Remediate Discovered Shadow Data

Table of Contents

Analyze Discovered Shadow Data

End User Coaching

Remediate Discovered Shadow Data

Take remediation action for shadow data discovered by Enterprise Data Loss Prevention (E-DLP),

Where Can I Use This?	What Do I Need?
Strata Cloud Manager	Data Security license Enterprise DLP license Or any of the following licenses that include the Enterprise DLP and Data Security licenses Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

Where Can I Use This?

What Do I Need?

Strata Cloud Manager

Data Security license
Enterprise DLP license

Or any of the following licenses that include the Enterprise DLP and Data Security licenses

Prisma Access CASB license
Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
Data Security license

Contact Palo Alto Networks to enable Shadow Data Discovery on your tenant.

Enterprise Data Loss Prevention (E-DLP) takes action on discovered shadow creating a new custom document type using the discovered files. Enterprise DLP uses the custom document type created using the Shadow Data Discovery category and sub category to take action on shadow data detected on all subsequent scans. This inspection isn't retroactive and applies only to new scans after you create the new custom document type and add it to your data asset policy.

Log in to Strata Cloud Manager.
Start a Shadow Data Discovery Scan.
Analyze Discovered Shadow Data.
In the Categories, expand the Actions menu and Review Files for the shadow data category you want to remediate.

If you selected a category from the Top Clusters, the Categories lists all the shadow data discovered by Enterprise DLP. Click Review Files at the top of the Categories list.
Review the discovered files.
Apply filters to narrow down and understand the types of shadow data discovered by Enterprise DLP in the specific category. Applying filters does not narrow down shadow data Enterprise DLP takes action on in the next step. Enterprise DLP takes the action you configure in the next step for all shadow data in the selected category regardless of filters applied.
Click Next: Actions to configure the actions Enterprise DLP takes to secure this sensitive data from exfiltration.
Configure the actions Enterprise DLP takes discovered shadow data.

Enterprise DLP creates an Indexed Document Matching (IDM) custom document type to prevent exfiltration of sensitive data that matches the selected Category and Sub Category if selected.

In the example displayed below, the selected Category is Cybersecurity and Privacy Requests and the Sub Category is Credit Report Disputes and Innaccuracies. In this case, Enterprise DLP takes action on any shadow data that matches both these categories when you add the custom document type to a data asset policy rule.
1. Enter a Name for the new custom document type.
2. (Optional) Enter a Description.
3. The Category field displays the shadow data category you want to take remediation action for. You can't edit this field.
4. (Optional) Select a Sub Category. You can only select one sub category.
5. Click Next: Summary.
Review the summary of the new custom document types and Finish.
Create a data profile and add the custom document type you created.
Enable the data profile for use in Data Security.

Select ConfigurationSaaS SecuritySettingsData Profiles and select the data profile you created. Select ActionEnable and Confirm you want to enable the data profile.
Select Data SecurityPolicies and add a data asset policy.

When configuring the Match Criteria for the data asset policy, select BasicData Profile and Add Data Profile to add the data profile you enabled in the previous step.

Add any additional data profiles as needed. Palo Alto Networks recommends using the OR operator to ensure that Enterprise DLP can detect any combination of sensitive data that matches the different data profiles you add.

Click Next to define the Rule Actions and to Submit the new data asset policy.