Enterprise DLP
Create a Custom Data Pattern
Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern using regular expressions or file properties.

Where Can I Use This? | What Do I Need?
---|---
 | An Enterprise DLP license, or any of the licenses that include the Enterprise DLP license

Create data patterns to specify the match criteria and identify patterns using regular expressions and keywords that represent sensitive information on your network. All data patterns you create are shared across the Panorama™ management server and Strata Cloud Manager deployments associated with the tenant. All custom data patterns created on Panorama or Strata Cloud Manager can be edited and copied as needed.

Strata Cloud Manager
Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > Security Services > Data Loss Prevention > Detection Methods > Data Patterns.
- Add Data Patterns and select Custom.
  You can also create a new custom data pattern by copying an existing one. To copy a custom data pattern, select the data pattern name to view its details and copy it. You can then configure the copied data pattern as needed.
- Enter a descriptive Data Pattern Name.
- (Optional) Enter a Description for the data pattern.
- Select the type of Regular Expression.
  You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create a basic or weighted regular expression. With weighted regular expressions, each text entry is assigned a score and, when the score threshold is exceeded, such as when enough expressions from a pattern match an asset, Enterprise DLP indicates that the asset is a match for the pattern. Then use the query builder in the Regular Expressions field to add either Basic or Weighted expressions.
- (Optional) Enter one or more Proximity Keywords.
  Proximity keywords aren't case-sensitive. Enter one or more proximity keywords to increase the probability that Enterprise DLP accurately detects a regular expression match. Proximity keywords affect the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is that matched traffic is a true match. Enterprise DLP determines the confidence level from the distance between regular expression matches and the proximity keywords.
- Save the data pattern.
- Create a data profile on Strata Cloud Manager.
DLP App
Create an Enterprise Data Loss Prevention (E-DLP) custom data pattern on the DLP app on the hub.
- Log in to the DLP app on the hub.
  If you don't already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
- Select Detection Methods > Data Patterns and Add Data Patterns.
  You can also create a new custom data pattern by copying an existing one. To copy a custom data pattern, expand the Actions column for the data pattern you want to copy and Clone the data pattern. You can then configure the copied data pattern as needed.
- Select the Custom data pattern.
- Enter a descriptive Data Pattern Name.
- (Optional) Enter a Description for the data pattern.
- Select the type of Regular Expression.
  You can choose Basic or Weighted data patterns. Use the Weighted data pattern to create a basic or weighted regular expression. With weighted regular expressions, each text entry is assigned a score and, when the score threshold is exceeded, such as when enough expressions from a pattern match an asset, Enterprise DLP indicates that the asset is a match for the pattern. Then use the query builder in the Regular Expressions field to add either Basic or Weighted expressions.
- (Optional) Enter one or more Proximity Keywords.
  Proximity keywords aren't case-sensitive. Enter one or more proximity keywords to increase the probability that Enterprise DLP accurately detects a regular expression match. Proximity keywords affect the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is that matched traffic is a true match. Enterprise DLP determines the confidence level from the distance between regular expression matches and the proximity keywords.
- Save the data pattern.
- Create a data profile on the DLP app.
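The Basic/Weighted scoring and the proximity-keyword confidence described in the Strata Cloud Manager and DLP app procedures above (and in the Panorama procedure below, where the weighted type is called Advanced) can be modelled in a few lines. The following Python is an added example, not Enterprise DLP's own code: the product's scoring and confidence rules are not published on this page, so the threshold comparison, the 100-character proximity window, the confidence labels, and the sample pattern and sample texts are assumptions constructed for illustration.

```python
"""Simplified model of a weighted regular-expression data pattern with
proximity keywords.

Added example, not Enterprise DLP code: the product's real scoring and
confidence rules are not published, so the >= threshold test, the
100-character proximity window and the confidence labels are assumptions
chosen to illustrate the behaviour the procedure describes.
"""
import re
from dataclasses import dataclass, field


@dataclass
class WeightedExpression:
    regex: str   # one text entry of the pattern
    score: int   # weight added when this expression matches anywhere in the asset


@dataclass
class DataPattern:
    name: str
    expressions: list                 # list[WeightedExpression]
    threshold: int                    # asset matches when total score >= threshold (assumed)
    proximity_keywords: list = field(default_factory=list)  # case-insensitive
    proximity_window: int = 100       # assumed: max chars between keyword and match for "high"


def basic_pattern(name, regex, proximity_keywords=()):
    """A Basic pattern is the degenerate weighted case: one expression, score 1, threshold 1."""
    return DataPattern(name, [WeightedExpression(regex, 1)], 1, list(proximity_keywords))


def scan(pattern, text):
    """Return match decision, accumulated score, matched expressions and confidence."""
    total, matched, spans = 0, [], []
    for expr in pattern.expressions:
        hits = [m.span() for m in re.finditer(expr.regex, text)]
        if hits:
            total += expr.score          # each expression is counted once, however many hits
            matched.append(expr.regex)
            spans.extend(hits)
    is_match = total >= pattern.threshold
    return {
        "pattern": pattern.name,
        "match": is_match,
        "score": total,
        "matched": matched,
        "confidence": _confidence(pattern, text, spans) if is_match else None,
    }


def _confidence(pattern, text, spans):
    """Confidence from the distance between regex matches and the nearest proximity keyword."""
    if not pattern.proximity_keywords:
        return "medium"                  # assumed default when no keywords are configured
    kw = re.compile("|".join(re.escape(k) for k in pattern.proximity_keywords), re.IGNORECASE)
    keyword_positions = [m.start() for m in kw.finditer(text)]
    if not keyword_positions:
        return "low"                     # regex matched but no supporting keyword anywhere
    nearest = min(abs(k - s) for k in keyword_positions for s, _ in spans)
    return "high" if nearest <= pattern.proximity_window else "low"


# Constructed sample pattern: card-number-shaped digits weigh 3, an MM/YY expiry weighs 2,
# so a lone card number (3) stays below the threshold of 5 but card + expiry (5) matches.
CARD_WITH_EXPIRY = DataPattern(
    name="Payment card with expiry (weighted)",
    expressions=[
        WeightedExpression(r"\b(?:\d[ -]?){13,16}\b", 3),
        WeightedExpression(r"\b(?:0[1-9]|1[0-2])/\d{2}\b", 2),
    ],
    threshold=5,
    proximity_keywords=["card", "expiry", "cvv"],
)

# Constructed sample assets (4111 1111 1111 1111 is a well-known test number, not a live card).
SAMPLE_MATCH = "Card on file: 4111 1111 1111 1111, expiry 12/27, CVV withheld."
SAMPLE_NO_KEYWORD = "Ref 4111 1111 1111 1111 / 12/27 batch 7."
SAMPLE_BELOW_THRESHOLD = "Card on file: 4111 1111 1111 1111 (expiry unknown)."

if __name__ == "__main__":
    for asset in (SAMPLE_MATCH, SAMPLE_NO_KEYWORD, SAMPLE_BELOW_THRESHOLD):
        print(scan(CARD_WITH_EXPIRY, asset))
```

Running the block prints one result per sample asset: card number plus expiry with a nearby keyword matches at high confidence; the same values with no keyword anywhere still match but at low confidence; a lone card number scores 3 and stays below the threshold of 5. That last case is the point of weighting: a weaker indicator on its own does not trigger the pattern, which is how a Weighted (Advanced) pattern trades recall for fewer false positives compared with a Basic pattern built from the card regex alone.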
Panorama
Create a data pattern to identify sensitive information on your network when using Enterprise Data Loss Prevention (E-DLP).
- Log in to the Panorama web interface.
- Select Objects > DLP > Data Filtering Patterns.
  You do not need to select the device group that the managed firewalls using Enterprise DLP are associated with. All data patterns are shared across all device groups by default.
- Add a new data pattern.
- Specify a Name, then specify a Type and the criteria for the data pattern. Use either of the following data pattern types:
  - Regular Expression: create regular expressions to use in the data pattern.
    You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create a basic or weighted regular expression. With weighted regular expressions, each text entry is assigned a score and, when the score threshold is exceeded, such as when enough expressions from a pattern match an asset, Enterprise DLP indicates that the asset is a match for the pattern. Then use the query builder in the Regular Expressions field to add either regular (Basic) or weighted (Advanced) expressions.
    You can enter one or more Proximity Keywords to use with the data filtering pattern. Proximity keywords aren't case-sensitive. Enter one or more proximity keywords to increase the probability that Enterprise DLP accurately detects a regular expression match. Proximity keywords affect the Enterprise DLP confidence level, which reflects how confident Enterprise DLP is that matched traffic is a true match. Enterprise DLP determines the confidence level from the distance between regular expression matches and the proximity keywords.
  - File Property: add a file property pattern on which to match.
    If you use classification labels or embed tags in MS Office and PDF documents for audit and tracking purposes, you can create a file property data pattern that matches on the metadata or attributes stored as custom or extended properties in the file. Whether you use an automated classification mechanism, such as Titus, or require users to add a tag, you specify a name-value pair to match against a custom or extended property embedded in the file. Enterprise DLP supports file property data patterns in MS Office and PDF documents, and supports both the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office.
    Then add a Tag Name and Tag Value. A Tag Name and Tag Value are an associated pair that specifies the property to look for (for example, a Tag Name of Label and a Tag Value of Confidential). You can add as many file properties as you like; when you later reference the file property data pattern in a data filtering profile, Enterprise DLP uses a boolean OR across the pairs in the match criteria.
    For files protected with Microsoft Azure Information Protection (AIP), you must enter the full AIP label Name that you want to take action on. This can be either the MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
- Click OK to save the data pattern.
- Commit and push the new configuration to your managed firewalls. This step is required for Enterprise DLP data filtering profile names to appear in Data Filtering logs.
  The Commit and Push command isn't recommended for Enterprise DLP configuration changes: it requires the additional and unnecessary overhead of manually selecting the impacted templates and managed firewalls in the Push Scope Selection. Use one of the following instead.
  - Full configuration push from Panorama
    - Select Commit > Commit to Panorama and Commit.
    - Select Commit > Push to Devices and Edit Selections.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to the managed firewalls that are using Enterprise DLP.
  - Partial configuration push from Panorama
    You must always include the temporary __dlp administrator when performing a partial configuration push. This is required to keep Panorama and the DLP cloud service in sync. For example, a Panorama admin user named admin who is allowed to commit and push configuration changes has changed the Enterprise DLP configuration and wants to commit and push only those changes to managed firewalls. In this case, the admin user must also select the __dlp user in the partial commit and push operations.
    - Select Commit > Commit to Panorama.
    - Select Commit Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial commit. In this example, the admin user is logged in and performing the commit, so the admin user must click admin and then select the __dlp user. Configuration changes made by other Panorama admins can be selected here as well. Click OK to continue.
    - Commit.
    - Select Commit > Push to Devices.
    - Select Push Changes Made By and then click the current Panorama admin user to select additional admins to include in the partial push. In this example, the admin user is logged in and performing the push, so the admin user must click admin and then select the __dlp user. Configuration changes made by other Panorama admins can be selected here as well. Click OK to continue.
    - Select Device Groups and Include Device and Network Templates.
    - Click OK.
    - Push your configuration changes to the managed firewalls that are using Enterprise DLP.
- Create a data profile on Panorama or the DLP app.
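The File Property type above matches on custom or extended properties embedded in the document, so it helps to see what those properties look like on disk before relying on a Tag Name / Tag Value pair. The following Python is an added example, not Enterprise DLP code: it builds a minimal .docx-style archive whose docProps/custom.xml carries a Titus-style Label and an AIP-style MSIP_Label_<GUID>_Enabled flag (constructed values, placeholder GUID), reads the properties back, and applies the boolean OR semantics the procedure describes. The exact-string comparison is an assumption about the product; the OLE (.doc/.ppt) container the page also lists and PDF metadata are not handled here.

```python
"""Read custom document properties from an Office Open XML (.docx/.pptx/.xlsx)
archive and evaluate them against File Property data-pattern pairs.

Added example, not Enterprise DLP code. The exact-string comparison in
file_property_matches is an assumption; the product's own comparison rules
are not documented on the page this accompanies.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces and format id used by Office for the custom-properties part.
CP_NS = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
VT_NS = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID_USER_DEFINED = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"
CUSTOM_PART = "docProps/custom.xml"


def read_custom_properties(docx_bytes):
    """Return {property name: value} from docProps/custom.xml, or {} if the part is absent."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if CUSTOM_PART not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read(CUSTOM_PART))
    props = {}
    for prop in root.findall(f"{{{CP_NS}}}property"):
        value_el = next(iter(prop), None)        # single typed child, e.g. <vt:lpwstr>
        props[prop.get("name")] = (value_el.text or "") if value_el is not None else ""
    return props


def file_property_matches(props, tag_pairs):
    """Boolean OR over (Tag Name, Tag Value) pairs: any one pair present means the pattern
    matches. Returns the pairs that matched; an empty list means no match."""
    return [(name, value) for name, value in tag_pairs if props.get(name) == value]


def build_sample_docx(properties, include_custom_part=True):
    """Constructed minimal .docx-style zip carrying only the custom-properties part
    (a real document has many more parts; they are irrelevant to this check)."""
    ET.register_namespace("", CP_NS)
    ET.register_namespace("vt", VT_NS)
    root = ET.Element(f"{{{CP_NS}}}Properties")
    for pid, (name, value) in enumerate(properties.items(), start=2):   # Office numbers pids from 2
        prop = ET.SubElement(root, f"{{{CP_NS}}}property",
                             fmtid=FMTID_USER_DEFINED, pid=str(pid), name=name)
        ET.SubElement(prop, f"{{{VT_NS}}}lpwstr").text = value
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        if include_custom_part:
            zf.writestr(CUSTOM_PART, ET.tostring(root, xml_declaration=True, encoding="UTF-8"))
        else:
            zf.writestr("word/document.xml", "<w:document/>")   # placeholder body, no properties
    return buf.getvalue()


# Constructed labels: a Titus-style "Label" and AIP-style MSIP_Label_<GUID>_* properties.
# The GUID is a placeholder, not a real tenant label id.
AIP_GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_PROPERTIES = {
    "Label": "Confidential",
    f"MSIP_Label_{AIP_GUID}_Enabled": "true",
    f"MSIP_Label_{AIP_GUID}_Name": "Confidential",
}

# The pattern as it would be entered in Panorama: two Tag Name / Tag Value pairs, OR'd together.
CONFIDENTIAL_PATTERN = [("Label", "Confidential"), (f"MSIP_Label_{AIP_GUID}_Enabled", "true")]

if __name__ == "__main__":
    props = read_custom_properties(build_sample_docx(SAMPLE_PROPERTIES))
    print(props)
    print(file_property_matches(props, CONFIDENTIAL_PATTERN))
```

Before committing a file property pattern, run read_custom_properties over a handful of documents labelled by your classification tool to confirm the property names it actually writes; AIP, for instance, writes several MSIP_Label_<GUID>_* properties, and the page's instruction to use the full _Enabled name avoids matching the wrong one. A scanner that processes untrusted files should parse the part with defusedxml rather than xml.etree and bound the decompressed size of the archive, since both the XML and the zip container are attacker-controlled input.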