1. Home
    2. Enterprise DLP
    3. Enterprise DLP Administrator’s Guide
    4. Monitor Enterprise DLP
    5. View Enterprise DLP Log Details on the DLP App

    View Enterprise DLP Log Details on the DLP App

    View the log details for traffic that matches your Enterprise data loss prevention (DLP) data profiles on the DLP app on the hub.
    An Enterprise data loss prevention (DLP) Incident is generated when traffic matches your Enterprise data loss prevention (DLP) data profiles for Panorama, Prisma Access (Panorama Managed), and Cloud Management. You can filter and view the DLP Incident for the detected traffic, such as matched data patterns, the source and destination of the traffic, the file and file type. Additionally, the DLP Incident displays the specific data pattern that the traffic matched and also displays the total number of unique and total occurrences of those data pattern matches.
    You can then view this sensitive content called a
    snippet
    . A snippet is evidence or identifiable information associated with a pattern match. For example, if you specified a data pattern of Credit Card Number, the managed firewall returns the credit card number of the user as the snippet that was matched. By default, the managed firewall returns snippets.
    Enterprise DLP uses
    data masking
     to mask the data in the snippets. By default, the DLP Incident displays the last four digits of the value in cleartext (partial masking). For example, a DLP Incident displays a snippet of a credit card number as
    XXXX-XXXX-XXXX-1234
    . You can also specify the data to be completely displayed in clear text or to fully mask the data and hide all values.
    Snippets are available for regular expression (regex)-based patterns only.
    1. Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. View the DLP
      Incidents
      .
    3. Select a
      Scan Date
       and
      Region
       to filter the DLP Incidents.
      Enterprise DLP Incidents are generated in the
      Region
       where the Public Cloud Server is located.
      For Panorama and Prisma Access (Panorama Managed), the region is determined by the currently configured Public Cloud Server. By default, the Enterprise DLP plugin is configured to resolve to the closest Public Cloud Server to where the inspected traffic originated but you can configure a static Public Cloud Server.
      For cloud management, Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.
      When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically resolve to it if it’s closer to where the inspected traffic originated. For Panorama and Prisma Access (Panorama Managed), this happens only if you keep the default Public Cloud Server FQDN. For cloud management, this happens by default.
      This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different
      Region
      .
    4. Review the DLP Incidents summary information to help focus your incident investigation.
      These lists are updated hourly.
      • Top Data Profiles to Investigate—
        Lists data profiles with the highest number of incidents in descending order.
      • Top Sources to Investigate—
        Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
      • Sensitive Files by Action—
        Lists the number of incidents based on the Action taken in descending order.
    5. Review the Incidents and click a
      File
       name to review a specific incident.
      You can filter the DLP incidents by
      File Name
       or
      Report ID
       to search for a specific incident you want to review.
    6. Review the Incident Details to review specific file upload details.
      Make note of the
      Report ID
       for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
    7. Review the
      Matches within Data Profiles
       to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected.
      For data profiles with nested data profiles created on the DLP app or Cloud Management, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a
      DataProfile
      , with the nested profiles
      Profile1
      ,
      Profile2
      , and
      Profile3
       and scanned traffic matches the nested
      Profile2
       and is blocked. In this scenario, the data profile displayed for the incident is
      Profile2
      .
      • In the snippet, Enterprise DLP only masks traffic that matches the data pattern match criteria. Other sensitive data captured in the snippet are not masked if they do not match the data pattern where the snippet is displayed.
      • Data pattern match criteria configured to inspect for
        Any
         occurrence of matched traffic display up to 3
        High
         and 3
        Low
         confidence level matches if detected.
      • Data pattern match criteria configured to inspect for
        High
         confidence level matches display up to 3
        Low
         confidence level matches if detected.
      • Data pattern match criteria configured to inspect for
        Low
         confidence level matches display up to 3
        High
         confidence level matches if detected.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo