Use Data Policies to Scan for Data Exposure or Malware


Prisma Cloud includes default data policies to help you start scanning. These data policies include predefined data profiles and data patterns that enable you to detect malware and prevent inadvertent or malicious exposure of sensitive data. You can also create custom data policies that include data patterns and proximity keywords for detecting and preventing data leaks in your organization. When data policies are enabled, Prisma Cloud detects malware and provides visibility into how your data is exposed. If you want to generate alerts, you must create an alert rule and include the data policies for which you want alerts.

Add a New Data Profile to Prisma Cloud

A Data Profile is a collection of Data Patterns in Prisma Cloud that you can use to scan for sensitive data in your cloud resources. Prisma Cloud provides you the ability to use any of the predefined Data Profiles, or the option to create a custom Data Profile. With a custom data profile, you can combine predefined and custom Data Patterns to meet your content scanning use cases.
  1. Select Data Profile.
  2. Click + Add New and enter a Data Profile Name and an optional Data Profile Description.
  3. Select data patterns.
    Select at least one Data Pattern and modify the following thresholds for content matching:
    • Match—provides the option to include or exclude the Data Pattern in the Data Profile.
    • Occurrence—applies conditional logic such as More than or equal to or Less than or equal to to your Data Pattern. Default is More than or equal to.
    • Min—the minimum number of occurrences to trigger a match.
    • Max—only applicable for certain occurrence types.
    • Confidence—a content analysis technique to identify content and rate it with Low or High confidence.
      Low Confidence—a low confidence match looks at the specified pattern only. It uses multiple techniques such as regular expressions, machine learning, and checksums to identify the content.
      High Confidence—a high confidence match looks for proximity keywords, 200 characters on either side of the match, in addition to the techniques used by a low confidence match.
  4. Review and save the data profile.
    Data profiles are enabled by default and can be used in a data policy. To disable scanning, toggle the icon.

Add a New Data Pattern in Prisma Cloud

Data Patterns are the entities used to scan files or objects for any sensitive content. Prisma Cloud supports over 600 predefined Data Patterns such as API Credentials Client ID, Healthcare Provider, and Tax ID. A Data Pattern is used with a Data Profile to scan for risks and protect your data. You also have the ability to clone and edit custom patterns after you create them; predefined data patterns cannot be deleted or modified.
  1. Select Data Patterns.
  2. Click +Add New to create a new pattern.
  3. Enter a Data Pattern Name and provide a pattern description.
  4. Add Regular Expressions.
    A regular expression, or regex, is the match criteria for the data you want to find within your assets. You can add a basic expression or a weighted expression, which assigns a score to a text entry. Assign a weight by appending a semicolon and a number between -9999 and 9999 after your regex. When no weight is assigned, "1" is appended by default. A pattern match occurs when the score threshold is exceeded.
  5. (Optional) To improve the accuracy of the match, use Proximity Keywords to specify the keywords that must appear within 200 characters of the match.
  6. Confirm to save the data pattern.
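The following Python model, added here as an illustration and not Prisma Cloud's own matching engine, shows how a Data Pattern's weighted expressions ("regex;weight") and proximity keywords combine with a Data Profile's Occurrence threshold and Low/High confidence rating. The score-summing and keyword-window semantics, the sample regexes, and the sample text are assumptions constructed for the example.

```python
import re

PROXIMITY_WINDOW = 200          # characters on either side of a match (from the page)
WEIGHT_RE = re.compile(r"^(.*);(-?\d+)$")

def parse_expression(spec):
    """Split a 'regex;weight' entry into (compiled regex, weight).
    A missing weight defaults to 1, as the page describes."""
    m = WEIGHT_RE.match(spec)
    if not m:
        return re.compile(spec), 1
    weight = int(m.group(2))
    if not -9999 <= weight <= 9999:
        raise ValueError(f"weight out of range: {weight}")
    return re.compile(m.group(1)), weight

def score_pattern(expressions, text, keywords=(), score_threshold=0,
                  window=PROXIMITY_WINDOW):
    """Return (match_count, score, confidence) for one Data Pattern.
    Assumed semantics: each regex hit adds its weight; the pattern matches only
    when the score exceeds score_threshold; confidence is 'high' when a proximity
    keyword appears within `window` chars on either side of a hit, else 'low'."""
    hits, score = [], 0
    for regex, weight in map(parse_expression, expressions):
        for m in regex.finditer(text):
            hits.append(m)
            score += weight
    if not hits or score <= score_threshold:
        return 0, score, None
    lowered = text.lower()
    for m in hits:
        context = lowered[max(0, m.start() - window): m.end() + window]
        if any(k.lower() in context for k in keywords):
            return len(hits), score, "high"
    return len(hits), score, "low"

def profile_matches(count, occurrence="more_or_equal", min_count=1, max_count=None):
    """Apply a Data Profile's Occurrence threshold to a pattern's match count."""
    if occurrence == "more_or_equal":
        return count >= min_count
    if occurrence == "less_or_equal":
        return max_count is not None and count <= max_count
    raise ValueError(f"unknown occurrence type: {occurrence}")

# Constructed sample: an SSN-shaped weighted regex (+5) and a negatively weighted
# expression (-9) that suppresses obvious test fixtures.
SSN_PATTERN = [r"\b\d{3}-\d{2}-\d{4}\b;5", r"\bTEST DATA\b;-9"]
KEYWORDS = ["SSN", "social security"]
```

Running `score_pattern(SSN_PATTERN, text, KEYWORDS)` on a text that mentions "SSN" near the number yields a high-confidence hit, while the same number beside "TEST DATA" scores below the threshold and does not match at all.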

Create a Custom Data Policy

You must first onboard an account and enable Data Security before you can create a custom data policy.
  1. Select Add Policy and enter a Policy Name, Description, Severity, and Labels for the new policy.
  2. Select a Data Profile.
    You can select one of the predefined data profiles, such as Financial Information, Healthcare Information, Intellectual Property, or PII, or a custom data profile.
  3. Select the File Exposure.
    Exposure can be Private, Public, Conditional (AWS only), or External (Azure only). See Exposure Evaluation.
  4. Select the File Extension that you want to scan for sensitive information.
    For example, if you select Financial Information, Public, and txt, the policy generates an alert when a publicly exposed .txt file contains Financial Information. Do not use a dot before the extension; if you do, an error message displays.
  5. Save the data policy.
    You can now add this custom policy to an alert rule.

Generate Alerts for Data Policies

You must attach data policies to an alert rule to generate alerts. See Create an Alert Rule for Run-Time Checks for detail on alert rules. The following section focuses on policies and notification channels that are supported for Prisma Cloud Data Security.
  1. Create a new alert rule or edit an existing rule.
    You can select from the list of predefined Data policies or any custom policies. To filter and view the list of available Data policies, see Manage Prisma Cloud Policies. For example:
    • Objects containing Healthcare information publicly exposed
    • Objects containing Intellectual Property publicly exposed
    • Objects containing Financial Information publicly exposed
    • Objects containing PII data publicly exposed
    • Objects containing GDPR publicly exposed (EU only)
    • Objects containing Malware
  2. Select the notification channels.
    Prisma Cloud Data Security supports only Amazon SQS, Splunk, and Webhook integrations. See Configure External Integrations on Prisma Cloud.
  3. Confirm to save the alert rule.
  4. View data policy alerts and scan results.
    1. In the alerts list, filter on Policy Type—Data to view all alerts related to Data policies, then select an alert to view details:
      Click Bucket Name to see bucket information in the Data Inventory.
      Click Object Name to see object information in Data Inventory, Object Explorer.
      Click Alert Rule to see the alert rule that generated this particular alert.
    2. The Top Publicly Exposed Objects by Data Profile widget and the Object Data Profile Region map give you a view into how your content is exposed.
