View Enterprise DLP Log Details for Endpoint DLP
View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles for Endpoint DLP on Strata Cloud Manager.
No data profile or snippet is displayed for a Peripheral Control Endpoint DLP policy rule. A peripheral control policy rule controls an endpoint device's access to a peripheral device (block or alert). As a result, no data profile is required because no traffic inspection occurs.
Multiple DLP Incidents (Manage > Configuration > Data Loss Prevention > DLP Incidents) can be generated for a single file move operation from the endpoint to a peripheral device. Examples of when this occurs include:
  • Extracting the contents of a compressed file from the endpoint to a peripheral device.
  • An application that generates artifact files while writing to a peripheral device. For example, the Microsoft BITSAdmin tool generates multiple .tmp files when writing to a peripheral device.
To prevent exfiltration of sensitive data, Enterprise DLP inspects every file associated with the file move operation from the endpoint to the peripheral device. This ensures that all impacted files are captured in your logs and analyzed. However, this may result in the creation of unnecessary DLP Incidents.
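Because one file move can surface as several incidents, a triage script that groups them back into a single event is useful when you forward DLP incidents to a SIEM. The following is an added example, not Palo Alto Networks code: the field names mirror the Incident Details panel described later on this page (Incident ID, Report ID, Channel, Action, File, Scan Date, Endpoint Device SN, Peripheral Type, Name), but the record layout, the key names, the 60-second grouping window and the artifact suffix list are assumptions for illustration, and the incident records are constructed sample data, not real exports.

```python
"""Group Endpoint DLP incidents that stem from one file move operation.

Added example (not Palo Alto Networks code). The dict layout below is an
assumed, simplified representation of an exported DLP incident; the keys
correspond to the Incident Details fields named in the documentation.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: a BITSAdmin copy of one spreadsheet to a USB drive
# that produced the real file plus two .tmp artifacts, a later copy from the
# same endpoint, an alert-only incident, and an incident from another endpoint.
SAMPLE_INCIDENTS = [
    {"incident_id": "inc-1001", "report_id": "rpt-5001", "channel": "ENDPOINT_DLP",
     "action": "block", "file": "payroll_q3.xlsx", "scan_date": "2024-05-01T10:00:02Z",
     "endpoint_sn": "SN-AAA111", "peripheral_type": "USB", "peripheral_name": "Kingston DataTraveler"},
    {"incident_id": "inc-1002", "report_id": "rpt-5002", "channel": "ENDPOINT_DLP",
     "action": "block", "file": "BIT3F1A.tmp", "scan_date": "2024-05-01T10:00:03Z",
     "endpoint_sn": "SN-AAA111", "peripheral_type": "USB", "peripheral_name": "Kingston DataTraveler"},
    {"incident_id": "inc-1003", "report_id": "rpt-5003", "channel": "ENDPOINT_DLP",
     "action": "block", "file": "BIT3F1B.tmp", "scan_date": "2024-05-01T10:00:04Z",
     "endpoint_sn": "SN-AAA111", "peripheral_type": "USB", "peripheral_name": "Kingston DataTraveler"},
    {"incident_id": "inc-1004", "report_id": "rpt-5004", "channel": "ENDPOINT_DLP",
     "action": "alert", "file": "notes.docx", "scan_date": "2024-05-01T10:07:30Z",
     "endpoint_sn": "SN-AAA111", "peripheral_type": "USB", "peripheral_name": "Kingston DataTraveler"},
    {"incident_id": "inc-1005", "report_id": "rpt-5005", "channel": "ENDPOINT_DLP",
     "action": "block", "file": "customer_list.csv", "scan_date": "2024-05-01T10:00:05Z",
     "endpoint_sn": "SN-BBB222", "peripheral_type": "USB", "peripheral_name": "SanDisk Ultra"},
    {"incident_id": "inc-1006", "report_id": "rpt-5006", "channel": "ENDPOINT_DLP",
     "action": "block", "file": "report_later.pdf", "scan_date": "2024-05-01T10:03:00Z",
     "endpoint_sn": "SN-AAA111", "peripheral_type": "USB", "peripheral_name": "Kingston DataTraveler"},
]

# Assumed list of suffixes that applications use for transient artifact files.
ARTIFACT_SUFFIXES = (".tmp", ".part", ".crdownload")


def parse_ts(value):
    """Parse the Scan Date string (assumed UTC ISO-8601 with a trailing Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_artifact(filename):
    """True when the file name looks like a transient artifact, not user data."""
    return filename.lower().endswith(ARTIFACT_SUFFIXES)


def summarize(key, incidents):
    """Collapse one burst of incidents into a single file-move event."""
    endpoint_sn, ptype, pname, action = key
    primary = [i for i in incidents if not is_artifact(i["file"])]
    artifacts = [i for i in incidents if is_artifact(i["file"])]
    return {
        "endpoint_sn": endpoint_sn,
        "peripheral": f"{ptype}:{pname}",
        "action": action,
        "first_seen": incidents[0]["scan_date"],
        "last_seen": incidents[-1]["scan_date"],
        "incident_ids": [i["incident_id"] for i in incidents],
        "report_ids": [i["report_id"] for i in incidents],  # keep for the file-log lookup
        "files": [i["file"] for i in primary],
        "artifact_files": [i["file"] for i in artifacts],
    }


def group_file_moves(incidents, window=timedelta(seconds=60)):
    """Group ENDPOINT_DLP incidents by endpoint, peripheral and action, then
    split each group into bursts whose Scan Dates fall within `window` of the
    first incident in the burst. Each burst is treated as one file move."""
    buckets = defaultdict(list)
    for inc in incidents:
        if inc.get("channel") != "ENDPOINT_DLP":
            continue  # only Endpoint DLP incidents carry the peripheral fields
        key = (inc["endpoint_sn"], inc["peripheral_type"], inc["peripheral_name"], inc["action"])
        buckets[key].append(inc)

    groups = []
    for key, incs in buckets.items():
        incs.sort(key=lambda i: parse_ts(i["scan_date"]))
        burst, burst_start = [], None
        for inc in incs:
            ts = parse_ts(inc["scan_date"])
            if burst and ts - burst_start > window:
                groups.append(summarize(key, burst))
                burst, burst_start = [], None
            if not burst:
                burst_start = ts
            burst.append(inc)
        if burst:
            groups.append(summarize(key, burst))
    return groups


if __name__ == "__main__":
    for g in group_file_moves(SAMPLE_INCIDENTS):
        print(g["endpoint_sn"], g["peripheral"], g["action"], g["files"], g["artifact_files"])
```

The grouped output keeps every Incident ID and Report ID, so nothing is discarded from the audit trail; the .tmp entries are only labelled as artifacts so an analyst can focus on the user-visible file and still pull the file log for each Report ID when needed.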
  1. Log in to Strata Cloud Manager.
  2. (Optional) Configure syslog forwarding for Enterprise DLP incidents.
  3. Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
  4. Select a Scan Date and Region to filter the DLP incidents.
    Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
    For Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud Manager), Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
    When a new Public Cloud Server is introduced, Enterprise DLP automatically resolves to it if it is closer to where the inspected traffic originated.
    This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
  5. Add Filter and select the Action to filter for the specific Endpoint DLP policy rule action you want to investigate.
    For example, select only Block if you want to investigate all Endpoint DLP incidents where access to a peripheral device, or file movement from the endpoint to the peripheral device, was blocked.
  6. Review the Incidents and click the Incident ID to review detailed information for a specific incident.
  7. Review the Incident Details panels for the incident.
    Make note of the Report ID for the DLP incident if you have not already done so. Use the Report ID to view additional Traffic log details regarding the DLP incident.
    • Info
      The Info panel displays general information about the DLP incident.
      • Severity—The incident severity configured in the Endpoint DLP policy rule.
      • Incident ID—Unique ID for the DLP incident.
      • Channel—The enforcement point using Enterprise DLP through which the incident occurred. This field always displays ENDPOINT_DLP.
      • Report ID—Unique ID used to view additional Traffic log details regarding the DLP incident.
      • Action—The action Enterprise DLP took on the traffic that matched your Endpoint DLP policy rule.
      • Reason for Action—Provides a specific reason Prisma Access Agent took an Action.
    • Data Asset
      • File—Name of the file containing sensitive data that generated the incident.
      • Data Risk—Not supported for Endpoint DLP. Displays -.
      • Size—Size of the file that generated the DLP incident. Displays Data Not Available for an Endpoint DLP Peripheral Control policy rule.
      • Direction—Not supported for Endpoint DLP. Displays -.
      • Scan Date—Date and time Enterprise DLP generated the DLP incident.
      If you have Evidence Storage configured, you can Download a file of the matched traffic for further investigation.
      (Printing from a Windows device only) The file downloaded from your evidence storage bucket to the endpoint device will not contain the .pdf file extension and as a result you will not be able to open the downloaded file.
      To open the file, navigate to the location on the endpoint where the file was downloaded and edit the file name to append .pdf. Editing the file name to add the .pdf file extension will allow you to open the file.
    • User
      User data requires integration with Cloud Identity Engine (CIE) to display. The User data displayed corresponds to Palo Alto Networks Attributes that map to specific directory provider fields in CIE.
      • User Name—Name of the user as configured in CIE that generated the DLP incident.
        Corresponding Palo Alto Networks Attribute is Name.
      • User ID—ID of the user who generated the DLP incident.
        The User ID field does not require CIE integration. However, the corresponding Palo Alto Networks Attribute is User Principal Name.
      • User Email—Email of the user who generated the DLP incident.
        Corresponding Palo Alto Networks Attribute is Mail.
      • Organization—Organization the user who generated the DLP incident is associated with.
        Corresponding Palo Alto Networks Attribute is Department.
      • Location—Location of the user who generated the DLP incident.
        Corresponding Palo Alto Networks Attribute is Location.
      • Manager—Manager of the user who generated the DLP incident.
        Corresponding Palo Alto Networks Attribute is Manager.
    • Session
      • Endpoint Device SN—Serial number of the endpoint that generated the DLP incident.
      • Endpoint OS—Operating system and version running on the endpoint that generated the DLP incident.
      • Peripheral Type—The specific type of peripheral against which Enterprise DLP generated the DLP incident.
      • Name—Name of the peripheral device you added that generated the DLP incident.
    • Audit History
      The Audit History shows you the full Incident Case Management history for the specific DLP incident. It outlines every step of the case management process and the specific action taken by each user from when the incident case was assigned to when it was closed.
  8. (Data in Motion only) Review the Matches within Data Profiles to see snippets of the matching traffic and the data patterns that matched it, to better understand what sensitive data Enterprise DLP detected.
    For nested data profiles, Enterprise DLP displays the name of the nested data profile and not the specific data profile containing the match criteria that matched inspected traffic. For example, you create a DataProfile, with the nested profiles Profile1, Profile2, and Profile3. Enterprise DLP inspects traffic that matches Profile2 and blocks it. In this scenario, the Matches within Data Profile displays DataProfile.
    Additionally, you can filter the Matches within Data Profile for a nested data profile to display traffic matches against specific associated data profiles.
  9. Review the file log to learn about the traffic data for the DLP incident.
    1. Select Incidents & Alerts > Log Viewer.
    2. From the Firewall drop-down, select File.
    3. Filter to view the file log for the DLP incident using the Report ID.
      Report ID = <report-id>
    4. Review the file log to learn more about the traffic data for the DLP incident.
  10. Manage your Enterprise DLP incidents.