DLP App

View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles on the DLP app on the hub.
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. View the DLP Incidents.
  3. Select a Scan Date and Region to filter the DLP Incidents.
    Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
    For Panorama and Prisma Access (Managed by Panorama), the region is determined by the currently configured Public Cloud Server. By default, the Enterprise DLP plugin is configured to resolve to the closest Public Cloud Server to where the inspected traffic originated but you can configure a static Public Cloud Server.
    For Strata Cloud Manager, Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
    When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically resolve to it if it’s closer to where the inspected traffic originated. For Panorama and Prisma Access (Managed by Panorama), this happens only if you keep the default Public Cloud Server FQDN. For Strata Cloud Manager, this happens by default.
    This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
  4. Review the DLP Incidents summary information to help focus your incident investigation.
    These lists are updated hourly.
    • Top Data Profiles to Investigate—Lists data profiles with the highest number of incidents in descending order.
    • Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
    • Sensitive Files by Action—Lists the number of incidents based on the Action taken in descending order.
  5. Review the Incidents and click a File name to review a specific incident.
    You can filter the DLP incidents by File Name or Report ID to search for a specific incident you want to review.
  6. Review the Incident Details to review specific file upload details.
    Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
  7. Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected.
    For nested data profiles, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a DataProfile, with the nested profiles Profile1, Profile2, and Profile3 and scanned traffic matches the nested Profile2 and is blocked. In this scenario, the data profile displayed for the incident is Profile2.
    • In the snippet, Enterprise DLP only masks traffic that matches the data pattern match criteria. Other sensitive data captured in the snippet are not masked if they do not match the data pattern where the snippet is displayed.
    • Data pattern match criteria configured to inspect for Any occurrence of matched traffic display up to 3 High and 3 Low confidence level matches if detected.
    • Data pattern match criteria configured to inspect for High confidence level matches display up to 3 Low confidence level matches if detected.
    • Data pattern match criteria configured to inspect for Low confidence level matches display up to 3 High confidence level matches if detected.

