Configure Syslog Forwarding for Enterprise DLP Incidents

Configure one or more Log Forwarding profiles to forward Enterprise Data Loss Prevention (E-DLP) incidents syslogs to manage and create workflows.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  • Or any of the following licenses that include the Enterprise DLP license:
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Create a Log Forwarding profile to automatically forward Enterprise Data Loss Prevention (E-DLP) incident syslogs to your third-party security information and event management (SIEM), security orchestration, automation, and response (SOAR), or other automated ticketing system. This enables your SOC analysts and incident admins to effectively triage, review, and resolve data security risks that occur in your organization. You can configure a single Log Forwarding profile for multiple enforcement points, or you can create a different Log Forwarding profile for each. You can associate the same enforcement channel with multiple Log Forwarding profiles.
Enterprise DLP forwards DLP incident syslogs over a UDP or TCP port and requires a persistent connection to your SIEM, SOAR, or ticketing system. Enterprise DLP can only forward DLP incident syslogs while successfully connected to your SIEM, SOAR, or ticketing system. Enterprise DLP automatically resumes forwarding your Enterprise DLP incident syslogs after you restore connectivity. However, Enterprise DLP can't forward any syslogs generated while Enterprise DLP and your SIEM, SOAR, or ticketing system are disconnected; those incident syslogs are not queued for later delivery.
Enterprise DLP sends an email to the admin who originally connected Enterprise DLP to your SIEM, SOAR, or ticketing system using the Log Forwarding profile and to the user who last modified the Log Forwarding profile settings. Enterprise DLP sends this email only once, at the time of disconnect. If you update the SIEM, SOAR, or ticketing system connection settings and Enterprise DLP again loses connectivity, then Enterprise DLP sends another email to notify you of the ongoing connectivity issue.
It takes 15 minutes for your syslog forwarding configuration to take effect after you add, edit, or delete a Log Forwarding profile, or when you add a Syslog server profile to a Log Forwarding profile.
Review the syslog field descriptions provided below for more information on what data is included in syslogs forwarded from Enterprise DLP.
  • LEEF and CEF Syslog Field Descriptions (field name: description)
    cat: Event category. Always displays data_security.
    facility: Numeric code (0-7) that identifies the source of a log message.
    tenant_id: Your Enterprise DLP tenant ID.
    incident_id: Unique DLP incident identifier. All Enterprise DLP incidents are assigned a unique ID.
    report_id: Report ID for the DLP incident, used to view additional Traffic log details regarding the DLP incident.
    channel: Enforcement channel where the DLP incident was generated. Can be NGFW, Prisma Access, or Endpoint DLP.
    created_at: Time Enterprise DLP generated the incident. Format is YYYY-MM-DD-THH:MM:SSUTC.
    file_name: Name of the file containing sensitive data that generated the Enterprise DLP incident.
    usrName: Name of the user who generated the Enterprise DLP incident.
    action: Action configured in the data profile (Panorama), DLP Rule, or Endpoint DLP policy rule. Can be Alert or Block.
    source: Name or ID of the NGFW, Prisma Access, or endpoint where the installed Prisma Access Agent forwarded traffic to Enterprise DLP that generated the incident.
    app_id: Destination App-ID for traffic that generated an Enterprise DLP incident.
    app_name: Name of the destination app for traffic that generated an Enterprise DLP incident.
    peripheral_id: Product ID of the Endpoint DLP peripheral device that generated the Enterprise DLP incident.
    peripheral_name: Name of the Endpoint DLP peripheral device that generated the Enterprise DLP incident.
    peripheral_type: Type of Endpoint DLP peripheral device that generated the Enterprise DLP incident. Can be USB, Network Share, or Printer.
    policy_name: Name of the Endpoint DLP policy rule that generated the Enterprise DLP incident.
    policy_type: Type of Enterprise DLP policy rule that the traffic containing sensitive data matched.
    profile_name: Name of the Enterprise DLP data profile containing the match criteria that the traffic containing sensitive data matched against.
    profile_type: Type of Enterprise DLP data profile. Can be basic, advanced, or nested.
    _time: The date and time Enterprise DLP forwarded the syslog. Format is YYYY-MM-DD-THH:MM:SS.
    url: The transactional URL against which the user generated the Enterprise DLP incident.
    src: IP address of the source that generated the Enterprise DLP incident.
    dst: IP address of the destination that generated the Enterprise DLP incident.
    sev: Severity of the Enterprise DLP incident. Can be informational, low, medium, high, or critical.
    snippets_url: API URL to view the snippet of sensitive data that generated the DLP incident.
    data_pattern_results: Data pattern containing the sensitive data match criteria that the sensitive data matched against.
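The field names above are what a SIEM parser has to pull out of each forwarded record. The following is an added example (not code from Palo Alto Networks or from this page) that parses a CEF-format incident record into its header and extension fields and applies a simple triage rule on the action and sev fields; the sample line, its CEF header values (vendor, product, version, signature), and the ticketing rule are constructed assumptions for illustration.

```python
import re

# Constructed sample CEF line carrying the E-DLP extension field names from the
# table above. The CEF header values (vendor, product, version, signature) are
# an assumption for illustration, not taken from the page.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|Enterprise DLP|1.0|data_security|DLP incident|8|"
    "cat=data_security tenant_id=123456 incident_id=inc-0001 channel=NGFW "
    "created_at=2024-05-01-T10:15:00UTC file_name=Q3 payroll export.xlsx "
    "usrName=jdoe action=Block profile_name=PII - SSN and Credit Cards "
    "profile_type=advanced app_name=Box url=https://app.box.com/upload "
    "src=10.1.2.3 dst=74.125.1.1 sev=high"
)

# A CEF extension key is a run of word characters followed by '=' at the start of
# the extension or right after whitespace. Values may contain spaces (file names,
# profile names), so each value runs up to the start of the next key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_]+)=")
_HEADER = ("version", "vendor", "product", "dev_version", "sig_id", "name", "severity")

def parse_cef(line):
    """Split one CEF syslog record into (header dict, extension dict)."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    # Header fields may contain an escaped pipe ('\|'); split on unescaped pipes only.
    parts = re.split(r"(?<!\\)\|", line[len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(_HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    ext, fields = parts[7], {}
    keys = list(_KEY_RE.finditer(ext))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return header, fields

def needs_ticket(fields):
    """Escalate incidents the data profile only alerted on (data was not blocked)
    when severity is high or critical; blocked incidents can be reviewed later."""
    return fields.get("action") == "Alert" and fields.get("sev") in ("high", "critical")

if __name__ == "__main__":
    header, fields = parse_cef(SAMPLE_CEF)
    print(header["product"], fields["incident_id"], fields["file_name"])
    print("open ticket:", needs_ticket(fields))
```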
  1. Allow the IP addresses required to forward DLP incident syslogs.
  2. Log in to Strata Cloud Manager.
  3. Select Manage > Configuration > Data Loss Prevention > Settings > Logging Settings.
  4. Add Log Forwarding Profile.
  5. Enter a descriptive Log Forwarding profile Name.
  6. For the Channel, select one or more enforcement channels to which the log forwarding applies.
    Enterprise DLP forwards all DLP incident logs for the selected channels.
    For example, if you select NGFW and Prisma Access, Enterprise DLP forwards syslogs for all DLP incidents generated from traffic originating from any NGFW or Prisma Access tenant associated with your Customer Support Portal account that has an active Enterprise DLP license. However, Enterprise DLP does not forward any Endpoint DLP incidents.
    Select at least one of the following options.
    • Supported Channels
      • NGFW
      • Prisma Access
      • Endpoint DLP
  7. Add a Filter to forward syslogs based on the region where the user generated the Enterprise DLP incident.
    Enterprise DLP supports multiple filters. Enterprise DLP only forwards syslogs for Channels configured in the Syslog server profile based on the region where the user generated the DLP incident.
  8. For the Syslog Server Profile, Create New Profile to define the syslog server connection settings.
    Enterprise DLP does not support deleting or editing a Syslog server profile after creation. Be sure you're confident the configuration is correct before you Save the Syslog server profile and attach it to your Log Forwarding profile.
    Repeat this step to add as many Syslog server profiles as needed.
    1. Enter the Syslog Profile Name.
    2. Enter the Syslog Server IP address or Fully Qualified Domain Name (FQDN) server name.
    3. Select and enter the Syslog Port used for forwarding syslogs.
    4. Select the Syslog Facility for syslogs forwarded from Enterprise DLP.
      The syslog facility is a numeric code that a SIEM, SOAR, or ticketing system uses to identify the source of a log message and to categorize log messages. Enterprise DLP supports Log(0) through Log(7). Enterprise DLP supports one syslog facility per Syslog server profile.
    5. Select the Connection Type to define the protocol used for communicating with your syslog server.
      Enterprise DLP supports UDP and TCP ports.
    6. (Optional) Upload the Server CA certificate used to establish trust between Enterprise DLP and your SIEM, SOAR, or ticketing system during Transport Layer Security (TLS) communication.
      Enterprise DLP currently supports Public server certificate authority (CA) certificates for UDP connections and Public and Private service CA certificates for TCP connections.
      If you select Private for TCP connections, Browse and upload the syslog server CA if required for Enterprise DLP to forward syslogs to your SIEM, SOAR, or ticketing system.
    7. Select the Log Format to forward to your syslog server. You can select LEEF and CEF.
    8. Enter the Recipient email address for alerts.
      This email receives alerts when Enterprise DLP loses connectivity to your SIEM, SOAR, or ticketing system or if Enterprise DLP fails to forward a syslog.
    9. Click Test Connection to verify you configured your Syslog server profile correctly by confirming Enterprise DLP can successfully communicate with your SIEM, SOAR, or ticketing system.
      Continue if Enterprise DLP returns Connection Successful.
      If Enterprise DLP returns Connection Failed, Enterprise DLP can't connect to your SIEM, SOAR, or ticketing system because you configured the Syslog Server or Syslog Port incorrectly, or you uploaded an invalid private Service CA certificate.
    10. Save the Syslog server profile.
  9. Enable the Log Forwarding profile.
  10. Save.
  11. Configure Enterprise DLP.