Download Files for Evidence Analysis

Download files that match your Enterprise Data Loss Prevention (E-DLP) data profiles for investigative analysis.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Prisma Browser
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
After you successfully connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise Data Loss Prevention (E-DLP), you can download the file that generated a DLP incident for in-depth investigation.
Traffic scanned by Enterprise DLP while Enterprise DLP is disconnected from your cloud storage isn't stored. Files created by traffic that generated a DLP incident during the disconnection aren't available for download. However, all snippet data is preserved and can still be viewed in Enterprise DLP.
The file format of the matched traffic depends on the type of traffic that generated the DLP incident.
  • File Based—A copy of the file that generated the incident is saved in the same file format in which it was inspected.
  • Non-File—Non-file traffic is saved in .txt format.
    If a file is shared in a non-file based app (for example, Slack), the file is saved in the same file format in which it was inspected.
  • Email DLP—Outbound emails are saved in .eml format.
  1. Connect your AWS storage bucket, Azure storage bucket, or SFTP server to Enterprise DLP if not already connected.
    Only files scanned by Enterprise DLP after you connect the storage bucket are available for download.
  2. (AWS and Azure only) Log in to the Amazon AWS console or Microsoft Azure portal and access the cloud storage you connected to Strata Cloud Manager.
    Select Reports and enter a Report ID to search. The object Name is the Report ID.
  3. Log in to Strata Cloud Manager.
  4. Select Configuration > Data Loss Prevention > DLP Incidents and search for the Report ID.
  5. Review the report summary and click the download icon to download the file to your device.
    How the stored file is delivered depends on the storage type you connected to Enterprise DLP.
    • SFTP Server—Enterprise DLP displays the folder path where the file was uploaded on your SFTP server. You must access your SFTP server to download the file to your local device.
    • AWS and Azure—The file associated with the Report ID is downloaded directly to your device.
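
The following is an added example, not part of the original documentation and not Palo Alto Networks code. It shows one way to record a downloaded evidence file before analysis: it hashes the file and, using the saved formats listed above (.eml for Email DLP, .txt for non-file traffic, original format otherwise), summarizes an .eml by headers and attachment digests without rendering it. The function names, the sample message, and the REPORT-ID-PLACEHOLDER file name are constructed for illustration.

```python
import hashlib
import tempfile
from email import policy
from email.parser import BytesParser
from pathlib import Path

# Constructed sample of an outbound message saved as .eml (not real evidence).
SAMPLE_EML = (
    b"From: alice@example.com\r\nTo: bob@example.net\r\n"
    b"Subject: Q3 customer list\r\nMIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    b"--b1\r\nContent-Type: text/csv\r\n"
    b'Content-Disposition: attachment; filename="customers.csv"\r\n\r\n'
    b"name,ssn\r\nJane Doe,000-00-0000\r\n--b1--\r\n"
)


def triage_evidence(path):
    """Hash a downloaded evidence file and summarize it without rendering it."""
    path = Path(path)
    data = path.read_bytes()
    # Record the digest first so later analysis can be tied to the original bytes.
    record = {"name": path.name, "size": len(data),
              "sha256": hashlib.sha256(data).hexdigest()}
    ext = path.suffix.lower()
    if ext == ".eml":
        # Email DLP evidence: read headers and list attachments only.
        msg = BytesParser(policy=policy.default).parsebytes(data)
        record["kind"] = "email"
        for header in ("From", "To", "Subject"):
            record[header.lower()] = str(msg[header])
        record["attachments"] = [
            (part.get_filename(),
             hashlib.sha256(part.get_payload(decode=True) or b"").hexdigest())
            for part in msg.iter_attachments()
        ]
    elif ext == ".txt":
        # Extension alone is ambiguous: non-file traffic, or a .txt inspected as a file.
        record["kind"] = "non-file or text file"
    else:
        record["kind"] = "file"
    return record


def demo():
    """Write the constructed sample to a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "REPORT-ID-PLACEHOLDER.eml"
        path.write_bytes(SAMPLE_EML)
        return triage_evidence(path)
```

Call demo() to see the record for the constructed sample, or pass triage_evidence() the path of a file you downloaded.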