AIP Tags
Microsoft Azure Information
Protection (AIP) labels used to classify and protect
documents and emails. AIP tags are case insensitive and only whole
word matches are supported. Regex expressions and wildcards are not
supported.
Enterprise DLP can't inspect files encrypted using the
encryption option for
AIP labels.
Review the examples of the supported AIP tag format when configuring
a file property data pattern to prevent exfiltration of documents
with AIP tags:
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled=true
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate=2024-01-25T07:05:49Z
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method=Privileged
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Name=Confidential
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SiteId=fb8ed654-3195-4846-ac37-491dc8a2349e
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ActionId=218bb304-e1fc-46f2-9210-7fb21702c52a
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_ContentBits=2
Only one AIP Tag entry is supported per data pattern. However, you
can add up to 10 AIP tag values to an AIP Tag entry using
; as a separator. For example,
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Enabled:true;
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_SetDate:2024-01-25T07:05:49Z;
MSIP_Label_305f50f5-e953-4c63-867b-388561f41989_Method:Privileged.
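An added example, not taken from the vendor documentation: Office Open XML files store sensitivity-label metadata as MSIP_Label_* custom properties in docProps/custom.xml, so the tag values for an AIP Tag entry can be read from a labelled sample file. The function names, the kv_sep parameter and the constructed sample container are assumptions of this example; the default = delimiter follows the tag format examples above.

```python
import zipfile, io
import xml.etree.ElementTree as ET

CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
MAX_AIP_VALUES = 10  # per-entry limit stated on this page


def aip_tags(office_file, kv_sep="="):
    """Return the MSIP_Label_* custom properties of an OOXML file as tag strings."""
    with zipfile.ZipFile(office_file) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return []  # no custom properties part, so no label metadata
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    tags = []
    for prop in root.iter(f"{{{CP_NS}}}property"):
        name = prop.get("name", "")
        if name.lower().startswith("msip_label_"):  # AIP tags are case insensitive
            value = "".join(prop.itertext()).strip()
            tags.append(f"{name}{kv_sep}{value}")
    return tags


def aip_entry(tags):
    """Join tag values into one AIP Tag entry, enforcing the 10-value limit."""
    if len(tags) > MAX_AIP_VALUES:
        raise ValueError(f"{len(tags)} values exceed the limit of {MAX_AIP_VALUES}")
    return ";".join(tags)


def sample_docx():
    """Constructed minimal OOXML container that carries only label properties."""
    label = "MSIP_Label_305f50f5-e953-4c63-867b-388561f41989"
    props = {"Enabled": "true", "Method": "Privileged", "Name": "Confidential"}
    body = "".join(
        f'<property fmtid="{{D5CDD505-2E9C-101B-9397-08002B2CF9AE}}" pid="{i}" '
        f'name="{label}_{key}"><vt:lpwstr>{val}</vt:lpwstr></property>'
        for i, (key, val) in enumerate(props.items(), start=2)
    )
    xml = f'<Properties xmlns="{CP_NS}" xmlns:vt="{VT_NS}">{body}</Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/custom.xml", xml)
    return buf


if __name__ == "__main__":
    print(aip_entry(aip_tags(sample_docx())))
```

Pass kv_sep=":" to emit the name/value delimiter used in the multi-value example above.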
Asset Name
Asset names are the file names of the files you want to prevent
from being exfiltrated. Asset names are case insensitive.
Only one Asset Name entry is supported per data pattern. However, you
can add up to 100 Asset Name values to an Asset Name entry using
; as a separator. Asset Name entries
support plaintext and fully formed regex expressions for the Asset
Name value. Asset Name is designed to inspect for a full word match.
If a partial match is required, then the inclusion of a wild card
character in the regular expression is required. You can mix asset
names and regex in a single Asset Name entry. For example,
billing-info.csv;customer-data.docx;(?i)(\.*(ssn|password|pwd|security|credit|CCN|finance).*.
For plaintext Asset Name values, the asset name must include
the file extension. For example,
billing-info.csv or
customer-data.docx.
For regex, the following expression matches all variations of
file types when the specific keywords are present due to the
inclusion of a wild card at the end of the expression to
specify the file type. For example,
password.csv and
ccn.docx match this regex
expression:
(?i)(\(ssn|password|pwd|security|credit|CCN|finance).*
Alternatively, the following regex expression matches
variations in the file name and all variations of file types
due to the inclusion of a wildcard added before the
expression specifying the file name and a wild card at the
end of the expression. For example,
100ssn.txt,
200ssn.docx, and
300ssn.csv match this regex
expression:
(?i)(\.*(ssn|password|pwd|security|credit|CCN|finance).*
Author
First and last name of the file owner contained in the asset
metadata. Author tags are case and space insensitive and only whole
word matches are supported. Enterprise DLP can detect all types
of Author metadata values such as the
Author, Original
Author and Last
Author. No regex expressions or wildcards are
supported.
Only one Author entry is supported per data pattern. However, you can
add up to 100 Author values to an Author entry using
; as a separator. For example,
Bill Smith; john doe; leslieBarnes.
Comments
A catch-all text field embedded in the properties of a file where
users or automated systems leave notes, status updates, or internal
instructions.
Enterprise DLP supports only one Comments entry per data
pattern. However, you can add up to 100 Comments values to a
Comments entry using ; as a separator. For
example, Status: Final Draft; Sensitivity: High; Note:
Contains PII for 2025 payroll review; Approved by: Vertex
Financial Compliance Team.
Company
Identifies the corporate owner of the file.
Enterprise DLP supports only one Company entry per data pattern.
However, you can add up to 100 Company values to a Company entry
using ; as a separator. For example,
Palo Alto Networks; Acme Corp; Novus Health
Solutions.
Copyright
Identifies the legal rights-holder and usage restrictions of a file.
This can include a legal declaration, intellectual property
protection notices, asset maturity tracking, and inbound risk
management statements. Enterprise DLP supports the following
copyright entry formats:
Enterprise DLP supports only one Copyright entry per data
pattern. However, you can add up to 100 Copyright values to a
Copyright entry using ; as a separator. For
example, Copyright © 2025 Vertex Financial Holdings. All
Rights Reserved. ;
xmlns:xmpRights="http://ns.adobe.com/xap/1.0/rights/" ;
<xmpRights:UsageTerms>Internal Use Only; Distribution
Prohibited</xmpRights:UsageTerms>.
Description
Identifies the abstract or summary of a document. Description
metadata is commonly used by professional Document Management
Systems (DMS) and web-crawlers to understand what a file is about
without opening it.
Enterprise DLP supports only one Description entry per data
pattern. However, you can add up to 100 Description values to a
Description entry using ; as a separator. For
example, Project: Phoenix; Content: Employee Salary
Benchmarking; Status: Strictly Confidential; Warning:
Unauthorized disclosure is a violation of company
policy.
File Extension
Specify one or more
file type extensions
supported by
Enterprise DLP. File Extension tags are case and
space insensitive and only whole word matches are supported. Regex
expressions and wildcards are not supported. To scan files based on
a specific file extension, the file extension must be included in
the file name.
Only one File Extension entry is supported per data pattern. However,
you can add up to 10 File Extension values to a File Extension entry
using ; as a separator. For example,
.pdf;.csv;.rtf.
File SHA
String of letters and numbers that represents a long checksum. Only
SHA-256 hashes are supported. File SHA tags are case and space
insensitive and only whole word matches are supported. Regex
expressions and wildcards are not supported.
Only one File SHA entry is supported per data pattern. However, you
can add up to 1,000 File SHA values to a File SHA entry using
; as a separator. For example,
CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46;5C4753EAE1F27F0D7EDB5F3245155F668BF5B86A8B3BB2D86F32C65692837F79.
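An added example, not taken from the vendor documentation: preparing File SHA values from a hash inventory, rejecting anything that is not a SHA-256 digest, removing case and whitespace variants of the same digest, and splitting the result into entries of at most 1,000 values (one entry per data pattern). The function names are assumptions of this example.

```python
import hashlib
import re

MAX_SHA_VALUES = 1000  # per-entry limit stated on this page
SHA256_RE = re.compile(r"[0-9A-Fa-f]{64}")


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest().upper()


def build_sha_entries(digests):
    """Return (entries, rejected): ';'-joined entries of <= 1,000 unique digests."""
    seen, clean, rejected = set(), [], []
    for raw in digests:
        value = "".join(raw.split())           # values are space insensitive
        if not SHA256_RE.fullmatch(value):
            rejected.append(value)             # e.g. MD5 (32) or SHA-1 (40) hex
            continue
        key = value.upper()                    # values are case insensitive
        if key not in seen:
            seen.add(key)
            clean.append(key)
    entries = [
        ";".join(clean[i:i + MAX_SHA_VALUES])
        for i in range(0, len(clean), MAX_SHA_VALUES)
    ]
    return entries, rejected


if __name__ == "__main__":
    # The two digests from the example above, plus a constructed lower-case
    # duplicate and a constructed MD5-length value that must be rejected.
    inventory = [
        "CA4D03E8F8A495AA671930184A04275E050D096B9E7E3CF693E0AB12898F3A46",
        "5C4753EAE1F27F0D7EDB5F3245155F668BF5B86A8B3BB2D86F32C65692837F79",
        "ca4d03e8f8a495aa671930184a04275e050d096b9e7e3cf693e0ab12898f3a46",
        "d41d8cd98f00b204e9800998ecf8427e",
    ]
    print(build_sha_entries(inventory))
```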
Keywords or Tags
Identifies descriptors or other non-specific metadata attributes that
categorize the file's content for search and security systems.
Enterprise DLP supports only one Keywords or Tags entry per data
pattern. However, you can add up to 100 Keyword or Tag values to a
Keywords or Tags entry using ; as a
separator. For example, PII; Financial-Audit;
Export-Controlled; Project-Phoenix;
Do-Not-Distribute.
File Size
Configure a sensitive data traffic match based on the file size. The
maximum supported file size is 100 MB for inline Enterprise DLP
and 20 MB for all other channels, including Data Security
(SaaS API), Email DLP, and Endpoint DLP. You must enter the file
size in kilobytes (KB).
Enterprise DLP supports the following occurrence conditions:
- Equal To—Considered a sensitive traffic match if the
forwarded file is exactly the configured file size.
- Less than—Considered a sensitive traffic match if the
forwarded file is less than the configured file size.
- More than—Considered a sensitive traffic match if the
forwarded file is more than the configured file size.
- Less than or equal to—Considered a sensitive traffic
match if the forwarded file is less than or equal to the
configured file size.
- More than or equal to—Considered a sensitive traffic
match if the forwarded file is more than or equal to the
configured file size.
File Type
Detect the
file signature for a
specific type of file. The file signature is a unique sequence of
bytes, often referred to as Magic Numbers or Magic Bytes, that
identifies its format.
Enterprise DLP supports only one File Type entry per data
pattern. You can select up to 200 file types.
Publisher
Identifies the organization, software, or legal entity responsible
for publishing or releasing a document.
Enterprise DLP supports only one Publisher entry per data
pattern. However, you can add up to 100 Publisher values to a
Publisher entry using ; as a separator. For
example, Global Finance Corp - Internal Audit Division;
Acme Publishing.
Title
Identifies the document title within the file's internal header.
Enterprise DLP supports only one Title entry per data pattern.
However, you can add up to 100 Title values to a Title entry using
; as a separator. For example,
2025 M&A Roadmap - Project Falcon; Vertex
Financial Quarterly Salary Audit; Strictly Confidential - Source
Code Architecture.
Watermark
Detect text-based watermarks in supported file types. Enterprise DLP supports watermark detection in MS Office (.doc,
.docx, .rtf, .xls, .xlsx, .ppt, .pptx), PDF, and Google Docs
files.
You can configure the Watermark file property to:
- Detect any Watermark—Detects the presence of any
text-based watermark in the file, regardless of the watermark
content. Use this setting to identify and flag all watermarked
documents without matching specific text.
- Match by Keyword—Matches watermark content against
user-defined keywords. Enterprise DLP triggers a DLP
incident only when the specified keywords appear within the
watermark itself, not in the body of the document. Enterprise DLP matches keywords exactly and returns only
high confidence matches. You can enter multiple keywords using
; as a separator. For example,
Internal Use Only; Restricted; Confidential;
Draft.
Enterprise DLP supports only one Watermark entry per data
pattern.
Extended Properties
Unique Advanced properties added to
Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not
the default General properties.
Only one Extended Properties entry is supported per data pattern.
However, you can add up to 100 Extended Property values to an
Extended Properties entry using ; as a
separator.
Custom
Unique Custom properties added to
Microsoft Suite (Word, Excel, PPT, PDF) file properties that are not
the default General properties.
Multiple Custom entries are supported per data pattern. However, only
one Custom value per Custom entry is supported.