Reduce False Positive Detections

1. Log in to the management platform where you are managing Enterprise DLP.

   • Log in to Strata Cloud Manager
   • Log in to the Panorama web interface
2. (Regex only) Review your custom regex data patterns.

   1. Review the regular expression (regex) for the custom data pattern generating false positive detections.

      Custom data patterns use regular expressions (regex) to define the match criteria that you want Enterprise DLP to detect and take action on. Regex that is too broad contribute to false positive detections. Palo Alto Networks recommends writing narrow regex so only the sensitive data you want to prevent leaving your organization's network is detected and blocked.
   2. Add proximity keywords to your custom data pattern.

      Proximity keywords help improve overall Enterprise DLP detection accuracy and reduce false positives. Proximity keywords impact the detection confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines the match confidence level by inspecting the distance of the regex to the proximity keywords you added.
   3. Use the File Property configuration settings to add specific file property patterns on which to match.

      If you use classification labels or embed tags in documents to include more information for audit and tracking purposes, you can create a file property data pattern to match on the metadata or attributes that are part of the custom or extended properties in the file. Regardless whether you use an automated classification mechanism, such as Titus, or whether require users to add a tag, you can specify a name-value pair on which to match on a custom or extended property embedded in the file. This allows you to narrow down the likelihood of false positives by requiring Enterprise DLP to inspect and take action only on documents that contain the specified name-value-pair.

      For Panorama, this means modifying or creating a new data pattern. For Strata Cloud Manager, this means creating a file property data pattern.
3. Use advanced detection tools to create specific and narrow match criteria for your data profiles.

   • ML-Based Data Patterns—Use predefined regex data patterns enhanced with machine learning (ML) or ML-based data patterns to increase detection accuracy and reduce false positive detections.
   • Exact Data Matching (EDM)—EDM is used to monitor and prevent exfiltration of sensitive and personally identifiable information (PII) such as social security numbers, Medical Record Numbers, bank account numbers, and credit card numbers, in a structured data source such as databases, directory servers, or structured data files with high accuracy.
     With EDM, you can reduce false positive detections by uploading data sets with the specific PII data you want to prevent exfiltration of and use them as match criteria in data profiles.
   • Custom Document Types—Enterprise DLP supports the upload and detection of custom documents containing intellectual property for which you want to prevent exfiltration. This tool uses ML-based detection models to detect and prevent exfiltration of sensitive data contained in documents unique to your organization.
     With custom document types, you can reduce false positive detections for file-based traffic by narrowing down the possible file-based detections to just those unique to your organization. For example, be sure to set a high Overlapping Score Condition threshold when you create a data profile to detect custom documents. This narrows down the possible traffic matches by requiring a high degree of overlap between the scanned file and the custom document type.
   • Data Dictionaries—Data dictionaries are a collection of one or more proximity keywords or phrases that you want to detect and prevent exfilitration. A data dictionary is added as a match criteria alongside the other supported match criteria in data profiles to increase the Enterprise Data Loss Prevention (E-DLP) detection accuracy
4. Contact Palo Alto Networks Support to help investigate why false positive detections continue to occur.

   Only contact Palo Alto Networks Support if you have implemented the above recommendations and continue to experience false positive detections. Palo Alto Networks Support team members will work with your administrators to review your data patterns and data profiles to help identify what can be further improved.

   In some instances, they may go back to review your data patterns and data profiles to see if any further modifications can be made to narrow the match criteria scope.
5. (Predefined Data Patterns and Profiles only) Report a False Positive Detection to Palo Alto Networks.

   Report false positive detections to Palo Alto Networks to improve Enterprise DLP detection accuracy for yourself and other Enterprise DLP users. You can report snippets of false positive detections for high confidence traffic matches against predefined regular expression (regex) or machine learning (ML) data patterns.

   All selected DLP incident snippets are shared with Palo Alto Networks when you submit a false positive report. The selected snippets are stored and accessible by Palo Alto Networks for up to 90 days to allow Palo Alto Networks to investigate and improve Enterprise DLP detection accuracy.