View Enterprise DLP Log Details on Cloud Management

View the log details for traffic that matches your
Enterprise data loss prevention (DLP)
data profiles for
Prisma Access (Cloud Management)
and SaaS Security on
Cloud Management
.
An
Enterprise data loss prevention (DLP)
Incident is generated when traffic matches your Enterprise data loss prevention (DLP) data profiles for
Prisma Access (Cloud Management)
and SaaS Security on
Cloud Management
. You can then filter and view the DLP Incident for the detected traffic, such as matched data patterns, the source and destination of the traffic, the file and file type. Additionally, the DLP Incident displays the specific data pattern that the traffic matched and also displays the total number of unique and total occurrences of those data pattern matches.
You can then view this sensitive content called a
snippet
. A snippet is evidence or identifiable information associated with a pattern match. For example, if you specified a data pattern of Credit Card Number, the managed firewall returns the credit card number of the user as the snippet that was matched. By default, the managed firewall returns snippets.
Cloud Management
uses
data masking
to mask the data in the snippets. By default, the DLP Incident displays the last four digits of the value in cleartext (partial masking). For example, a DLP Incident displays a snippet of a credit card number as
XXXX-XXXX-XXXX-1234
. You can also specify the data to be completely displayed in cleartext or to fully mask the data and hide all values.
Snippets are available for regular expression (regex)-based patterns only.
  1. Select
    Logs
    DLP Incidents
    .
  2. Select a
    Scan Date
    and
    Region
    to filter the DLP Incidents.
    Enterprise DLP
    Incidents are generated in the
    Region
    where the Public Cloud Server is located.
    For
    Cloud Management
    ,
    Enterprise DLP
    automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
    When a new Public Cloud Server is introduced,
    Enterprise DLP
    begins to automatically resolve to it if it’s closer to where the inspected traffic originated.
    This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different
    Region
    .
  3. Review the DLP Incidents summary information to help focus your incident investigation.
    These lists are updated hourly.
    • Top Data Profiles to Investigate—
      Lists up to seven data profiles with the highest number of incidents in descending order.
    • Top Sources to Investigate—
      Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
    • Sensitive Files by Action—
      Lists the number of incidents based on the Action taken by
      Prisma Access (Cloud Management)
      in descending order.
  4. Review the Incidents and click a
    File
    name to review a specific incident.
    You can filter the DLP incidents by
    File Name
    or
    Report ID
    to search for a specific incident you want to review.
  5. Review the Incident Details to review specific file upload details.
    Make note of the
    Report ID
    for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
  6. Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected.
    For data profiles with nested data profiles created on the DLP app or Cloud Management, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a
    DataProfile
    , with the nested profiles
    Profile1
    ,
    Profile2
    , and
    Profile3
    and scanned traffic matches the nested
    Profile2
    and is blocked. In this scenario, the data profile displayed for the incident is
    Profile2
    .
  7. Review the file log to learn about the traffic data for the DLP incident.
    1. Select
      Activity
      Logs
      Log Viewer
      .
    2. From the Firewall drop-down, select
      File
      .
    3. Filter to view the file log for the DLP incident using the Report ID.
      report_id=<report-id>
    4. Review the file log to learn more about the traffic data for the DLP incident.
      For example, you might want to review the application and source username to better understand where the DLP incident originated.

Recommended For You