Reduce False Positive Detections

Address and resolve cases where Enterprise Data Loss Prevention (E-DLP) wrongly identifies traffic and takes action based on your traffic match criteria in a data profile.
Where Can I Use This?
  • NGFW (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Managed by Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Managed by Panorama): Support and Panorama device management licenses
  • Prisma Access (Managed by Strata Cloud Manager): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Managed by Strata Cloud Manager): Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
In some instances, Enterprise Data Loss Prevention (E-DLP) may incorrectly detect and take action on network traffic that it should not have. This is called a false positive detection, and such detections can impact the productivity of individual employees and Enterprise DLP administrators alike. False positive detections are commonly caused by traffic match criteria in your data patterns that are too generalized, or they may be instances where the Enterprise DLP machine learning (ML) models need to be manually trained. Review the recommendations below to help reduce the chance of false positive detections.
  1. Log in to the management platform where you are managing Enterprise DLP.
  2. (Regex only) Review your custom regex data patterns.
    1. Review the regular expression (regex) for the custom data pattern generating false positive detections.
      Custom data patterns use regular expressions (regex) to define the match criteria that you want Enterprise DLP to detect and take action on. Regex that is too broad contributes to false positive detections. Palo Alto Networks recommends writing narrow regex so that only the sensitive data you want to prevent from leaving your organization's network is detected and blocked.
    2. Add proximity keywords to your custom data pattern.
      Proximity keywords help improve overall Enterprise DLP detection accuracy and reduce false positives. Proximity keywords impact the detection confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines the match confidence level by inspecting the distance of the regex to the proximity keywords you added.
    3. Use the File Property configuration settings to add specific file property patterns on which to match.
      If you use classification labels or embed tags in documents to include more information for audit and tracking purposes, you can create a file property data pattern to match on the metadata or attributes that are part of the custom or extended properties in the file. Regardless of whether you use an automated classification mechanism, such as Titus, or require users to add a tag, you can specify a name-value pair on which to match on a custom or extended property embedded in the file. This allows you to narrow down the likelihood of false positives by requiring Enterprise DLP to inspect and take action only on documents that contain the specified name-value pair.
      For Panorama, this means modifying or creating a new data pattern. For Strata Cloud Manager, this means creating a file property data pattern.
  3. Use advanced detection tools to create specific and narrow match criteria for your data profiles.
    • Use predefined regex data patterns enhanced with machine learning (ML) or ML-based data patterns to increase detection accuracy and reduce false positive detections.
    • EDM is used to monitor and prevent exfiltration of sensitive and personally identifiable information (PII) such as social security numbers, Medical Record Numbers, bank account numbers, and credit card numbers, in a structured data source such as databases, directory servers, or structured data files (CSV and TSV) with high accuracy.
      With EDM, you can reduce false positive detections by uploading data sets with the specific PII data whose exfiltration you want to prevent and using them as match criteria in data profiles.
    • Enterprise DLP supports the upload and detection of custom documents containing intellectual property for which you want to prevent exfiltration. This tool uses ML-based detection models to detect and prevent exfiltration of sensitive data contained in documents unique to your organization.
      With custom document types, you can reduce false positive detections for file-based traffic by narrowing down the possible file-based detections to just those unique to your organization. For example, be sure to set a high Overlapping Score Condition threshold when you create an advanced data profile to detect custom documents. This narrows down the possible traffic matches by requiring a high degree of overlap between the scanned file and the custom document type.
    • Data dictionaries are a collection of one or more proximity keywords or phrases that you want to detect and prevent from being exfiltrated. A data dictionary is added as a match criterion alongside the other supported match criteria in advanced and nested data profiles to increase the Enterprise Data Loss Prevention (E-DLP) detection accuracy.
  4. Contact Palo Alto Networks Support to help investigate why false positive detections continue to occur.
    Only contact Palo Alto Networks Support if you have implemented the above recommendations and continue to experience false positive detections. Palo Alto Networks Support team members will work with your administrators to review your data patterns and data profiles to help identify what can be further improved.
    In some instances, they may go back to review your data patterns and data profiles to see if any further modifications can be made to narrow the match criteria scope.
  5. (Predefined Data Patterns and Profiles only) Report a False Positive Detection to Palo Alto Networks.
    Report false positive detections to Palo Alto Networks to improve Enterprise DLP detection accuracy for yourself and other Enterprise DLP users. You can report snippets of false positive detections for high confidence traffic matches against predefined regular expression (regex) or machine learning (ML) data patterns.
    All selected DLP incident snippets are shared with Palo Alto Networks when you submit a false positive report. The selected snippets are stored and accessible by Palo Alto Networks for up to 90 days to allow Palo Alto Networks to investigate and improve Enterprise DLP detection accuracy.
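
The effect of steps 2.1 and 2.2 above, as an added example that is not Palo Alto Networks code: a broad and a narrow custom regex are run over constructed sample text, and each hit gets a confidence level from its distance to a proximity keyword. The 20-character window, the keyword list and the high/low labels are assumptions for illustration, not Enterprise DLP's actual scoring.

```python
import re

# Constructed sample text: one SSN-formatted value next to a keyword, plus
# look-alike numbers (order ID, tracking number) that should not be flagged.
SAMPLE = (
    "Order 123456789 shipped, tracking 987-65-4321 via courier on Monday morning.\n"
    "Employee SSN: 078-05-1120 on file for payroll.\n"
)

# Too broad: any 9 digits, hyphens optional, no boundaries.
BROAD = re.compile(r"\d{3}-?\d{2}-?\d{4}")
# Narrower: hyphenated layout only, not embedded in a longer digit/hyphen run.
NARROW = re.compile(r"(?<![\d-])\d{3}-\d{2}-\d{4}(?![\d-])")

KEYWORDS = ("ssn", "social security")  # assumed proximity keywords
WINDOW = 20                            # assumed window in characters


def keyword_distance(text, start, end, keywords=KEYWORDS):
    """Smallest character gap between a match and any keyword, or None."""
    lowered = text.lower()
    best = None
    for kw in keywords:
        for m in re.finditer(re.escape(kw), lowered):
            gap = max(start - m.end(), m.start() - end, 0)
            best = gap if best is None else min(best, gap)
    return best


def scan(text, pattern, window=WINDOW):
    """Return (matched_text, confidence) for every hit of the pattern."""
    results = []
    for m in pattern.finditer(text):
        dist = keyword_distance(text, m.start(), m.end())
        conf = "high" if dist is not None and dist <= window else "low"
        results.append((m.group(), conf))
    return results


def high_confidence(text, pattern):
    """Hits that would be acted on if only high-confidence matches count."""
    return [hit for hit, conf in scan(text, pattern) if conf == "high"]


if __name__ == "__main__":
    print("broad :", scan(SAMPLE, BROAD))
    print("narrow:", scan(SAMPLE, NARROW))
```

The broad pattern flags the order number as well; the narrow pattern drops it, and the keyword distance separates the tracking number from the value that sits next to "SSN".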
