Add an Enterprise DLP Email Policy Rule
Add an Enterprise Data Loss Prevention (E-DLP) email policy rule to prevent the exfiltration of sensitive data contained in outbound emails.
Where Can I Use This?
  • SaaS Security

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • SaaS Security license
    Or
  • Any of the following licenses:
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Add and configure an Enterprise Data Loss Prevention (E-DLP) email policy so that Enterprise DLP can prevent the exfiltration of sensitive data contained in outbound emails. The DLP email policy specifies the incident severity and the action Enterprise DLP takes when matching traffic is inspected and sensitive data is detected. Enterprise DLP supports inspection and detection of documents containing sensitive data that are attached to an email. Enterprise DLP does not support inspection of document links.
  1. Log in to Strata Cloud Manager.
  2. (Optional) Create custom data patterns and data profiles to specify custom match criteria.
    Skip this step if you want to use the predefined Enterprise DLP data profiles available by default.
  3. Select Manage > Configuration > SaaS Security > Data Security > Policies > Email DLP Policies and Add Policy.
  4. Configure the Basic Information of the email DLP policy.
    1. Enter a descriptive Name.
    2. Specify the Evaluation Priority of the email DLP policy.
      The Evaluation Priority determines the order in which email DLP policies are evaluated. Select whether the new email DLP policy goes before or after an existing email DLP policy.
    3. For the Email Application, select Microsoft Exchange or Gmail.
    4. Select the Enterprise DLP incident severity for when Enterprise DLP detects matching traffic.
    5. Select the DLP Data Profile to associate with the email DLP policy.
      The DLP data profile you select is used as the traffic match criteria that Enterprise DLP evaluates inspected traffic against. The data profile can be either a predefined data profile or a custom data profile.
    6. Verify that Enable Policy is toggled on.
      This setting is enabled by default when you add a new email DLP policy.
  5. (Optional) Configure the DLP email policy Conditions.
    The DLP email policy conditions determine the email sender and recipient criteria for when inline inspection of email traffic should or should not be performed by Enterprise DLP. The Email DLP policy conditions have an AND relationship: all email sender and recipient Conditions you configure must be met for Enterprise DLP to take action.
    You can configure all or only some of the DLP email policy condition settings as needed. If no email sender or recipient conditions are configured, then all outbound email traffic is inspected by Enterprise DLP and evaluated against the data profile you selected in the previous step.
    For example, you configure the Email DLP policy conditions to inspect only for the yourcompany.com Sender Email Domain and the gmail.com Recipient Email Domain. For Enterprise DLP to take action, the email sender domain and recipient email domain must both match what you have configured. In this instance, Enterprise DLP does not take action if the Recipient Email Domain is yahoo.com.
    1. Configure the email Sender conditions.
      To configure the email sender conditions, you must specify whether the conditions are inclusive or exclusive of the specified email domains, user groups, or specific users.
      • Is one of—Inclusion condition to evaluate emails sent from an email associated with the selected email domains, user groups, or specified users against the data profile specified in the DLP email policy.
        Any emails that are not a part of the selected email domains, user groups, or specified users are not evaluated against the data profile associated with the DLP email policy.
      • Is not one of—Exclusion condition to evaluate emails sent from an email not associated with the selected email domains, user groups, or specified users against the data profile specified in the DLP email policy.
        Any emails that are part of the selected email domains, user groups, or specified users are not evaluated against the data profile associated with the DLP email policy.
      1. Specify the Sender Email Domain condition and select one or more email domains.
        The sender email domains available to select are those you added when you connected Microsoft Exchange or Gmail.
      2. Specify the Sender User Group condition and select one or more user groups.
        The sender user groups are obtained from your Client Identity Engine (CIE) configuration. Skip this step if you do not have CIE active on Strata Cloud Manager.
      3. Specify the Sender User condition and enter an email address.
        Click add to include additional sender emails.
    2. Configure the email Recipient conditions.
      To configure the email recipient conditions, you must specify whether the conditions are inclusive or exclusive of the specified email domains or specific users.
      • Is one of—Inclusion condition to evaluate emails to be received by an email associated with the selected email domains or specified users against the data profile specified in the DLP email policy.
        Any emails that are not a part of the selected email domains or specified users are not evaluated against the data profile associated with the DLP email policy.
      • Is not one of—Exclusion condition to evaluate emails to be received by an email not associated with the selected email domains or specified users against the data profile specified in the DLP email policy.
        Any emails that are part of the selected email domains or specified users are not evaluated against the data profile associated with the DLP email policy.
      1. Specify the Recipient Email Domain condition and enter a valid email domain.
        Enterprise DLP supports all valid email domains. The email domain is the web address that follows the @ symbol in an email address, for example gmail.com or yahoo.com.
        Click add to include additional email domains.
      2. Specify the Recipient User condition and enter an email address.
        Click add to include additional recipient emails.
    3. Configure the email components Enterprise DLP needs to Evaluate.
      Enterprise DLP can inspect and evaluate the Email Subject, Email Body, and Email Attachment(s) as needed. You can select one, two, or all available evaluation criteria. At least one evaluation criterion must be selected to save the Email DLP policy rule.
  6. Configure the DLP email policy Response.
    The DLP email policy response configuration specifies the action Enterprise DLP takes when inspected traffic matches the data profile associated with the policy.
    1. Specify the Action Enterprise DLP takes when inspected traffic matches the data profile associated with the policy.
      • Monitor—Outbound email is allowed to leave your organization to the intended recipient. A DLP incident is generated.
      • Block—Outbound email is blocked from leaving your organization's network.
        The action Microsoft Exchange or Gmail takes on a Block verdict rendered by Enterprise DLP is based on the block transport rule you created.
      • Quarantine—Outbound email is transported back to the email server and quarantined. The email is forwarded to the hosted quarantine spam inbox and requires review by an email administrator before the email is allowed to leave your organization's network.
        The action Microsoft Exchange or Gmail takes on a Quarantine verdict rendered by Enterprise DLP is based on the quarantine transport rule you created.
      • (Microsoft Exchange only) Forward email for approval by end user's manager—Outbound email is transported back to Microsoft Exchange and sent to the sender's manager for approval. Independent review by the sender's manager is required before the email is allowed to leave your organization's network.
        The action Microsoft Exchange takes on a Forward email for approval by end user's manager verdict rendered by Enterprise DLP is based on the transport rule for manager approval you created.
      • (Microsoft Exchange only) Forward email for approval admin—Outbound email is transported back to Microsoft Exchange and sent to the specified email admin for approval. Independent review by the specified email administrator is required before the email is allowed to leave your organization's network.
        The action Microsoft Exchange takes on a Forward email for approval admin verdict rendered by Enterprise DLP is based on the transport rule for admin approval you created.
      • (Microsoft Exchange only) Encrypt—Outbound email is allowed to leave your organization and is transported back to Microsoft Exchange to be encrypted before continuing its path to the intended recipient.
        The action Microsoft Exchange takes on an Encrypt verdict rendered by Enterprise DLP is based on the encrypt transport rule you created.
    2. (Optional) Automatically assign an Incident Assignee when Enterprise DLP renders a Block or Quarantine verdict on matching traffic.
      Strengthen your security posture by assigning an incident assignee to follow up on and resolve events where Enterprise DLP detects outbound emails that contain sensitive information.
    3. (Optional) Add email addresses to send Notifications to, so that those recipients receive alerts when Enterprise DLP renders Block or Quarantine verdicts on inspected outbound traffic.
      Click add to include additional emails to receive notifications.
  7. Save Policy.
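As an added illustration of how the Conditions in step 5 and the Response in step 6 combine, here is a small Python model of the evaluation rules the procedure describes. It is example code written for this page, not Palo Alto Networks software, and every class, function, regex and sample email in it is constructed. It follows the rules stated above: each configured condition is either an inclusion (Is one of) or an exclusion (Is not one of), all configured conditions are ANDed, an unconfigured condition matches all traffic, only the selected Evaluate components (subject, body, attachments) are inspected, and a match yields the policy's severity and action. The regex that stands in for a data profile is a deliberately simple placeholder, not a real Enterprise DLP data pattern.

```python
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Condition:
    """One sender or recipient condition: the selected values plus the operator.

    operator is "is_one_of" (inclusion) or "is_not_one_of" (exclusion), the two
    choices the policy offers for each condition. Constructed for this example.
    """
    values: set
    operator: str = "is_one_of"

    def matches(self, *candidates: str) -> bool:
        # A user condition gets one candidate (the address); a group condition
        # gets every group the sender belongs to. Inclusion: any candidate is
        # selected. Exclusion: no candidate is selected.
        selected = {v.lower() for v in self.values}
        hit = any(c.lower() in selected for c in candidates)
        return hit if self.operator == "is_one_of" else not hit


@dataclass
class EmailPolicy:
    name: str
    severity: str
    action: str                 # Monitor, Block, Quarantine, ... (step 6)
    evaluate: set               # subset of {"subject", "body", "attachments"} (step 5.3)
    data_profile: list          # constructed stand-in: compiled regexes for sensitive data
    sender_domain: Optional[Condition] = None
    sender_group: Optional[Condition] = None
    sender_user: Optional[Condition] = None
    recipient_domain: Optional[Condition] = None
    recipient_user: Optional[Condition] = None


@dataclass
class OutboundEmail:
    sender: str
    recipient: str
    subject: str = ""
    body: str = ""
    attachments: dict = field(default_factory=dict)  # filename -> extracted text
    sender_groups: set = field(default_factory=set)  # groups from the identity source (CIE)


def domain_of(address: str) -> str:
    """The part of the address after the @ symbol, e.g. gmail.com."""
    return address.rsplit("@", 1)[-1]


def conditions_met(policy: EmailPolicy, email: OutboundEmail) -> bool:
    """AND across every configured condition; an unconfigured one matches all traffic."""
    checks = [
        (policy.sender_domain, (domain_of(email.sender),)),
        (policy.sender_group, tuple(email.sender_groups)),
        (policy.sender_user, (email.sender,)),
        (policy.recipient_domain, (domain_of(email.recipient),)),
        (policy.recipient_user, (email.recipient,)),
    ]
    return all(cond is None or cond.matches(*cands) for cond, cands in checks)


def evaluate_email(policy: EmailPolicy, email: OutboundEmail) -> Optional[dict]:
    """Return the policy's verdict when the email matches, otherwise None."""
    if not conditions_met(policy, email):
        return None  # outside the configured conditions: this policy does not inspect it
    # Only the selected components are inspected. Attachment text is inspected;
    # links inside documents are not (the page states link inspection is unsupported).
    components = {
        "subject": [email.subject],
        "body": [email.body],
        "attachments": list(email.attachments.values()),
    }
    for name in ("subject", "body", "attachments"):
        if name not in policy.evaluate:
            continue
        for text in components[name]:
            if any(p.search(text) for p in policy.data_profile):
                return {"policy": policy.name, "severity": policy.severity,
                        "action": policy.action, "matched": name}
    return None


# Constructed sample policy mirroring the page's example: yourcompany.com senders
# to gmail.com recipients, inspecting subject and attachments only, Block on match.
CARD_LIKE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b")  # placeholder pattern, not a real data profile
SAMPLE_POLICY = EmailPolicy(
    name="block-card-numbers-to-gmail", severity="High", action="Block",
    evaluate={"subject", "attachments"}, data_profile=[CARD_LIKE],
    sender_domain=Condition({"yourcompany.com"}),
    recipient_domain=Condition({"gmail.com"}),
)


def demo() -> dict:
    """Run three constructed sample emails through SAMPLE_POLICY."""
    sensitive = {"export.csv": "name,card\nalice,4111 1111 1111 1111\n"}  # constructed
    cases = {
        "to_gmail_attachment": OutboundEmail("alice@yourcompany.com", "bob@gmail.com",
                                             subject="Q3 export", attachments=sensitive),
        "to_yahoo_attachment": OutboundEmail("alice@yourcompany.com", "bob@yahoo.com",
                                             subject="Q3 export", attachments=sensitive),
        "to_gmail_body_only": OutboundEmail("alice@yourcompany.com", "bob@gmail.com",
                                            body="card 4111 1111 1111 1111"),
    }
    return {label: evaluate_email(SAMPLE_POLICY, mail) for label, mail in cases.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The three sample emails show the three outcomes the page describes: the email to gmail.com with a sensitive attachment gets the Block verdict; the same email to yahoo.com is not acted on because the Recipient Email Domain condition fails, so the AND of conditions fails; and the email whose only sensitive content is in the body is not acted on because Email Body was not selected under Evaluate. The `is_not_one_of` operator inverts each condition in the same way the page's exclusion description does.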