SaaS Security

1. Log into Strata Cloud Manager.
2. Enable Non-File Inspection.
3. Select ConfigurationNGFW and Prisma AccessSecurity ServicesDecryption and create the decryption profile and policy rule required to enable Enterprise DLP on Strata Cloud Manager.

   Do not enable Strip ALPN in the decryption profile. Enterprise DLP cannot inspect egress traffic to ChatGPT if you remove application-layer protocol negotiation (ALPN) headers from decrypted traffic.
4. (Optional) Create a data pattern.

   Create a custom regex data pattern to define your own match criteria. You can skip this step if you plan to use predefined or existing data patterns to define match criteria in your data filtering profile.
5. Create a data profile or use an existing data profile.
6. Select ConfigurationData Loss PreventionDLP Rules and in the Actions column, Edit the DLP rule.

   1. Enable Non-File Based Match Criteria.

      DLP rules configured for non-file detection are required to prevent exfiltration of sensitive data to ChatGPT. You can further modify the DLP rule to enforce your organization’s data security standards. The DLP rule has an identical name as the data profile from which it was automatically created.

      You can keep File Based Matched Criteria enabled or disable as needed. Enabling this setting has no impact on detection of egress traffic to ChatGPT as long as Non-File Based Match Criteria is enabled.

   2. Modify the Action and Log Severity.
   3. Modify the rest of the DLP rule as needed.
   4. Save.
7. Select ConfigurationSaaS SecurityDiscovered AppsPolicy Recommendations to create a Security policy rule recommendation.

   A SaaS policy rule recommendation is required to leverage the Enterprise Data Loss Prevention (E-DLP) data profile in SaaS Security.

   1. In the Select Applications section, search for and select ChatGPT.

   2. In the Data Profile section, search for and select the data profile you enabled in the previous step.
   3. Configure the policy rule recommendation as needed.
   4. Save.