Report a False Positive Detection
Focus
Focus
Enterprise DLP

Report a False Positive Detection

Table of Contents

Report a False Positive Detection

Report false positive detections by
Enterprise Data Loss Prevention (E-DLP)
to
Palo Alto Networks
to improve the DLP cloud service detection accuracy.
Where Can I Use This?
What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP)
    license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the
Enterprise DLP
license
  • Prisma Access
    CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X)
    license
  • Data Security
    license
In some instances,
Enterprise Data Loss Prevention (E-DLP)
may incorrectly detect and take action on the file or network traffic that it should not have. This is called a
false positive
detection and they can cause productivity impacts to individual employees and
Enterprise DLP
administrators alike. False positive detections are commonly caused by traffic match criteria in predefined regular expression (regex).
Report false positive detections to
Palo Alto Networks
to improve
Enterprise DLP
detection accuracy for yourself and other
Enterprise DLP
users. False positive detections are reported against the DLP Incident where the false positive detection occurred. The DLP Incident must meet the following conditions to report a false positive detection:
  • Traffic matched against a predefined regular expression (regex) data patterns.
  • The traffic is match is high confidence.
  • There is a snippet available of the false positive detection to share with
    Palo Alto Networks
All selected DLP incident snippets are shared with
Palo Alto Networks
when you submit a false positive report. The selected snippets are stored and accessible by
Palo Alto Networks
for up to 90 days to allow
Palo Alto Networks
to investigate and improve
Enterprise DLP
detection accuracy.
Reporting false positive detections for incidents generated from Email DLP or
SaaS Security
are not supported.
  1. Log in to the management platform where you are managing
    Enterprise DLP
    .
  2. Reviewed your data patterns, profiles, and Security policy rules to reduce false positive detections
  3. Select
    Manage
    Configuration
    Data Loss Prevention
    DLP Incidents
    .
  4. In the
    Incidents
    , click the
    File
    name of the false positive DLP incident you want to report to
    Palo Alto Networks
    .
  5. In the
    Matches within Data Profile
    window, click
    Report False Positive
    .
  6. In the
    Falsely Detection Information
    , select one or more data patterns.
    The list of available data patterns is based on the data profile that generated a false positive detection. Only data patterns associated with the data profile are displayed.
  7. Select one or more snippets of false positive detections.
    You can select snippets from multiple data patterns associated with the data profile if selected.
  8. (
    Optional
    ) Add a
    Comment
    to provide additional details to
    Palo Alto Networks
    .
    This helps
    Palo Alto Networks
    understand how to improve the predefined data pattern match criteria or how to train the ML models to improve detection accuracy.
    Click
    Next
    .
  9. A notification is displayed to confirm submission of the false positive report and that the snippet will be shared with
    Palo Alto Networks
    for investigative purposes.
    Click
    Submit
    to report the false positive detection.

Recommended For You