Create a File Property Data Pattern
Create an Enterprise Data Loss Prevention (E-DLP) data pattern using file properties to specify the match criteria and identify patterns that represent sensitive information on your network.
Where Can I Use This? / What Do I Need?
  • NGFW (Managed by Panorama): Enterprise Data Loss Prevention (E-DLP) license, plus Support and Panorama device management licenses
  • Prisma Access (Managed by Strata Cloud Manager): Enterprise Data Loss Prevention (E-DLP) license, plus Prisma Access license
  • SaaS Security: Enterprise Data Loss Prevention (E-DLP) license, plus SaaS Security license
  • NGFW (Managed by Strata Cloud Manager): Enterprise Data Loss Prevention (E-DLP) license, plus Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Create an Enterprise Data Loss Prevention (E-DLP) data pattern using file properties to specify the match criteria and identify patterns that represent sensitive information on your network. All data patterns you create are shared across Panorama™ management server and Strata Cloud Manager deployments associated with the tenant. All custom data patterns created on Panorama or Strata Cloud Manager can be edited and copied as needed.

Strata Cloud Manager

Create an Enterprise Data Loss Prevention (E-DLP) file property data pattern for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Data Loss Prevention > Detection Methods > Data Patterns.
  3. Add Data Patterns and select File Property.
    You can also create a new file property data pattern by copying an existing file property data pattern. To copy a custom data pattern, select the data pattern name to view the data pattern details and copy it. You can then configure the file property data pattern you copied as needed.
  4. Enter a descriptive Name for the file property data pattern.
  5. (Optional) Enter a Description for the data pattern.
  6. Select the File Property Type and enter the corresponding Value.
    Enterprise DLP supports file property data patterns in MS Office and PDF documents and supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
    (Extended Properties and Custom only) You must enter the file property Name to identify which extended or custom property Enterprise DLP needs to inspect for.
    • AIP Tags
      Microsoft Azure Information Protection (AIP) labels used to classify and protect documents and emails. AIP tags are case insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported.
      Review the examples of the supported AIP tag format when configuring a file property data pattern to prevent exfiltration of documents with AIP tags:
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled=true
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate=2024-01-25T07:05:49Z
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method=Privileged
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Name=305f50f5-e953-4c63-867b-388561f41989
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SiteId=fb8ed654-3195-4846-ac37-491dc8a2349e
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ActionId=218bb304-e1fc-46f2-9210-7fb21702c52a
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ContentBits=2
      Only one AIP Tag entry is supported per data pattern. However, you can add up to 10 AIP tag values to an AIP Tag entry using a semicolon (;) as a separator. For example: MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled:true; MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate:2024-01-25T07:05:49Z; MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method:Privileged
    • Asset Name
      Asset names are the file names of the files you want to prevent from being exfiltrated. Asset names are case insensitive.
      Only one Asset Name entry is supported per data pattern. However, you can add up to 100 Asset Name values to an Asset Name entry using a semicolon (;) as a separator. Asset Name entries support plaintext and fully formed regex expressions for the Asset Name value. Asset Name inspects for a full match of the file name; if a partial match is required, include a wildcard character in the regular expression.
      • For plaintext Asset Name values, the asset name must include the file extension. For example, billing-info.csv or customer-data.docx.
      • For regex, the following expression matches any file type when the file name starts with one of the keywords, because the wildcard at the end of the expression covers the file type. For example, password.csv and ccn.docx match this regex expression: (?i)(ssn|password|pwd|security|credit|CCN|finance).*
      • Alternatively, the following regex expression matches variations in the file name as well as any file type, because one wildcard is placed before the keyword group and another at the end of the expression. For example, 100ssn.txt, 200ssn.docx, and 300ssn.csv match this regex expression: (?i).*(ssn|password|pwd|security|credit|CCN|finance).*
      For example, the following Asset Name entry combines two plaintext values and one regex value using a semicolon (;) as a separator: billing-info.csv;customer-data.docx;(?i).*(ssn|password|pwd|security|credit|CCN|finance).*
    • Author
      First and last name of the file owner contained in the asset metadata. Author tags are case and space insensitive and only whole word matches are supported. No regex expressions or wildcards are supported.
      Only one Author entry is supported per data pattern. However, you can add up to 100 Author values to an Author entry using a semicolon (;) as a separator. For example: Bill Smith; john doe; leslieBarnes
      The Author file property type is not supported for source code files.
    • File Extension
      Specify one or more file types supported by Enterprise DLP. File Extension tags are case and space insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported. To scan files based on a specific file extension, the file extension must be included in the file name.
      Only one File Extension entry is supported per data pattern. However, you can add up to 10 File Extension values to a File Extension entry using a semicolon (;) as a separator. For example: .pdf;.csv;.rtf
    • File SHA
      String of letters and numbers that represents a long checksum. Only SHA-256 hashes are supported. File SHA values are case and space insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported.
      Only one File SHA entry is supported per data pattern. However, you can add up to 1,000 File SHA values to a File SHA entry using a semicolon (;) as a separator. For example: CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753EAE1F27F0D7EDB5F3245155F668BF5B86A8B3BB2D86F32C65692837F79
    • Extended Properties
      Unique Advanced properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not the default General properties.
      Only one Extended Properties entry is supported per data pattern. However, you can add up to 100 Extended Property values to an Extended Properties entry using a semicolon (;) as a separator.
    • Custom
      Unique Custom properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not the default General properties.
      Only one Custom entry is supported per data pattern. However, you can add up to 100 Custom values to a Custom entry using a semicolon (;) as a separator.
  7. Save the data pattern.
  8. Create a data profile on Strata Cloud Manager.

DLP App

Create an Enterprise Data Loss Prevention (E-DLP) file property data pattern on the DLP app on the hub.
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select Detection Methods > Data Patterns and Add Data Patterns.
    You can also create a new custom data pattern by copying an existing custom data pattern. To copy a custom data pattern, expand the Actions column for the data pattern you want to copy and Clone the data pattern. You can then configure the custom data pattern you copied as needed.
  3. Select the File Property data pattern.
  4. Enter a descriptive Name for the file property data pattern.
  5. (Optional) Enter a Description for the data pattern.
  6. Select the File Property Type and enter the corresponding Value.
    Enterprise DLP supports file property data patterns in MS Office and PDF documents and supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
    (Extended Properties and Custom only) You must enter the file property Name to identify which extended or custom property Enterprise DLP needs to inspect for.
    • AIP Tags
      Microsoft Azure Information Protection (AIP) labels used to classify and protect documents and emails. AIP tags are case insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported.
      Review the examples of the supported AIP tag format when configuring a file property data pattern to prevent exfiltration of documents with AIP tags:
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled=true
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate=2024-01-25T07:05:49Z
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method=Privileged
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Name=305f50f5-e953-4c63-867b-388561f41989
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SiteId=fb8ed654-3195-4846-ac37-491dc8a2349e
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ActionId=218bb304-e1fc-46f2-9210-7fb21702c52a
      • MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ContentBits=2
      Only one AIP Tag entry is supported per data pattern. However, you can add up to 10 AIP tag values to an AIP Tag entry using a semicolon (;) as a separator. For example: MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled:true; MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate:2024-01-25T07:05:49Z; MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method:Privileged
    • Asset Name
      Asset names are the file names of the files you want to prevent from being exfiltrated. Asset names are case insensitive.
      Only one Asset Name entry is supported per data pattern. However, you can add up to 100 Asset Name values to an Asset Name entry using a semicolon (;) as a separator. Asset Name entries support plaintext and fully formed regex expressions for the Asset Name value. Asset Name inspects for a full match of the file name; if a partial match is required, include a wildcard character in the regular expression.
      • For plaintext Asset Name values, the asset name must include the file extension. For example, billing-info.csv or customer-data.docx.
      • For regex, the following expression matches any file type when the file name starts with one of the keywords, because the wildcard at the end of the expression covers the file type. For example, password.csv and ccn.docx match this regex expression: (?i)(ssn|password|pwd|security|credit|CCN|finance).*
      • Alternatively, the following regex expression matches variations in the file name as well as any file type, because one wildcard is placed before the keyword group and another at the end of the expression. For example, 100ssn.txt, 200ssn.docx, and 300ssn.csv match this regex expression: (?i).*(ssn|password|pwd|security|credit|CCN|finance).*
      For example, the following Asset Name entry combines two plaintext values and one regex value using a semicolon (;) as a separator: billing-info.csv;customer-data.docx;(?i).*(ssn|password|pwd|security|credit|CCN|finance).*
    • Author
      First and last name of the file owner contained in the asset metadata. Author tags are case and space insensitive and only whole word matches are supported. No regex expressions or wildcards are supported.
      Only one Author entry is supported per data pattern. However, you can add up to 100 Author values to an Author entry using a semicolon (;) as a separator. For example: Bill Smith; john doe; leslieBarnes
      The Author file property type is not supported for source code files.
    • File Extension
      Specify one or more file types supported by Enterprise DLP. File Extension tags are case and space insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported. To scan files based on a specific file extension, the file extension must be included in the file name.
      Only one File Extension entry is supported per data pattern. However, you can add up to 10 File Extension values to a File Extension entry using a semicolon (;) as a separator. For example: .pdf;.csv;.rtf
    • File SHA
      String of letters and numbers that represents a long checksum. Only SHA-256 hashes are supported. File SHA values are case and space insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported.
      Only one File SHA entry is supported per data pattern. However, you can add up to 1,000 File SHA values to a File SHA entry using a semicolon (;) as a separator. For example: CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753EAE1F27F0D7EDB5F3245155F668BF5B86A8B3BB2D86F32C65692837F79
    • Extended Properties
      Unique Advanced properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not the default General properties.
      Only one Extended Properties entry is supported per data pattern. However, you can add up to 100 Extended Property values to an Extended Properties entry using a semicolon (;) as a separator.
    • Custom
      Unique Custom properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not the default General properties.
      Only one Custom entry is supported per data pattern. However, you can add up to 100 Custom values to a Custom entry using a semicolon (;) as a separator.
  7. Save the data pattern.
  8. Create a data profile on the DLP app.
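Both procedures above (Strata Cloud Manager and the DLP app) configure the same matching rules for a file property Value: one entry per pattern, semicolon-separated values with a per-type cap, case-insensitive whole-name matching, regex only for Asset Name, and SHA-256 only for File SHA. The following Python is an added illustration of those rules and is not Enterprise DLP code; it evaluates the page's Asset Name regexes and other example values against constructed file metadata (SAMPLE), and treating any value that contains regex metacharacters as a regex is an assumption of this example.

```python
import hashlib
import re

# One entry per data pattern; the ';'-separated value caps stated on the page.
LIMITS = {"aip_tag": 10, "asset_name": 100, "author": 100,
          "file_extension": 10, "file_sha": 1000}

# Constructed file metadata standing in for what E-DLP extracts from a document.
SAMPLE = {
    "name": "200ssn.docx",
    "author": "Leslie Barnes",
    "aip_tags": ["MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled=true"],
    "content": b"constructed sample bytes, not a real document",
}

def parse_entry(prop_type, raw):
    """Split the Value field on ';' and enforce the per-type cap."""
    values = [v.strip() for v in raw.split(";") if v.strip()]
    if len(values) > LIMITS[prop_type]:
        raise ValueError(f"{prop_type}: {len(values)} values, cap is {LIMITS[prop_type]}")
    return values

def norm(s, drop_spaces=False):
    # Case-insensitive (and optionally space-insensitive) comparison key.
    return "".join(s.split()).lower() if drop_spaces else s.lower()

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def asset_name_matches(value, filename):
    """Assumption: a value with regex metacharacters is a regex, otherwise plaintext.
    Both forms must match the whole file name, so a bare keyword needs a '.*' wildcard."""
    if re.search(r"[()*+?|\[\]\\]", value):
        return re.fullmatch(value, filename, re.IGNORECASE) is not None
    return norm(value) == norm(filename)

def matches(prop_type, values, meta):
    """Evaluate one data pattern entry against extracted file metadata."""
    if prop_type == "aip_tag":                       # whole tag, case-insensitive
        return any(norm(v) in {norm(t) for t in meta["aip_tags"]} for v in values)
    if prop_type == "author":                        # case- and space-insensitive
        return norm(meta["author"], True) in {norm(v, True) for v in values}
    if prop_type == "file_extension":                # extension taken from the file name
        ext = "." + meta["name"].rsplit(".", 1)[1] if "." in meta["name"] else ""
        return norm(ext, True) in {norm(v, True) for v in values}
    if prop_type == "file_sha":                      # SHA-256 hex, case-insensitive
        return sha256_hex(meta["content"]) in {v.lower() for v in values}
    if prop_type == "asset_name":
        return any(asset_name_matches(v, meta["name"]) for v in values)
    raise ValueError(f"unknown file property type {prop_type}")
```

Note that the plaintext value ssn.docx does not match 200ssn.docx, while the regex with a leading .* does, which is the whole-name behaviour the Asset Name section describes.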
