Add Custom Match Criteria to a Predefined Data Pattern

Table of Contents

Add Custom Match Criteria to a Predefined Data Pattern

Clone a predefined regex data pattern on Strata Cloud Manager to add custom match criteria to enhance detection and prevention of data exfiltration.

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.

You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager) Prisma Browser	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

Where Can I Use This?

What Do I Need?

NGFW (Managed by Panorama or Strata Cloud Manager)
Prisma Access (Managed by Panorama or Strata Cloud Manager)
Prisma Browser

Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.

Or any of the following licenses that include the Enterprise DLP license

Prisma Access CASB license
Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
Data Security license

Clone a predefined regular expression (regex) data pattern to add specific inclusion or exclusion and provide custom match criteria to enhance detection and prevention of data exfiltration of sensitive data. This allows users to enhance predefined regex data pattern with more customized match criteria.

Log in to Strata Cloud Manager.
Select ConfigurationData Loss PreventionDetection MethodsData Patterns.
Locate the predefined regex data pattern.
Expand the Actions and Clone.
Modify the Data Pattern Name and Description as needed.
(Optional) Add any additional Proximity Keywords.

Proximity keywords are not case-sensitive. You can enter additional proximity keywords to increase the probability Enterprise DLP accurately detects a regular expression match. Proximity keywords impact the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines confidence level by inspecting the distance of regular expressions to proximity keywords.

Data patterns that don't include any proximity keywords to identify a match always have both Low and High confidence level detections in a DLP incident.
(Optional) Enter the Proximity Distance (between 1 and 1,000) to specify the maximum character distance between sensitive data and proximity keywords required to trigger a detection.

The default proximity distance is 200.

For large files or traffic containing sensitive data where related proximity keywords might be separated by longer text blocks, you can increase the proximity distance to ensure proper detection. Conversely for files or traffic where you need tighter control to reduce false positives, you can specify a smaller proximity distance to ensure only closely associated keywords trigger a match.

The minimum proximity keyword distance must be the character length of the longest proximity keyword plus one character. This includes spaces within the proximity keyword value.

For example, consider the list of proximity keywords in the custom data pattern below. The longest proximity keyword is driver's license which is 16 characters. In this case, the minimum proximity keyword distance is 17.
Add the custom match criteria to specify data to include or exclude from inspection and verdict rendering.

Up to 50,000 characters are supported in each field. You can add multiple custom data match criteria requirements in a single field separated by a semicolon (;). You specify one, some, or all custom data match criteria.
- Include Matches Starting With—Inclusive match criteria to inspect for and trigger Enterprise DLP enforcement for only data matches starting with one or more of the criteria added.
  This field is an AND operator.
- Include Matches End With—Inclusive match criteria to inspect for and trigger Enterprise DLP enforcement for only data matches ending with one or more of the criteria added.
  This field is an AND operator.
- Exclude Matches Starting With—Exclude match criteria from Enterprise DLP inspection and enforcement for data matches starting with one or more of the criteria added.
  This field is an OR operator.
- Exclude Matches Ending With—Exclude match criteria from Enterprise DLP inspection and enforcement for data matches ending with one or more of the criteria added.
  This field is an OR operator.
Save.
Create a data profile on Strata Cloud Manager.