Secure AIP Labeled Files with Enterprise DLP

Leverage Enterprise Data Loss Prevention (E-DLP) to inspect and take action on assets protected with Microsoft Azure Information Protection (AIP).
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Use Enterprise Data Loss Prevention (E-DLP) on Strata Cloud Manager to inspect and take action on assets protected with Microsoft Purview Information Protection (formerly Azure Information Protection (AIP)).
  1. Create a document protected with a Microsoft AIP label.
    Refer to the Microsoft Purview Information Protection documentation for detailed information.
  2. Log in to Strata Cloud Manager.
  3. Enable Enterprise DLP if not already enabled.
  4. Select Manage > Configuration > Security Services > Data Loss Prevention.
  5. Create a file property data pattern to inspect for AIP tags.
  6. Create an advanced data profile and add the file property data pattern you created in the previous step.
    You can add any additional data patterns as needed.
  7. Modify the DLP Rule to define the type of traffic to inspect, the impacted file types, the action taken when sensitive data is detected, and the DLP incident log severity when Enterprise DLP detects sensitive data.
  8. Add the Enterprise DLP data profile to a profile group.
    1. Select Manage > Configuration > Security Services > Profile Groups.
    2. Add Profile Group or select an existing profile group.
    3. For the Data Loss Prevention Profile, select the DLP rule you modified in the previous step.
    4. Save.
  9. Add the profile group to a Security policy rule.
    1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
    2. Configure the Security policy rule as needed.
    3. For the Action and Advanced Inspection:
      1. Set the Action as Allow.
        • Verify the Action is Allow (default).
        • For the Profile Group, select the profile group you added the DLP rule to in the previous step.
    4. Save.
    5. In the Prisma Access - Pre Rules, verify that the Security policy rule is at the top of the policy rulebase to ensure traffic is not allowed or blocked before it can be inspected.
  10. Push Config.
  11. Verify that Enterprise DLP successfully detects and takes action on the assets protected by the AIP labels you specified in your Enterprise DLP configuration.
    You can use sites such as DLP ToolBox and DLP Test to verify.
    Refer to the Enterprise DLP Administrator's Guide for more information on supported applications.