Create and Upload an Encrypted EDM Data to Enterprise DLP in Interactive Mode

Table of Contents

Create and Upload an Encrypted EDM Data Set Using a Configuration File

Update an Existing EDM Data Set on Enterprise DLP

Use the Exact Data Matching (EDM) CLI app in Interactive mode to create and upload an EDM data set in CSV or TSV format to Enterprise Data Loss Prevention (E-DLP).

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.

You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager)	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

Upload an encrypted hash Exact Data Matching (EDM) data set to Enterprise DLP using the EDM CLI app in Interactive mode to successfully create an EDM filtering profile. In Interactive Mode, you must specify the EDM data set path for upload and configure the upload parameters directly through the EDM CLI app.

The EDM CLI App first hashes the data set using the SHA256 hash function when you initiate an EDM data set upload. The EDM CLI App then encrypts the EDM data set using AES Symmetric encryption before beginning the EDM data set upload to the Enterprise DLP EDM data set storage bucket. The raw data in your EDM data sets never leave your organization's network, and Enterprise DLP does not store or have access to the raw EDM data set data. Enterprise DLP stores only hashed and encrypted EDM data set data in the EDM data set storage bucket.

Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.

If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.

Enterprise DLP uses the Client ID and Client Secret to authenticate and connect the EDM CLI app to Enterprise DLP.

When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device
Set Up the EDM CLI App.
Review the Supported EDM Data Set Formats and prepare the EDM data set for upload to Enterprise DLP.
Enter Interactive mode in the EDM CLI app to begin the EDM data set upload.
1. Open the terminal and navigate to the package-edm-secure-cli-<version>-<platform> directory where the EDM CLI app is located.
2. Enter Interactive mode in the EDM CLI app.
  Windows
  admin: edm-secure-cli.bat interactive
  Linux
  admin: ./edm-secure-cli.sh interactive
  
  Entering this command begins the interactive upload process for EDM data sets to Enterprise DLP.
Enter the path of the EDM data set for upload.
Enter the delimiter used to specify boundaries between values in the EDM data set.
Enterprise DLP supports the “,” and “tab (t) delimiters for CSV or TSV files. The EDM CLI app uses the delimiter “,” by default. The EDM data set might only use one delimiter.
Enter the EDM data set file encoding method.
Enter the error threshold percentage for the EDM data set.
The EDM CLI app does not create an encrypted version of the EDM data set if it encounters errors exceeding the specified error threshold percentage.
Specify whether the EDM data set has a header row.
Specify whether to allow uploads of EDM data sets that include empty or blank cells.

Enter true to allow rows that include empty or blank cells in an EDM data set.

Enter false to reject rows that include empty or blank cells in an EDM data set.
Specify whether the EDM CLI app should abort the EDM data set upload if the EDM data set includes more than the maximum number of cells supported.

Enter true to upload the maximum number of data set cells supported.

Enter false to abort EDM CLI app if the EDM data set has more than the maximum number of data set cells supported.
Enter the number of columns in your EDM data set.
Accurately map your CSV or TSV columns to the supported data types to allow Enterprise DLP to accurately ingest your EDM data set.
Map your columns using the supported Data Types Value to accurately map each column in your EDM data set to a specific Data Type.
The EMD CLI app presents a table with each Data Type Name and the corresponding Data Type Value. You can also view this table in the README.txt file packaged with the EDM CLI app.

When you create an advanced data profile on Strata Cloud Manager, you’re required to add at least one column where the column values occurs up to 12 times in the selected EDM data set for the Primary Field.
When mapping your columns to a specific Data Type, be sure to include at least one column with up to 12 occurrences across the entire EDM data set. Otherwise, Enterprise DLP is unable to match traffic against the EDM data profile you create using this EDM data set.
Specify whether to upload the EDM data set to Enterprise DLP. Enter y to continue uploading the EDM data set or n to upload the EDM data set later.

Entering n creates a secured copy of the EDM data set in the package-edm-secure-cli-<version>-<platform> directory for you to review.
You can skip the remaining steps below and Upload an Encrypted EDM Data Set to Enterprise DLP later.
Enter y to create a new EDM data set and enter the data set name.

If you enter n and are uploading to Enterprise DLP, you’re still prompted to enter an EDM data set name. This updates the existing EDM data set you previously uploaded to Enterprise DLP.
Specify the authentication mechanism used to upload the EDM data set to Enterprise DLP.
1. When prompted about whether you have access and refresh token, enter n.
  
  Enterprise DLP requires you end the Client ID and Client Secret to upload EDM data sets.
2. Enter the Client ID and Client Secret.
(Proxy server only) When prompted, enter y if the local device from which you’re uploading requires a proxy server to connect to the internet.
You’re required to provide the following information for your proxy server.
- Proxy hostname
- Proxy port number
- Proxy username
- Proxy password
Enter Y or y to confirm the EDM data set upload configuration is correct and begin uploading to Enterprise DLP.

The EDM CLI app creates a secured copy of the EDM data set in the package-edm-secure-cli-<version>-<platform>. In the directory, the EDM CLI app creates a new folder with the name of the EDM data set you appended with the date and time the EDM CLI app created it. This folder contains the encrypted output.zip file of your EDM data set that you uploaded to Enterprise DLP.

The EDM CLI app displays a progress bar and success message to notify you whether the upload is successful.

During the upload process, the EDM CLI app connects to Enterprise DLP to verify that you created the output.zipfile using a supported EDM CLI app version. The upload to Enterprise DLP fails if you created the output.zip file using an unsupported EDM CLI app version.
Monitor the upload status of the EDM data set.
The time it takes for an EDM data set uploaded to DLP cloud service to be available on Strata Cloud Manager depends on the EDM data set size and internet connectivity speed. For example, a 4GB EDM data set upload typically takes about 30 minutes to display on Strata Cloud Manager and be usable in an advanced data profile.
1. Log in to Strata Cloud Manager.
2. Select ManageConfigurationData Loss PreventionDetection MethodsExact Data Matching.
3. The EDM data set upload is complete when the Indexing Status column displays Complete.