Reduce False Positive Detections
Focus
Focus
Enterprise DLP

Reduce False Positive Detections

Table of Contents

Reduce False Positive Detections

Address and resolve when
Enterprise Data Loss Prevention (E-DLP)
wrongly identifies traffic and takes action based on your traffic match criteria in a data profile.
Where Can I Use This?
What Do I Need?
  • NGFW (Panorama Managed)
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Cloud Managed)
  • Enterprise Data Loss Prevention (E-DLP)
    license
  • NGFW (Panorama Managed)
    —Support and
    Panorama
    device management licenses
  • Prisma Access (Managed by Strata Cloud Manager)
    Prisma Access
    license
  • SaaS Security
    SaaS Security
    license
  • NGFW (Cloud Managed)
    —Support and
    AIOps for NGFW Premium
    licenses
Or any of the following licenses that include the
Enterprise DLP
license
  • Prisma Access
    CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
    license
  • Data Security
    license
In some instances,
Enterprise Data Loss Prevention (E-DLP)
may incorrectly detect and take action on network traffic that it should not have. This is called a
false positive
detection and they can cause productivity impacts to individual employees and
Enterprise DLP
administrators alike. False positive detections are commonly caused by traffic match criteria in your data patterns that are too generalized or may be instances where the
Enterprise DLP
machine learning (ML) models need to be manually trained. Review the recommendations below to help reduce the chance of false positive detections.
  1. Log in to the management platform where you are managing
    Enterprise DLP
    .
  2. (
    Regex only
    ) Review your custom regex data patterns.
    1. Review the regular expression (regex) for the custom data pattern generating false positive detections.
      Custom data patterns use regular expressions (regex) to define the match criteria that you want
      Enterprise DLP
      to detect and take action on. Regex that is too broad contribute to false positive detections. Palo Alto Networks recommends writing narrow regex so only the sensitive data you want to prevent leaving your organization's network is detected and blocked.
    2. Add proximity keywords to your custom data pattern.
      Proximity keywords help improve overall
      Enterprise DLP
      detection accuracy and reduce false positives. Proximity keywords impact the detection confidence level, which reflects how confident
      Enterprise DLP
      is when detecting matched traffic.
      Enterprise DLP
      determines the match confidence level by inspecting the distance of the regex to the proximity keywords you added.
    3. Use the
      File Property
      configuration settings to add specific file property patterns on which to match.
      If you use classification labels or embed tags in documents to include more information for audit and tracking purposes, you can create a file property data pattern to match on the metadata or attributes that are part of the custom or extended properties in the file. Regardless whether you use an automated classification mechanism, such as Titus, or whether require users to add a tag, you can specify a name-value pair on which to match on a custom or extended property embedded in the file. This allows you to narrow down the likelihood of false positives by requiring
      Enterprise DLP
      to inspect and take action only on documents that contain the specified name-value-pair.
      For
      Panorama
      , this means modifying or creating a new data pattern. For
      Strata Cloud Manager
      , this means creating a file property data pattern.
  3. Use advanced detection tools to create specific and narrow match criteria for your data profiles.
    • —Use predefined regex data patterns enhanced with machine learning (ML) or ML-based data patterns to increase detection accuracy and reduce false positive detections.
    • —EDM is used to monitor and prevent exfiltration of sensitive and personally identifiable information (PII) such as social security numbers, Medical Record Numbers, bank account numbers, and credit card numbers, in a structured data source such as databases, directory servers, or structured data files (CSV and TSV) with high accuracy.
      With EDM, you can reduce false positive detections by uploading data sets with the specific PII data you want to prevent exfiltration of and use them as match criteria in data profiles.
    • Enterprise DLP
      supports the upload and detection of custom documents containing intellectual property for which you want to prevent exfiltration. This tool uses ML-based detection models to detect and prevent exfiltration of sensitive data contained in documents unique to your organization.
      With custom document types, you can reduce false positive detections for file-based traffic by narrowing down the possible file-based detections to just those unique to your organization. For example, be sure to set a high
      Overlapping Score Condition
      threshold when you create an advanced data profile to detect custom documents. This narrows down the possible traffic matches by requiring a high degree of overlap between the scanned file and the custom document type.
    • —Data dictionaries are a collection of one or more proximity keywords or phrases that you want to detect and prevent exfilitration. A data dictionary is added as a match criteria alongside the other supported match criteria in advanced and nested data profiles to increase the
      Enterprise Data Loss Prevention (E-DLP)
      detection accuracy
  4. Contact Palo Alto Networks Support to help investigate why false positive detections continue to occur.
    Only contact Palo Alto Networks Support if you have implemented the above recommendations and continue to experience false positive detections. Palo Alto Networks Support team members will work with your administrators to review your data patterns and data profiles to help identify what can be further improved.
    In some instances, they may go back to review your data patterns and data profiles to see if any further modifications can be made to narrow the match criteria scope.
  5. (
    Predefined Data Patterns and Profiles only
    ) Report a False Positive Detection to
    Palo Alto Networks
    .
    Report false positive detections to
    Palo Alto Networks
    to improve
    Enterprise DLP
    detection accuracy for yourself and other
    Enterprise DLP
    users. You can report snippets of false positive detections for high confidence traffic matches against predefined regular expression (regex) or machine learning (ML) data patterns.
    All selected DLP incident snippets are shared with
    Palo Alto Networks
    when you submit a false positive report. The selected snippets are stored and accessible by
    Palo Alto Networks
    for up to 90 days to allow
    Palo Alto Networks
    to investigate and improve
    Enterprise DLP
    detection accuracy.

Recommended For You