Enterprise DLP
Configure Syslog Forwarding for Enterprise DLP Incidents
Configure one or more Log Forwarding profiles to forward Enterprise Data Loss Prevention (E-DLP)
incident syslogs to the systems where you manage incidents and create workflows.
Where Can I Use This? | What Do I Need? |
---|---|
 | Or any of the following licenses that include the Enterprise DLP license |
Create a Log Forwarding profile to automatically forward Enterprise Data Loss Prevention (E-DLP)
incident syslogs to your third-party security information and event management
(SIEM), Security Orchestration, Automation, and Response (SOAR), or other automated ticketing
system. This enables your SOC analysts and incident admins to effectively triage,
review, and resolve data security risks that occur in your organization. You can
configure a single Log Forwarding profile for multiple enforcement points, or you can
create a different Log Forwarding profile for each. You can associate the same
enforcement channel with multiple Log Forwarding profiles.
Enterprise DLP forwards DLP incident syslogs over a UDP or TCP port and
requires a persistent connection to your SIEM, SOAR, or ticketing system to forward
DLP incident syslogs. Enterprise DLP can only forward DLP incident syslogs
while successfully connected to your SIEM, SOAR, or ticketing system. Enterprise DLP automatically resumes forwarding your Enterprise DLP
incident syslogs to your SIEM, SOAR, or ticketing system after you restore
connectivity. However, Enterprise DLP can't forward any syslogs generated while
Enterprise DLP and your SIEM, SOAR, or ticketing system are disconnected.
Enterprise DLP sends an email to the admin who originally connected Enterprise DLP to your SIEM, SOAR, or ticketing system using the Log Forwarding
profile and to the user who last modified the Log Forwarding profile settings. Enterprise DLP sends this email only one time, at the time of disconnect. If you
update the SIEM, SOAR, or ticketing system connection settings and Enterprise DLP again loses connectivity, then Enterprise DLP sends another email to notify
you of the ongoing connectivity issue.
It takes 15 minutes for your syslog forwarding configuration to take effect after
you add, edit, or delete a Log Forwarding profile, or when you add a Syslog
server profile to a Log Forwarding profile.
Review the syslog field descriptions provided below for more information on what data
is included in syslogs forwarded from Enterprise DLP.
- LEEF and CEF Syslog Field Descriptions

Field Name | Description |
---|---|
cat | Event category. Always displays data_security. |
facility | Numeric code (0-7) that identifies the source of a log message. |
tenant_id | Your Enterprise DLP tenant ID. |
incident_id | Unique DLP incident identifier. All Enterprise DLP incidents are assigned a unique ID. |
report_id | Report ID for the DLP incident, used to view additional Traffic log details regarding the DLP incident. |
channel | Enforcement channel where the DLP incident was generated. Can be NGFW, Prisma Access, or Endpoint DLP. |
created_at | Time Enterprise DLP generated the incident. Format is YYYY-MM-DD-THH:MM:SSUTC. |
file_name | Name of the file containing sensitive data that generated the Enterprise DLP incident. |
usrName | Name of the user who generated the Enterprise DLP incident. |
action | Action configured in the data profile (Panorama), DLP Rule, or Endpoint DLP policy rule. Can be Alert or Block. |
source | Name or ID of the NGFW, Prisma Access, or endpoint where the installed Prisma Access Agent forwarded the traffic to Enterprise DLP that generated the incident. |
app_id | Destination App-ID for the traffic that generated an Enterprise DLP incident. |
app_name | Name of the destination app for the traffic that generated an Enterprise DLP incident. |
peripheral_id | Product ID of the Endpoint DLP peripheral device that generated the Enterprise DLP incident. |
peripheral_name | Name of the Endpoint DLP peripheral device that generated the Enterprise DLP incident. |
peripheral_type | Type of Endpoint DLP peripheral device that generated the Enterprise DLP incident. Can be USB, Network Share, or Printer. |
policy_name | Name of the Endpoint DLP policy rule that generated the Enterprise DLP incident. |
policy_type | Type of Enterprise DLP policy rule that the traffic containing sensitive data matched. |
profile_name | The name of the Enterprise DLP data profile containing the match criteria that the traffic containing sensitive data matched against. |
profile_type_time | The date and time Enterprise DLP forwarded the syslog. Format is YYYY-MM-DD-THH:MM:SS. |
url | The transactional URL against which the user generated the Enterprise DLP incident. |
src | IP address of the source that generated the Enterprise DLP incident. |
dst | IP address of the destination that generated the Enterprise DLP incident. |
sev | Severity of the Enterprise DLP incident. Can be informational, low, medium, high, or critical. |
snippets_url | API URL to view the snippet of sensitive data that generated the DLP incident. |
data_pattern_results | Data pattern containing the sensitive data match criteria that the sensitive data matched against. |
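To show how the fields above arrive at a SIEM, here is an added Python example (not code from this page or from Palo Alto Networks) that parses constructed CEF and LEEF Enterprise DLP incident messages into a dict and applies a sample escalation rule. The CEF/LEEF header values (vendor, product, version, event ID), the LEEF 2.0 delimiter, and the sample field values are assumptions; only the extension keys come from the field table.

```python
import re
from typing import Dict

# Constructed sample messages (not captured from a real Enterprise DLP tenant).
# Header fields (vendor/product/version/event ID) are assumed; extension keys
# are the documented Enterprise DLP field names.
SAMPLE_CEF = (
    "CEF:0|PaloAltoNetworks|EnterpriseDLP|1.0|dlp_incident|DLP Incident|8|"
    "cat=data_security tenant_id=TENANT-PLACEHOLDER incident_id=INC-0001 "
    "channel=Prisma Access action=Block usrName=jdoe file_name=payroll.xlsx "
    "src=10.0.0.5 dst=203.0.113.9 sev=high app_name=Box"
)
SAMPLE_LEEF = (
    "LEEF:2.0|PaloAltoNetworks|EnterpriseDLP|1.0|dlp_incident|^|"
    "cat=data_security^tenant_id=TENANT-PLACEHOLDER^incident_id=INC-0002^"
    "channel=Endpoint DLP^action=Alert^usrName=asmith^file_name=notes.txt^"
    "peripheral_type=USB^sev=medium"
)

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_dlp_syslog(msg: str) -> Dict[str, str]:
    """Parse a CEF or LEEF 2.0 Enterprise DLP incident message into a flat dict."""
    if msg.startswith("CEF:"):
        parts = msg.split("|", 7)          # 7 header fields, then extension
        if len(parts) != 8:
            raise ValueError("malformed CEF header")
        # CEF values may contain spaces ("Prisma Access"); split only where
        # the next key= token begins.
        pairs = re.split(r"\s+(?=\w+=)", parts[7].strip())
        fmt = "CEF"
    elif msg.startswith("LEEF:"):
        parts = msg.split("|", 6)          # 5 header fields, delimiter, extension
        if len(parts) != 7:
            raise ValueError("malformed LEEF header")
        delim = parts[5] or "\t"           # empty delimiter field means tab
        pairs = parts[6].split(delim)
        fmt = "LEEF"
    else:
        raise ValueError("not a CEF or LEEF message")
    event = {"format": fmt, "event_id": parts[4]}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    if event.get("cat") != "data_security":   # every DLP incident carries this
        raise ValueError("unexpected event category: %r" % event.get("cat"))
    return event


def escalate(event: Dict[str, str]) -> bool:
    """Sample ticketing rule (an assumption): open a ticket for high/critical or any Block."""
    rank = SEVERITY_RANK.get(event.get("sev", "").lower(), 0)
    return rank >= SEVERITY_RANK["high"] or event.get("action") == "Block"
```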
1. Allow the IP addresses required to forward DLP incident syslogs.
2. Log in to Strata Cloud Manager.
3. Select Manage > Configuration > Data Loss Prevention > Settings > Logging Settings.
4. Add Log Forwarding Profile.
5. Enter a descriptive Log Forwarding profile Name.
6. For the Channel, select one or more enforcement channels to which the log forwarding applies. Enterprise DLP forwards all DLP incident logs based on the selected channels. For example, if you select NGFW and Prisma Access, Enterprise DLP forwards syslogs for all DLP incidents generated from traffic originating from any NGFW and Prisma Access tenant associated with your Customer Support Portal account that has an active Enterprise DLP license. However, Enterprise DLP does not forward any Endpoint DLP incidents. Select at least one of the following options.
   - Supported Channels
     - NGFW
     - Prisma Access
     - Endpoint DLP
7. Add a Filter to forward syslogs based on the region where the user generated the Enterprise DLP incident. Enterprise DLP supports multiple filters. Enterprise DLP only forwards syslogs for Channels configured in the Syslog server profile based on the region where the user generated the DLP incident.
8. For the Syslog Server Profile, Create New Profile to define the syslog server connection settings. Enterprise DLP does not support deleting or editing a Syslog server profile after creation. Be sure you're confident the configuration is correct before you Save the Syslog server profile and attach it to your Log Forwarding profile. Repeat this step to add as many Syslog server profiles as needed.
   - Enter the Syslog Profile Name.
   - Enter the Syslog Server IP address or Fully Qualified Domain Name (FQDN) server name.
   - Select and enter the Syslog Port used for forwarding syslogs.
   - Select the Syslog Facility for syslogs forwarded from Enterprise DLP. The syslog facility is a numeric code that a SIEM, SOAR, or ticketing system uses to identify the source of a log message and to categorize log messages. Enterprise DLP supports Log(0) through Log(7). Enterprise DLP supports one syslog facility per Syslog server profile.
   - Select the Connection Type to define the protocol used for communicating with your syslog server. Enterprise DLP supports UDP and TCP ports.
   - (Optional) Upload the Server CA certificate used to establish trust between Enterprise DLP and your SIEM, SOAR, or ticketing system during Transport Layer Security (TLS) communication. Enterprise DLP currently supports Public server certificate authority (CA) certificates for UDP connections and Public and Private server CA certificates for TCP connections. If you select Private for TCP connections, Browse and upload the syslog server CA if required for Enterprise DLP to forward syslogs to your SIEM, SOAR, or ticketing system.
   - Select the Log Format to forward to your syslog server. You can select LEEF or CEF.
   - Enter the Recipient email address for alerts. This email address receives alerts when Enterprise DLP loses connectivity to your SIEM, SOAR, or ticketing system or if Enterprise DLP fails to forward a syslog.
   - Click Test Connection to verify you configured your Syslog server profile correctly by confirming Enterprise DLP can successfully communicate with your SIEM, SOAR, or ticketing system. Continue if Enterprise DLP returns Connection Successful. If Enterprise DLP returns Connection Failed, Enterprise DLP can't connect to your SIEM, SOAR, or ticketing system because you configured the Syslog Server or Syslog Port incorrectly, or you uploaded an invalid private server CA certificate.
   - Save the Syslog server profile.
9. Enable the Log Forwarding profile.
10. Save.
11. Configure Enterprise DLP.