Configure Syslog Forwarding for Enterprise DLP Incidents
Configure one or more Log Forwarding profiles to forward Enterprise Data Loss Prevention (E-DLP)
incident syslogs so that you can manage incidents and create workflows.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |
Create a Log Forwarding profile to automatically forward Enterprise Data Loss Prevention (E-DLP)
incident syslogs to your third-party security information and event management
(SIEM), security orchestration, automation, and response (SOAR), or other automated ticketing
system. This enables your SOC analysts and incident admins to effectively triage,
review, and resolve data security risks that occur in your organization. You can
configure a single Log Forwarding profile for multiple enforcement points, or you can
create a different Log Forwarding profile for each. You can associate the same
enforcement channel with multiple Log Forwarding profiles.
Enterprise DLP forwards DLP incident syslogs over a UDP or TCP port and
requires a persistent connection to your SIEM, SOAR, or ticketing system. Enterprise DLP
can only forward DLP incident syslogs while it is successfully connected to your SIEM, SOAR,
or ticketing system. After you restore connectivity, Enterprise DLP automatically resumes
forwarding your Enterprise DLP incident syslogs. However, Enterprise DLP can't forward any
syslogs generated while Enterprise DLP and your SIEM, SOAR, or ticketing system were
disconnected, so incidents from that window exist only in Enterprise DLP itself.
When connectivity is lost, Enterprise DLP sends an email to the admin who originally
connected Enterprise DLP to your SIEM, SOAR, or ticketing system using the Log Forwarding
profile and to the user who last modified the Log Forwarding profile settings. Enterprise DLP
sends this email only once, at the time of the disconnect. If you update the SIEM, SOAR, or
ticketing system connection settings and Enterprise DLP again loses connectivity, Enterprise DLP
sends another email to notify you of the ongoing connectivity issue.
It takes 15 minutes for your syslog forwarding configuration to take effect after
you add, edit, or delete a Log Forwarding profile, or when you add a Syslog
server profile to a Log Forwarding profile.
Review the syslog field descriptions provided below for more information on what data
is included in syslogs forwarded from Enterprise DLP.
LEEF and CEF Syslog Field Descriptions

| Field Name | Description |
|---|---|
| cat | Event category. Always displays data_security. |
| facility | Numeric code (0-7) that identifies the source of a log message. |
| tenant_id | Your Enterprise DLP tenant ID. |
| incident_id | Unique DLP incident identifier. All Enterprise DLP incidents are assigned a unique ID. |
| report_id | Report ID for the DLP incident, used to view additional Traffic log details regarding the DLP incident. |
| channel | Enforcement channel where the DLP incident was generated. Can be NGFW, Prisma Access, or Endpoint DLP. |
| created_at | Time Enterprise DLP generated the incident. Format is YYYY-MM-DD-THH:MM:SS UTC. |
| file_name | Name of the file containing sensitive data that generated the Enterprise DLP incident. |
| usrName | Name of the user who generated the Enterprise DLP incident. |
| action | Action configured in the data profile (Panorama), DLP Rule, or Endpoint DLP policy rule. Can be Alert or Block. |
| source | Name or ID of the NGFW, Prisma Access, or endpoint (where the installed Prisma Access Agent forwarded traffic) that sent the traffic to Enterprise DLP that generated the incident. |
| app_id | Destination App-ID for the traffic that generated an Enterprise DLP incident. |
| app_name | Name of the destination app for the traffic that generated an Enterprise DLP incident. |
| peripheral_id | Product ID of the Endpoint DLP peripheral device that generated the Enterprise DLP incident. |
| peripheral_name | Name of the Endpoint DLP peripheral device that generated the Enterprise DLP incident. |
| peripheral_type | Type of Endpoint DLP peripheral device that generated the Enterprise DLP incident. Can be USB, Network Share, or Printer. |
| policy_name | Name of the Endpoint DLP policy rule that generated the Enterprise DLP incident. |
| policy_type | Type of Enterprise DLP policy rule that the traffic containing sensitive data matched. |
| profile_name | Name of the Enterprise DLP data profile containing the match criteria that the traffic containing sensitive data matched against. |
| profile_type_time | The date and time Enterprise DLP forwarded the syslog. Format is YYYY-MM-DD-THH:MM:SS. |
| url | The transactional URL against which the user generated the Enterprise DLP incident. |
| src | IP address of the source that generated the Enterprise DLP incident. |
| dst | IP address of the destination that generated the Enterprise DLP incident. |
| sev | Severity of the Enterprise DLP incident. Can be informational, low, medium, high, or critical. |
| snippets_url | API URL to view the snippet of sensitive data that generated the DLP incident. |
| data_pattern_results | Data pattern containing the sensitive data match criteria that the sensitive data matched against. |
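A SIEM-side parser for the field names in the table above, added here as an example and not code from the page or from Palo Alto Networks. The two sample messages are constructed; the vendor, product, version and event-id header values are assumptions (the page documents the attribute keys, not the header layout), and the triage queues are an illustrative routing policy, not a product feature.

```python
import re

# Constructed sample messages, not captured from a real tenant. Attribute keys follow
# the field table above; header values (vendor, product, version, event id) are assumptions.
CEF_SAMPLE = (
    "CEF:0|Palo Alto Networks|Enterprise DLP|1.0|dlp_incident|DLP Incident|7|"
    "cat=data_security tenant_id=example-tenant incident_id=inc-0001 "
    "channel=Prisma Access action=Alert sev=high usrName=jdoe "
    "file_name=payroll\\=q1.xlsx app_name=Dropbox src=10.0.0.5 dst=203.0.113.7"
)
LEEF_SAMPLE = (  # LEEF 2.0 with a literal tab as the attribute delimiter
    "LEEF:2.0|Palo Alto Networks|Enterprise DLP|1.0|dlp_incident|\t|"
    "cat=data_security\ttenant_id=example-tenant\tincident_id=inc-0002\t"
    "channel=Endpoint DLP\taction=Block\tsev=medium\tusrName=asmith\t"
    "peripheral_type=USB\tfile_name=customers.csv"
)
SEV_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

def parse_extension(ext: str, delim: str) -> dict:
    """Split key=value attributes; CEF values may contain spaces and \\= escapes."""
    fields = {}
    if delim == " ":  # CEF: a key is a word preceded by start-of-string or whitespace
        keys = list(re.finditer(r"(?:^|\s)(\w+)=", ext))
        for i, m in enumerate(keys):
            end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
            fields[m.group(1)] = re.sub(r"\\([=\\])", r"\1", ext[m.end():end].strip())
        return fields
    for pair in ext.split(delim):  # LEEF: exactly one delimiter between attributes
        if "=" in pair:
            key, value = pair.split("=", 1)
            fields[key.strip()] = value
    return fields

def parse_dlp_syslog(msg: str) -> dict:
    """Return the attribute dict of one CEF or LEEF 2.0 DLP incident message."""
    if msg.startswith("CEF:"):
        parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)  # 7 header fields + extension
        if len(parts) != 8:
            raise ValueError("malformed CEF header")
        return parse_extension(parts[7], " ")
    if msg.startswith("LEEF:2.0"):
        parts = re.split(r"(?<!\\)\|", msg, maxsplit=6)  # 6 header fields + attributes
        if len(parts) != 7:
            raise ValueError("malformed LEEF 2.0 header")
        return parse_extension(parts[6], parts[5])  # parts[5] is the declared delimiter
    raise ValueError("unsupported log format; expected CEF or LEEF 2.0")

def triage(fields: dict) -> str:
    """Illustrative routing (an assumption, not a product feature) on sev/action/channel."""
    severe = SEV_RANK.get(fields.get("sev", "").lower(), 0) >= SEV_RANK["high"]
    if severe and fields.get("action") == "Alert":
        return "urgent"  # the data was only alerted on, not blocked, so treat as possible loss
    if fields.get("channel") == "Endpoint DLP":
        return "endpoint-review"  # peripheral_* fields identify the device involved
    return "routine"
```

Because syslogs generated during a disconnect are never forwarded, treat `incident_id` as the reconciliation key and compare the SIEM's set against the incidents visible in Strata Cloud Manager after any connectivity email.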
- Allow the IP addresses required to forward DLP incident syslogs.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > Data Loss Prevention > Settings > Logging Settings.
- Add Log Forwarding Profile.
- Enter a descriptive Log Forwarding profile Name.
- For the Channel, select one or more enforcement channels to which the log forwarding applies. Enterprise DLP forwards all DLP incident logs for the selected channels. For example, if you select NGFW and Prisma Access, Enterprise DLP forwards syslogs for all DLP incidents generated from traffic originating from any NGFW and Prisma Access tenant associated with your Customer Support Portal account that has an active Enterprise DLP license, but it does not forward any Endpoint DLP incidents. Select at least one of the following supported channels:
  - NGFW
  - Prisma Access
  - Endpoint DLP
- Add a Filter to forward syslogs based on the region where the user generated the Enterprise DLP incident. Enterprise DLP supports multiple filters. Enterprise DLP forwards syslogs only for the Channels configured in the Syslog server profile, based on the region where the user generated the DLP incident.
- For the Syslog Server Profile, Create New Profile to define the syslog server connection settings. Enterprise DLP does not support deleting or editing a Syslog server profile after creation, so be sure the configuration is correct before you Save the Syslog server profile and attach it to your Log Forwarding profile. Repeat this step to add as many Syslog server profiles as needed.
  - Enter the Syslog Profile Name.
  - Enter the Syslog Server IP address or Fully Qualified Domain Name (FQDN).
  - Select and enter the Syslog Port used for forwarding syslogs.
  - Select the Syslog Facility for syslogs forwarded from Enterprise DLP. The syslog facility is a numeric code that a SIEM, SOAR, or ticketing system uses to identify the source of a log message and to categorize log messages. Enterprise DLP supports Log(0) through Log(7), and one syslog facility per Syslog server profile.
  - Select the Connection Type to define the protocol used for communicating with your syslog server. Enterprise DLP supports UDP and TCP ports.
  - (Optional) Upload the Server CA certificate used to establish trust between Enterprise DLP and your SIEM, SOAR, or ticketing system during Transport Layer Security (TLS) communication. Enterprise DLP currently supports Public server certificate authority (CA) certificates for UDP connections, and Public and Private service CA certificates for TCP connections. If you select Private for a TCP connection, Browse and upload the syslog server CA certificate if Enterprise DLP requires it to forward syslogs to your SIEM, SOAR, or ticketing system.
  - Select the Log Format to forward to your syslog server. You can select LEEF or CEF.
  - Enter the Recipient email address for alerts. This address receives alerts when Enterprise DLP loses connectivity to your SIEM, SOAR, or ticketing system or when Enterprise DLP fails to forward a syslog.
  - Click Test Connection to verify that you configured the Syslog server profile correctly by confirming that Enterprise DLP can communicate with your SIEM, SOAR, or ticketing system. Continue if Enterprise DLP returns Connection Successful. If Enterprise DLP returns Connection Failed, it can't connect to your SIEM, SOAR, or ticketing system because the Syslog Server or Syslog Port is configured incorrectly, or because you uploaded an invalid private Service CA certificate.
  - Save the Syslog server profile.
- Enable the Log Forwarding profile.
- Save.
- Configure Enterprise DLP.