Set Up Cloud Storage on Microsoft Azure to Save Evidence
Focus
Focus
Enterprise DLP

Set Up Cloud Storage on Microsoft Azure to Save Evidence

Table of Contents

Set Up Cloud Storage on Microsoft Azure to Save Evidence

Configure cloud storage on Microsoft Azure to save evidence for investigative analysis with Enterprise Data Loss Prevention (E-DLP).
Where Can I Use This?What Do I Need?
  • Panorama
  • Prisma Access (Managed by Strata Cloud Manager)
  • SaaS Security
  • NGFW (Managed by Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license and any of the following:
    • Panorama—Support and device management licenses
    • Prisma Access (Managed by Strata Cloud Manager)Prisma Access license
    • SaaS SecuritySaaS Security license
    • NGFW (Managed by Strata Cloud Manager)—Support and AIOps for NGFW Premium licenses
    Or
  • Any of the following licenses
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Microsoft Azure users can configure a blog storage bucket to automatically upload all files that match an Enterprise Data Loss Prevention (E-DLP) data profile for Enterprise DLP.
To store your files scanned by the DLP cloud service, you must create a storage account and Identity and Access Management (IAM) role that allows the DLP cloud service access to automatically store files. Files uploaded to your storage account are automatically named using a unique Report ID for each file. The Report ID is used to search and download specific files for more in-depth investigation.
In case of connection issues to your storage account due to configuration error or change in settings, an email is automatically generated and sent to the admin that originally connected to Enterprise DLP to the storage bucket and to the user who last modified the storage account connection settings. This email is sent out every 48 hours until the connection is restored.
Files scanned by the DLP cloud service while Enterprise DLP was disconnected from your storage account can’t be stored and are lost. This means that all impacted files aren’t available for download. However, all snippet data is preserved and can still be viewed in the Enterprise DLP
File storage automatically resumes after the connection status is restored.
  1. Review the Setup Prerequisites for Enterprise DLP and enable the required ports, full qualified domain names (FQDN), and IP addresses on your network.
  2. Log in to the Microsoft Azure portal as an administrator.
    Administrator level privileges are required to successfully add the Enterprise DLP evidence storage application using Cloud Shell and to configure access to the storage account to enable file uploads by the DLP cloud service to save files for evidence analysis.
  3. (Optional) From the portal menu, select Storage groups and Create a new storage group.
    You can also search for storage groups.
    The storage group is required to associate the storage account you create next for storing matched files.
    Skip this step if you have an existing resource group that you want to associate with the storage account.
  4. From the portal menu, select Storage accounts and Create a new storage account.
    You can also search for storage accounts.
  5. Obtain the App-ID, Tenant ID, and blob service endpoint URL.
    This information is required to add the Palo Alto Networks Enterprise DLP application to your Microsoft Azure tenant and to configure connectivity to the DLP cloud service.
    • Palo Alto Networks Enterprise DLP App ID - 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
      The Palo Alto Networks Enterprise DLP App-ID can be found in the DLP app on the hub (SettingsSensitive DataConfigure BucketAzure).
    1. Obtain your Tenant ID.
      1. From the portal menu, select Azure Active Directory.
        You can also search for azure active directory.
      2. In the Basic Information section, copy the Tenant ID.
    2. Obtain the blob service endpoint URL.
      1. From the portal menu, select Storage accounts and select the storage account you will use to save files for evidence analysis.
      2. Select SettingsEndpoints and copy the Blob service endpoint URL.
  6. Add the Palo Alto Networks Enterprise DLP application.
    1. Open Cloud Shell.
      Click the Cloud Shell icon located in the top-right corner of the Microsoft Azure portal.
    2. Add the Palo Alto Networks Enterprise DLP application.
      Connect-AzureAD -TenantID <Your_Tenant_ID>
      New-AzureADServicePrincipal -AppId 65def4b7-bae6-4bff-ab73-63fe8c9a3c8d
      It might take a few minutes for Microsoft Azure to add a new application to your Azure tenant.
    3. Close the Cloud Shell.
    4. Search for and select Enterprise applications.
    5. For the Application type, select All applications.
    6. Search for the Palo Alto Networks Enterprise DLP application name to verify you successfully added the application.
  7. Configure permissions for the Palo Alto Networks Enterprise DLP application.
    1. Select the Palo Alto Networks Enterprise DLP application name.
    2. Select SecurityPermissions and Grant Admin consent.
    3. Select the administrator email in the Microsoft login prompt that is displayed.
    4. Accept the permissions request to allow the Palo Alto Networks Enterprise DLP application to view your Azure storage accounts.
      It might take a few minutes for the permissions to be successfully granted to the Palo Alto Networks Enterprise DLP application.
      You still need to grant the Palo Alto Networks Enterprise DLP application permission to write to a specific storage account.
    5. Verify that the Azure Storage and Microsoft Graph API names are displayed in the Admin consent section.
    6. From the portal menu, select Storage accounts and select the storage account you want to use to save files for evidence analysis.
    7. Select Access Control (IAM)AddAdd Role AssignmentStorage Blob Data Owner and click Next.
    8. Select to assign access to User, group, or service principle and select members.
    9. Search and select the Palo Alto Networks Enterprise DLP application and Select the application.
    10. Review + assign to allow the Palo Alto Networks Enterprise DLP application to write to the storage account.
      It can take up to 10 minutes for the write permissions to be successfully granted to the Palo Alto Networks Enterprise DLP application.
  8. Configure the storage bucket for evidence file storage.
    1. Log in to Strata Cloud Manager.
      Access to evidence storage settings and files on Strata Cloud Manager is allowed only for an account administrator or app administrator role with Enterprise DLP read and write privileges. This is to ensure that only the appropriate users have access to report data and evidence.
    2. Select ManageConfigurationData Loss PreventionSettingsSensitive Data and select Azure as the Public Cloud Storage Bucket.
    3. Select Input Bucket Details.
    4. Enter Microsoft Azure Tenant ID.
    5. Enter the Storage Endpoint.
      This is the blob service endpoint URL that you gathered for the storage account.
    6. Connect the storage account and the DLP cloud service.
    7. View the Connection Status to verify that the DLP cloud service successfully connected to the storage account.
      Select Save if Strata Cloud Manager can successfully connect your bucket. A connectiontest file is uploaded to your storage account by the DLP cloud service to verify connectivity.
      If Strata Cloud Manager can’t successfully connect your bucket, select Previous and edit the bucket connection settings.
    8. In the Store Sensitive Files settings, enable storage of sensitive files for Strata Cloud Manager.
  9. Enable Sensitive Files for your enforcement points.
    You can enable evidence storage of sensitive files for Prisma Access, NGFW, and Endpoint DLP. Enable evidence storage when prompted to confirm.