View Enterprise DLP Log Details on Prisma Access (Cloud Managed)
View the log details for traffic that matches your Enterprise
data loss prevention (DLP) data profiles on Prisma Access (Cloud
Managed).
An Enterprise data loss prevention (DLP) Incident
is generated when traffic matches your Enterprise data loss prevention
(DLP) data profiles on Prisma Access (Cloud Managed). You can then
filter and view the DLP Incident for the detected traffic, such as
matched data patterns, the source and destination of the traffic,
the file and file type. Additionally, the DLP Incident displays
the specific data pattern that the traffic matched and also displays
the total number of unique and total occurrences of those data pattern
matches.
You can then view this sensitive content called a
snippet
. A snippet is evidence or
identifiable information associated with a pattern match. For example, if you
specified a data pattern of Credit Card Number, the managed firewall returns the
social security number of the user as the snippet that was matched. By default, the
managed firewall returns snippets.Prisma Access (Cloud Managed) uses
data
masking
to mask the data in the snippets. By default, the DLP
Incident displays the last four digits of the value in clear text (partial
masking). For example, a DLP Incident displays a snippet of a credit
card number as XXXX-XXXX-XXXX-1234
.
You can also specify the data to be completely displayed in clear
text or to fully mask the data and hide all values. - Select.LogsDLP Incidents
- Select aScan DateandRegionto filter the DLP Incidents.
- Review the DLP Incidents summary information to help focus your incident investigation.These lists are updated hourly.
- Top Data Profiles to Investigate—Lists up to seven data profiles with the highest number of incidents in descending order.
- Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
- Sensitive Files by Action—Lists the number of incidents based on the Action taken by Prisma Access (Cloud Managed) in descending order.
- Review the Incidents and click aFilename to review a specific incident.You can filter the DLP incidents byFile NameorReport IDto search for a specific incident you want to review.
- Review the Incident Details to review specific file upload details.Make note of theReport IDfor the DLP incident if you have not already done so. The Report ID is used to view additional traffic log details regarding the DLP incident.
- Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected.
- Review the file log to learn about the traffic data for the DLP incident.
- Select.ActivityLogsLog Viewer
- From the Firewall drop-down, selectFile.
- Filter to view the file log for the DLP incident using the Report ID.report_id=<report-id>
- Review the file log to learn more about the traffic data for the DLP incident.For example, you may want to review the application and source user name to better understand where the DLP incident originated.
Recommended For You
Recommended Videos
Recommended videos not found.