Create a Data Profile with Data Patterns and EDM Datasets on the DLP App

Create and configure an Enterprise data loss prevention (DLP) data profile containing a predefined or custom data pattern and an EDM dataset on the DLP app.
Enterprise data loss prevention (DLP) supports creation of data profiles that contains at least one predefined or custom Enterprise DLP data pattern and at least one EDM dataset pattern. Data profiles with a data pattern and an EDM dataset can only be created on the DLP app on the hub and are viewable on Panorama, Prisma Access (Panorama Managed), Prisma Access (Cloud Managed), and the DLP app on the hub. Viewing a data profile created on the DLP app on Panorama requires Panorama plugin for Enterprise DLP 1.0.4 or later release.
When you create a data profile using predefined data patterns, be sure to consider the detection types used by the predefined data patterns because the detection type determines how Enterprise data loss prevention (DLP) arrives at a verdict for scanned files. For example, when you create a data profile that includes three machine learning (ML)-based data patterns and seven regex-based data patterns, Enterprise DLP will return verdicts based on the seven regex-based patterns whenever the scanned file exceeds 1MB.
Updating a data profile to include only data patterns is not allowed if the data profile includes at least one EDM dataset when it was initially created. However, updating a data profile that includes only EDM datasets to include EDM datasets and data patterns is supported.
See Create a Data Profile on the DLP App to create a data profile containing only predefined or custom data patterns.
  1. Log in to the DLP app on the hub.
    If you do not already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select
    Data Profiles
    Add Data Profile
    With EDM or a combination of EDM and Data Patterns
    .
    You can also create a new data profile by copying an existing data profile. This allows you to quickly modify an existing data profile with additional match criteria while preserving the original data profile from which the new data profile was copied.
    Data profiles created by copying an existing data profile are appended with
    Copy - <name_of_original_data_profile>
    . This name can be edited as needed.
    Adding an EDM dataset to a copied data profile is supported only if the original data profile had an EDM dataset to begin with. Adding an EDM dataset to a data profile that does not already have an EDM dataset is not supported.
  3. Configure the Primary Rule for the data profile.
    Data pattern match criteria for traffic that you want to allow must be added to the Primary Rule. Data pattern match criteria for traffic that you want to block can be added to either Primary Rule or Secondary Rule.
    1. Enter a descriptive
      Data Profile Name
      .
    2. For the Primary Rule,
      Add Rule
      and
      Add Data Pattern
      .
    3. Configure the data pattern conditions as needed.
      • Select the operator for data pattern.
      • Data Pattern
        —Select a custom or predefined data pattern.
      • Occurrences
        —Specify the occurrences required to trigger a Security policy rule action.
      • Confidence
        —Specify the confidence level required for a Security policy rule action to be taken (
        Low
        ,
        Medium
        , or
        High
        )
    4. Add EDM Dataset
      to define the EDM dataset match criteria using an
      AND
      or
      OR
      operator to the Primary Rule.
      See Create a Data Profile with EDM Datasets on the DLP App for more information on configuring EDM dataset match criteria in a data profile.
    5. Configure the match criteria for a Security policy rule action based on the values in the primary and secondary fields.
      When you select
      Any (OR)
      , the maximum
      Count
      setting is one less than the total number of fields included in the
      Primary Field
      or
      Secondary Field
      .
      Configure whether an action if
      Any (OR)
      or
      All (AND)
      primary fields are matched and if
      Any (OR)
      or
      All (AND)
      secondary fields are matched.
      For example, you configure the data profile to scan for at least 20 occurrences that match for All primary fields and Any secondary fields with a match count of 3. When applied to a Security policy rule, an action is taken when a scanned file contains at least 20 matches to all primary field values and any 3 of the secondary field values.
    6. (
      Optional
      )
      Add Group
      to nest additional match criteria for a data pattern or EDM dataset so you can more accurately define your compliance rules.
      When you click
      Add Group
      , the new match criteria group is nested under the most recently added data pattern or EDM dataset. You cannot nest a new match criteria group between existing data patterns or EDM datasets. If multiple data patterns or EDM datasets are added, you must remove the data patterns or EDM datasets that follow the data pattern or EDM dataset for which you want to added the nested match criteria. For example, you added
      EDM_Dataset1
      ,
      Data_Pattern2
      , and
      EDM_Dataset3
      to the Primary Rule. If you wanted to added nested match criteria to
      Data_Pattern2
      , you must first remove
      EDM_Dataset3
      from the Primary Rule.
      You can select the same data pattern or EDM dataset or a different data pattern EDM dataset to more accurately define your compliance rules. Nesting match criteria is supported only when the data profile includes an EDM dataset. Enterprise DLP supports up to 3 level of additional nesting groups for each data pattern or EDM dataset. You can nest additional data patterns or EDM datasets under a data pattern or EDM dataset added to the Primary or Secondary Rule.
      Nested match criteria support the
      AND
      ,
      OR
      , and
      NOT
      operators. Refer to the descriptions above to configure the nested match criteria.
    7. (
      Optional
      ) Configure a Secondary Rule.
      Data pattern match criteria added to the Secondary Rule block all traffic that meet the match criteria for the data patterns by default and cannot be modified. If you want to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.
    8. Review the
      Data Profile Preview
      to verify the data profile match criteria.
    9. Save
      the data profile.
  4. Verify that the data profile you created.
    • DLP App on the hub—
      Log in to the DLP app on the hub as a Superuser and select
      Data Profiles
      to view the data profile you created.
    • Prisma Access (Cloud Managed)
      1. Select
        Manage
        Configuration
        Security Services
        Data Loss Prevention
        and search for the data profile you created.
    • Panorama and Prisma Access (Panorama Managed)
      See Update a Data Filtering Profile on Panorama for more information on which data profile settings are editable on Panorama for a data profile created on Prisma Access (Cloud Managed).
    1. Select
      Objects
      DLP
      Data Filtering Profiles
      and navigate to the data profile you created.
    2. (
      Optional
      ) Edit the data profile Action to block traffic.
      The Action for a data profile created on the Prisma Access (Cloud Managed) is configured to
      Alert
      by default.
      If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
      1. Select the data profile created on Prisma Access (Cloud Managed).
      2. Set the data profile Action to
        Block
        traffic that matches the data profile match criteria.
      3. Select
        Commit
        Commit to Panorama
        and
        Commit
        .
      4. Click
        OK
        .
      5. Select
        Commit
        Push to Devices
        and
        Edit Selections
        .
      6. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      7. Push
        your configuration changes to your managed firewalls that are leveraging Enterprise DLP.
  5. Verify that the data profile you created.
    1. View the data profile you created on the DLP app.
      • Prisma Access (Cloud Managed)
        1. Select
          Manage
          Configuration
          Security Services
          Data Loss Prevention
          and search for the data profile you created.
      • Panorama and Prisma Access (Panorama Managed)
        See Update a Data Filtering Profile on Panorama for more information on which data profile settings are editable on Panorama for a data profile created on the DLP app on the hub.
        1. Select
          Objects
          DLP
          Data Filtering Profiles
          and navigate to the data profile you created.
    2. (
      Optional
      ) Edit the data profile Action to block traffic.
      The Action for a data profile created on the DLP app on the hub is configured to
      Alert
      by default.
      If the data profile has both Primary and Secondary Patterns, changing the data profile Action on Panorama deletes all Secondary Pattern match criteria.
      1. Select the data profile created on the DLP app.
      2. Set the data profile Action to
        Block
        traffic that matches the data profile match criteria.
      3. Select
        Commit
        Commit to Panorama
        and
        Commit
        .
      4. Click
        OK
        .
      5. Select
        Commit
        Push to Devices
        and
        Edit Selections
        .
      6. Select
        Device Groups
        and
        Include Device and Network Templates
        .
      7. Push
        your configuration changes to your managed firewalls that are leveraging Enterprise DLP.
  6. Attach the data profile to a Security policy rule.
    1. Select
      Policies
      Security
      and specify the
      Device Group
      .
    2. Select the Security policy rule to which you want to add the data profile.
    3. Select
      Actions
      and set the
      Profile Type
      to
      Profiles
      .
    4. Select the
      Data Filtering
      profile you created.
    5. Click
      OK
      .
    6. Select
      Commit
      and
      Commit and Push
      .

Recommended For You