Modify a DLP Rule on Strata Cloud Manager for a Granular Data Profile
Modify a granular Enterprise Data Loss Prevention (E-DLP) data profile rule to enforce data security standards on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Create a Granular Data Profile on Strata Cloud Manager.
  3. Select Configuration > Data Loss Prevention > DLP Rules and, in the Actions column, Edit the DLP rule.
    Enterprise DLP gives the DLP rule the same name as the data profile from which it was automatically created. You can't change this name.
  4. Define the Basic Information for the granular data profile.
    1. Select the File Mode to explicitly include or exclude specific file types from Enterprise DLP inspection.
      • Include—Enterprise DLP only inspects the selected file types configured in the data profiles added to the granular data profile. The enforcement point (the NGFW or Prisma Access tenant) ignores all other file types and does not send them to Enterprise DLP for inspection and verdict rendering.
      • Exclude—The NGFW or Prisma Access tenant ignores the selected File Types and does not send them to Enterprise DLP for inspection and verdict rendering. The NGFW or Prisma Access tenant forwards all other file types to Enterprise DLP.
    2. (Optional) Enter a Description for the DLP rule.
    3. Click Next to continue.
  5. Define the granular data profile Match Criteria.
    Define the match criteria for each data profile added to the granular data profile.
    1. Enable file inspection, non-file inspection, or both.
      Review the supported file types and apps that support file and non-file based traffic inspection.
      • File Based Match Criteria—Forwards file-based traffic to Enterprise DLP.
      • Non-File Based Match Criteria—Forwards non-file based traffic to Enterprise DLP.
    2. Select the File Direction you want to inspect.
      You can select Upload (default), Download, or Both.
    3. Select the Action Enterprise DLP takes if inspected traffic contains sensitive data.
      You can select Alert (default) or Block.
    4. Set the Log Severity for the DLP incident when Enterprise DLP detects sensitive data that matches this data profile.
      You can select Critical, High, Medium, Low, or Informational (default).
    5. (File Based Match Criteria only) Select the File Type you want to forward to Enterprise DLP. Click Modify to add one or more supported file types.
      Add at least one file type to forward to Enterprise DLP. Skip this step if you disabled File Based Match Criteria in the previous step.
    6. Click Next to continue.
  6. (Optional) Create an Exception Rule.
    Exception rules give data security administrators the flexibility to create rules that apply to specific users, groups, and destinations. These rules can override the default block or alert actions with different actions, such as allowing otherwise blocked traffic without creating an incident. While the Allow action is always available, the block action is only an option if there is a block action in the default rules.
    For example, you created a granular profile that includes the U.K POPCP, SOX, and Secrets and Credentials data profiles. However, you want to allow a specific user to upload files that match the Secrets and Credentials data profile to your corporate GitHub Copilot Business. Additionally, you want this traffic to generate an Informational DLP incident. In this case, you would add an exception rule with the following configuration:
    • Data Profiles—Secrets and Credentials
    • Source—The specific user whose traffic you want to allow
    • Destination—github-copilot-business
    • Policy Action—Alert
    • Log Severity—Informational
    1. Add Exception Rule.
    2. Remove any data profiles against which you don't want the user's or user group's traffic inspected.
      Enterprise DLP only supports removing data profiles that are already added to the granular profile; an exception rule can't add new data profiles.
    3. Select the traffic Source.
      User Groups and User data require integration with Cloud Identity Engine (CIE) to display.
      • Any—Exception rule applies to all User Group or User traffic sources.
      • Select—Select one or more User Groups or Users to which the exception rule applies.
    4. Select the traffic Destination.
      Enterprise DLP supports writing exception rules for supported GenAI apps delivered through App-ID Cloud Engine (ACE).
      • Any—Exception rule applies to all app or URL destinations.
      • Select—Select one or more Applications, or add any URL to which the exception rule applies.
    5. Select the Policy Action (Alert or Block) Enterprise DLP takes when traffic matches the exception rule.
    6. Select the Log Severity of the DLP incident generated when traffic matches the exception rule.
    7. Add Exception Rule to add any additional exceptions as needed.
      A granular data profile supports multiple exception rules.
    8. Click Next to continue.
  7. Configure the URL Category and Application Exclusion lists.
    • (Optional) URL Category List—Exclude traffic to one or more URL categories from being forwarded to Enterprise DLP.
      You can use a predefined URL category or create a custom URL category in the Global Configuration Scope. You can select multiple URL categories to exclude their traffic from non-file inspection.
    • (Required for Non-File Based Match Criteria) Application List Exclusion—Exclude traffic for one or more specific apps from being forwarded to Enterprise DLP.
      Enterprise DLP requires at least one Application Filter if you enable non-file based traffic inspection. Palo Alto Networks recommends adding the predefined DLP App Exclusion application filter if you don't have a custom or predefined application filter you want to add. Alternatively, you can create a custom application filter in the Global Configuration Scope. You can select multiple application filters to exclude app traffic from non-file inspection.
    Click Next to continue.
  8. Review the Summary of the granular data profile.
    Edit the Basic Information, Match Criteria, Exclusions or Exception Rules to modify the granular data profile configuration if needed.
    Save the granular data profile if you don’t need to make any further edits.
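The following is an added example, not Palo Alto Networks code or a Strata Cloud Manager API: a constructed Python model of how the settings configured in steps 4 through 7 (file mode, per-profile match criteria, exception rules and exclusion lists) combine to decide what happens to one flow, using the step 6 GitHub Copilot Business scenario. The evaluation order (exclusion lists and file mode first, then the first matching exception rule, then the profile's default criteria), the rule that the most restrictive action wins when several data profiles match the same flow, and the user name, file types and excluded app name are assumptions made for the example and are not stated on the page.

```python
"""Added example for this page (not Palo Alto Networks code): a constructed
model of how a granular Enterprise DLP data profile, its exception rules and
its exclusion lists decide what happens to one flow.  Assumptions not stated
on the page: evaluation order (exclusions/file mode, then first matching
exception rule, then profile defaults) and most-restrictive-action-wins."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

RANK = {"allow": 0, "alert": 1, "block": 2}   # assumed ordering: block > alert > allow


@dataclass(frozen=True)
class MatchCriteria:
    """Default match criteria for one data profile inside the granular profile."""
    direction: str   # "upload", "download" or "both"
    action: str      # "alert" or "block"
    severity: str    # "informational", "low", "medium", "high" or "critical"


@dataclass(frozen=True)
class ExceptionRule:
    profiles: FrozenSet[str]                 # subset of the granular profile's data profiles
    users: Optional[FrozenSet[str]]          # None = Any user or user group
    destinations: Optional[FrozenSet[str]]   # app names or URLs; None = Any
    action: str                              # "allow", "alert" or "block"
    severity: str


@dataclass
class GranularProfile:
    file_mode: str                                    # "include" or "exclude"
    file_types: FrozenSet[str]                        # the File Type list
    criteria: Dict[str, MatchCriteria]                # data profile name -> defaults
    exceptions: List[ExceptionRule] = field(default_factory=list)
    excluded_apps: FrozenSet[str] = frozenset()       # Application List Exclusion
    excluded_url_categories: FrozenSet[str] = frozenset()  # URL Category List

    def add_exception(self, rule: ExceptionRule) -> None:
        """Enforce the two constraints the page states for exception rules."""
        unknown = rule.profiles - set(self.criteria)
        if unknown:
            raise ValueError(f"exception rules can only remove profiles, not add: {sorted(unknown)}")
        if rule.action == "block" and not any(c.action == "block" for c in self.criteria.values()):
            raise ValueError("Block is only available when a default rule already blocks")
        if rule.action not in RANK:
            raise ValueError(f"unknown action {rule.action!r}")
        self.exceptions.append(rule)


@dataclass(frozen=True)
class Flow:
    user: str
    app: str
    url_category: str
    direction: str                    # "upload" or "download"
    file_type: Optional[str]          # None = non-file traffic
    matched_profiles: FrozenSet[str]  # data profiles the inspected content matched


def forwarded_to_dlp(gp: GranularProfile, flow: Flow) -> bool:
    """Does the NGFW or Prisma Access tenant send this flow to Enterprise DLP at all?"""
    if flow.file_type is None:
        # The URL category and application exclusion lists apply to non-file inspection.
        return (flow.app not in gp.excluded_apps
                and flow.url_category not in gp.excluded_url_categories)
    if gp.file_mode == "include":
        return flow.file_type in gp.file_types       # only listed types are inspected
    return flow.file_type not in gp.file_types       # exclude mode: listed types are ignored


def evaluate(gp: GranularProfile, flow: Flow):
    """Return (action, log severity); "not-inspected" and "no-match" raise no incident."""
    if not forwarded_to_dlp(gp, flow):
        return ("not-inspected", None)
    decision = None
    for profile in flow.matched_profiles:
        default = gp.criteria[profile]
        if default.direction not in ("both", flow.direction):
            continue                                   # profile does not inspect this direction
        action, severity = default.action, default.severity
        for rule in gp.exceptions:                     # first matching exception rule wins (assumption)
            if (profile in rule.profiles
                    and (rule.users is None or flow.user in rule.users)
                    and (rule.destinations is None or flow.app in rule.destinations)):
                action, severity = rule.action, rule.severity
                break
        if decision is None or RANK[action] > RANK[decision[0]]:
            decision = (action, severity)
    return decision or ("no-match", None)


def page_example() -> GranularProfile:
    """Step 6 scenario: U.K POPCP, SOX and Secrets and Credentials block uploads by
    default; one user may upload Secrets and Credentials matches to
    github-copilot-business with only an Informational alert.  The user name,
    file types and excluded app name are constructed for the example."""
    gp = GranularProfile(
        file_mode="include", file_types=frozenset({"txt", "pdf"}),
        criteria={
            "U.K POPCP": MatchCriteria("upload", "block", "high"),
            "SOX": MatchCriteria("upload", "block", "high"),
            "Secrets and Credentials": MatchCriteria("upload", "block", "critical"),
        },
        excluded_apps=frozenset({"example-excluded-app"}),
    )
    gp.add_exception(ExceptionRule(
        profiles=frozenset({"Secrets and Credentials"}),
        users=frozenset({"alice@example.com"}),
        destinations=frozenset({"github-copilot-business"}),
        action="alert", severity="informational"))
    return gp
```

Two checks worth running against your own configuration with a model like this: a flow that matches the excepted profile plus a second profile (for example SOX) is still blocked, because the exception only relaxes the one profile it names; and a file type you did not add to the File Type list in Include mode is never forwarded, which is why step 9 recommends a File Blocking profile for those types.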
  9. (Best Practices for File Based Inspection) Create a File Blocking profile and create a Block Rule to block the file types you don't explicitly forward to Enterprise DLP.
    Palo Alto Networks recommends creating this File Blocking profile to ensure sensitive data can't be exfiltrated in file types Enterprise DLP does not support.
  10. Create a Shared Profile Group for the Enterprise DLP data filtering profile.
    1. Select Configuration > Security Services > Profile Groups and Add Profile Group.
    2. Enter a descriptive Name for the Profile Group.
    3. (Best Practices for File Based Inspection) For the File Blocking Profile, select the File Blocking profile you created in the previous step.
    4. For the Data Loss Prevention Profile, select the Enterprise DLP data profile.
    5. Add any other additional profiles as needed.
    6. Save the profile group.
  11. Create a Security policy rule and attach the Profile Group.
    1. Select Configuration > Security Policy and Add Rule.
      You can also update an existing Security policy to attach a Profile Group for Enterprise DLP filtering.
    2. Configure the Security policy as needed.
    3. Navigate to the Action and Advanced Inspection section, and select the Profile Group you created in the previous step.
    4. Save the Security policy.
  12. Push Config and push your configuration changes.