View DLP Logs and File Snippets

View the logs and file snippets for DLP on Prisma Access.
When DLP on Prisma Access detects sensitive content during a file upload, and you have created an Alert or Block action, it generates a log. You can then view the sensitive content, called a
snippet
, from the Data Filtering logs. A snippet is evidence or identifiable information associated with a pattern match. For example, if you specified a data pattern of Credit Card Number, Prisma Access returns the user’s social security number as the snippet that was matched. By default, Prisma Access returns snippets.
Prisma Access uses
data masking
to mask the data in the snippets. By default, Prisma Access displays the last four digits of the value in clear text (partial masking). For example, Prisma Access displays a snippet of a credit card number as
XXXX-XXXX-XXXX-1234
. You can also specify the data to be completely displayed in clear text, or fully mask the data to hide all the values. You enable or disable snippet retrieval and specify data masking levels when you enable DLP.
To view the DLP-specific logs, including file snippets, complete the following steps.
  1. View the DLP-specific Data Filtering logs by selecting
    Monitor
    Logs
    Data Filtering
    and, in the
    Filter
    area, entering
    ( subtype eq data )
    .
    dlp-view-logs-add-filter.png
    You cannot search the logs by profile name. To search by profile, find the profile ID in the data filtering logs. The profile ID is listed in the
    ID
    column in the logs.
    dlp-search-by-threat-id.png
  2. (
    Optional
    ) View more details about the file, including file snippets.
    1. Click the magnifying glass next to the file to view its details.
      dlp-view-details.png
    2. Click the
      DLP
      tab; then, select a
      Pattern
      to view the pattern details.
      dlp-detailed-log-view.png
    3. (
      Optional
      ) View the snippets associated with the pattern match.
      The following screenshot shows social security numbers with a partial data masking level.
      dlp-view-snippets.png

Recommended For You