profile name is
synchronized to Panorama.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Data Profiles
and navigate to the data profile you want to modify.
Modifying the data profile to include an EDM data set isn’t supported if the data
profile did not include an EDM data set when it was initially created.
Modifying a data profile to only include data patterns isn’t supported if the data profile
included both data patterns and EDM data sets when it was initially created.
• See Create a Data Profile on Cloud Management for details on configuring data pattern
criteria using predefined or custom data patterns.
• See Create a Data Profile with EDM Data Sets on Cloud Management for details on
configuring data pattern criteria using EDM data sets.
• See Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management for
details on configuring data pattern criteria using both data patterns and EDM data sets.
• See Create a Data Profile with Nested Data Profiles on Cloud Management for details on
configuring a single data profile that contains multiple data profiles.
Adding a data profile that includes an EDM data set to an existing data profile if
one wasn’t included when the data profile was originally created is supported.
• See Create a Data Profile to Detect Custom Documents for details on configuring data
pattern match criteria that contains predefined or custom document templates.
You can’t update or modify the data pattern match criteria for an EDM data set or a data
profile with data patterns and EDM data sets from Panorama. You can only update
or modify the data filtering profile action from Panorama. Any changes you make to an
EDM filtering profile or a hybrid data filtering profile that commit successfully on Panorama
aren’t reflected in the DLP app on the hub. See Update a Data Profile on the DLP App
to update the match criteria for an EDM data filtering profile or a data profile with data
patterns and EDM data sets.
If you update a data filtering profile to include predefined data patterns, be sure to consider the
detection type used by the predefined data patterns because the detection type determines how
Enterprise Data Loss Prevention (E-DLP) arrives at a verdict for scanned files. For example, when
you create a data filtering profile that includes three machine learning (ML)-based data patterns
and seven regex-based data patterns, Enterprise DLP returns verdicts based on only the seven
regex-based patterns whenever the scanned file exceeds 1 MB.
Updating the data filtering profile Name is supported, but you must manually update the
existing Security policy rules (Policies > Security) to reassociate the renamed data filtering
profile. Commits on Panorama fail if you do not reassociate the renamed data filtering
profile with the Security policy rule.
STEP 2 | Select Objects > DLP > Data Filtering Profiles and specify the Device Group.
Profile on Panorama for details on configuring data pattern criteria using predefined or
custom data patterns.
3. (Data Filtering Profile for Non-File Traffic Inspection Only) Modify the URL Category
Excluded List from Non-File and Application List Excluded from Non-File to configure
which URL and application traffic is excluded from Enterprise DLP inspection.
See Create a Data Filtering Profile on Panorama for Non-File Detection for more
information.
4. Edit the data filtering profile settings.
Enterprise DLP supports editing the following data profile settings for a data profile with
EDM datasets and a data profile with data patterns and EDM datasets from Panorama.
• Select the data filtering profile Action (Alert or Block)
If the data profile has both Primary and Secondary Patterns, changing the
data filtering profile Action on Panorama deletes all Secondary Pattern
match criteria.
• Specify a File Type.
Leave the file type as any to match any of the supported file types.
• Set the Log Severity recorded for files that match this data filtering profile.
STEP 6 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
STEP 7 | Verify the changes you made to the data filtering profile.
1. Log in to the DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
2. Select Data Profiles and search for the data filtering profile you updated.
STEP 2 | Create data patterns and a data profile to define the match criteria for sensitive data you
want to detect.
STEP 3 | Select Manage > Configuration > Security Services > SaaS Security > Discovered Apps >
Policy Recommendations and Add Policy.
must create a Profile Group containing the data filtering profile and attach it to a Security policy
so Prisma Access can enforce your data security standards.
STEP 1 | Launch the Cloud Management Console.
STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and
in the Actions column, Edit the DLP rule.
The DLP rule has an identical name as the data profile from which it was automatically created.
The default DLP rule Direction is Upload. Downloads aren’t supported. This field can’t
be edited.
The Action is set to Alert and Block by default if the data profile has both
Primary and Secondary Patterns. Changing the data filtering profile Action isn’t
supported if both Primary and Secondary patterns are defined.
5. (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Low.
6. Save the data filtering profile.
STEP 6 | Create a Shared Profile Group for the Enterprise DLP data filtering profile.
1. Select Manage > Configuration > Security Services > Profile Groups and Add Profile
Group.
2. Enter a descriptive Name for the Profile Group.
3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
4. Add any other additional profiles as needed.
5. Save the profile group.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings and
click the Data Filtering Page.
Cloud Management allows you to Export HTML Template of the default block
response page to help you create a custom block page.
STEP 3 | Choose File and select the custom block response page.
Existing data patterns and data filtering profiles aren’t hidden if you’re using Enterprise
DLP for Panorama-managed Prisma Access.
Panorama returns a pass message to confirm the existing data patterns and filtering
profiles are now displayed.
Enter the following command to disable the displaying of existing data patterns
and filtering profiles.
STEP 2 | (Optional) Enable existing data patterns and filtering profiles on the managed firewall if you
have any Security policy rules configured locally on the firewall.
1. Log in to the firewall CLI.
2. Enable the existing data patterns and filtering profiles.
The firewall returns a pass message to confirm the existing data patterns and filtering
profiles are now displayed.
Enter the following command to disable the displaying of existing data patterns
and filtering profiles.
STEP 5 | Select Policies > Security and select the Device Group to modify your Security policy rules
as needed.
STEP 6 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn’t recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
service inspects for all incidents of 123456789;098765432 as a singular SSN rather than
inspecting for 123456789 and 098765432 as unique incidents.
• Up to 50 individual Data Type values are supported in a single cell.
The Data Types are data values recognized by the DLP cloud service. If a cell has more than 50
Data Type values recognized by the DLP cloud service, only the first 50 values are processed
and the remaining are ignored.
For example, Today is August 02, 2020 contains three data type values; Today and is
are Alphabet data types and August 02, 2020 is a Date data type.
• Only English (Latin script) is supported.
• Only the “,” and tab (\t) delimiters are supported.
• A maximum of 120 million rows and 30 columns are supported per EDM data set.
For example, you have one EDM data set containing 30 columns and 4 million rows and a
second EDM data set containing six columns and 120 million rows. Both EDM data sets are
supported because each of them stays within the maximum number of rows and columns
supported.
• By default, up to 500 million cells are supported for a single Enterprise DLP tenant across all
EDM data sets uploaded to the DLP cloud service.
Contact Palo Alto Networks Customer Support to increase the maximum number of cells
supported for your Enterprise DLP tenant. Up to 1 billion cells are supported for your
Enterprise DLP tenant.
• The supported file encoding schemes are UTF-8, UTF-16, ISO-8859-1, and US-ASCII.
• The EDM CLI application removes all punctuation from data contained in the EDM data set.
The EDM CLI application supports the following data type formats for EDM data sets.
Date formats:
• DD.MM.YYYY
• DD,MM,YYYY
• DD MM YYYY
• MM-DD-YYYY
• MM/DD/YYYY
• MM.DD.YYYY
• MM,DD,YYYY
• MM DD YYYY
Example date values:
• 02.08.2020
• 02 Aug 2020
• 2 August, 2020
• 2 Aug, 2020
• 02 August 2020
• 2. August 2020
• August 2, 2020
• Aug 2, 2020
• Sunday, August 2, 2020
• Sunday, August 02, 2020
If you plan to deploy a dedicated virtual machine to upload EDM data sets to the DLP
cloud service, Palo Alto Networks recommends you allocate a minimum of four CPUs
and 8 GB memory to the virtual machine.
STEP 2 | Log in to the DLP app on the hub or Launch Cloud Management Console.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide.
Only Superusers can access the hub.
If you’re leveraging Enterprise DLP from the Panorama management server for Next-
Generation and VM-Series firewalls or are using Prisma Access (Panorama Managed), the EDM
CLI application is available only from the DLP app on the hub.
If using Enterprise DLP for Prisma Access (Cloud Management), the EDM CLI application is
available from Prisma Access Cloud Management or from the DLP app on the hub.
It might take up to 24 hours for Palo Alto Networks to enable EDM functionality for
your DLP app.
Continue to the next step after Palo Alto Networks has successfully enabled EDM for
your DLP app. You can verify that EDM is enabled when you have the ability to download
the EDM CLI application to your local device.
If you use an older unsupported version of the CLI, the CLI will display an
error message: Please use the latest version of cli tool.
Latest version: <latest-version>.
STEP 5 | (Optional) Create a new folder for EDM on your local device.
The EDM CLI application generates secured versions of all EDM data sets uploaded to the DLP
cloud service and logs for EDM CLI application activity. As a best practice, create a folder just
for the EDM CLI application so that all EDM-specific files are kept in a single folder.
Refer to the documentation for Microsoft Windows or your specific Linux OS for more
information on creating a new folder.
STEP 7 | Verify the extracted .zip file contains all the required EDM CLI application files.
STEP 9 | (Linux only) Make the EDM CLI application script readable, writable, and executable.
1. Navigate to the directory where the EDM CLI application .zip contents were extracted.
In this example, the package-edm-secure-cli-<version>-<platform>.zip
contents were extracted to the EDM directory.
2. Make the EDM CLI application script readable, writable, and executable.
If you already have a Service Account created, you can Reset Client Secret to recover
a lost Client Secret.
The Client ID and Client Secret are used to authenticate and connect the EDM CLI
application to the DLP cloud service.
When you create the Service Account, the Client ID and Client Secret are displayed in
the Client Credentials. You can manually copy the Client Credentials or Download CSV File to
download the Client Credentials in plaintext locally to your device.
You must download EDM CLI application 2.2 or later version to upload an EDM data
set to a TSG-supported tenant.
STEP 3 | On the local device where you downloaded the EDM CLI application, navigate to and open
the upload configuration file.
The upload configuration file is bundled with the package-edm-secure-cli-<version>-
<platform>.zip file contents you extracted when you set up the EDM CLI application.
The name of the upload configuration for Linux and Windows versions of the EDM CLI display
as:
• Linux—upload_config.properties
• Windows—upload_config
STEP 4 | Configure the upload configuration file to enable connectivity to the DLP cloud service.
1. For have_access_token_refresh_token, enter no.
2. Add the client_id and client_secret.
3. Specify whether the local device uploading the EDM data set to the DLP cloud service
requires a proxy server to connect to the internet.
If a proxy server isn’t required, enter no (default).
If a proxy server is required, enter yes.
4. (Proxy server only) Enter the proxy_host_name and proxy_port_number.
Skip this step if a proxy server isn’t required for the local device to connect to the
internet.
5. (Proxy server only) Enter the proxy_user_name and proxy_password.
Skip this step if a proxy server isn’t required for the local device to connect to the
internet.
6. Enter the dataset_name for the EDM data set you want to upload. The data set name
entered here is used in the DLP app for the uploaded EDM data set.
7. Save the changes to the upload configuration file.
for upload ahead of time rather than manually entering each parameter at the time of creation.
You can also quickly update an existing EDM data set on the DLP cloud service when you
configure the config.properties and upload_config.properties files.
STEP 1 | Set Up the EDM CLI Application.
STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set you want to
create.
8. Map your columns using the supported Data Types Value to accurately map each
column in your EDM data set to a specific Data Type.
Refer to the README.txt file packaged with the EDM CLI application for the table to
map your EDM data set columns to the correct Data Type value.
When you create a data profile with EDM data sets on the DLP app or a data
profile with EDM data sets on Cloud Management, you’re required to add at
least one column where the column values occur up to 12 times in the selected
EDM data set for the Primary Field.
When mapping your columns to a specific Data Type, be sure to include at
least one column with up to 12 occurrences across the entire EDM data set.
Otherwise, the DLP cloud service is unable to match traffic against the EDM
data filtering profile you create using this EDM data set.
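The format constraints listed earlier (supported delimiters and encodings, the 30-column limit, the 50-value-per-cell limit, punctuation removal) and the Primary Field requirement described in this step can all be checked locally before the EDM CLI application is run. The following pre-flight check is an added example and is not part of the guide or of the EDM CLI application; the sample data set is constructed, and the per-cell value count is an approximation (one value per whitespace-separated token) rather than the DLP cloud service's own Data Type recognition.

```python
import csv
import io
import string
from collections import Counter

# Limits the guide states for EDM data sets and the EDM CLI application.
MAX_COLUMNS = 30
MAX_ROWS = 120_000_000
MAX_DATA_TYPE_VALUES_PER_CELL = 50
MAX_PRIMARY_FIELD_OCCURRENCES = 12
SUPPORTED_DELIMITERS = (",", "\t")
SUPPORTED_ENCODINGS = ("utf-8", "utf-16", "iso-8859-1", "us-ascii")

# Constructed sample data set (fabricated records, tab-delimited, 30 data rows).
# Only the ssn column is unique; every other column repeats a value more than 12 times.
_HEADER = ["ssn", "last_name", "country", "issue_date"]
_ROWS = [[f"123-45-{6700 + i:04d}", "Smith" if i % 2 else "Jones", "US", "02.08.2020"]
         for i in range(30)]
SAMPLE_TSV = "\n".join("\t".join(r) for r in [_HEADER] + _ROWS) + "\n"
SAMPLE_BYTES = SAMPLE_TSV.encode("utf-8")


def strip_punctuation(value: str) -> str:
    """Mirror the guide's statement that the EDM CLI removes all punctuation from values."""
    return value.translate(str.maketrans("", "", string.punctuation))


def count_values(cell: str) -> int:
    """Conservative estimate of Data Type values in a cell: one per whitespace token.
    A multi-token date such as 'August 02, 2020' is a single Date value to the service,
    so this over-counts; cells flagged here are candidates for review, not certain failures."""
    return len(cell.split())


def parse_dataset(raw: bytes, encoding: str, delimiter: str) -> list[list[str]]:
    """Decode and split the file, rejecting encodings and delimiters the CLI does not accept."""
    if encoding.lower() not in SUPPORTED_ENCODINGS:
        raise ValueError(f"unsupported encoding: {encoding}")
    if delimiter not in SUPPORTED_DELIMITERS:
        raise ValueError("only ',' and tab delimiters are supported")
    reader = csv.reader(io.StringIO(raw.decode(encoding)), delimiter=delimiter)
    return [row for row in reader if row]


def primary_field_candidates(header: list[str], body: list[list[str]]) -> list[str]:
    """Columns in which no value (after punctuation removal) repeats more than 12 times.
    At least one such column is needed as the Primary Field of an EDM data profile."""
    candidates = []
    for i, name in enumerate(header):
        counts = Counter(strip_punctuation(row[i]) for row in body if i < len(row))
        if counts and max(counts.values()) <= MAX_PRIMARY_FIELD_OCCURRENCES:
            candidates.append(name)
    return candidates


def preflight(raw: bytes, encoding: str = "utf-8", delimiter: str = "\t") -> dict:
    """Check a prepared EDM data set against the guide's limits before running the EDM CLI."""
    rows = parse_dataset(raw, encoding, delimiter)
    header, body = rows[0], rows[1:]
    problems = []
    if len(header) > MAX_COLUMNS:
        problems.append(f"{len(header)} columns exceeds the {MAX_COLUMNS}-column limit")
    if len(body) > MAX_ROWS:
        problems.append(f"{len(body)} rows exceeds the {MAX_ROWS}-row limit")
    # (row, column) pairs whose cells may exceed the 50-value limit; row numbers are 1-based
    # file lines, so the first data row is line 2.
    oversized = [(r, c) for r, row in enumerate(body, start=2) for c, cell in enumerate(row)
                 if count_values(cell) > MAX_DATA_TYPE_VALUES_PER_CELL]
    if oversized:
        problems.append(f"{len(oversized)} cell(s) may hold more than "
                        f"{MAX_DATA_TYPE_VALUES_PER_CELL} values")
    candidates = primary_field_candidates(header, body)
    if not candidates:
        problems.append("no column qualifies as a Primary Field "
                        "(every column has a value repeated more than 12 times)")
    return {"columns": len(header), "rows": len(body), "oversized_cells": oversized,
            "primary_field_candidates": candidates, "problems": problems}


if __name__ == "__main__":
    for key, value in preflight(SAMPLE_BYTES).items():
        print(f"{key}: {value}")
```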
STEP 6 | Create the encrypted EDM data set for upload to the DLP cloud service.
1. Open a terminal and navigate to the package-edm-secure-cli-<version>-
<platform> directory where the EDM CLI application is located.
2. Create the encrypted EDM data set.
• Windows
• Linux
Entering this command creates a secured copy of the EDM data set in the package-
edm-secure-cli-<version>-<platform> directory.
3. Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is
successful.
STEP 7 | Verify that the encrypted EDM data set is successfully created.
The EDM CLI application only supports upload of the encrypted EDM data sets it creates to
the DLP cloud service.
A secured copy of the EDM data set specified is created in the package-edm-secure-cli-
<version>-<platform> directory. In the directory, a new folder is created with the name
of the EDM data set appended with the date and time it was created. Inside this folder is the
encrypted output.zip file containing your EDM data set that is uploaded to the DLP cloud
service.
STEP 8 | Upload an Encrypted EDM Data Set to the DLP Cloud Service.
STEP 2 | Configure Connectivity to the DLP Cloud Service if not already configured.
If you’ve already configured the upload_config.properties file, navigate to
the package-edm-secure-cli-<version>-<platform> directory where the
upload_config.properties is located to modify the dataset_name value for the
encrypted EDM data set you want to upload.
STEP 3 | Obtain the path for the encrypted EDM data set you created.
In the package-edm-secure-cli-<version>-<platform> directory, open the folder
containing the EDM data set and right-click the output.zip file to view the Properties. Copy
the file Location.
STEP 5 | Upload the encrypted EDM data set to the DLP cloud service.
• Windows
• Linux
STEP 6 | Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is
successful.
connectivity speed. For example, a 4GB EDM data set upload typically takes about 30 minutes
to display in the DLP app and be usable in a data profile with EDM data sets.
1. Log in to the DLP app on the hub or Launch Prisma Access Cloud Management.
2. Navigate to the list of uploaded EDM data sets.
• DLP app on the hub—Select Detection Methods > Exact Data Matching.
• Prisma Access (Cloud Managed)—Select Manage > Configuration > Data Loss
Prevention > Detection Methods and select Exact Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays
Complete.
Create and Upload an Encrypted EDM Data Set Using a Configuration File
Create and upload an encrypted hash Exact Data Matching (EDM) data set using a configuration
file included with the EDM CLI application. The configuration file allows you to configure the
upload parameters for upload ahead of time rather than manually entering each parameter at the
time of upload. You can also quickly update an existing EDM data set on the DLP cloud service
when you configure the config.properties and upload_config.properties files.
STEP 1 | Set Up the EDM CLI Application.
STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to
the DLP cloud service.
8. Map your columns using the supported Data Types Value to accurately map each
column in your EDM data set to a specific Data Type.
Refer to the README.txt file packaged with the EDM CLI application for the table to
map your EDM data set columns to the correct Data Type value.
When you create a data profile with EDM data sets on the DLP app or on Cloud Management, you are required to add, as the Primary Field, at least one column in which each value occurs at most 12 times in the selected EDM data set.
When mapping your columns to a specific Data Type, be sure to include at least one column whose values each occur at most 12 times across the entire EDM data set. Otherwise, the DLP cloud service is unable to match traffic against the EDM data filtering profile you create from this EDM data set.
STEP 6 | Upload the EDM data set to the DLP cloud service.
1. Open a terminal and navigate to the package-edm-secure-cli-<version>-<platform> directory where the EDM CLI application is located.
2. Upload the EDM data set to the DLP cloud service.
• Windows
• Linux
A secured copy of the EDM data set specified is created and the EDM data set begins
uploading to the DLP cloud service.
3. Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is successful.
STEP 1 | Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
The Client ID and Client Secret are used to authenticate and connect the EDM CLI application to the DLP cloud service.
When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext to your local device.
You must download EDM CLI application 2.2 or later version to upload an EDM data
set to a TSG-supported tenant.
STEP 3 | Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to
the DLP cloud service.
STEP 4 | Enter Interactive mode in the EDM CLI application to begin the EDM data set upload.
1. Open the terminal and navigate to the package-edm-secure-cli-<version>-<platform> directory where the EDM CLI application is located.
2. Enter Interactive mode in the EDM CLI application.
• Windows
• Linux
Entering this command begins the interactive upload process for EDM data sets to the
DLP cloud service.
STEP 5 | Enter the path of the EDM data set for upload.
STEP 6 | Enter the delimiter used to specify boundaries between values in the EDM data set.
The “,” and tab (t) delimiters are supported for CSV or TSV files. The EDM CLI application uses the “,” delimiter by default. The EDM data set must use only one delimiter.
STEP 8 | Enter the error threshold percentage for the EDM data set.
A secured version of the EDM data set is not created if the DLP cloud service encounters
errors exceeding the specified error threshold percentage.
STEP 9 | Specify whether the EDM data set has a header row.
STEP 10 | Specify whether to allow uploads of EDM data sets that include empty or blank cells.
Enter true to allow rows that include empty or blank cells in an EDM data set.
Enter false to reject rows that include empty or blank cells in an EDM data set.
STEP 11 | Specify whether the EDM CLI application should abort the EDM data set upload if the EDM
data set includes more than the maximum number of cells supported.
Enter true to upload the maximum number of data set cells supported.
Enter false to abort the EDM CLI application if the EDM data set has more than the maximum number of data set cells supported.
STEP 13 | Map each column in your EDM data set to a specific Data Type using the supported Data Type values.
The EDM CLI application presents a table with each Data Type Name and the corresponding Data Type Value. You can also view this table in the README.txt file packaged with the EDM CLI application.
When you create a data profile with EDM data sets on the DLP app or on Cloud Management, you’re required to add, as the Primary Field, at least one column in which each value occurs at most 12 times in the selected EDM data set.
When mapping your columns to a specific Data Type, be sure to include at least one column whose values each occur at most 12 times across the entire EDM data set. Otherwise, the DLP cloud service is unable to match traffic against the EDM data filtering profile you create from this EDM data set.
STEP 14 | Specify whether to upload the EDM data set to the DLP cloud service. Enter y to continue
uploading the EDM data set or n to upload the EDM data set later.
Entering n creates a secured copy of the EDM data set in the package-edm-secure-cli-<version>-<platform> directory for you to review.
You can skip the remaining steps below and Upload an Encrypted EDM Data Set to
the DLP Cloud Service later.
STEP 15 | Enter y to create a new EDM data set and enter the data set name.
If you enter n and are uploading to the DLP cloud service, you’re still prompted to
enter an EDM data set name. This updates the existing EDM data set you previously
uploaded to the DLP cloud service.
STEP 16 | (EDM CLI application 2.2 and later) Specify the authentication mechanism used to upload the
EDM data set to the DLP cloud service.
1. When prompted about whether you have access and refresh token, enter n.
This is required to enter the Client ID and Client Secret.
2. Enter the Client ID and Client Secret.
STEP 17 | (Proxy server only) When prompted, enter y if the local device from which you’re uploading
requires a proxy server to connect to the internet.
You’re required to provide the following information for your proxy server.
• Proxy hostname
• Proxy port number
• Proxy username
• Proxy password
STEP 18 | Enter Y or y to confirm the EDM data set upload configuration is correct and begin uploading to the DLP cloud service.
A secured copy of the specified EDM data set is created in the package-edm-secure-cli-<version>-<platform> directory. In that directory, a new folder is created whose name is the EDM data set name appended with the date and time it was created. Inside this folder is the encrypted output.zip file containing your EDM data set, which is uploaded to the DLP cloud service.
A progress bar and success message are displayed to notify you whether the upload is successful.
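The interactive prompts above (delimiter, header row, empty-cell policy, error threshold percentage, and the Primary Field requirement of at least one column whose values each occur up to 12 times) can be checked locally before the secured copy is built. The following Python script is an added example, not code from the EDM CLI application or from Palo Alto Networks: it parses a constructed sample data set, applies those checks, and lists the columns eligible as a Primary Field. Treating a row rejected for blank cells as an error that counts toward the error threshold is an assumption made here; the function names and the sample data are likewise constructed for the example.

```python
"""Pre-upload sanity check for an EDM data set.

Added example, not code from the EDM CLI application: it mirrors the prompts the
procedure walks through (delimiter, header row, empty-cell policy, error threshold
percentage, Primary Field eligibility). Counting a rejected row toward the error
threshold is an assumption made here, not something the guide states.
"""
import csv
import io
from collections import Counter

# From the guide: a Primary Field column may have any single value occur at most 12 times.
MAX_PRIMARY_FIELD_OCCURRENCES = 12


def build_sample():
    """Constructed sample data set: 20 rows, one blank email cell on row 8,
    and a 'region' column whose single value repeats in every row."""
    lines = ["account_id,region,email"]
    for i in range(20):
        email = "" if i == 7 else f"user{i}@example.com"
        lines.append(f"A{1000 + i},EMEA,{email}")
    return "\n".join(lines) + "\n"


def load_rows(text, delimiter=",", has_header=True):
    """Parse the data set using the single delimiter the EDM CLI expects
    (',' by default, or a tab for TSV)."""
    rows = list(csv.reader(io.StringIO(text), delimiter=delimiter))
    header = rows.pop(0) if has_header and rows else None
    return header, rows


def check_data_set(text, delimiter=",", has_header=True,
                   allow_empty_cells=False, error_threshold_pct=0.0):
    """Return a report describing whether the data set would pass the upload checks."""
    header, rows = load_rows(text, delimiter, has_header)
    width = len(header) if header else (len(rows[0]) if rows else 0)
    problems, kept = [], []
    for n, row in enumerate(rows, start=1):
        if len(row) != width:
            problems.append((n, "column count mismatch"))
            continue
        if not allow_empty_cells and any(cell.strip() == "" for cell in row):
            problems.append((n, "empty cell"))  # the 'false' policy rejects the row
            continue
        kept.append(row)
    error_pct = 100.0 * len(problems) / len(rows) if rows else 0.0

    # A column qualifies as a Primary Field candidate only if no single value
    # occurs more than MAX_PRIMARY_FIELD_OCCURRENCES times across the data set.
    candidates = []
    for col in range(width):
        freq = Counter(row[col] for row in kept if row[col].strip())
        if freq and freq.most_common(1)[0][1] <= MAX_PRIMARY_FIELD_OCCURRENCES:
            candidates.append(header[col] if header else col)

    return {
        "rows": len(rows),
        "rows_kept": len(kept),
        "problems": problems,
        "error_pct": error_pct,
        "within_threshold": error_pct <= error_threshold_pct,
        "primary_field_candidates": candidates,
    }


if __name__ == "__main__":
    report = check_data_set(build_sample(), error_threshold_pct=10)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed sample the region column is excluded from the Primary Field candidates because one value repeats in every row, which is exactly the situation the note above warns about: a data set mapped without such a column cannot be matched by the DLP cloud service.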
STEP 1 | On the local device where you downloaded the EDM CLI application, navigate to and open
the upload_config.properties file.
The upload_config.properties file is bundled in the package-edm-secure-cli-<version>-<platform>.zip file you extracted when you set up the EDM CLI application.
STEP 4 | Update the EDM data set on the DLP cloud service.
1. Open a terminal and navigate to the package-edm-secure-cli-<version>-<platform> directory where the EDM CLI application is located.
2. Upload the existing EDM data set to the DLP cloud service.
• Windows
• Linux
Entering this command creates a secured copy of the EDM data set specified in the
config.properties file and begins uploading to the DLP cloud service.
3. Verify that the EDM data set is uploaded to the DLP cloud service successfully.
A progress bar and success message are displayed to notify you whether the upload is
successful.
If the team member responds that the file doesn’t contain sensitive information, the DLP
cloud service flags the file as a false positive. However, Enterprise DLP continues to block
the file upload.
The Enterprise DLP cloud service preserves the response history for all scanned files after End User Alerting with Cortex XSOAR is enabled. For example, your team member uploads file_A.pdf, which matches the match criteria of a data profile. The team member is prompted to confirm whether the file contains sensitive information, to which they answer Yes and request an exemption. A few days later, the team member uploads file_A.pdf again. This time they’re only prompted to request an exemption, because the DLP cloud service already knows the file’s response history.
Table 1 (only one row was recovered during extraction):
(Slack only) IP Mapping to Email Addresses: Cloud Identity Engine | Cloud Identity Engine | Cloud Identity Engine
Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Slack
To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Slack alerts, you need to configure the Cloud Identity Engine to map IP addresses to email addresses so that automatic messages can be sent on Slack. After you configure the Cloud Identity Engine, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integration allows the DLP cloud service to automate sending Slack messages to team members who upload a file that matches your data profiles.
After you successfully integrate Slack, email send, and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Cloud Management and configure the End User Alerting settings as needed.
STEP 1 | Configure the platform on which you’re using Enterprise DLP to map IP addresses to email
addresses.
This is required to use Enterprise DLP End User Alerting with Cortex XSOAR. If Panorama, Prisma Access (Panorama Managed), or Prisma Access (Cloud Management) aren’t configured to map IP addresses to email addresses, Enterprise DLP can’t send automated messages using Slack.
• Panorama (Next-Gen Firewalls)
1. Log in to the Panorama web interface.
2. Configure the Cloud Identity Engine as a Mapping Source on the Firewall.
When you configure the User Attributes, you must set the Primary Username as Mail.
• Prisma Access (Panorama Managed) - Get User and Group Information Using the Cloud
Identity Engine
• Cloud Management
1. Launch Cloud Management.
2. Enable the Cloud Identity Engine.
3. Set up the Cloud Identity Engine.
4. Select Manage > Configuration > Cloud Identity Engine and edit the Cloud Identity
Engine Settings.
5. For the Primary User Name, select Mail.
Configure the rest of the Cloud Identity Engine settings as needed.
6. Save.
If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.
STEP 7 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
A file that triggered an End User Alerting with Cortex XSOAR notification and was granted an exemption can be uploaded for the length of the Exemption Duration. The default is 12 hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Slack.
Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Microsoft Teams
To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.
After you successfully integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Cloud Management and configure the End User Alerting settings as needed.
STEP 1 | Set up the prerequisites needed to begin integrating Microsoft Teams with Cortex XSOAR.
1. Integrate Active Directory using one of the following procedures based on your needs.
• Integrate Active Directory Query v2
• Integrate Azure Active Directory Users
2. Create the Demisto Bot in Microsoft Teams.
3. Grant the Demisto Bot Permissions in Microsoft Graph.
4. Configure Microsoft Teams on Cortex XSOAR.
5. Add the Demisto Bot to a Team.
If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
STEP 6 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
A file that triggered an End User Alerting with Cortex XSOAR notification and was granted an exemption can be uploaded for the length of the Exemption Duration. The default is 12 hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Microsoft Teams.
Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Email
To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to set up integration with Active Directory and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.
After you successfully integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Cloud Management and configure the End User Alerting settings as needed.
STEP 1 | Integrate Active Directory using one of the following procedures based on your needs.
• Integrate Active Directory Query v2
• Integrate Azure Active Directory Users
If you already have a Service Account created, you can Reset Client Secret to
recover a lost Client Secret.
If Data Loss Prevention is not displayed, hover your mouse over the field to display
the list of available incident types to search for and select Data Loss Prevention.
4. Add the Access Token and Refresh Token you created in the previous step.
5. Check (enable) Long running instance.
6. (Optional) Modify the automated Slack Bot Message.
7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
A Success is displayed when Cortex XSOAR successfully integrates with Enterprise
DLP.
STEP 5 | Configure the End User Alerting with Cortex XSOAR exemption settings.
1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure the Exemption Duration.
A file that triggered an End User Alerting with Cortex XSOAR notification and was granted an exemption can be uploaded for the length of the Exemption Duration. The default is 12 hours.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts >
Configuration and configure whether to Include Snippets in Message.
You can select Off (default) to not include a snippet of the sensitive data or On to
include a snippet of the sensitive data in the automated message on Microsoft Teams.
• Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but No, the end user didn’t request an exemption.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted to request an exemption.
• Exception Requested - End user confirmed that Yes, the file contains sensitive data and Yes, the end user requested an exemption.
For all future uploads of the file, end users aren’t prompted to confirm the file contains sensitive data but are prompted to request an exemption.
• Confirmed False Positive - End user confirmed that No, the file doesn’t contain sensitive data.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted to confirm whether the file contains sensitive data.
This procedure assumes you have already created a data profile and have successfully set up Enterprise DLP End User Alerting with Cortex XSOAR.
STEP 1 | Upload a file containing sensitive data that matches a data profile.
STEP 2 | On Slack, the Enterprise DLP Bot sends an automated message to the team member who uploaded the file containing sensitive data.
Select Yes to confirm that the uploaded file contains sensitive data and to request an exemption.
Select No to confirm that the uploaded file doesn’t contain sensitive data and flag the file as a false positive. If you select No, the file remains blocked for any future upload of the same file. You will receive confirmation from the Enterprise DLP Bot that your response was successfully received.
STEP 3 | If you selected Yes and the file contains sensitive information, select Yes when prompted to
request a temporary exemption for the uploaded file.
Select No if you don’t want to request a temporary exemption for the file. The file upload
remains blocked.
Skip this step if you selected No in the previous step and the file doesn’t contain sensitive data.
STEP 4 | The Enterprise DLP Bot confirms that the exemption was granted.
You can now reupload the file as needed for the length of the Exemption Duration.
View the Enterprise DLP End User Alerting with Cortex XSOAR Response History
The Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR response
history provides an audit trail for administrators to understand which end user uploaded a file
containing sensitive data and how they responded to the Enterprise DLP Bot on Slack.
The possible response statuses are:
• Pending Response - The automated Enterprise DLP Bot message was sent and is pending a response.
• Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but No, the end user didn’t request an exemption.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted to request an exemption.
• Exception Requested - End user confirmed that Yes, the file contains sensitive data and Yes, the end user requested an exemption.
For all future uploads of the file, end users aren’t prompted to confirm the file contains sensitive data but are prompted to request an exemption.
• Confirmed False Positive - End user confirmed that No, the file doesn’t contain sensitive data.
For all future uploads of the file, the file upload remains blocked and end users aren’t prompted to confirm whether the file contains sensitive data.
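The four response statuses listed above, together with the re-upload behaviour each one implies, the Exemption Duration window described under the End User Alerting settings (default 12 hours), and the file_A.pdf scenario earlier in this section, can be written down as a small state machine. The following Python model is an added example, not Palo Alto Networks code: the file identifier, the prompt names, the T0 timeline and the helper names are assumptions made for the example, and it encodes only the rules the guide states.

```python
"""Model of the End User Alerting response-history rules.

Added example, not Palo Alto Networks code: it encodes the four response
statuses and the re-upload behaviour the guide describes for each, plus the
Exemption Duration window (default 12 hours). File identifiers, prompt names
and the timeline are assumptions made for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

T0 = datetime(2023, 10, 18, 9, 0)  # constructed timeline start for the walk-through


class ResponseStatus(Enum):
    PENDING_RESPONSE = "Pending Response"
    CONFIRMED_SENSITIVE = "Confirmed Sensitive"            # Yes sensitive, No exemption
    EXCEPTION_REQUESTED = "Exception Requested"            # Yes sensitive, Yes exemption
    CONFIRMED_FALSE_POSITIVE = "Confirmed False Positive"  # No, not sensitive


@dataclass
class FileRecord:
    status: ResponseStatus = ResponseStatus.PENDING_RESPONSE
    exemption_expires: Optional[datetime] = None


class ResponseHistory:
    """Tracks, per file, how the end user answered the Enterprise DLP Bot."""

    def __init__(self, exemption_duration=timedelta(hours=12)):
        self.exemption_duration = exemption_duration
        self.records = {}

    def on_upload(self, file_id, now):
        """Decide whether an upload is blocked and which prompts the bot sends."""
        rec = self.records.setdefault(file_id, FileRecord())
        if rec.status is ResponseStatus.PENDING_RESPONSE:
            # First sighting (or still unanswered): block and ask about sensitivity.
            return {"blocked": True, "prompts": ["confirm_sensitive"]}
        if rec.status is ResponseStatus.EXCEPTION_REQUESTED:
            if rec.exemption_expires and now < rec.exemption_expires:
                return {"blocked": False, "prompts": []}
            # Exemption lapsed: the sensitivity question is not repeated,
            # only the exemption prompt is sent.
            return {"blocked": True, "prompts": ["request_exemption"]}
        # Confirmed Sensitive (no exemption) and Confirmed False Positive both
        # stay blocked, and the user is not prompted again.
        return {"blocked": True, "prompts": []}

    def record_response(self, file_id, contains_sensitive, request_exemption, now):
        """Apply the user's answers to the bot's prompts and return the new status."""
        rec = self.records.setdefault(file_id, FileRecord())
        if not contains_sensitive:
            rec.status = ResponseStatus.CONFIRMED_FALSE_POSITIVE
        elif request_exemption:
            rec.status = ResponseStatus.EXCEPTION_REQUESTED
            rec.exemption_expires = now + self.exemption_duration
        else:
            rec.status = ResponseStatus.CONFIRMED_SENSITIVE
        return rec.status


def walk_through_file_a(history=None):
    """Replay the guide's file_A.pdf scenario; returns the sequence of decisions."""
    if history is None:
        history = ResponseHistory()
    steps = [history.on_upload("file_A.pdf", T0)]                           # blocked, asked
    history.record_response("file_A.pdf", True, True, T0)                   # Yes, Yes
    steps.append(history.on_upload("file_A.pdf", T0 + timedelta(hours=1)))  # inside exemption
    steps.append(history.on_upload("file_A.pdf", T0 + timedelta(days=3)))   # exemption prompt only
    return steps


if __name__ == "__main__":
    for step in walk_through_file_a():
        print(step)
```

The walk-through reproduces the audit-trail behaviour the guide describes: the first upload of file_A.pdf is blocked and the user is asked whether it is sensitive, a re-upload an hour later passes because the exemption is still within its 12-hour window, and a re-upload days later is blocked with only the exemption prompt sent.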
STEP 1 | Log in based on the platform on which you’re using Enterprise DLP.
• Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed) - Log in to the
DLP app on the hub.
If you don’t already have access to the DLP app on the hub, see the hub Getting Started
Guide. Only Superusers can access the hub.
• Prisma Access (Cloud Management) - Launch the Cloud Management Console.
STEP 3 | In the Incidents section, view the Response Status for all file uploads.
You can also Add New Filter to filter Enterprise DLP Incidents based on the Response
Status.
STEP 4 | Click on the File name to view the detailed Response History for that specific file.
The detailed response history includes the team member who uploaded the file and how they
responded to the Enterprise DLP Bot.
Both the contextual message and the password shared in response to it must be in text format for Enterprise DLP to detect the exchange and generate a DLP Incident. Enterprise DLP can’t detect that a password was shared in response to a contextual message if:
• The contextual message is a text or image attachment
• The response to the contextual message is a text or image attachment
Example exchange (recovered from a screenshot): contextual message “Can you please share Virus DB credentials with Alex?” followed by the response “Alex, here it is: pA$$w0rd!23”.
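The two conditions above (the contextual message and the reply must both be text, not attachments) can be illustrated with a small rule-based detector run over the exchange in the example. The following Python code is an added example, not the Enterprise DLP Application Credential detector, which the guide describes as ML-based; the message format, the request keyword list, the secret-shape rule and the sample conversation are assumptions constructed for this example.

```python
"""Heuristic detector for a credential shared in reply to a contextual request.

Added example, not the Enterprise DLP Application Credential detector: a small
rule-based stand-in that applies the two conditions the guide states, that both
the contextual message and the reply must be text rather than attachments.
Message format, keyword list and password-shape rule are assumptions.
"""
import re

# Words that mark a message as a request for credentials (assumed list).
REQUEST_WORDS = re.compile(r"\b(credentials?|password|passwd|login)\b", re.IGNORECASE)
# Candidate tokens: runs of non-whitespace at least 8 characters long.
TOKEN = re.compile(r"\S{8,}")


def looks_like_secret(token):
    """Assumed shape rule: at least three of lower, upper, digit, symbol classes."""
    classes = [re.search(p, token) is not None
               for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")]
    return sum(classes) >= 3


def find_shared_secrets(messages, window=3):
    """Return (request_index, reply_index, token) for each text reply that follows
    a text credential request within `window` messages and carries a secret-like token."""
    hits = []
    for i, msg in enumerate(messages):
        if msg["kind"] != "text" or not REQUEST_WORDS.search(msg["text"]):
            continue  # an attachment cannot be the contextual message
        for j in range(i + 1, min(i + 1 + window, len(messages))):
            reply = messages[j]
            if reply["kind"] != "text":
                continue  # an attachment cannot be the detected response either
            for tok in TOKEN.findall(reply["text"]):
                tok = tok.rstrip(".,;")
                if looks_like_secret(tok):
                    hits.append((i, j, tok))
    return hits


# Constructed conversation based on the guide's example exchange.
SAMPLE = [
    {"author": "dana", "kind": "text",
     "text": "Can you please share Virus DB credentials with Alex?"},
    {"author": "sam", "kind": "text", "text": "Alex, here it is: pA$$w0rd!23"},
]
# Same request, but the reply is an image attachment: not detectable per the guide.
SAMPLE_ATTACHMENT = [
    SAMPLE[0],
    {"author": "sam", "kind": "attachment", "text": "creds.png"},
]

if __name__ == "__main__":
    print(find_shared_secrets(SAMPLE))
    print(find_shared_secrets(SAMPLE_ATTACHMENT))
```

Run over the constructed conversation, the text reply is flagged together with the index of the request that gave it context, while the attachment variant produces nothing, which mirrors the detection gap the guide calls out for text or image attachments.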
STEP 3 | Select Manage > Configuration > SaaS Security > Settings > Data Profiles and verify that the
predefined Secrets and Credentials data profile is enabled.
(Optional) Instead of using the predefined data profile, you can create a custom
data profile and add the predefined ML-based Application Credential data pattern.
Adding a custom data pattern with regex match criteria to a custom data profile is not
supported for inspection for contextual secrets.
Next-Generation CASB
• Use the Discovered Apps (Discovered Apps > Applications) to discover traffic to ChatGPT.
• Add Filter to narrow down the Category to Artificial Intelligence applications and Tag as
Unknown.
This filter narrows the results to traffic to uncategorized AI applications on your network. Uncategorized applications display as Unknown, but once the initial discovery is complete you can manually recategorize them as sanctioned, unsanctioned, or tolerated based on your organization's risk posture.
• Alternatively, you can search for ChatGPT in the Search Application Name search
bar.
Create a Security Policy Rule for ChatGPT on Prisma Access (Cloud Management)
Use Enterprise Data Loss Prevention (E-DLP) for Prisma Access (Cloud Management) on Cloud
Management to prevent exfiltration of sensitive data to ChatGPT in a new or existing Security
policy rule.
Your Prisma Access tenants must be running Software Version 10.2.3 or later release.
Support for non-file based HTTP/2 traffic inspection is required to successfully prevent
exfiltration to ChatGPT.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Data Transfer and Enable Non-File Inspection.
STEP 3 | Select Manage > Configuration > Security Services > Decryption and create the decryption
profile and policy rule required to enable Enterprise DLP on Cloud Management.
Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect
egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN)
headers from decrypted traffic.
STEP 5 | Create a data profile on Cloud Management or use an existing data profile.
• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management
STEP 6 | Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and
in the Actions column, Edit the DLP rule.
1. Enable Non-File Based Match Criteria.
DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization’s data security standards. The DLP rule has an identical name as the data profile from which it was automatically created.
You can keep File Based Matched Criteria enabled or disable as needed. Enabling this
setting has no impact on detection of egress traffic to ChatGPT as long as Non-File
Based Match Criteria is enabled.
STEP 7 | Create a Shared Profile Group for the Enterprise DLP data filtering profile.
1. Select Manage > Configuration > Security Services > Profile Groups and Add Profile
Group.
2. Enter a descriptive Name for the Profile Group.
3. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
4. Add any other additional profiles as needed.
5. Save the profile group.
Alternatively, you can select Manage > Configuration > Web Security to create or
add ChatGPT to a Web Security Policy. You can skip this step if you create a Web
Security Policy for ChatGPT.
1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
You can also update an existing Security policy to attach a Profile Group for Enterprise
DLP filtering.
2. In the Applications, Services, and URLs section, Add Applications to search for and select
openai-chatgpt.
3. Navigate to the Action and Advanced Inspection section, and select the Profile Group
you created in the previous step.
The Action you specify in the data profile determines whether egress traffic to ChatGPT is blocked. The Security policy rule Action does not affect whether matched traffic is blocked.
For example, if you configure the data filtering profile to Block matching egress traffic but set the Security policy rule Action to Allow, the matching egress traffic to ChatGPT is still blocked.
5. Save the Security policy.
Support for non-file based HTTP/2 traffic inspection is required to successfully prevent
exfiltration to ChatGPT. Your Cloud Management tenant must be running Software
Version 10.2.3 or later release.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Data Transfer and Enable Non-File Inspection.
STEP 3 | Select Manage > Configuration > Security Services > Decryption and create the decryption
profile and policy rule required to enable Enterprise DLP on Cloud Management.
Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect
egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN)
headers from decrypted traffic.
STEP 5 | Create a data profile on Cloud Management or use an existing data profile.
• Create a Data Profile on Cloud Management
• Create a Data Profile with EDM Data Sets on Cloud Management
• Create a Data Profile with Data Patterns and EDM Data Sets on Cloud Management
• Create a Data Profile with Nested Data Profiles on Cloud Management
STEP 6 | Select Manage > Configuration > Security Services > Data Loss Prevention > DLP Rules and
in the Actions column, Edit the DLP rule.
1. Enable Non-File Based Match Criteria.
DLP rules configured for non-file detection are required to prevent exfiltration of
sensitive data to ChatGPT. You can further modify the DLP rule to enforce your
organization’s data security standards. The DLP rule has an identical name as the data
profile from which it was automatically created.
You can keep File Based Matched Criteria enabled or disable as needed. Enabling this
setting has no impact on detection of egress traffic to ChatGPT as long as Non-File
Based Match Criteria is enabled.
STEP 7 | Select Manage > Configuration > Security Services > SaaS Security > Discovered Apps >
Policy Recommendations to create a Security policy rule recommendation.
A SaaS policy rule recommendation is required to leverage the Enterprise Data Loss
Prevention (E-DLP) data profile in SaaS Security.
1. In the Select Applications section, search for and select ChatGPT.
2. In the Data Profile section, search for and select the data profile you enabled in the
previous step.
3. Configure the policy rule recommendation as needed.
4. Save.
Support for non-file based HTTP/2 traffic inspection is required to successfully prevent
exfiltration to ChatGPT. You must upgrade Panorama and all managed firewalls to PAN-
OS 10.2.3 or later release. Additionally, you must upgrade the Panorama plugin for
Enterprise DLP to 3.0.2 or later release.
STEP 1 | Upgrade Panorama, managed firewalls, and the Enterprise DLP plugin to the minimum
required versions.
1. Upgrade Panorama to PAN-OS 10.2.3 or later release.
2. Upgrade the Enterprise DLP plugin to 3.0.2 or later release.
3. Upgrade managed firewalls to PAN-OS 10.2.3 or later release.
STEP 3 | Create the decryption policy rule required for Enterprise DLP.
1. Select Objects > Decryption > Decryption Profile and specify the Device Group.
Add a new decryption profile. The default decryption profile configuration is all that is
required for Enterprise DLP to inspect traffic.
Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot
inspect egress traffic to ChatGPT if you remove application-layer protocol
negotiation (ALPN) headers from decrypted traffic.
2. Select Policies > Decryption and specify the Device Group.
Add a new decryption policy rule. Select Options and assign the decryption profile.
1. For the Action, select Decrypt.
2. Select the Decryption Profile you created.
3. Click OK.
The Action you specify in the data filtering profile determines whether egress
traffic to ChatGPT is blocked. The Security policy rule Action does not impact
whether matched traffic is blocked.
For example, if you configured the data filtering profile to Block matching egress
traffic but configure the Security policy rule Action to Allow, the matching
egress traffic to ChatGPT will be blocked.
7. Click OK.
STEP 7 | Commit and push your configuration changes to your managed firewalls that are using
Enterprise DLP.
The Commit and Push command isn't recommended for Enterprise DLP configuration
changes. Using the Commit and Push command requires the additional and
unnecessary overhead of manually selecting the impacted templates and managed
firewalls in the Push Scope Selection.
Using IDM for detection of sensitive data is powerful because it enables Enterprise DLP to
continuously improve its detection capabilities by indexing unstructured text in your documents.
Examples of different types of custom documents where IDM can be successfully applied are:
• Standardized forms or documents specific to your business or organization
• Patent documents
• Specific business agreements
• Specific intellectual property documents
Custom document templates are less effective if the uploaded custom documents are too generic or
not specific to your organization, such as:
• Generic whitepapers
• Generic datasheets
• Image or graphic-heavy documents with little text.
For example, your organization both buys and sells software. You want to only detect instances
of sensitive customer data contained in invoices for software that you sell. In this case, you can
upload a copy of your organization's invoice as a custom document template for fingerprinting.
However, custom document templates will be less effective if you want to detect receipts
for software your organization purchases. This is because there is too much variance in format
between the various software vendors your organization purchases from. Greater document
variance results in less accurate detection of matched traffic.
The predefined document templates listed below were originally predefined ML-based
data patterns. If you have data profiles using any of the following predefined document
templates converted from ML-based data patterns:
• All existing data profile inspection will continue to function as expected.
• All basic data profiles referencing the converted predefined ML-based data patterns
listed below should be recreated to detect the predefined document templates.
A basic data profile is a data profile that includes only data pattern match criteria.
Basic data profiles cannot be edited and must be recreated.
• All advanced data profiles referencing the converted predefined ML-based data
patterns should be edited to reference the appropriate predefined document
template instead of the predefined ML-based data pattern.
An advanced data profile is a data profile that includes any combination of data
pattern, EDM, and document template match criteria.
STEP 5 | In Document Types, verify that your custom document successfully uploaded to Enterprise
DLP.
To quickly find the document, you can search for the custom document Name. After you have
located the custom document, confirm the Status is Completed.
STEP 4 | Search for the custom document template you want to test and expand the Actions to
Test the custom document template.
STEP 5 | Browse Files and select the documents you want to test against the custom document
template.
You can test up to five documents at once. Documents must be one of the file types supported
by Enterprise DLP.
The Overlapping Score is displayed for each of the documents you tested. The
overlapping score represents how much content in the tested document matches the custom
document template. A score of 0 represents no commonalities between the test document and
the custom document template. A score of 100 represents a near-total match between the
test document and the custom document template.
A custom document template cannot be deleted after it's added to a data profile. You
must remove the custom document template from the data profile to delete it from
Enterprise DLP.
STEP 6 | (Optional) Configure the Secondary Rule for the data profile.
Data pattern match criteria added to the Secondary Rule block all traffic that meets
the match criteria for the data pattern conditions. If you want to allow traffic that
matches a data pattern match criteria, add it to the Primary Rule.
STEP 7 | Create a Security policy rule and associate the data profile.
• Prisma Access (Cloud Management)—Modify a DLP Rule for Prisma Access on Cloud
Management
• SaaS Security—Create a SaaS Security Policy Recommendation to Leverage Enterprise DLP
Email DLP
Enterprise DLP prevents exfiltration of emails containing sensitive information with AI/ML
powered data detections. For example, Enterprise DLP can prevent exfiltration of sensitive data
over an outbound email sent from a salesperson within your organization to their personal email.
• How Does Email DLP Work?
• Activate Email DLP
• Onboard Microsoft Exchange Online
• Add an Enterprise DLP Email Policy
• Review Email DLP Incidents
6. Microsoft Exchange sends the email to the intended recipient if it is allowed.
An email is allowed if Enterprise DLP did not detect any sensitive data or if the email was
quarantined and approved.
What Microsoft Exchange Online Licenses are Required for Email DLP?
Email DLP supports any Microsoft Exchange Online license, including Microsoft 365 Defender,
Microsoft 365, and Office 365 E5 licenses for inline inspection of outbound emails using
Enterprise DLP.
The type of Microsoft Exchange Online license you have activated determines the supported Email
DLP functionality available to your Microsoft Exchange Online deployment.
The MSDN license is not supported for Email DLP. MSDN does not support the use of
inbound connectors to route emails, which is required for Enterprise DLP to forward
outbound emails back to Microsoft Exchange after inspection.
• CASB and CASB-X—After you purchase Email DLP, activation occurs by default when you
activate your CASB-X license through Common Services.
Verify that Email DLP is included in the list of Add-Ons.
Before you begin connecting Microsoft Exchange to Enterprise DLP, ensure that the admin
performing the connection has at least Email Administrator access for Microsoft
Exchange. This is required to allow Enterprise DLP API access to Microsoft Exchange.
STEP 1 | (Best Practices) Confirm that Active Directory is properly configured so email senders have a
manager to approve or reject quarantined emails.
Microsoft Exchange Active Directory is required to assign a manager to a sender. You can
create a transport rule to quarantine and send the email for approval by the sender's manager.
To successfully quarantine a sender's email if sensitive data is detected by Enterprise DLP, a
sender must have a manager assigned.
If no manager is assigned to a user, then the quarantined email is sent to the recipient because
no manager is assigned to approve or reject the email.
STEP 2 | (Best Practices) Save Evidence for Investigative Analysis with Enterprise DLP.
Palo Alto Networks recommends configuring evidence storage so you can download emails for
investigative analysis when you review Email DLP incidents.
STEP 6 | Select Manage > Configuration > SaaS Security > Settings > Apps Onboarding.
STEP 9 | In the Setup Connectors and Rules page, click Continue to Next Section since you
have already configured the outbound connector, inbound connector, and transport rules.
STEP 10 | In the Configure Smart Host page, add the email domains and relay hosts.
Adding one or more email domains and relay hosts is required to ensure emails inspected by
Enterprise DLP are successfully forwarded back to Microsoft Exchange.
1. Enter an Email Domain and its corresponding Relay Host you obtained in the previous
step.
Obtain Your Microsoft Exchange Domain and Relay Host if you don't have the Microsoft
Exchange email domain and relay host immediately available.
2. (Optional) Add any additional email domains and relay hosts as needed.
3. Connect.
STEP 2 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
Connector wizard.
STEP 5 | To specify when the connector should be used, select Only when I have a transport rule set
up that redirects messages to this connector and click Next.
Using the connector only when a transport rule exists enables fine-grained control of what
action to take when an email contains sensitive data. By selecting this option, Microsoft Exchange
enforces action on emails based on the action specified in the Enterprise DLP data profile.
STEP 6 | To configure the route settings for emails, check (enable) Route email through these smart
hosts to add the following smart host Fully Qualified Domain Name (FQDN) and click Next.
The FQDN specifies the region where emails are forwarded to the DLP cloud service for
inspection and verdict rendering. This also generates and displays Email DLP incidents in
the specified region. All processes and data related to Email DLP occur and are stored in this
region.
• United States—mail.us-west1.email.dlp.paloaltonetworks.com
• Europe—mail.europe-west3.email.dlp.paloaltonetworks.com
• APAC—mail.asia-southeast1.email.dlp.paloaltonetworks.com
mail.us-west1.email.dlp.paloaltonetworks.com
• Europe—mail.europe-west3.email.dlp.paloaltonetworks.com
• APAC—mail.asia-southeast1.email.dlp.paloaltonetworks.com
4. Click Next.
It is expected that the following errors occur when adding the validation email.
• Validation failed error is displayed.
• The Send test email validation test status displays Failed.
These do not prevent you from creating the outbound connector and do not
impact email forwarding to Enterprise DLP.
4. Click Done.
5. When prompted to confirm whether to proceed without successful validation, click Yes,
proceed.
STEP 10 | Back in the Connectors page, verify the outbound connector is displayed and that the
Status is On.
STEP 2 | Select Mail flow > Connectors and Add a connector to launch the Microsoft Exchange
Connector wizard.
STEP 5 | Specify the authentication IP addresses that Microsoft Exchange uses to verify Enterprise
DLP.
The authentication IP addresses are required so that Enterprise DLP can forward emails back
to Microsoft Exchange.
1. Select By verifying that the IP address of the sending server matches one of the
following IP addresses, which belong to your partner organization.
2. Add the following IP addresses.
34.168.197.200
34.83.143.116
STEP 7 | Back in the Connectors page, verify the inbound connector is displayed and that the Status
is On.
STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.
3. Specify Microsoft Exchange Connector you created as the transport target for email
inspection.
1. For Do the following, select redirect the message to.
2. For the transport target, select the following connector. When prompted, select the
outbound connector.
Click Save to continue.
4. Add an exception for emails that exceed the maximum message size supported by
Enterprise DLP.
Enterprise DLP supports inspection of email messages up to 20 MB in size. Larger email
messages are not supported and should not be forwarded to Enterprise DLP.
1. In the Except If field, select The message.
2. Select size is greater than or equal to. When prompted, enter the following
maximum-supported message size KB:
20480
5. Add an exception for emails that were already inspected by Enterprise DLP.
1. In the Except if condition, click the add symbol to add a new Or condition.
STEP 6 | Review the email transport rule configuration and click Finish.
Click Done when prompted that the email transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.
Microsoft supports email approvals on the web browser-based Microsoft Exchange only.
Approving or rejecting emails on the Microsoft Exchange mobile application or desktop
client is not supported.
STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.
x-panw-action
quarantine
3. Specify the action Microsoft Exchange takes when an email header includes the
quarantine header added by Enterprise DLP.
1. For Do the following, select Redirect the message to.
2. Select hosted quarantine.
STEP 6 | Review the quarantine transport rule configuration and click Finish.
Click Done when prompted that the quarantine transport rule was successfully created. You
are redirected back to the Microsoft Exchange Rules page.
STEP 8 | An email administrator must review and approve or reject quarantined emails forwarded to
the hosted quarantine mailbox.
Microsoft supports email approvals on the web browser-based Microsoft Exchange only.
Approving or rejecting emails on the Microsoft Exchange mobile application or desktop
client is not supported.
STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.
x-panw-action
fwd_to_admin
3. Specify the action Microsoft Exchange takes when an email header includes the header
added by Enterprise DLP.
1. For Do the following, select Forward the message for approval.
2. Select to these people.
STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.
x-panw-action
fwd_to_manager
3. Specify the action Microsoft Exchange takes when an email header includes the header
added by Enterprise DLP.
the email. Any future emails with this header already included will not be forwarded to Enterprise
DLP again. Instead, Microsoft Exchange will take the action specified in the encrypt transport rule.
STEP 1 | Log in to the Microsoft Exchange Admin Center.
STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.
x-panw-action
encrypt
3. Specify the action Microsoft Exchange takes when an email header includes the encrypt
header added by Enterprise DLP.
1. For Do the following, select Modify the message security.
2. Select Apply Office 365 Message Encryption and rights protection.
3. Select the RMS template you want to use for outbound email encryption and Save.
STEP 6 | Review the encrypt transport rule configuration and click Finish.
Click Done when prompted that the encrypt transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.
STEP 3 | Select Mail flow > Rules > Add a rule > Create a new rule to create a new email transport
rule.
x-panw-action
block
3. Specify the action Microsoft Exchange takes when an email header includes the Block
header added by Enterprise DLP.
1. For Do the following, select Block the message.
2. Select reject the message and include an explanation. When prompted, enter the
explanation for why the email was blocked.
This is the response members of your organization receive when an outbound email is
blocked.
Click Save to continue.
STEP 6 | Review the Block transport rule configuration and click Finish.
Click Done when prompted that the Block transport rule was successfully created. You are
redirected back to the Microsoft Exchange Rules page.
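As an added example (not from the guide or from Palo Alto Networks), the connectors and the transport rules from the Email DLP onboarding steps above, expressed in Exchange Online PowerShell rather than Exchange Admin Center clicks: the outbound and inbound connectors, the x-panw-action verdict rules (quarantine, fwd_to_admin, fwd_to_manager, encrypt, block), and the inspection rule with its 20480 KB size exception and its already-inspected exception. It assumes an authenticated Connect-ExchangeOnline session; the connector and rule names, the approver mailbox, the RMS template name, the rejection text and the external-recipient scope are constructed values that the guide does not specify.

```powershell
# Added example, not from the Enterprise DLP guide. Assumes Connect-ExchangeOnline
# has already been run. Constructed values (not from the guide) are marked below.
$SmartHost     = 'mail.us-west1.email.dlp.paloaltonetworks.com'   # US smart host listed in the guide
$DlpSourceIPs  = '34.168.197.200', '34.83.143.116'                # inbound authentication IPs from the guide
$AdminApprover = 'dlp-approver@example.com'                        # constructed approver mailbox
$RmsTemplate   = 'Encrypt'                                         # constructed; list yours with Get-RMSTemplate
$RejectText    = 'Blocked: this message contains sensitive data that may not leave the organization by email.'

# Outbound connector: used only when a transport rule redirects mail to it
# ("Only when I have a transport rule set up that redirects messages to this connector").
New-OutboundConnector -Name 'Enterprise DLP Outbound' -ConnectorType Partner `
    -UseMXRecord $false -SmartHosts $SmartHost -IsTransportRuleScoped $true

# Inbound connector: accept inspected mail back only from the Enterprise DLP source
# addresses ("By verifying that the IP address of the sending server matches ...").
New-InboundConnector -Name 'Enterprise DLP Inbound' -ConnectorType Partner `
    -SenderDomains '*' -SenderIPAddresses $DlpSourceIPs -RestrictDomainsToIPAddresses $true

# Verdict rules: Enterprise DLP stamps x-panw-action on the returned message and
# Exchange acts on its value. One rule per header value, matching the guide's actions.
New-TransportRule -Name 'DLP verdict - quarantine' `
    -HeaderContainsMessageHeader 'x-panw-action' -HeaderContainsWords 'quarantine' `
    -Quarantine $true                             # Redirect the message to > hosted quarantine

New-TransportRule -Name 'DLP verdict - forward to admin' `
    -HeaderContainsMessageHeader 'x-panw-action' -HeaderContainsWords 'fwd_to_admin' `
    -ModerateMessageByUser $AdminApprover         # Forward the message for approval > to these people

New-TransportRule -Name 'DLP verdict - forward to manager' `
    -HeaderContainsMessageHeader 'x-panw-action' -HeaderContainsWords 'fwd_to_manager' `
    -ModerateMessageByManager $true               # approval by the sender's manager from Active Directory

New-TransportRule -Name 'DLP verdict - encrypt' `
    -HeaderContainsMessageHeader 'x-panw-action' -HeaderContainsWords 'encrypt' `
    -ApplyRightsProtectionTemplate $RmsTemplate   # Modify the message security > apply OME template

New-TransportRule -Name 'DLP verdict - block' `
    -HeaderContainsMessageHeader 'x-panw-action' -HeaderContainsWords 'block' `
    -RejectMessageReasonText $RejectText          # Block the message > reject with an explanation

# Inspection rule: route outbound mail through the connector, except messages above the
# 20 MB (20480 KB) limit and messages that already carry an x-panw-action header, which
# Enterprise DLP has inspected and which must not loop back for a second inspection.
# Scoping to external recipients is an assumption; the guide does not state the condition.
New-TransportRule -Name 'DLP inspect outbound' `
    -SentToScope NotInOrganization `
    -RouteMessageOutboundConnector 'Enterprise DLP Outbound' `
    -ExceptIfMessageSizeOver '20480KB' `
    -ExceptIfHeaderMatchesMessageHeader 'x-panw-action' -ExceptIfHeaderMatchesPatterns '.+'

# Check, as the guide asks: connectors and rules exist and are On / Enabled.
Get-OutboundConnector 'Enterprise DLP Outbound' | Format-Table Name, Enabled, SmartHosts
Get-InboundConnector  'Enterprise DLP Inbound'  | Format-Table Name, Enabled, SenderIPAddresses
Get-TransportRule | Where-Object Name -like 'DLP*' | Format-Table Name, State, Priority
```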
STEP 2 | Select Policies > Data loss prevention > Policies and Create policy.
STEP 5 | For the Assign admin units, leave the default Full directory and click Next.
STEP 6 | When you Choose location to apply the policy, verify that the Exchange email
Status is On.
Set the Status to Off for all other locations and click Next.
STEP 7 | To Define policy settings, select Create or customize advanced DLP rules and click
Next.
You are redirected to the Customize advanced DLP rules page, where you create the sender alert
policy rule for the hosted quarantine transport rule.
STEP 8 | Create the Email DLP sender alert policy rule when an email is sent to hosted quarantine.
1. Create rule.
2. Enter a Name and Description.
3. In Conditions, select Add condition > Header contains words or phrases.
4. In the Enter header name field, enter x-panw-action.
5. In the Enter words and then click 'Add' field, enter quarantine.
6. Add.
STEP 9 | For the Policy mode, select Turn it on right away and click Next.
STEP 10 | Review the Email DLP sender alert policy and Submit.
Click Done when prompted that the new policy was successfully created.
STEP 11 | Back in the Policies, verify that the Email DLP sender alert policy is displayed and that the
Status is On.
STEP 3 | Make note of the Microsoft Exchange domains listed in the Domain name list.
Enterprise DLP supports inline inspection of emails from multiple domains. If you use multiple
Microsoft Exchange domains, make note of all email domains for which you want inline
inspection of emails.
STEP 4 | Obtain the relay host for the Microsoft Exchange domain.
Repeat this step for all Microsoft Exchange domains you want to connect to Enterprise DLP.
1. Click the Microsoft Exchange domain.
2. Select DNS records.
3. In the Microsoft Exchange section, locate the MX record.
The Value column for the MX record lists the relay host for the domain. An example of
a relay host is shown below.
The MX record displays a 0 before the relay host. This character is not required
to connect Microsoft Exchange to Enterprise DLP.
Enterprise DLP supports inspection and detection of documents containing sensitive data
that are attached to an email. Enterprise DLP does not support inspection of document
links.
STEP 2 | (Optional) Create custom data patterns and data profiles to specify custom match criteria.
Skip this step if you want to use the predefined Enterprise DLP data profiles available by
default.
1. Create custom data patterns and custom document templates on Cloud Management.
2. Create a data profile on Cloud Management.
STEP 3 | Select Manage > Configuration > SaaS Security > Data Security > Policies > Email DLP
Policies and Add Policy.
match what you have configured. In this instance, Enterprise DLP does not take action if the
Recipient Email Domain is yahoo.com.
1. Configure the email sender conditions.
To configure the email sender conditions you must specify whether the conditions are
inclusive or exclusive of the specified email domains, user groups, or specific users.
• Is one of—Inclusion condition to evaluate emails sent from an email associated with
the selected email domains, user groups, or specified users against the data profile
specified in the DLP email policy.
Any emails that are not a part of the selected email domains, user groups, or specified
users are not evaluated against the data profile associated with the DLP email policy.
• Is not one of—Exclusion condition to evaluate emails sent from an email not
associated with the selected email domains, user groups, or specified users against
the data profile specified in the DLP email policy.
Any emails that are part of the selected email domains, user groups, or specified users
are not evaluated against the data profile associated with the DLP email policy.
1. Specify the Sender Email Domain condition and select one or more email domains.
The sender email domains available to select are those you added when you
connected Microsoft Exchange and Enterprise DLP.
2. Specify the Sender User Group condition and select one or more user groups.
The sender user groups are obtained from your Client Identity Engine (CIE)
configuration. Skip this step if you do not have CIE active on Cloud Management.
3. Specify the Sender User condition and enter an email.
Click add to include additional sender emails.
2. Configure the email recipient conditions.
To configure the email recipient conditions, you must specify whether the conditions are
inclusive or exclusive of the specified email domains or specific users.
• Is one of—Inclusion condition to evaluate emails to be received by an email associated
with the selected email domains or specified users against the data profile specified in
the DLP email policy.
Any emails that are not a part of the selected email domains or specified users are not
evaluated against the data profile associated with the DLP email policy.
• Is not one of—Exclusion condition to evaluate emails to be received by an email not
associated with the selected email domains or specified users against the data profile
specified in the DLP email policy.
Any emails that are part of the selected email domains or specified users are not
evaluated against the data profile associated with the DLP email policy.
1. Specify the Recipient Email Domain condition and enter a valid email domain.
Enterprise DLP supports all valid email domains. The email domain is the web
address that follows the @ symbol in an email address. For example, gmail.com or
yahoo.com.
Independent review is required by the sender's manager before the email is allowed
to leave your organization's network.
The action Microsoft Exchange takes on a Forward email for approval
by end user's manager verdict rendered by Enterprise DLP is based on the
manager approval transport rule you created.
• Forward email for approval admin—Outbound email is transported back to Microsoft
Exchange and sent to the specified email admin for approval. Independent review is
required by the specified email administrator before the email is allowed to leave your
organization's network.
The action Microsoft Exchange takes on a Forward email for approval
admin verdict rendered by Enterprise DLP is based on the admin approval
transport rule you created.
• Encrypt—Outbound email is allowed to leave your organization and is transported
back to Microsoft Exchange to be encrypted before continuing its path to the
intended recipient.
The action Microsoft Exchange takes on an Encrypt verdict rendered by Enterprise
DLP is based on the encrypt transport rule you created.
2. (Optional) Automatically assign an Incident Assignee when Enterprise DLP renders a
Block or Quarantine verdict on matching traffic.
Strengthen your security posture by assigning an incident assignee to follow up on and
resolve events where Enterprise DLP detects outbound emails that contain sensitive
information.
3. (Optional) Add emails to send Notifications to receive alerts when Enterprise DLP
renders Block or Quarantine verdicts on inspected outbound traffic.
Click add to include additional emails to receive notifications.
STEP 2 | Select Manage > Configuration > SaaS Security > Data Security > Incidents > Email DLP
Incidents.
STEP 4 | Click the Email DLP incident Subject to view the Incident Details.
• The From and To fields display the email sender and recipient for the email that generated
the DLP incident.
• The Email content field allows you to download the email in .eml format.
To successfully download an email, you must have configured evidence storage before the
outbound email was inspected by Enterprise DLP. Emails of existing Email DLP incidents
cannot be downloaded if you configure evidence storage after the Email DLP incident
occurred.
• The Matching Data Patterns field shows snippets of the sensitive data Enterprise DLP
detected and the data pattern that it matched.
• The Message ID can be used to create a message trace on Microsoft Exchange Online.
Monitor Enterprise DLP
View the log details, snippets, and Insights for traffic that matches your Enterprise Data Loss
Prevention (E-DLP) data patterns or filtering profiles and check the health of Enterprise DLP cloud
service.
• Monitor DLP Status with the DLP Health and Telemetry App
• View Enterprise DLP Log Details on the DLP App
• Manage Enterprise DLP Incidents on the DLP App
• View Enterprise DLP Audit Logs on the DLP App
• View Enterprise DLP Log Details on Cloud Management
• Manage Enterprise DLP Incidents on Cloud Management
• View Enterprise DLP Audit Logs on Cloud Management
• View Enterprise DLP Log Details on Panorama
• Save Evidence for Investigative Analysis with Enterprise DLP
Access the DLP Health and Telemetry Dashboard on the DLP App
The DLP Health and Telemetry Dashboard is accessible from the Enterprise DLP app on the hub. All
you need is an account administrator role or app administrator role on the hub and a valid
Enterprise DLP license associated with that support account.
STEP 1 | Log in to the hub with your SSO credentials.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Health &
Telemetry.
STEP 1 | Log in to the Enterprise DLP app or Prisma Access (Cloud Management).
STEP 2 | Observe the DLP Service Status and the Last Updated timestamp.
Status | Description
Degraded Experience | DLP services are up and running, but not operating optimally.
STEP 3 | Select a Scan Date and Region to filter the DLP Incidents.
Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
For Panorama and Prisma Access (Panorama Managed), the region is determined by the
currently configured Public Cloud Server. By default, the Enterprise DLP plugin is configured to
resolve to the closest Public Cloud Server to where the inspected traffic originated but you can
configure a static Public Cloud Server.
For cloud management, Enterprise DLP automatically resolves to the closest Public Cloud
Server to where the inspected traffic originated.
When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically
resolve to it if it’s closer to where the inspected traffic originated. For Panorama and
Prisma Access (Panorama Managed), this happens only if you keep the default Public
Cloud Server FQDN. For cloud management, this happens by default.
This might mean that new DLP Incidents generated after the release of a new Public
Cloud Server are generated in a different Region.
STEP 4 | Review the DLP Incidents summary information to help focus your incident investigation.
These lists are updated hourly.
• Top Data Profiles to Investigate—Lists data profiles with the highest number of incidents in
descending order.
• Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified
Domain Names (FQDN) with the highest number of incidents in descending order.
• Sensitive Files by Action—Lists the number of incidents based on the Action taken in
descending order.
STEP 5 | Review the Incidents and click a File name to review a specific incident.
You can filter the DLP incidents by File Name or Report ID to search for a specific incident you
want to review.
STEP 6 | Review the Incident Details to review specific file upload details.
Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID
is used to view additional Traffic log details regarding the DLP incident.
STEP 7 | Review the Matches within Data Profiles to review snippets of matching traffic and the data
patterns that matched the traffic to better understand what data was detected.
For data profiles with nested data profiles created on the DLP app or Cloud
Management, the data profile displayed is the specific nested data profile that
matched the scanned traffic. For example, you create a DataProfile, with the
nested profiles Profile1, Profile2, and Profile3 and scanned traffic matches
the nested Profile2 and is blocked. In this scenario, the data profile displayed for
the incident is Profile2.
• In the snippet, Enterprise DLP masks only the traffic that matched the data pattern's match
criteria. Other sensitive data captured in the snippet is not masked if it does not match the
data pattern for which the snippet is displayed, so a snippet can expose neighbouring sensitive
data; restrict who can view snippets accordingly.
• Data pattern match criteria configured to inspect for Any occurrence of matched traffic
display up to 3 High and 3 Low confidence level matches, if detected.
• Data pattern match criteria configured to inspect for High confidence level matches also
display up to 3 Low confidence level matches, if detected.
• Data pattern match criteria configured to inspect for Low confidence level matches also
display up to 3 High confidence level matches, if detected.
STEP 4 | (Optional) Add New Filter to filter the Enterprise DLP incidents.
STEP 6 | Change Resolution as your team works to resolve the incident that triggered Enterprise DLP
enforcement.
You can select one of the predefined incident resolution statuses or type a new resolution
status and Create Tag.
STEP 7 | For additional auditing and clarity for your team members, you can Edit Notes to provide
further details.
Save after you finish providing the additional information in your notes. The existing note is
overwritten if you save a new note.
Delete the note if no longer needed.
STEP 3 | Select a Scan Date and Region to filter the DLP Incidents.
Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
For Cloud Management, Enterprise DLP automatically resolves to the closest Public Cloud
Server to where the inspected traffic originated.
When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically
resolve to it if it’s closer to where the inspected traffic originated.
This might mean that new DLP Incidents generated after the release of a new Public
Cloud Server are generated in a different Region.
STEP 4 | Review the DLP Incidents summary information to help focus your incident investigation.
These lists are updated hourly.
• Top Data Profiles to Investigate—Lists up to seven data profiles with the highest number of
incidents in descending order.
• Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified
Domain Names (FQDN) with the highest number of incidents in descending order.
• Sensitive Files by Action—Lists the number of incidents based on the Action taken by
Prisma Access (Cloud Management) in descending order.
STEP 5 | Review the Incidents and click a File name to review a specific incident.
You can filter the DLP incidents by File Name or Report ID to search for a specific incident you
want to review.
STEP 6 | Review the Incident Details to review specific file upload details.
Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID
is used to view additional Traffic log details regarding the DLP incident.
STEP 7 | Review the Matches within Data Profiles to review snippets of matching traffic and the data
patterns that matched the traffic to better understand what data was detected.
For data profiles with nested data profiles created on the DLP app or Cloud
Management, the data profile displayed is the specific nested data profile that
matched the scanned traffic. For example, you create a DataProfile, with the
nested profiles Profile1, Profile2, and Profile3 and scanned traffic matches
the nested Profile2 and is blocked. In this scenario, the data profile displayed for
the incident is Profile2.
STEP 8 | Review the file log to learn about the traffic data for the DLP incident.
1. Select Activity > Logs > Log Viewer.
2. From the Firewall drop-down, select File.
3. Filter to view the file log for the DLP incident using the Report ID.
report_id=<report-id>
4. Review the file log to learn more about the traffic data for the DLP incident.
For example, you might want to review the application and source username to better
understand where the DLP incident originated.
STEP 4 | (Optional) Add New Filter to filter the Enterprise DLP incidents.
STEP 6 | Change Resolution as your team works to resolve the incident that triggered Enterprise DLP
enforcement.
You can select one of the predefined incident resolution statuses or type a new resolution
status and Create Tag.
STEP 7 | For additional auditing and clarity for your team members, you can Edit Notes to provide
further details.
Save after you finish providing the additional information in your notes. The existing note is
overwritten if you save a new note.
Delete the note if no longer needed.
STEP 2 | Select Manage > Configuration > Security Services > Data Loss Prevention > Audit Log.
STEP 2 | Select Monitor > Logs > Data Filtering and Filter the data filtering logs by entering
( subtype eq dlp ).
STEP 3 | View more details about the file including file snippets.
1. Click to the left of the specific log entry for which you want to view more details.
2. Select DLP to view the pattern details.
3. Show Snippet to view a snippet of the data that matched the specific data pattern.
For data profiles with nested data profiles created on the DLP app or Cloud
Management, the data profile displayed is the specific nested data profile that
matched the scanned traffic. For example, you create a DataProfile, with
the nested profiles Profile1, Profile2, and Profile3 and scanned traffic
matches the nested Profile2 and is blocked. In this scenario, the data profile
displayed for the incident is Profile2.
Files that are scanned by the DLP cloud service while the DLP app is disconnected from
your storage bucket can’t be stored and are lost. This means that all impacted files aren’t
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.
This procedure assumes you have already set up an SFTP server to save evidence for investigative
analysis.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
Access to evidence storage settings and files on the hub is allowed only for an
account administrator or app administrator roles with a valid Enterprise DLP license
associated with that support account. This is to ensure that only the appropriate users
have access to report data and evidence.
STEP 3 | Select Settings > Sensitive Data and select Configure Bucket > SFTP as the Public Cloud
Storage Bucket.
STEP 5 | Input Bucket Details to configure the SFTP server connection settings.
1. Enter the Username of the SFTP server user used for secure file uploads.
The user is required to have read and write access to the SFTP server.
2. Enter the Private Key for the SFTP server.
This is required to authenticate the SSH connection to the SFTP server. The Private
Key must be a PEM-encoded RSA key that includes both the BEGIN RSA PRIVATE KEY and
END RSA PRIVATE KEY lines.
3. (Optional) Enter the public PGP Key to sign and encrypt files uploaded to the SFTP
server.
Pretty Good Privacy (PGP) is an encryption program providing privacy and
authentication for data communication, and used for signing, encrypting, and decrypting
files. Paste the ASCII-armored public key, including both the BEGIN PGP PUBLIC KEY
BLOCK and END PGP PUBLIC KEY BLOCK lines. Never paste a PGP private key here.
Path on your SFTP server. Connectivity between the DLP cloud service and your SFTP server
is successful if DLP cloud service successfully uploads the test file.
The Connection Status displays whether the initial connection test was successful. Continue to
the next step when the Bucket connected successfully.
Click Previous if the connection isn’t successful to modify the SFTP server and connection
settings as needed.
bucket connection settings on Cloud Management. This email is sent out every 48 hours until the
connection is restored.
Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage bucket can’t be stored and are lost. This means that all impacted files
aren’t available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management on the hub.
File storage automatically resumes after the connection status is restored.
This procedure assumes you have already set up an SFTP server to save evidence for investigative
analysis.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
Access to evidence storage settings and files on Cloud Management is allowed only for
an account administrator or app administrator role with Enterprise DLP read and
write privileges. This is to ensure that only the appropriate users have access to report
data and evidence.
STEP 3 | Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data and select Configure Bucket > SFTP as the Public Cloud Storage Bucket.
STEP 5 | Input Bucket Details to configure the SFTP server connection settings.
1. Enter the Username of the SFTP server user used for secure file uploads.
The user is required to have read and write access to the SFTP server.
2. Enter the Private Key for the SFTP server.
This is required to authenticate the SSH connection to the SFTP server. The Private
Key must be a PEM-encoded RSA key that includes both the BEGIN RSA PRIVATE KEY and
END RSA PRIVATE KEY lines.
3. (Optional) Enter the public PGP Key to sign and encrypt files uploaded to the SFTP
server.
Pretty Good Privacy (PGP) is an encryption program providing privacy and
authentication for data communication, and used for signing, encrypting, and decrypting
files. Paste the ASCII-armored public key, including both the BEGIN PGP PUBLIC KEY
BLOCK and END PGP PUBLIC KEY BLOCK lines. Never paste a PGP private key here.
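Both key fields accept pasted text, and the only feedback the connection test gives is that the upload failed, so it pays to validate the material before pasting it. The following is an added example and not code from the guide or from Palo Alto Networks: a Python pre-flight check that confirms the SFTP private key is a PEM-armored RSA key (not an OpenSSH-format key, which needs re-exporting with ssh-keygen -m PEM, and not a passphrase-protected key) and that the optional PGP key is a public key block rather than a private one. The sample keys are constructed placeholders with dummy bodies. The assumption that the key must be unencrypted follows from the bucket settings listed above, which offer no passphrase field.

```python
import re

# Armor lines the Enterprise DLP bucket settings expect (from the guide): a PEM RSA
# private key for SSH authentication and, optionally, an ASCII-armored PGP public key.
RSA_PEM_BEGIN = "-----BEGIN RSA PRIVATE KEY-----"
RSA_PEM_END = "-----END RSA PRIVATE KEY-----"
PGP_PUB_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
PGP_PUB_END = "-----END PGP PUBLIC KEY BLOCK-----"

B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _armor_lines(text: str) -> list[str]:
    """Split pasted key text into stripped, non-empty lines."""
    return [ln.strip() for ln in text.strip().splitlines() if ln.strip()]


def check_sftp_private_key(text: str) -> list[str]:
    """Return a list of problems; an empty list means the key can be pasted as-is."""
    problems: list[str] = []
    lines = _armor_lines(text)
    if not lines:
        return ["empty key"]
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in lines:
        # Default output of newer ssh-keygen; convert with `ssh-keygen -p -m PEM -f <keyfile>`.
        problems.append("OpenSSH-format key; re-export as PEM (ssh-keygen -m PEM)")
    if lines[0] != RSA_PEM_BEGIN:
        problems.append(f"first line must be {RSA_PEM_BEGIN}")
    if lines[-1] != RSA_PEM_END:
        problems.append(f"last line must be {RSA_PEM_END}")
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines):
        # Assumption: the bucket settings offer no passphrase field, so the key must be unencrypted.
        problems.append("passphrase-protected key; supply an unencrypted PEM key")
    body = [ln for ln in lines[1:-1] if ":" not in ln]  # skip Proc-Type:/DEK-Info: headers
    if not body or not all(B64_LINE.match(ln) for ln in body):
        problems.append("key body is not base64")
    return problems


def check_pgp_public_key(text: str) -> list[str]:
    """Return a list of problems; the PGP key must be the *public* key block."""
    problems: list[str] = []
    lines = _armor_lines(text)
    if not lines:
        return ["empty key"]
    if any("PGP PRIVATE KEY BLOCK" in ln for ln in lines):
        problems.append("this is a PGP private key; export the public key (gpg --armor --export <key-id>)")
    if lines[0] != PGP_PUB_BEGIN:
        problems.append(f"first line must be {PGP_PUB_BEGIN}")
    if lines[-1] != PGP_PUB_END:
        problems.append(f"last line must be {PGP_PUB_END}")
    return problems


# Constructed samples with dummy bodies; they are not real keys.
SAMPLE_RSA_PEM = "\n".join([RSA_PEM_BEGIN, "MIIEowIBAAKCAQEAdummy", "keybodyplaceholder==", RSA_PEM_END])
SAMPLE_OPENSSH_KEY = "\n".join(["-----BEGIN OPENSSH PRIVATE KEY-----", "b3BlbnNzaC1rZXktdjEAAAAA",
                                "-----END OPENSSH PRIVATE KEY-----"])
SAMPLE_ENCRYPTED_PEM = "\n".join([RSA_PEM_BEGIN, "Proc-Type: 4,ENCRYPTED",
                                  "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF", "",
                                  "MIIEowIBAAKCAQEAdummy", RSA_PEM_END])
SAMPLE_PGP_PUBLIC = "\n".join([PGP_PUB_BEGIN, "", "mQENBFdummyPublicKeyBody", "=abcd", PGP_PUB_END])
SAMPLE_PGP_PRIVATE = "\n".join(["-----BEGIN PGP PRIVATE KEY BLOCK-----", "", "lQOYBFdummy", "=wxyz",
                                "-----END PGP PRIVATE KEY BLOCK-----"])

if __name__ == "__main__":
    for name, key, check in [("sftp key", SAMPLE_RSA_PEM, check_sftp_private_key),
                             ("openssh key", SAMPLE_OPENSSH_KEY, check_sftp_private_key),
                             ("encrypted pem", SAMPLE_ENCRYPTED_PEM, check_sftp_private_key),
                             ("pgp public", SAMPLE_PGP_PUBLIC, check_pgp_public_key),
                             ("pgp private", SAMPLE_PGP_PRIVATE, check_pgp_public_key)]:
        print(name, "->", check(key) or "ok")
```

Run the check against the key files you intend to paste; an empty list for each field means the armor matches what the bucket settings expect. The PGP check deliberately does not parse the key body, since the point is to catch the one mistake that matters most, pasting a private key block into a field that will be stored in a cloud service.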
Path on your SFTP server. Connectivity between the DLP cloud service and your SFTP server
is successful if DLP cloud service successfully uploads the test file.
The Connection Status displays whether the initial connection test was successful. Continue to
the next step when the Bucket connected successfully.
Click Previous if the connection isn’t successful to modify the SFTP server and connection
settings as needed.
To store your files scanned by the DLP cloud service, you must create an S3 storage bucket
and an Identity and Access Management (IAM) role that allows the DLP cloud service to
store files there automatically. Palo Alto Networks provides you with JSON documents containing
the required trust relationship and policy permissions to create the IAM role. Files uploaded to
your S3 storage bucket are automatically named using the unique Report ID for each file. The
Report ID is used to search for and download specific files for more in-depth investigation.
In case of connection issues to your S3 storage bucket due to configuration error or change in
settings on the bucket, an email is automatically generated and sent to the admin that originally
connected the DLP app to the storage bucket and to the user who last modified the storage
bucket connection settings on the DLP app. This email is sent out every 48 hours until the
connection is restored.
Files that are scanned by the DLP cloud service while the DLP app is disconnected from
your storage bucket can't be stored and are lost. This means that all impacted files are not
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full
qualified domain names (FQDN), and IP addresses on your network.
STEP 2 | Create an S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
The bucket does not need public access: the DLP cloud service reaches it through the IAM
role you create in the following steps, so leave Block Public Access enabled on the bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the
Encryption key type.
With SSE-S3, Amazon S3 manages the encryption keys, so no KMS key is needed. If you
want evidence encrypted with a key you control, use the AWS KMS procedure instead.
6. Create bucket.
7. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.
STEP 3 | Locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
1. Log in to the DLP app on the hub.
2. Select Settings > Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Cloud Storage
Bucket.
4. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy. Use
the copy button next to each JSON when you create the IAM role for the S3 storage bucket
in the following steps.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.
7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the DLP app window and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.
If Enterprise DLP can't successfully connect your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.
Files that are scanned by the DLP cloud service while the DLP app is disconnected from
your storage bucket can't be stored and are lost. This means that all impacted files are not
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
STEP 2 | Create an S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
The bucket does not need public access: the DLP cloud service reaches it through the IAM
role you create in the following steps, so leave Block Public Access enabled on the bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select AWS Key Management Service (SSE-
KMS) as the Encryption key type.
6. To specify the AWS KMS key, you can Choose from your AWS KMS keys or you can
Enter AWS key ARN.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation
for more information on creating a new KMS key.
7. Create bucket.
8. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.
STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and
access policy JSONs provided by Palo Alto Networks.
1. Log in to the DLP app on the hub.
2. Select Settings > Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Cloud Storage
Bucket.
4. Toggle KMS Enabled to enable an S3 storage bucket that uses AWS KMS.
5. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy. Use
the copy button next to each JSON when you create the IAM role for the S3 storage bucket
in the following steps.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.
7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the DLP app window and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.
If Enterprise DLP can't successfully connect your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.
Files scanned by the DLP cloud service while the DLP app was disconnected from your
storage account can’t be stored and are lost. This means that all impacted files aren’t
available for download. However, all snippet data is preserved and can still be viewed on
the DLP app on the hub.
File storage automatically resumes after the connection status is restored.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
STEP 3 | (Optional) From the portal menu, select Resource groups and Create a new resource group.
You can also search for resource groups.
A resource group is required to hold the storage account you create next for
storing matched files.
Skip this step if you have an existing resource group that you want to associate with
the storage account.
STEP 4 | From the portal menu, select Storage accounts and Create a new storage account.
You can also search for storage accounts.
STEP 5 | Obtain the App ID, Tenant ID, and blob service endpoint URL.
This information is required to add the Palo Alto Networks Enterprise DLP application to your
Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
• Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
The Palo Alto Networks Enterprise DLP App ID can also be found in the DLP app on the hub
(Settings > Sensitive Data > Configure Bucket > Azure).
1. Obtain your Tenant ID.
   1. From the portal menu, select Azure Active Directory.
      You can also search for azure active directory.
   2. In the Basic Information section, copy the Tenant ID.
2. Obtain the blob service endpoint URL.
   1. From the portal menu, select Storage accounts and select the storage account you
      will use to save files for evidence analysis.
   2. Select Settings > Endpoints and copy the Blob service endpoint URL.
STEP 7 | Configure permissions for the Palo Alto Networks Enterprise DLP application.
1. Select the Palo Alto Networks Enterprise DLP application name.
2. Select Security > Permissions and Grant Admin consent.
3. Select the administrator email in the Microsoft login prompt that is displayed.
4. Accept the permissions request to allow the Palo Alto Networks Enterprise DLP
application to view your Azure storage accounts.
It might take a few minutes for the permissions to be successfully granted to the Palo
Alto Networks Enterprise DLP application.
You still need to grant the Palo Alto Networks Enterprise DLP application permission to
write to a specific storage account.
5. Verify that the Azure Storage and Microsoft Graph API names are displayed in
the Admin consent section.
6. From the portal menu, select Storage accounts and select the storage account you want
to use to save files for evidence analysis.
7. Select Access Control (IAM) > Add > Add role assignment > Storage Blob Data Owner
and click Next.
Assign the role on this storage account only, so that the application can write evidence
here and nowhere else.
8. Select to assign access to User, group, or service principal and Select members.
9. Search for and select the Palo Alto Networks Enterprise DLP application and Select the
application.
10. Review + assign to allow the Palo Alto Networks Enterprise DLP application to write to
the storage account.
It can take up to 10 minutes for the write permissions to be successfully granted to the
Palo Alto Networks Enterprise DLP application.
Access to evidence storage settings and files on the hub is allowed only for an
account administrator or app administrator roles with a valid Enterprise DLP
license associated with that support account. This is to ensure that only the
appropriate users have access to report data and evidence.
2. Select Settings > Sensitive Data and select Configure Bucket > Azure as the Public
Cloud Storage Bucket.
3. Select Input Bucket Details.
4. Enter Microsoft Azure Tenant ID.
5. Enter the Storage Endpoint.
This is the blob service endpoint URL that you gathered for the storage account.
6. Connect the storage account and the DLP cloud service.
7. View the Connection Status to verify that the DLP cloud service successfully connected
to the storage account.
Save if the DLP app can successfully connect to your storage account. A
connectiontest file is uploaded to your storage account by the DLP cloud service to
verify connectivity.
If the DLP app can’t successfully connect to your storage account, select Previous and
edit the connection settings.
8. In the DLP Settings, Enable for NGFW to enable evidence storage for Palo Alto
Networks Next-Gen Firewalls (NGFW) and Prisma Access (Panorama Managed).
You can also Enable for Prisma Access from the DLP app if you’re using Enterprise DLP
on Prisma Access (Cloud Management).
You can only enable storage of sensitive files for the platforms for which you have activated
the Enterprise DLP license. For example, you only have the option to enable evidence
storage for Next-Generation Firewalls (NGFW) if you activated the Enterprise DLP
license on Panorama.
Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage bucket can't be stored and are lost. This means that all impacted files
are not available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management.
File storage automatically resumes after the connection status is restored.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
STEP 2 | Create an S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
The bucket does not need public access: the DLP cloud service reaches it through the IAM
role you create in the following steps, so leave Block Public Access enabled on the bucket.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select Amazon S3 managed keys (SSE-S3) as the
Encryption key type.
With SSE-S3, Amazon S3 manages the encryption keys, so no KMS key is needed. If you
want evidence encrypted with a key you control, use the AWS KMS procedure instead.
6. Create bucket.
7. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.
STEP 3 | Locate the trust relationship and access policy JSONs provided by Palo Alto Networks.
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
4. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy. Use
the copy button next to each JSON when you create the IAM role for the S3 storage bucket
in the following steps.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.
7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the Cloud Management Console and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.
If Enterprise DLP can't successfully connect your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.
Configure Cloud Storage on AWS for Cloud Management Using AWS KMS
Amazon Web Services (AWS) users can configure an S3 storage bucket using the AWS Key
Management Service (KMS) to automatically upload all files that match an Enterprise Data Loss
Prevention (E-DLP) data profile for Enterprise DLP deployed on Cloud Management.
To store files scanned by the DLP cloud service, you must create an S3 storage bucket
and an Identity and Access Management (IAM) role that allows the DLP cloud service to
store files automatically. Palo Alto Networks provides you with JSON data containing the
required policy permissions to create the IAM role. Files uploaded to your S3 storage bucket are
automatically named using a unique Report ID for each file. The Report ID is used to search for and
download specific files for more in-depth investigation.
If the connection to your S3 storage bucket fails because of a configuration error or a change in
the bucket settings, an email is automatically generated and sent to the admin who originally
connected Cloud Management to the storage bucket and to the user who last modified the
storage bucket connection settings on Cloud Management. This email is sent every 48 hours
until the connection is restored.
Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage bucket can't be stored and are lost. This means that all impacted files
are not available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management.
File storage automatically resumes after the connection status is restored.
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
STEP 2 | Create a public S3 storage bucket to store files scanned by the Enterprise DLP cloud service.
1. Log in to the Amazon AWS console.
2. Select Services > Storage > S3 > Buckets and Create bucket.
3. Enter a descriptive Bucket name.
4. Select the AWS Region for the S3 storage bucket.
5. In the Default encryption section, select AWS Key Management Service (SSE-
KMS) as the Encryption key type.
6. To specify the AWS KMS key, you can Choose from your AWS KMS keys or you can
Enter AWS key ARN.
You can Create a KMS Key if one does not already exist. Refer to AWS Documentation
for more information on creating a new KMS key.
7. Create bucket.
8. Obtain the ARN for the S3 storage bucket.
After creating the S3 storage bucket, you're redirected back to the Buckets page. Search
for and click the storage bucket you created.
Click Properties. The storage bucket ARN is displayed in the Bucket overview.
STEP 3 | Enable the AWS KMS setting for the storage bucket and locate the trust relationship and
access policy JSONs provided by Palo Alto Networks.
1. Launch the Cloud Management Console.
2. Select Manage > Configuration > Security Services > Data Loss Prevention > Settings >
Sensitive Data.
3. In Evidence Storage, select Configure Bucket > AWS as the Public Storage Bucket.
4. Toggle KMS Enabled to enable an S3 storage bucket using AWS KMS.
5. In Instructions - AWS, locate the trust relationship and access policy JSON provided
to define the trust relationship and access policy between the IAM role and Palo Alto
Networks.
The first JSON provided is the trust relationship and the second is the access policy.
Highlighted are the copy buttons that you will use later on to create the IAM role for the
S3 storage bucket.
Leave the Configure Bucket for Evidence Storage display open and continue
to create the IAM role for the S3 storage bucket in a separate browser window.
7. Click Next.
8. In Add permissions, select Create policy > JSON.
A new window is automatically opened in your browser to create the new access policy.
9. Return to the Cloud Management Console and copy the access policy JSON.
10. In the Amazon AWS console, paste the access policy JSON into the Policy editor.
11. Add the bucket ARN for the S3 storage bucket you created.
Throughout the JSON, you must replace all instances of
bucket_name_to_be_replaced with the S3 storage bucket ARN you created.
If Enterprise DLP can't successfully connect your bucket, select Previous and edit the
bucket connection settings.
8. In the Evidence Storage settings, enable Sensitive Files to enable storage of
sensitive files in the S3 storage bucket.
Files that are scanned by the DLP cloud service while Cloud Management is disconnected
from your storage account can’t be stored and are lost. This means that all impacted
files aren’t available for download. However, all snippet data is preserved and can still be
viewed on Cloud Management.
File storage automatically resumes after the connection status is restored.
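The following Python is an added example, not part of this guide or of any Palo Alto Networks tooling, that checks two of the steps in both the SSE-S3 procedure and the SSE-KMS procedure above before you return to the Cloud Management Console: it substitutes your bucket ARN for every bucket_name_to_be_replaced placeholder in the access policy JSON and confirms that every Resource stays inside that bucket, and it reads the default encryption (AES256 for SSE-S3, aws:kms plus the key ARN for SSE-KMS) out of an `aws s3api get-bucket-encryption` response. The policy template, bucket ARN, key ARN and encryption responses are constructed stand-ins; the real template's statements may differ.

```python
import json
import re

PLACEHOLDER = "bucket_name_to_be_replaced"
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")

# Constructed stand-in for the access policy JSON copied from the console.
POLICY_TEMPLATE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"], "Resource": PLACEHOLDER},
    {"Effect": "Allow", "Action": ["s3:PutObject"], "Resource": PLACEHOLDER + "/*"},
]})

# Constructed `aws s3api get-bucket-encryption` output for SSE-KMS and SSE-S3.
SAMPLE_KMS_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"},
     "BucketKeyEnabled": True}]}}
SAMPLE_S3_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}


def render_access_policy(template, bucket_arn):
    """Replace every placeholder with the bucket ARN and validate the result."""
    if not BUCKET_ARN_RE.match(bucket_arn):
        raise ValueError("expected an S3 bucket ARN, got %r" % bucket_arn)
    rendered = template.replace(PLACEHOLDER, bucket_arn)
    if PLACEHOLDER in rendered:
        raise ValueError("placeholder still present in policy")
    policy = json.loads(rendered)
    for stmt in policy["Statement"]:
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for res in resources:
            # Every resource must be this bucket or objects in it; anything
            # else would give the DLP IAM role access beyond the evidence bucket.
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                raise ValueError("resource outside evidence bucket: " + res)
    return policy


def default_encryption(response):
    """Return (SSEAlgorithm, KMSMasterKeyID or None) from a GetBucketEncryption response."""
    rule = response["ServerSideEncryptionConfiguration"]["Rules"][0]
    default = rule["ApplyServerSideEncryptionByDefault"]
    return default["SSEAlgorithm"], default.get("KMSMasterKeyID")
```

Run `render_access_policy` on the copied template before pasting it into the AWS Policy editor, and compare `default_encryption` against the key you selected in step 5 or 6 before toggling KMS Enabled.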
STEP 1 | Review the Setup Prerequisites for Enterprise DLP and enable the required ports, fully
qualified domain names (FQDN), and IP addresses on your network.
STEP 3 | (Optional) From the portal menu, select Storage groups and Create a new storage group.
You can also search for storage groups.
The storage group is required to associate the storage account you create next for
storing matched files.
Skip this step if you have an existing resource group that you want to associate with
the storage account.
STEP 4 | From the portal menu, select Storage accounts and Create a new storage account.
You can also search for storage accounts.
STEP 5 | Obtain the App-ID, Tenant ID, and blob service endpoint URL.
This information is required to add the Palo Alto Networks Enterprise DLP application to your
Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
• Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
The Palo Alto Networks Enterprise DLP App-ID can be found in the DLP app on the hub
(Settings > Sensitive Data > Configure Bucket > Azure).
1. Obtain your Tenant ID.
1. From the portal menu, select Azure Active Directory.
You can also search for azure active directory.
2. In the Basic Information section, copy the Tenant ID.
2. Obtain the blob service endpoint URL.
1. From the portal menu, select Storage accounts and select the storage account you
will use to save files for evidence analysis.
2. Select Settings > Endpoints and copy the Blob service endpoint URL.
STEP 7 | Configure permissions for the Palo Alto Networks Enterprise DLP application.
1. Select the Palo Alto Networks Enterprise DLP application name.
2. Select Security > Permissions and Grant Admin consent.
3. Select the administrator email in the Microsoft login prompt that is displayed.
4. Accept the permissions request to allow the Palo Alto Networks Enterprise DLP
application to view your Azure storage accounts.
It might take a few minutes for the permissions to be successfully granted to the Palo
Alto Networks Enterprise DLP application.
You still need to grant the Palo Alto Networks Enterprise DLP application permission to
write to a specific storage account.
5. Verify that the Azure Storage and Microsoft Graph API names are displayed in
the Admin consent section.
6. From the portal menu, select Storage accounts and select the storage account you want
to use to save files for evidence analysis.
7. Select Access Control (IAM) > Add > Add Role Assignment > Storage Blob Data Owner
and click Next.
8. Select to assign access to User, group, or service principal and select members.
9. Search and select the Palo Alto Networks Enterprise DLP application and Select the
application.
10. Review + assign to allow the Palo Alto Networks Enterprise DLP application to write to
the storage account.
It can take up to 10 minutes for the write permissions to be successfully granted to the
Palo Alto Networks Enterprise DLP application.
7. View the Connection Status to verify that the DLP cloud service successfully connected
to the storage account.
Select Save if Cloud Management can successfully connect your bucket. A
connectiontest file is uploaded to your storage account by the DLP cloud service to
verify connectivity.
If Cloud Management can’t successfully connect your bucket, select Previous and edit
the bucket connection settings.
8. In the Store Sensitive Files settings, enable storage of sensitive files for Cloud
Management.
data profiles, you can download to your local device any files scanned by the DLP cloud service to
allow for in-depth investigation.
Files scanned by the DLP cloud service while Enterprise DLP is disconnected from your cloud
storage aren’t stored in your cloud storage. This means that all impacted files aren’t available for
download. However, all snippet data is preserved and can still be viewed on the DLP app on the
hub.
STEP 1 | Connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP
if not already connected.
The files available to download are only files scanned by the DLP cloud service after you
successfully connected Enterprise DLP to your cloud storage.
STEP 2 | (AWS and Azure only) Obtain the Report ID for the file you want to download by doing one
of the following:
• Log in to the Amazon AWS console or Microsoft Azure portal and access the storage bucket
you connected to Enterprise DLP. Select Reports and enter a Report ID to Search.
The object Name is the Report ID.
• Log in to the Panorama web interface and select Monitor > Logs > Data Filtering and Filter
the data filtering logs by entering ( subtype eq dlp ). Locate the Report ID column to
obtain the Report ID for the report you want to download.
STEP 5 | Review report summary and click the download button to download the file to your device.
Whether the stored file is downloaded directly to your local device depends on the
storage bucket you connected to Enterprise DLP.
• AWS and Azure—The file associated with the particular report ID is downloaded locally to
your device.
• SFTP Server—Enterprise DLP displays the folder path of the location the file was uploaded
to on your SFTP server. Access your SFTP server to download the file to your local device.
STEP 2 | (AWS and Azure only) Log in to the Amazon AWS console or Microsoft Azure portal and
access the cloud storage you connected to Cloud Management. Select Reports and enter a
Report ID to Search.
The object Name is the Report ID.
STEP 4 | In the Cloud Management Console, select Activity > Logs > DLP Incidents and search for the
Report ID.
STEP 5 | Review report summary and click the download button to download the file to your device.
Whether the stored file is downloaded directly to your local device depends on the
storage bucket you connected to Enterprise DLP.
• AWS and Azure—The file associated with the particular Report ID is downloaded locally to
your device.
• SFTP Server—Cloud Management displays the folder path of the location the file was
uploaded to on your SFTP server. You must access your SFTP server to download the file to
your local device.