Create a Custom Data Pattern

Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern using regular expressions or file properties.

Where Can I Use This?
  • NGFW (Panorama Managed)
  • Prisma Access (Cloud Management)
  • SaaS Security
  • NGFW (Cloud Managed)

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Panorama Managed): Support and Panorama device management licenses
  • Prisma Access (Cloud Management): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Cloud Managed): Support and AIOps for NGFW Premium licenses

Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern using regular expressions. Create data patterns to specify the match criteria and identify patterns using regular expressions and keywords that represent sensitive information on your network. All data patterns you create are shared across Panorama™ management server and Strata Cloud Manager deployments associated with the tenant. All custom data patterns created on Panorama or Strata Cloud Manager can be edited and copied as needed.

Strata Cloud Manager

Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern for Prisma Access (Cloud Management) and SaaS Security on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Security Services > Data Loss Prevention > Detection Methods > Data Patterns.
  3. Add Data Patterns and select Custom.
    You can also create a new custom data pattern by copying an existing custom data pattern. To copy a custom data pattern, select the data pattern name to view the data pattern details and copy it. You can then configure the custom data pattern you copied as needed.
  4. Enter a descriptive Data Pattern Name.
  5. (Optional) Enter a Description for the data pattern.
  6. Select the type of Regular Expression.
    You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create a basic or weighted regular expression. With weighted regular expressions, each text entry is assigned a score and when the score threshold is exceeded, such as when enough expressions from a pattern match an asset, Enterprise DLP will indicate that the asset is a match for the pattern.
    Then use the query builder in the Regular Expressions field to add either regular (Basic) or Weighted expressions.
  7. (Optional) Enter one or more Proximity Keywords.
    Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords to increase the probability Enterprise DLP accurately detects a regular expression match. Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level by inspecting the distance of regular expressions to proximity keywords.
  8. Save the data pattern.
  9. Create a data profile on Strata Cloud Manager.

DLP App

Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern on the DLP app on the hub.
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select Detection Methods > Data Patterns and Add Data Patterns.
    You can also create a new custom data pattern by copying an existing custom data pattern. To copy a custom data pattern, expand the Actions column for the data pattern you want to copy and Clone the data pattern. You can then configure the custom data pattern you copied as needed.
  3. Select the Custom data pattern.
  4. Enter a descriptive Data Pattern Name.
  5. (Optional) Enter a Description for the data pattern.
  6. Select the type of Regular Expression.
    You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create a basic or weighted regular expression. With weighted regular expressions, each text entry is assigned a score and when the score threshold is exceeded, such as when enough expressions from a pattern match an asset, Enterprise DLP will indicate that the asset is a match for the pattern.
    Then use the query builder in the Regular Expressions field to add either regular (Basic) or Weighted expressions.
  7. (Optional) Enter one or more Proximity Keywords.
    Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords to increase the probability Enterprise DLP accurately detects a regular expression match. Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level by inspecting the distance of regular expressions to proximity keywords.
  8. Save the data pattern.
  9. Create a data profile on the DLP app.

Panorama

Create a data pattern to identify sensitive information on your network when using Enterprise Data Loss Prevention (E-DLP).

  1. Log in to the Panorama web interface.
  2. Select Objects > DLP > Data Filtering Patterns.
    You do not need to select the device group the managed firewalls using Enterprise DLP are associated with. All data patterns are shared across all device groups by default.
  3. Add a new data pattern.
  4. Specify a Type and criteria for the data pattern and specify a Name.
    Use any of the following data pattern types:
    • Regular Expression—Create regular expressions to use in the data pattern.
      You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create a basic or weighted regular expression. With weighted regular expressions, each text entry is assigned a score and when the score threshold is exceeded, such as when enough expressions from a pattern match an asset, Enterprise DLP will indicate that the asset is a match for the pattern.
      Then use the query builder in the Regular Expressions field to add either regular (Basic) or weighted (Advanced) expressions.
      You can enter one or more Proximity Keywords to use with the data filtering pattern. Proximity keywords aren’t case-sensitive. You can enter one or more proximity keywords to increase the probability Enterprise DLP accurately detects a regular expression match. Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level by inspecting the distance of regular expressions to proximity keywords.
    • File Property—Add a file property pattern on which to match.
      For data governance and protection of information, if you use classification labels or embed tags in MS Office and PDF documents to include more information for audit and tracking purposes, you can create a file property data pattern to match on the metadata or attributes that are part of the custom or extended properties in the file. Regardless of whether you use an automated classification mechanism, such as Titus, or require users to add a tag, you can specify a name-value pair on which to match on a custom or extended property embedded in the file.
      Enterprise DLP supports file property data patterns in MS Office and PDF documents and supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
      Then add a Tag Name and Tag Value.
      A Tag Name and Tag Value are an associated pair that specifies the property for which you want to look (for example, you can specify a Tag Name of Label and a Tag Value of Confidential). You can add as many file properties as you’d like and when you later reference the file property data pattern in a data filtering profile, Enterprise DLP will use a boolean OR match in the match criteria.
      For files protected with Microsoft Azure Information Protection (AIP), you must enter the full AIP label Name that you want to take action on. This can be either the MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
  5. Click OK to save the data pattern.
  6. Commit and push the new configuration to your managed firewalls to complete the Enterprise DLP plugin installation.
    This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
    The Commit and Push command isn’t recommended for Enterprise DLP configuration changes. Using the Commit and Push command requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection.
    • Full configuration push from Panorama
      1. Select Commit > Commit to Panorama and Commit.
      2. Select Commit > Push to Devices and Edit Selections.
      3. Select Device Groups and Include Device and Network Templates.
      4. Click OK.
      5. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
    • Partial configuration push from Panorama
      You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync.
      For example, you have a Panorama admin user named admin who is allowed to commit and push configuration changes. The admin user made changes to the Enterprise DLP configuration and only wants to commit and push these changes to managed firewalls. In this case, the admin user is required to also select the __dlp user in the partial commit and push operations.
      1. Select Commit > Commit to Panorama.
      2. Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit.
        In this example, the admin user is currently logged in and performing the commit operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      3. Commit.
      4. Select Commit > Push to Devices.
      5. Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push.
        In this example, the admin user is currently logged in and performing the push operation. The admin user must click admin and then select the __dlp user. If there are additional configuration changes made by other Panorama admins, they can be selected here as well.
        Click OK to continue.
      6. Select Device Groups and Include Device and Network Templates.
      7. Click OK.
      8. Push your configuration changes to your managed firewalls that are using Enterprise DLP.
  7. Create a data profile on Panorama or the DLP app.
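
To pre-test a candidate weighted pattern and its proximity keywords against sample text before entering them in any of the three procedures above, the following added Python example (not Palo Alto Networks code) models the behavior described in the Regular Expression and Proximity Keywords steps. The weights, threshold, 40-character window and two-level confidence label are assumptions for illustration; this page does not give the actual Enterprise DLP scoring or distance rules.

```python
import re

# Constructed candidate pattern: (regular expression, weight) entries.
WEIGHTED = [
    (r"\b\d{3}-\d{2}-\d{4}\b", 3),    # SSN-shaped number
    (r"\bDOB\b", 1),                   # supporting field label
]
THRESHOLD = 3                          # match only when the score exceeds this
KEYWORDS = ["ssn", "social security"]  # proximity keywords, case-insensitive
WINDOW = 40                            # assumed "near" distance, in characters


def evaluate(text, weighted=WEIGHTED, threshold=THRESHOLD,
             keywords=KEYWORDS, window=WINDOW):
    """Return (is_match, score, confidence) for one asset's text."""
    # Locate every proximity keyword occurrence, ignoring case.
    kw_spans = [m.span() for kw in keywords
                for m in re.finditer(re.escape(kw), text, re.IGNORECASE)]
    score, near = 0, False
    for pattern, weight in weighted:
        for m in re.finditer(pattern, text):
            score += weight
            # Character gap between this regex hit and each keyword.
            for ks, ke in kw_spans:
                if max(ks - m.end(), m.start() - ke, 0) <= window:
                    near = True
    if score <= threshold:
        return False, score, None      # threshold not exceeded: no match
    return True, score, "high" if near else "low"


if __name__ == "__main__":
    # Constructed sample text; the numbers are dummy values.
    samples = [
        "Employee SSN: 123-45-6789, DOB 01/02/1990",
        "Order ref 123-45-6789 shipped",
        "ids 123-45-6789 and 987-65-4321",
    ]
    for sample in samples:
        print(evaluate(sample), "<-", sample)
```

Running candidate expressions over both known-sensitive and known-benign samples this way shows whether a threshold is so low that ordinary identifiers match, or so high that a single real hit is missed.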
