Use Data Policies to Scan for Data Exposure or Malware
Prisma Cloud includes default data policies to help
you start scanning. These data policies include predefined data
profiles and data patterns that enable you to detect malware and
prevent inadvertent or malicious exposure of sensitive data. You
can also create custom data policies that include data patterns and
proximity keywords for detecting and preventing data leaks in your
organization. When data policies are enabled, Prisma Cloud detects
malware and provides visibility into how your data is exposed. If
you want to generate alerts, you must create an alert rule and include
the data policies for which you want alerts.
Add a New Data Profile to Prisma Cloud
A Data Profile is a collection of Data Patterns that you can use to
scan for sensitive data in your cloud resources. Prisma Cloud provides
you the ability to use any of the predefined Data Profiles, or the
option to create a custom Data Profile. With a custom data profile,
you can combine predefined and custom Data Patterns to meet your
content scanning use cases.
- Select Settings > Data > Data Profile.
- Click + Add New and enter a Data Profile Name and an optional Data Profile Description.
- Select data patterns. Select at least one Data Pattern and modify the following thresholds for content matching:
  - Match: provides the option to include or exclude the Data Pattern in the Data Profile. Default is Includes.
  - Occurrence: applies the conditional logic of Any, More than or equal to, Less than or equal to, and Between to your Data Pattern. Default is More than or equal to.
  - Min: the minimum number of occurrences to trigger a match.
  - Max: only applicable when the occurrence type selected is Between.
  - Confidence: a content analysis technique to identify content and rate it with a Low or High confidence. Low Confidence: a low confidence match looks at the specified pattern only; it uses multiple techniques such as regular expressions, machine learning, and checksums to identify the content. High Confidence: a high confidence match looks for proximity keywords within 200 characters on either side of the match, in addition to the techniques used by a low confidence match.
- Click Next to review and Save the data profile. Data profiles are Enabled by default and can be used in a data policy. To disable scanning, toggle the icon.
Add a New Data Pattern in Prisma Cloud
Data Patterns are the entities used to scan
files or objects for any sensitive content. Prisma Cloud supports
over 600 predefined Data Patterns such as API Credentials Client
ID, Healthcare Provider, and Tax ID. A Data Pattern is used with
a Data Profile to scan for risks and protect your data. You also
have the ability to clone and edit custom patterns after you create
them; predefined data patterns cannot be deleted or modified.
- Select Settings > Data > Data Patterns.
- Click + Add New to create a new pattern.
- Enter a Data Pattern Name and provide a pattern description.
- Add Regular Expressions. A regular expression (regex) is the match criteria for the data you want to find within your assets. You can add a basic expression or a weighted expression, which assigns a score to a text entry. You can assign a weight by appending a semicolon and a number between -9999 and 9999 after your regex. When no weight is assigned, "1" is appended by default. A pattern match occurs when the score threshold is exceeded.
- (Optional) To improve the accuracy of the match, use Proximity Keywords to specify the keywords that must appear within 200 characters of the match.
- Click Confirm to save the data pattern.
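The weighted-regex scoring and proximity-keyword confidence described in the Data Pattern steps above, together with the Match, Occurrence, Min/Max and Confidence thresholds from the Data Profile steps, modelled in Python as an added example. This is not Prisma Cloud code, and the product's matching engine is not documented here; the example assumes that (1) the weights of all regex hits in one text entry are summed and the pattern matches only when that sum strictly exceeds a threshold whose value the page does not give, (2) the rules of a profile combine with AND, (3) an Exclude rule holds when its pattern is absent, and (4) Less than or equal to compares against the Min field. The names parse_weighted_regex, DataPattern, ProfileRule, evaluate_profile and the sample strings are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

PROXIMITY_WINDOW = 200  # characters on either side of a hit, as the page states


def parse_weighted_regex(entry: str) -> Tuple[re.Pattern, int]:
    """Split 'regex;weight' into (compiled regex, weight).

    A missing weight defaults to 1, as the page states. Assumption: the weight is
    the text after the last ';' only when it is an integer in -9999..9999;
    otherwise the whole entry is the regex (so ';' inside a regex still works).
    """
    pattern, sep, weight = entry.rpartition(";")
    if sep and re.fullmatch(r"-?\d+", weight):
        w = int(weight)
        if not -9999 <= w <= 9999:
            raise ValueError(f"weight out of range: {w}")
        return re.compile(pattern), w
    return re.compile(entry), 1


@dataclass
class DataPattern:
    name: str
    expressions: List[str]                      # each "regex" or "regex;weight"
    proximity_keywords: List[str] = field(default_factory=list)
    score_threshold: int = 0                    # assumed; page gives no value

    def scan(self, text: str):
        """Return (score, hit_spans, confidence) for one text entry.

        Hits with a positive weight count as occurrences; negative weights only
        lower the score (a way to discount known test fixtures, for instance).
        """
        score, spans = 0, []
        for entry in self.expressions:
            rx, weight = parse_weighted_regex(entry)
            for m in rx.finditer(text):
                score += weight
                if weight > 0:
                    spans.append(m.span())
        if score <= self.score_threshold or not spans:
            return score, [], None              # threshold not exceeded: no match
        confidence = "low"                       # pattern only
        lowered = text.lower()
        for start, end in spans:
            window = lowered[max(0, start - PROXIMITY_WINDOW): end + PROXIMITY_WINDOW]
            if any(k.lower() in window for k in self.proximity_keywords):
                confidence = "high"              # keyword near a hit
                break
        return score, spans, confidence


@dataclass
class ProfileRule:
    pattern: DataPattern
    match: str = "include"        # include / exclude
    occurrence: str = ">="        # any, >=, <=, between
    count: int = 1                # the Min field
    max_count: Optional[int] = None   # the Max field, only for between
    confidence: str = "low"       # low or high

    def occurrences_ok(self, n: int) -> bool:
        if self.occurrence == "any":
            return n >= 1
        if self.occurrence == ">=":
            return n >= self.count
        if self.occurrence == "<=":
            return 1 <= n <= self.count        # assumption: at least one hit needed
        if self.occurrence == "between":
            return self.count <= n <= self.max_count
        raise ValueError(f"unknown occurrence type: {self.occurrence}")


def evaluate_profile(rules: List[ProfileRule], text: str) -> bool:
    """True when every rule holds for this text entry (AND semantics assumed)."""
    for r in rules:
        _score, spans, conf = r.pattern.scan(text)
        hit = bool(spans) and r.occurrences_ok(len(spans))
        if hit and r.confidence == "high" and conf != "high":
            hit = False                          # high-confidence rule, only a low match
        if (r.match == "include") != hit:        # include needs a hit, exclude needs none
            return False
    return True


# Constructed sample pattern, profile and text entries (not real data).
CARD_PATTERN = DataPattern(
    name="Payment card (constructed example)",
    expressions=[r"\b\d{4}-\d{4}-\d{4}-\d{4}\b;3", r"TEST DATA;-6"],
    proximity_keywords=["card number", "cvv"],
)
CARD_PROFILE = [ProfileRule(CARD_PATTERN, occurrence=">=", count=2, confidence="high")]
SAMPLE_PUBLIC = "Customer card number 4242-4242-4242-4242 on file; backup card 5555-1234-5678-9012."
SAMPLE_TEST = "Fixtures: 4242-4242-4242-4242 and 5555-1234-5678-9012 -- TEST DATA, not real."
SAMPLE_ONE = "Refund to 4242-4242-4242-4242 requested."

if __name__ == "__main__":
    for label, doc in [("public", SAMPLE_PUBLIC), ("test", SAMPLE_TEST), ("single", SAMPLE_ONE)]:
        score, spans, conf = CARD_PATTERN.scan(doc)
        print(f"{label}: score={score} hits={len(spans)} confidence={conf} "
              f"profile_match={evaluate_profile(CARD_PROFILE, doc)}")
```

The negative-weight expression shows why the page lets weights go below zero: two real-looking card numbers in a test fixture sum to the same score as two in a customer record, and only a discounting expression keeps the fixture below the threshold. The high-confidence rule likewise fails on SAMPLE_ONE even though the regex hits, because no proximity keyword sits within the 200-character window.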
Create a Custom Data Policy
You must first onboard an account and enable
Data Security before you can create a custom data policy.
- Select Policies > New Policy > Data, then enter a Policy Name, Description, Severity, and Labels for the new policy.
- Select a data profile. You can select one of the predefined data profiles, such as Financial Information, Healthcare Information, Intellectual Property, or PII, or a custom data profile.
- Select the File Exposure. Exposure can be Private, Conditional, or Public. See Exposure Evaluation.
- Select the file extensions that you want to scan for sensitive information, for example, txt. If you select Financial Information, Public, and txt, the policy will generate an alert if a publicly exposed .txt file contains Financial Information. Do not use a dot before the extension; if you do, an error message displays.
- Save the data policy. You can now add this custom policy to an alert rule.
Generate Alerts for Data Policies
You must attach data policies to an alert rule
to generate alerts. See Create an Alert Rule for Run-Time Checks for details
on alert rules. The following section focuses on policies and notification
channels that are supported for Prisma Cloud Data Security.
- Create a new alert rule or edit an existing rule. You can select from the list of predefined Data policies or any custom policies. To filter and view the list of available Data policies, see Manage Prisma Cloud Policies. For example:
- Healthcare information public exposed
- Intellectual Property public exposed
- Objects containing Financial Information publicly exposed
- Objects containing PII data public exposed
- Objects containing GDPR publicly exposed
- Objects containing malware
- Select the notification channels. Prisma Cloud Data Security only supports Amazon SQS, Splunk, and Webhook integrations. See Configure External Integrations on Prisma Cloud.
- Click Confirm to save the alert rule.
- View data policy alerts and scan results.
  - Select Alerts > Overview.
  - Filter on Policy Type = Data to view all alerts related to Data policies.
  - Select an alert to view details. Click Bucket Name to see bucket information in the Data Inventory. Click Object Name to see object information in Data Inventory > Object Explorer. Click Alert Rule to see the alert rule that generated this particular alert.
  - Select Dashboard > Data. The Top Publicly Exposed Objects by Data Profile widget and the Object Data Profile Region map give you a view into how your content is exposed.