Enterprise DLP
Add Custom Match Criteria to a Predefined Data Pattern
Table of Contents
Add Custom Match Criteria to a Predefined Data Pattern
Clone a predefined regex data pattern on Strata Cloud Manager to add custom match
criteria to enhance detection and prevention of data exfiltration.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services
globally.
You must allow these new service IP addresses on your network
to avoid disruptions for these services. Review the Enterprise DLP
Release Notes for more
information.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Or any of the following licenses that include the Enterprise DLP license
|
Clone a predefined regular expression (regex) data pattern to add specific inclusion
or exclusion and provide custom match criteria to enhance detection and prevention
of data exfiltration of sensitive data. This allows users to enhance predefined
regex data pattern with more customized match criteria.
- Log in to Strata Cloud Manager.Select .Locate the predefined regex data pattern.Expand the Actions and Clone.
![]()
Modify the Data Pattern Name and Description as needed.(Optional) Add any additional Proximity Keywords.Proximity keywords are not case-sensitive. You can enter additional proximity keywords to increase the probability Enterprise DLP accurately detects a regular expression match. Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level by inspecting the distance of regular expressions to proximity keywords.Data patterns that don't include any proximity keywords to identify a match always have both Low and High confidence level detections in a DLP incident.(Optional) Enter the Proximity Distance (between 1 and 1,000) to specify the maximum character distance between sensitive data and proximity keywords required to trigger a detection.The default proximity distance is 200.For large files or traffic containing sensitive data where related proximity keywords might be separated by longer text blocks, you can increase the proximity distance to ensure proper detection. Conversely for files or traffic where you need tighter control to reduce false positives, you can specify a smaller proximity distance to ensure only closely associated keywords trigger a match.The minimum proximity keyword distance must be the character length of the longest proximity keyword plus one character. This includes spaces within the proximity keyword value.For example, consider the list of proximity keywords in the custom data pattern below. The longest proximity keyword is driver's license which is 16 characters. In this case, the minimum proximity keyword distance is 17.![]()
Add the custom match criteria to specify data to include or exclude from inspection and verdict rendering.Up to 50,000 characters are supported in each field. You can add multiple custom data match criteria requirements in a single field separated by a semicolon (;). You specify one, some, or all custom data match criteria.- Include Matches Starting With—Inclusive match criteria to inspect for and trigger Enterprise DLP enforcement for only data matches starting with one or more of the criteria added.This field is an AND operator.
- Include Matches End With—Inclusive match criteria to inspect for and trigger Enterprise DLP enforcement for only data matches ending with one or more of the criteria added.This field is an AND operator.
- Exclude Matches Starting With—Exclude match criteria from Enterprise DLP inspection and enforcement for data matches starting with one or more of the criteria added.This field is an OR operator.
- Exclude Matches Ending With—Exclude match criteria from Enterprise DLP inspection and enforcement for data matches ending with one or more of the criteria added.This field is an OR operator.
![]()
Save.Create a data profile on Strata Cloud Manager.
