View Enterprise DLP Log Details
Focus
Focus
Enterprise DLP

View Enterprise DLP Log Details

Table of Contents

View Enterprise DLP Log Details

View the log details for traffic that matches your data filtering profiles on firewalls that are using Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
An Enterprise Data Loss Prevention (E-DLP) Incident is generated when traffic matches your Enterprise DLP data profiles for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager. You can then filter and view the DLP Incident for the detected traffic, such as matched data patterns, the source and destination of the traffic, the file and file type. Additionally, the DLP Incident displays the specific data pattern that the traffic matched and also displays the total number of unique and total occurrences of those data pattern matches.
You can then view this sensitive content called a snippet. A snippet is evidence or identifiable information associated with a pattern match. For example, if you specified a data pattern of Credit Card Number, the managed firewall returns the credit card number of the user as the snippet that was matched. By default, the managed firewall returns snippets.
Strata Cloud Manager uses data masking to mask the data in the snippets. By default, the DLP Incident displays the last four digits of the value in cleartext (partial masking). For example, a DLP Incident displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can also specify the data to be completely displayed in cleartext or to fully mask the data and hide all values.
Snippets are available for regular expression (regex)-based patterns only.

Strata Cloud Manager

View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles on Strata Cloud Manager.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationData Loss PreventionDLP Incidents.
  3. Select a Scan Date and Region to filter the DLP Incidents.
    Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
    For Prisma Access (Managed by Strata Cloud Manager) and NGFW (Managed by Strata Cloud Manager), Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
    When a new Public Cloud Server is introduced, Enterprise DLP automatically resolve to it if it’s closer to where the inspected traffic originated.
    This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
  4. Review the DLP Incidents summary information to help focus your incident investigation.
    These lists are updated hourly.
    • Top Data Profiles to Investigate—Lists up to seven data profiles with the highest number of incidents in descending order.
    • Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
    • Sensitive Files by Action—Lists the number of incidents based on the Action taken by Enterprise DLP in descending order.
  5. Review the Incidents and click the File name to review detailed information for a specific incident.
    You can Add New Filter to filter the DLP incidents by Action, Channel, Data Profile or Response Status to search for a specific incident you want to review.
  6. Review the Incident Details to review specific file upload details.
    Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
      Expand all
      Collapse all
    • Info
    • Data
    • User
    • Session
    • Annotations
  7. Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected.
    For nested data profiles, Enterprise DLP displays the name of the nested data profile and not the specific data profile containing the match criteria that matched inspected traffic. For example, you create a DataProfile, with the nested profiles Profile1, Profile2, and Profile3. Enterprise DLP inspects traffic that match Profile2 and blocks it. In this scenario, the Matches within Data Profile displays DataProfile.
    Additionally, you can filter the Matches within Data Profile for a nested data profile to display traffic matches against specific associated data profiles.
  8. Review the file log to learn about the traffic data for the DLP incident.
    1. Select Incidents & AlertsLog Viewer.
    2. From the Firewall drop-down, select File.
    3. Filter to view the file log for the DLP incident using the Report ID.
      Report ID = <report-id>
    4. Review the file log to learn more about the traffic data for the DLP incident.

Panorama

View the log details for traffic that matches your data profiles on firewalls that are using Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server.
  1. Log in to the Panorama web interface.
  2. Select MonitorLogsData Filtering and Filter the data filtering logs by entering ( subtype eq dlp ).
  3. View more details about the file including file snippets.
    1. Click
      to the left of the specific log entry for which you want to view more details.
    2. Select DLP to view the pattern details.
    3. Show Snippet to view a snippet of the data that matched the specific data pattern.
      For nested data profiles, Enterprise DLP displays the name of the nested data profile and not the specific data profile containing the match criteria that matched inspected traffic. For example, you create a nested data profile called DataProfile and you add Profile1, Profile2, and Profile3. Enterprise DLP inspects traffic that matches Profile2 and blocks it. In this scenario, the Data Profile Name in the DLP incident logs displays DataProfile.
    4. Review the masked snippet to understand what data was detected.

View Enterprise DLP Log Details for Endpoint DLP

View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles for Endpoint DLP on Strata Cloud Manager.
No data profile or snippet is displayed for a Peripheral Control Endpoint DLP policy rule. A peripheral control policy rule controls an endpoint device's access to a peripheral device (block or alert). As a result, no data profile is required because no traffic inspection occurs.
Multiple DLP Incidents (ManageConfigurationData Loss PreventionDLP Incidents) can be generated for a single file move operation from the endpoint and peripheral device. Some examples of when this may occur are:
  • Extracting the file contents of a compressed file from the endpoint to a peripheral device.
  • An application that generates any artifact files when writing to a peripheral device. For example, the Microsoft BITSAdmin tool generates multiple .tmp files when writing to a peripheral device.
To prevent exfiltration of sensitive data, Enterprise DLP inspects every file associated with the file move operation from the endpoint to the peripheral device. This ensures that all impacted files are captured in your logs and analyzed. However, this may result in the creation of unnecessary DLP Incidents.
  1. Log in to Strata Cloud Manager.
  2. Select ManageConfigurationData Loss PreventionDLP Incidents.
  3. Select a Scan Date and Region to filter the DLP Incidents.
    Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
    For Prisma Access (Managed by Strata Cloud Manager)and NGFW (Managed by Strata Cloud Manager), Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
    When a new Public Cloud Server is introduced, Enterprise DLP automatically resolve to it if it’s closer to where the inspected traffic originated.
    This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
  4. Add Filter and select the Action to filter for the specific Endpoint DLP policy rule action you want to investigate.
    For example, select only Block if you wanted to investigate all Endpoint DLP incidents where access to a peripheral device or file movement from the endpoint to the peripheral device was blocked.
  5. Review the Incidents and click the Incident ID to review detailed information for a specific incident.
  6. Review the Incident Details to review specific file upload details.
    Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
      Expand all
      Collapse all
    • Info
    • Data
    • User
    • Session
    • Annotations
  7. (Data in Motion only) Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what detected data.
    For nested data profiles, Enterprise DLP displays the name of the nested data profile and not the specific data profile containing the match criteria that matched inspected traffic. For example, you create a DataProfile, with the nested profiles Profile1, Profile2, and Profile3. Enterprise DLP inspects traffic that match Profile2 and blocks it. In this scenario, the Matches within Data Profile displays DataProfile.
    Additionally, you can filter the Matches within Data Profile for a nested data profile to display traffic matches against specific associated data profiles.
  8. Review the file log to learn about the traffic data for the DLP incident.
    1. Select Incidents & AlertsLog Viewer.
    2. From the Firewall drop-down, select File.
    3. Filter to view the file log for the DLP incident using the Report ID.
      Report ID = <report-id>
    4. Review the file log to learn more about the traffic data for the DLP incident.