Create an Endpoint DLP Data at Rest Policy Rule
Create a data at rest Endpoint DLP policy rule to scan managed endpoints for sensitive data stored on disk.
  1. Log in to Strata Cloud Manager.
  2. Configure the Enterprise DLP match criteria to define the sensitive data you want to scan for.
    1. Create Endpoint Compatible custom data patterns to define your match criteria.
      Data at rest scanning uses the local Prisma Access Agent detection engine, which supports regex-based and OCR-based data patterns only. You can also use Endpoint Compatible predefined data patterns.
    2. Create a data profile and add your data patterns.
      You can only add data profiles that contain Endpoint Compatible data patterns. If any pattern in a profile requires the cloud detection engine, the entire profile is classified as cloud-supported and can't be used for data at rest scanning. Alternatively, you can select Endpoint Compatible predefined data profiles.
  3. Select Configuration > Data Loss Prevention > Endpoint DLP and edit the Data at Rest Scan policy rule.
  4. Add an Endpoint Compatible data profile to the Data at Rest policy rule.
    1. Add Local Data Profile to search for and select an Endpoint Compatible data profile.
    2. Select whether inspected files on the endpoint containing sensitive data Trigger an Incident.
      This setting applies per data profile. Enterprise DLP generates a DLP incident if Prisma Access Agent detects sensitive data in a file that matches the data profile.
    3. If you enabled Trigger an Incident, select the Severity of the generated incident.
      The severity applies to all incidents generated by this data profile. You can select Critical, High, Medium, Low, or Information.
    4. Repeat this step to add as many Endpoint Compatible data profiles as needed.
  5. Select the File Types to include or exclude in the scan.
    • Any File Types (default)—Scan all supported file types.
      (Optional) Exclude specific file types from the scan.
    • Select File Types—Scan only the file types you select.
  6. Configure the User scope to define which users the data at rest policy rule applies to.
    1. Enable Apply Users match criteria to all enabled data profiles.
    2. Select the Users whose endpoints you want to scan.
      • Any User (default)—Scan endpoints for all users.
        (Optional) Exclude specific users or groups from the scan.
      • Select Users—Scan endpoints only for the users and groups you select.
        (Optional) Exclude individual users from the selected groups.
  7. Configure the Folder Paths to define which directories on the endpoint the scan targets.
    Enter the folder paths for each operating system separately. You can specify paths for macOS, Windows, or both.
    Add Folder Path to include directories in the scan.
    Prisma Access Agent inspects only actual files and directories within the specified paths, not symbolic links (shortcuts that point to files or directories in other locations).
  8. Click Next to continue.
  9. Review the policy rule Summary to verify the configuration is correct and click Save.
  10. Push your Endpoint DLP policy rule.
    1. Select Push Policies and click Push Policies.
    2. (Optional) Enter a Description for the Endpoint DLP policy push.
    3. Review the Push Policies scope to understand which Endpoint DLP policy rules and configuration changes are included in the push.
    4. Click Push.
  11. Review your Endpoint DLP Audit and Push Logs.
  12. Review your DLP incidents.
    A DLP incident is generated when the data at rest scan detects sensitive data on an endpoint that matches a configured data profile for which you enabled Trigger an Incident in the policy rule.
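The following is an added illustrative model of the rule logic described in the steps above (Endpoint Compatible profile validation in step 2, file type include/exclude in step 5, folder paths and the symbolic-link exclusion in step 7, and per-profile Trigger an Incident and Severity in step 4). It is not Prisma Access Agent or Enterprise DLP code; the class names, the engine labels "regex", "ocr" and "cloud", the sample employee-ID pattern and the constructed directory layout are all assumptions made for the example. OCR patterns are recognised as Endpoint Compatible but not evaluated, because this text-only model has no image pipeline.

```python
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Optional

# Per the page, the local agent supports regex- and OCR-based patterns only;
# anything else is modelled here as requiring the cloud detection engine.
ENDPOINT_COMPATIBLE_ENGINES = {"regex", "ocr"}
SEVERITIES = {"Critical", "High", "Medium", "Low", "Information"}


@dataclass
class DataPattern:
    name: str
    engine: str        # "regex", "ocr" or "cloud" (constructed labels)
    regex: str = ""    # used only when engine == "regex"


@dataclass
class DataProfile:
    name: str
    patterns: list
    trigger_incident: bool = True   # Trigger an Incident, set per profile
    severity: str = "High"          # applies to every incident from this profile

    def is_endpoint_compatible(self) -> bool:
        # One cloud-only pattern makes the whole profile cloud-supported.
        return all(p.engine in ENDPOINT_COMPATIBLE_ENGINES for p in self.patterns)


@dataclass
class DataAtRestRule:
    folder_paths: list
    profiles: list = field(default_factory=list)
    include_types: Optional[set] = None        # None models "Any File Types"
    exclude_types: set = field(default_factory=set)

    def add_local_data_profile(self, profile: DataProfile) -> None:
        if not profile.is_endpoint_compatible():
            raise ValueError(f"{profile.name}: requires the cloud detection engine")
        if profile.trigger_incident and profile.severity not in SEVERITIES:
            raise ValueError(f"{profile.name}: unknown severity {profile.severity}")
        self.profiles.append(profile)

    def file_in_scope(self, path: str) -> bool:
        ext = os.path.splitext(path)[1].lower().lstrip(".")
        if ext in self.exclude_types:
            return False
        return self.include_types is None or ext in self.include_types


@dataclass(frozen=True)
class Incident:
    path: str
    profile: str
    pattern: str
    severity: str


def scan(rule: DataAtRestRule) -> list:
    """Walk the configured folders and raise one incident per (file, profile)."""
    incidents = []
    for root in rule.folder_paths:
        # followlinks=False: symlinked directories are listed but never entered.
        for dirpath, _dirs, files in os.walk(root, followlinks=False):
            for name in files:
                path = os.path.join(dirpath, name)
                # Symbolic links and out-of-scope file types are not inspected.
                if os.path.islink(path) or not rule.file_in_scope(path):
                    continue
                try:
                    with open(path, encoding="utf-8", errors="ignore") as fh:
                        text = fh.read()
                except OSError:
                    continue
                for profile in rule.profiles:
                    if not profile.trigger_incident:
                        continue
                    for pattern in profile.patterns:
                        if pattern.engine == "regex" and re.search(pattern.regex, text):
                            incidents.append(Incident(path, profile.name, pattern.name, profile.severity))
                            break   # one incident per file per profile
    return incidents


def demo() -> dict:
    """Constructed endpoint layout: one hit, one excluded type, one symlink, one cloud profile."""
    hr = DataProfile("HR Records", [DataPattern("Employee ID", "regex", r"\bEMP-\d{6}\b")],
                     severity="Critical")
    contracts = DataProfile("Contracts", [DataPattern("Contract classifier", "cloud")])
    rule = DataAtRestRule(folder_paths=[], exclude_types={"tmp"})
    rule.add_local_data_profile(hr)
    try:
        rule.add_local_data_profile(contracts)
        cloud_rejected = False
    except ValueError:
        cloud_rejected = True
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "Documents")
        os.makedirs(docs)
        with open(os.path.join(docs, "roster.txt"), "w") as fh:
            fh.write("Badge EMP-123456 issued\n")   # constructed sensitive sample
        with open(os.path.join(docs, "scratch.tmp"), "w") as fh:
            fh.write("EMP-654321\n")                # excluded by file type
        with open(os.path.join(root, "outside.txt"), "w") as fh:
            fh.write("EMP-000001\n")                # outside the configured folder path
        try:
            os.symlink(os.path.join(root, "outside.txt"), os.path.join(docs, "link.txt"))
        except OSError:
            pass   # symlink creation may be restricted; the target stays out of scope
        rule.folder_paths = [docs]
        incidents = scan(rule)
    return {"cloud_profile_rejected": cloud_rejected,
            "incident_count": len(incidents),
            "files": sorted(os.path.basename(i.path) for i in incidents),
            "severities": sorted({i.severity for i in incidents})}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports that the cloud-only profile was rejected and that exactly one incident, with severity Critical, was raised for roster.txt; the .tmp file is excluded by type, the file outside the folder path is never visited, and the symlink pointing to it is skipped rather than followed.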