Create a File Property Data Pattern

Table of Contents

Add Custom Match Criteria to a Predefined Data Pattern

Create an Enterprise Data Loss Prevention (E-DLP) data pattern using file properties to specify the match criteria and identify patterns that represent sensitive information on your network

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager)	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

Create an Enterprise Data Loss Prevention (E-DLP) data pattern using file properties to specify the match criteria and identify patterns that represent sensitive information on your network. All data patterns you create are shared across Panorama™ management server and Strata Cloud Manager deployments associated with the tenant. All custom data patterns created on Panoramaor Strata Cloud Manager can be edited and copied as needed.

Log in to Strata Cloud Manager.
Select ManageConfigurationData Loss PreventionDetection MethodsData Patterns.
Add Data Patterns and select File Property.

You can also create a new file property data pattern by copying an existing file property data pattern. To copy a custom data pattern, select the data pattern name to view the data pattern details and copy (

). You can then configure the file property data pattern you copied as needed.
Enter a descriptive Name for the file property data pattern.
(Optional) Enter a Description for the data pattern.
Select the File Property Type and enter the corresponding Value.
Enterprise DLP supports file property data patterns in MS Office and PDF documents and supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.

(Extended Properties and Custom only) You must enter the file property Name to identify which extended or custom property Enterprise DLP needs to inspect for.
- AIP Tags
  Microsoft Azure Information Protection (AIP) labels used to classify and protect documents and emails. AIP tags are case insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported.
  Review the examples of the supported AIP tag format when configuring a file property data pattern to prevent exfiltration of documents with AIP tags:
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled=true
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate=2024-01-25T07:05:49Z
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method=Privileged
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Name=Confidential
  Enterprise DLP supports using either the Name or Display Name for a Microsoft Purview sensitivity label.
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SiteId=fb8ed654-3195-4846-ac37-491dc8a2349e
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ActionId=218bb304-e1fc-46f2-9210-7fb21702c52a
  MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ContentBits=2
  Only one AIP Tag entry is supported per data pattern. However, you can add up to 10 AIP tag values to an AIP Tag entry using ; as a separator. For example, MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled:true; MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate:2024-01-25T07:05:49Z; SIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method:Privileged.
- Asset Name
  Asset names are the file name of files you want to prevent exfiltration. Asset names are case insensitive.
  Only one Asset Name entry is supported per data pattern. However, you can add up to 100 Asset Name values to an Asset Name entry using ; as a separator. Asset Names entries support plaintext and fully formed regex expressions for the Asset Name value. Asset Name is designed to inspect for a full word match. If a partial match is required, then the inclusion of a wild card character in the regular expression is required.
  For plaintext Asset Name values, the asset name must include the file extension. For example, billing-info.csv or customer-data.docx.
  
  For regex, the following expression matches all variations of file types when the specific keywords are present due to the inclusion of a wild card at the end of the expression to specify the file type. For example, password.csv and ccn.docx match this regex expression:
  (?i)(\(ssn|password|pwd|security|credit|CCN|finance).*
  
  Alternatively, the following regex expression matches variations in the file name and all variations of file types due to the inclusion of a wildcard added before the expression specifying the file name and a wild card at the end of the expression. For example, 100ssn.txt, 200ssn.docx, and 300ssn.csv match this regex expression:
  (?i)(\.*(ssn|password|pwd|security|credit|CCN|finance).*
  
  Only one Asset Name entry is supported per data pattern. However, you can add up to 100 asset name values to an Asset Name entry using ; as a separator:
  billing-info.csv;customer-data.docx;(?i)(\.*(ssn|password|pwd|security|credit|CCN|finance).*.
- Author
  
  First and last name of the file owner contained in the asset metadata. Author tags are case and space insensitive and only whole word matches are supported. No regex expressions or wildcards are supported.
  Only one Author entry is supported per data pattern. However, you can add up to 100 Author values to an Author entry using ; as a separator. For example, Bill Smith; john doe; leslieBarnes.
  
  The Author file property type is not supported for source code files.
- File Extension
  
  Specify one or more file types supported by Enterprise DLP. File Extension tags are case and space insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported. To scan files based on a specific file extension, the file extension must be included in the file name.
  Only one File Extension entry is supported per data pattern. However, you can add up to 10 File Extension values to a File Extension entry using ; as a separator. For example, .pdf;.csv;.rtf.
- File SHA
  
  String of letters and numbers that represent a long checksum. Only SHA-256 are supported. File Extension tags are case and space insensitive and only whole word matches are supported. Regex expressions and wildcards are not supported.
  Only one File SHA entry is supported per data pattern. However, you can add up to 1,000 File SHA values to an File SHA entry using ; as a separator. For example, CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753EAE1F27F0D7EDB5F3245155F668BF5B86A8B3BB2D86F32C65692837F79.
- Extended Properties
  
  Unique Advanced properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not the default General properties.
  Only one Extended Properties entry is supported per data pattern. However, you can add up to 100 Extended Property values to an Extended Properties entry using ; as a separator.
- Custom
  
  Unique Custom properties added to Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not the default General properties.
  Multiple Custom entries are supported per data pattern. However, only one Custom value per Custom entry is supported.
Save the data pattern.
Create a data profile on Strata Cloud Manager.