Enterprise DLP
Report a False Positive Detection
Report false positive detections by Enterprise Data Loss Prevention (E-DLP) to Palo Alto Networks
to improve Enterprise DLP detection accuracy.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally. You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |
In some instances, Enterprise Data Loss Prevention (E-DLP) might incorrectly detect and take action on a file or on network traffic that it should not have. This is called a false positive detection, and false positives can cause productivity impacts to individual employees and Enterprise DLP administrators alike. False positive detections are commonly caused by the traffic match criteria in predefined regular expression (regex) data patterns.
Report false positive detections to Palo Alto Networks to improve Enterprise DLP detection accuracy for yourself and other Enterprise DLP users. You report a
false positive detection against the DLP Incident where the false positive detection
occurred.
The DLP Incident must meet the following conditions before you can report a false positive detection:
- Traffic matched against a predefined regular expression (regex) data pattern
- The traffic match is high confidence
- A snippet of the false positive detection is available to share with Palo Alto Networks
For predefined data patterns marked with
Augmented with ML, Enterprise DLP uses AI and advanced machine
learning (ML) techniques to improve its detection engine when you report a false
positive detection. This enables Enterprise DLP to continuously learn from
your feedback to reduce false positive detections and increase detection
accuracy for yourself and other Enterprise DLP users. For Enterprise DLP to use AI and ML to learn from your false positive detections
and improve its detection engine:
- Files in inspected traffic must be 19 MB or smaller
- The number of traffic matches per data pattern in the data profile is 100 matches or less
All selected DLP incident snippets are shared with Palo Alto Networks when you
submit a false positive report. The selected snippets are stored and accessible
by Palo Alto Networks for up to 90 days to enable Palo Alto Networks to
investigate and improve Enterprise DLP detection accuracy.
Enterprise DLP does not support reporting false positive detections for
incidents generated from Email DLP or SaaS Security.
1. Log in to Strata Cloud Manager.
2. Review your data patterns, profiles, and Security policy rules to reduce false positive detections.
3. Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
4. In the Incidents, click the File name of the false positive DLP incident you want to report to Palo Alto Networks.
5. In the Matches within Data Profile window, click Report False Positive.
6. In the Falsely Detection Information, select one or more data patterns.
   Enterprise DLP displays the list of available data patterns based on the data profile that generated the false positive detection. Enterprise DLP only displays data patterns associated with that data profile.
7. Select one or more snippets of false positive detections.
   If you selected multiple data patterns associated with the data profile, you can select snippets from each of them.
8. (Optional) Add a Comment to provide additional details to Palo Alto Networks.
   This helps Palo Alto Networks understand how to improve the predefined data pattern match criteria or how to train the ML models to improve detection accuracy.
9. Click Next.
   A notification displays to confirm submission of the false positive report and that the selected snippets will be shared with Palo Alto Networks for investigative purposes.
10. Click Submit to report the false positive detection.