View Enterprise DLP Log Details on the DLP App
View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles on the DLP app on the hub.
An Enterprise Data Loss Prevention (E-DLP) Incident is generated when traffic matches your Enterprise DLP data profiles for Panorama, Prisma Access (Panorama Managed), and Strata Cloud Manager.

You can filter and view the DLP Incident details for the detected traffic, such as matched data patterns, the source and destination of the traffic, the file, and the file type. Additionally, the DLP Incident displays the specific data pattern that the traffic matched, along with the number of unique occurrences and the total number of occurrences of those data pattern matches.

You can then view this sensitive content, called a snippet. A snippet is evidence or identifiable information associated with a pattern match. For example, if you specified a data pattern of Credit Card Number, the managed firewall returns the credit card number of the user as the snippet that was matched. By default, the managed firewall returns snippets.

Enterprise DLP uses data masking to mask the data in the snippets. By default, the DLP Incident displays the last four digits of the value in cleartext (partial masking). For example, a DLP Incident displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can also specify that the data be displayed completely in cleartext, or that it be fully masked so that all values are hidden. Snippets are available for regular expression (regex)-based patterns only.

- Log in to the DLP app on the hub.
  If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
- View the DLP Incidents.
- Select a Scan Date and Region to filter the DLP Incidents.
  Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.
  For Panorama and Prisma Access (Panorama Managed), the region is determined by the currently configured Public Cloud Server. By default, the Enterprise DLP plugin is configured to resolve to the closest Public Cloud Server to where the inspected traffic originated, but you can configure a static Public Cloud Server.
  For Strata Cloud Manager, Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
  When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically resolve to it if it’s closer to where the inspected traffic originated. For Panorama and Prisma Access (Panorama Managed), this happens only if you keep the default Public Cloud Server FQDN. For Strata Cloud Manager, this happens by default.
  This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
- Review the DLP Incidents summary information to help focus your incident investigation. These lists are updated hourly.
  - Top Data Profiles to Investigate: Lists data profiles with the highest number of incidents in descending order.
  - Top Sources to Investigate: Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
  - Sensitive Files by Action: Lists the number of incidents based on the Action taken in descending order.
- Review the Incidents and click a File name to review a specific incident.
  You can filter the DLP incidents by File Name or Report ID to search for a specific incident you want to review.
- Review the Incident Details to review specific file upload details.
  Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
- Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected.
  For data profiles with nested data profiles created on the DLP app or Strata Cloud Manager, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a DataProfile with the nested profiles Profile1, Profile2, and Profile3, and scanned traffic matches the nested Profile2 and is blocked. In this scenario, the data profile displayed for the incident is Profile2.
  - In the snippet, Enterprise DLP only masks traffic that matches the data pattern match criteria. Other sensitive data captured in the snippet is not masked if it does not match the data pattern where the snippet is displayed.
  - Data pattern match criteria configured to inspect for Any occurrence of matched traffic display up to 3 High and 3 Low confidence level matches if detected.
  - Data pattern match criteria configured to inspect for High confidence level matches display up to 3 Low confidence level matches if detected.
  - Data pattern match criteria configured to inspect for Low confidence level matches display up to 3 High confidence level matches if detected.
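
The three snippet masking options described above, and the caveat that only values matching the data pattern are masked, shown as an added Python illustration. This is not Palo Alto Networks code: the card regex, the Luhn check, the function names, and the sample snippet are assumptions constructed for this example.

```python
import re

# Assumed, simplified Credit Card Number pattern: 16 digits in groups of four.
# The product's real data patterns are not shown on the page.
CARD_RE = re.compile(r"\b(?:\d{4}[- ]?){3}\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (an added assumption) to skip random 16-digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_value(value: str, mode: str) -> str:
    """Mask one matched value: 'partial' (default), 'full', or 'clear'."""
    if mode == "clear":
        return value
    digit_count = sum(c.isdigit() for c in value)
    keep_from = digit_count - 4 if mode == "partial" else digit_count
    out, seen = [], 0
    for c in value:
        if c.isdigit():
            out.append(c if seen >= keep_from else "X")
            seen += 1
        else:
            out.append(c)  # keep separators so the value's shape stays readable
    return "".join(out)

def mask_snippet(snippet: str, mode: str = "partial") -> str:
    """Mask only values that match the pattern; all other text is untouched."""
    def repl(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_value(m.group(), mode) if luhn_ok(digits) else m.group()
    return CARD_RE.sub(repl, snippet)

# Constructed sample snippet: a test card number plus an SSN-like value.
SAMPLE = "card 4111-1111-1111-1111 exp 12/29, ssn 078-05-1120"

if __name__ == "__main__":
    for mode in ("partial", "full", "clear"):
        print(f"{mode:8} {mask_snippet(SAMPLE, mode)}")
```

Even in full masking mode the SSN-like value stays readable, because it does not match the card pattern; access to incident snippets should be restricted with that in mind.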