About Enterprise DLP
Enterprise Data Loss Prevention (E-DLP) is a set of tools and processes to protect sensitive information from exfiltration.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Prisma Browser

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  • Or any of the following licenses that include the Enterprise DLP license:
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
Enterprise Data Loss Prevention (E-DLP) is a cloud-based service consisting of a set of tools and processes that enable you to protect sensitive information against unauthorized access, misuse, extraction, or sharing. Enterprise DLP uses supervised machine learning to classify sensitive documents into Financial, Legal, Healthcare, and other categories, and uses data patterns to identify sensitive information in traffic flowing through your network and protect it from exposure, data loss, and exfiltration.
Enterprise DLP allows you to protect sensitive data in the following ways:
  • Prevent sensitive data in file and non-file based uploads and downloads from leaking to unsanctioned web apps—Discover and conditionally stop sensitive data leaks to untrusted web apps.
  • Monitor uploads and downloads to sanctioned web apps—Discover and monitor sensitive data when users upload it to sanctioned corporate apps.
To help you inspect content and analyze the data in the correct context so that you can accurately identify and secure sensitive data, Enterprise DLP operates as a cloud service. Enterprise DLP supports over 1,000 predefined data patterns and 20 predefined data profiles. Enterprise DLP automatically delivers new patterns and profiles for use in Security policy rules as soon as they appear in the cloud service.
  • Data Patterns—Help you detect sensitive content and how users share or access that content on your network.
    Predefined data patterns and built-in settings make it easy for you to protect data that contains certain properties (such as document title or author), credit card numbers, regulated information from different countries (such as driver’s license numbers), and third-party DLP labels. To improve detection rates for sensitive data in your organization, you can supplement predefined data patterns by creating custom data patterns that are specific to your content inspection and data protection requirements. In a custom data pattern, you can also define regular expressions and data properties that look for metadata or attributes in the file’s custom or extended properties, and then use the pattern in a data profile.
  • Data Profiles—Power the data classification and monitor capabilities available on your managed firewalls to prevent data loss and mitigate business risk.
    Data profiles are a collection of data patterns used to scan for a specific object or type of content. To perform content analysis, the predefined data profiles have data patterns that include industry-standard data identifiers, keywords, and built-in logic in the form of machine learning, regular expressions, and checksums for legal and financial data patterns. When you use the data profile in a Security policy rule, the firewall can inspect the traffic for a match and take action.
    After you define the data patterns (predefined or custom), you manage data profiles from the Panorama® management server or Strata Cloud Manager. You can use a predefined data profile, or create a new profile and add data patterns to it. You then create Security policy rules and apply the profiles to those rules. For example, if a user uploads a file and data in the file matches the criteria in the policy rule, the managed firewall either creates an alert notification or blocks the file upload.
Enterprise DLP generates a DLP incident when traffic matches a data profile associated with a Security policy rule. The log entry contains detailed information regarding the traffic that matches one or more data patterns in the data profile. The log details support forensics by showing you when matched data generated an alert notification or when Enterprise DLP blocked traffic.
You can view the snippets of the traffic that generated the DLP incident. By default, data masking partially masks the snippets to prevent exposure of sensitive data. You can completely mask the sensitive information, unmask snippets, or disable snippet extraction and viewing.
Enterprise DLP caches verdicts for inspected traffic for 90 days. When an enforcement point forwards cached traffic to Enterprise DLP, Enterprise DLP returns the previously rendered verdict without reinspecting the traffic. Enterprise DLP reinspects cached traffic and renders a new verdict when either of the following occurs:
  • The cached verdict expires after 90 days.
  • You modify the DLP rule or data filtering profile that the traffic originally matched. For example, if Enterprise DLP previously blocked a file and you later change the matching rule action from Block to Alert, Enterprise DLP reinspects the file against the updated rule and applies the new action.
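The two reinspection triggers above can be modelled as a verdict cache whose entries are valid only while they are younger than the TTL and were produced under the same version of the rule. The following is an added example written for this page, not Enterprise DLP's own code: the content-hash key, the rule version counter, and the toy `has_ssn` inspector are all assumptions; the page describes only the observable behavior (90-day cache, reinspection on expiry or rule change).

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

CACHE_TTL_SECONDS = 90 * 24 * 3600   # the page: verdicts are cached for 90 days


@dataclass
class Rule:
    rule_id: str
    action: str          # "Block" or "Alert"
    version: int = 1     # assumption: every edit to the rule bumps this and invalidates old verdicts


@dataclass
class CachedVerdict:
    action: str
    rule_id: str
    rule_version: int
    stored_at: float


class VerdictCache:
    """Keyed on a content hash (assumption); an entry is reusable only while it is
    younger than the TTL and the rule it was produced under is unchanged."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._entries = {}

    @staticmethod
    def key(content: bytes) -> str:
        return hashlib.sha256(content).hexdigest()

    def lookup(self, content: bytes, rule: Rule) -> Tuple[Optional[str], str]:
        entry = self._entries.get(self.key(content))
        if entry is None:
            return None, "miss"
        if self._now() - entry.stored_at > CACHE_TTL_SECONDS:
            return None, "expired"
        if (entry.rule_id, entry.rule_version) != (rule.rule_id, rule.version):
            return None, "rule-changed"
        return entry.action, "hit"

    def store(self, content: bytes, rule: Rule, action: str) -> None:
        self._entries[self.key(content)] = CachedVerdict(action, rule.rule_id, rule.version, self._now())


def inspect(content: bytes, rule: Rule, cache: VerdictCache, matches: Callable[[bytes], bool]):
    """Return (action, source). `matches` stands in for the cloud content inspection."""
    action, reason = cache.lookup(content, rule)
    if action is not None:
        return action, reason
    action = rule.action if matches(content) else "Allow"
    cache.store(content, rule, action)
    return action, f"inspected ({reason})"


class Clock:
    """Controllable clock so the example can show expiry without waiting 90 days."""
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    clock = Clock()
    cache = VerdictCache(now=clock.now)
    rule = Rule("dlp-rule-1", "Block")
    doc = b"constructed sample upload containing SSN 123-45-6789"
    has_ssn = lambda data: b"SSN" in data   # toy stand-in for the real content inspection
    trace = []
    trace.append(inspect(doc, rule, cache, has_ssn))   # first sight: inspected
    trace.append(inspect(doc, rule, cache, has_ssn))   # same content, same rule: cached verdict
    rule.action, rule.version = "Alert", rule.version + 1   # admin changes Block -> Alert
    trace.append(inspect(doc, rule, cache, has_ssn))   # rule changed: reinspected, new action applies
    trace.append(inspect(doc, rule, cache, has_ssn))   # cached again under the new rule version
    clock.advance(CACHE_TTL_SECONDS + 1)
    trace.append(inspect(doc, rule, cache, has_ssn))   # TTL passed: reinspected
    return trace


if __name__ == "__main__":
    for action, source in demo():
        print(f"{action:6} {source}")
```

The point for operations: a file that was allowed or blocked once keeps that verdict for the same content until the matching rule is edited or the entry ages out, so a policy tightening only takes effect on cached content once the rule itself changes.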

Data Classification with Large Language Models (LLM) and Context-Aware Machine Learning

Sensitive data exfiltration can manifest in diverse formats and traverses numerous channels within an organization's infrastructure. Traditional data loss prevention solutions adopt a one-size-fits-all approach to preventing exfiltration of sensitive data that often proves insufficient for organizations aiming to ensure comprehensive security. This creates noise and distraction, impacting your security administrators' ability to investigate and resolve real security incidents when they occur.
Enterprise DLP uses various artificial intelligence (AI) and machine learning (ML) driven methods to improve detection accuracy for different file formats and techniques.
  • Regex Data Patterns Enhanced With Large Language Models (LLM) and ML Models to Improve Detection Accuracy
    Enterprise DLP augments data patterns traditionally reliant on regular expression matching with ML classifiers. Enterprise DLP trains these data patterns using diverse data sets and LLMs to establish ground truth. This integration significantly enhances accuracy and reduces false positives across 350+ classifiers to detect PII, GDPR, Financial, and many other categories. Predefined regex data patterns that Enterprise DLP enhances with ML capabilities display the Augmented with ML label. Additionally, users can report false positive detections against the DLP incident where the false positive detection occurred to facilitate model retraining for improved accuracy.
    For example, patterns like credit card numbers or bank account numbers can vary in length and pose a challenge for strict content-matching approaches, often yielding a large number of false positive detections. In such cases, specialized ML models further process all pattern matches, such as the detection of a 12-digit credit card number, to comprehend the context of sensitive data occurrences. LLMs generate high-quality training and testing data, resulting in best-in-class detection accuracy.
  • Predefined AI-Powered Document and Image Classifiers
    Enterprise DLP uses Deep Neural Network (DNN) based document classifiers to interpret the semantics of inspected documents to analyze their context and accurately classify them across financial, healthcare, legal, and source code categories of documents across all potential data loss vectors. When you enable Optical Character Recognition (OCR) you can use the predefined data patterns that are Augmented with ML, which use DNN-based models for image classification, to immediately start driving better detection accuracy across categories such as Driver’s Licenses, Passports, and National ID to protect sensitive information.
  • Train Your Own AI-Powered ML Models
    Your organization might have customized documents that pose a significant risk of exfiltration. For example, Merger & Acquisition documents or proprietary source code might demand unique detection models specific to your organization. Enterprise DLP lets you train your own AI model by uploading custom document types. This enables your organization to curate an ML detection model that accurately identifies documents specific to your organization. This privacy-preserving algorithm ensures that Enterprise DLP doesn't use your sensitive information to train any predefined AI-powered document type detections. All custom documents you upload to Enterprise DLP, and subsequent training of the AI-powered ML model, are specific and unique to your organization.

Additional Detection Accuracy

To further improve detection accuracy and reduce false positives, you can also specify:
  • Basic and Weighted Regular Expressions—A regular expression (regex) describes how to search for a specific text pattern and display the match occurrences when it finds a match. There are two types of regular expressions—basic and weighted.
    • A basic regular expression searches for a specific text pattern. When the regex matches a pattern, the service displays the match occurrences.
    • A weighted regular expression assigns a score to a text entry. When the score exceeds the threshold, the service returns a match for the pattern.
      To reduce false positives and maximize the search performance of your regular expressions, you can assign scores using the weighted regular expression builder when you create data patterns to find and calculate scores for the information important to you. Scoring applies to a match threshold: when enough expressions from a pattern match an asset to exceed the score threshold, the service indicates the asset as a match for the pattern.
      For more information, including a use case and best practices, see Configure Regular Expressions.
  • Proximity Keywords—Enterprise DLP uses proximity keywords to raise the confidence level of detections. Enterprise DLP assigns a detection a High confidence level if one of the data pattern's proximity keywords appears near the regex match. Proximity keywords are case-insensitive, and you can specify multiple proximity keywords for a single data pattern. Enterprise DLP uses the following approach to determine whether a keyword is in proximity to the expression.
    Enterprise DLP considers a keyword to be in proximity if:
    • The keyword ends no more than 200 characters before the start of the matched expression, or
    • The keyword starts no more than 200 characters after the end of the matched expression
    For example, consider a file containing a 9-digit number detected near an SSN proximity keyword. In this case, the 9-digit number is very likely a valid social security number. Conversely, if the document title includes SSN but a 9-digit number appears a few pages into the document, the number is less likely to be relevant.
  • Confidence Levels—The confidence level reflects how confident Enterprise DLP is in a detection. Enterprise DLP determines the confidence level from the regex match, any applicable checksum validation, and the distance between the regex match and a proximity keyword.
    • Low—Matches on regex detections only.
    • Medium—Matches on regex detections and checksum validations if applicable (for example, credit cards).
    • High—Matches on regex detections and checksum validation if applicable, with a proximity keyword within 200 characters of the regular expression match.
    Additionally, custom data patterns that don't include any proximity keywords always produce both Low and High confidence level detections for a match.

Structured Data

Enterprise DLP focuses on the actual data within structured documents to prevent exfiltration of sensitive data rather than relying on headers to identify sensitive data. This enables Enterprise DLP to inspect diverse structured data, such as addresses split across multiple columns (e.g., street, state, country, and zip code). Additionally, this enables Enterprise DLP to detect sensitive data in structured data with a high confidence level regardless of how you organize or format the data. Enterprise DLP can process horizontally aligned tables, multiple tables on a single sheet, and combinations of tables and free-form data. This ensures consistent protection across a global data ecosystem.
Enterprise DLP supports structured data processing for predefined data patterns and cloned predefined custom data patterns. Enterprise DLP doesn't support structured data processing for custom regex data patterns.
Enterprise DLP can determine where columns and rows begin and end, which allows it to understand when a proximity keyword and sensitive data appear within the same column or row. Additionally, Enterprise DLP can calculate the character distance between a keyword and sensitive data regardless of their location in structured data.
Enterprise DLP elevates a match to High Confidence for structured data if it meets any of the following criteria:
  • Proximity Keyword and Sensitive Data Within Proximity Keyword Distance
    Enterprise DLP evaluates a traffic match to a High Confidence detection if the sensitive data falls within the configured distance of the proximity keyword even when Enterprise DLP detects the sensitive traffic match in a different column or row than the proximity keyword. The default proximity keyword distance is 200 characters.
    For example, consider the proximity keyword Social Security Number and the sensitive data match 55-00-1234. Even though the sensitive traffic match is in a different column and row than the proximity keyword, Enterprise DLP considers this a High Confidence detection because Enterprise DLP detected the sensitive data within the default 200 character distance of the proximity keyword.
  • Keyword Inclusion in a Column
    Enterprise DLP detects sensitive data when a proximity keyword appears anywhere within the data column.
  • Keyword Inclusion in a Row
    Enterprise DLP detects sensitive data when a proximity keyword appears anywhere within the data row.
  • 10 or More Detections in a Row or Column
    Enterprise DLP detects 10 or more occurrences of the same sensitive data type within a single row or column. When this occurs, Enterprise DLP considers all detections of that type in the row or column to be High Confidence.
  • Clustering
    Enterprise DLP uses data clustering to group instances of sensitive data that are close to each other in structured data, such as tables. Enterprise DLP considers a group a High Confidence cluster when six or more detections of the same type appear in a row or column regardless of a proximity keyword. Two detections form a cluster if they are no more than one row or one column apart.
    For example, assume you have a structured document with multiple columns that don't have column headers. These columns contain clusters of cells with what Enterprise DLP believes to be sensitive data based on their structure.
    Clustering works best for predicting instances of sensitive data that follow highly structured and predictable patterns, such as U.S. Social Security Numbers and Credit Card Numbers. However, clustering doesn't perform as well for free-form text or loosely formatted or unstructured data, such as a U.S. Bank Account Number or a Latvian Drivers ID. You can edit the structured data settings to control how Enterprise DLP detects sensitive data in structured documents that lack header rows and to reduce false positives from clustering.
Enterprise DLP considers a match Low Confidence if it does not meet any of the above criteria.
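The five High Confidence criteria for structured data, applied to a small sheet as an added example for this page (not Enterprise DLP's code). The thresholds (200 characters, 10 occurrences, 6 cluster members) are the ones stated above; the whole-cell SSN regex, the keyword list, the row-major flattening used to measure character distance, and the reading of "no more than one row or one column apart" as eight-neighbour adjacency are assumptions, and the sheet is constructed.

```python
import re
from collections import defaultdict

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")   # whole-cell match (assumption)
KEYWORDS = ("ssn", "social security")           # constructed proximity keywords
PROXIMITY_DISTANCE = 200
OCCURRENCE_MIN = 10     # 10 or more detections in one row or column
CLUSTER_MIN = 6         # six or more adjacent detections


def find_cells(sheet, regex):
    return [(r, c) for r, row in enumerate(sheet) for c, cell in enumerate(row) if regex.match(cell.strip())]


def keyword_cells(sheet, keywords):
    return [(r, c) for r, row in enumerate(sheet) for c, cell in enumerate(row)
            if any(k in cell.lower() for k in keywords)]


def char_offsets(sheet):
    """Row-major flattening used to measure character distance between cells
    (assumption: the page does not say how the product measures it)."""
    offsets, pos = {}, 0
    for r, row in enumerate(sheet):
        for c, cell in enumerate(row):
            offsets[(r, c)] = (pos, pos + len(cell))
            pos += len(cell) + 1   # one separator character per cell
    return offsets


def clusters(cells):
    """Connected groups of detection cells, linking cells that are at most one row
    and one column apart (one reading of the page's clustering rule)."""
    cells, seen, groups = set(cells), set(), []
    for start in cells:
        if start in seen:
            continue
        group, stack = set(), [start]
        while stack:
            r, c = stack.pop()
            if (r, c) in seen:
                continue
            seen.add((r, c))
            group.add((r, c))
            stack.extend((r + dr, c + dc) for dr in (-1, 0, 1) for dc in (-1, 0, 1)
                         if (r + dr, c + dc) in cells and (r + dr, c + dc) not in seen)
        groups.append(group)
    return groups


def classify(sheet, regex=SSN_RE, keywords=KEYWORDS):
    """Return {(row, col): 'High' | 'Low'} for every cell matching the pattern."""
    hits = find_cells(sheet, regex)
    kws = keyword_cells(sheet, keywords)
    offs = char_offsets(sheet)
    kw_rows, kw_cols = {r for r, _ in kws}, {c for _, c in kws}
    per_row, per_col = defaultdict(int), defaultdict(int)
    for r, c in hits:
        per_row[r] += 1
        per_col[c] += 1
    high = set()
    for r, c in hits:
        if r in kw_rows or c in kw_cols:                          # keyword anywhere in the row or column
            high.add((r, c))
        elif per_row[r] >= OCCURRENCE_MIN or per_col[c] >= OCCURRENCE_MIN:
            high.add((r, c))
        else:                                                       # keyword within the character distance
            s, e = offs[(r, c)]
            for k in kws:
                ks, ke = offs[k]
                if (ke <= s and s - ke <= PROXIMITY_DISTANCE) or (ks >= e and ks - e <= PROXIMITY_DISTANCE):
                    high.add((r, c))
                    break
    for group in clusters(hits):                                    # clustering, independent of keywords
        if len(group) >= CLUSTER_MIN:
            high |= group
    return {cell: ("High" if cell in high else "Low") for cell in hits}


# Constructed sheet (list of rows): six adjacent SSNs with no header, a keyword row,
# an isolated SSN, and a row with ten SSNs in alternating cells. The long "notes"
# cells keep the other values more than 200 characters away from the keyword.
SPARSE_ROW = []
for i in range(10):
    SPARSE_ROW += [f"333-44-55{i:02d}", ""]

SHEET = [
    ["111-22-3331", "Ada", ""],
    ["111-22-3332", "Bob", ""],
    ["111-22-3333", "Cy", ""],
    ["111-22-3334", "Dee", ""],
    ["111-22-3335", "Eve", ""],
    ["111-22-3336", "Fay", ""],
    ["notes", "x" * 250, ""],
    ["", "SSN", "222-33-4444"],
    ["notes", "x" * 250, ""],
    ["", "", "999-88-7777"],
    [],
    SPARSE_ROW,
]

if __name__ == "__main__":
    for cell, level in sorted(classify(SHEET).items()):
        print(cell, level)
```

In the sample, the six values in the first column are High only because they cluster (no keyword is in their row, column or within 200 characters; dropping one row leaves five, which the page's rule leaves Low), the value on the keyword row is High by row inclusion, the lone value two rows down is Low, and the alternating row is High through the 10-occurrence rule even though its cells are not adjacent.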

Alerting and Reporting

Enterprise DLP offers multiple ways for your data security administrators to monitor incidents, track configuration changes, and to notify end users when they commit a data security policy violation.
  • Enterprise DLP Incidents
    Enterprise DLP generates a DLP incident when user traffic contains sensitive data that matches a DLP rule (Strata Cloud Manager) or a data filtering profile (Panorama). Use the Enterprise DLP Incident Manager to explore the incident dashboard and view detailed log information for data security policy violations.
  • Audit Logs
    Audit logs provide a crucial history of all Enterprise DLP configuration and setting changes that data security administrators make on Strata Cloud Manager. Enterprise DLP automatically generates audit logs whenever a data security administrator performs supported actions to ensure transparency and audit compliance. Enterprise DLP supports separate audit logging for specific Enterprise DLP channels, including viewing Email DLP audit logs and monitoring Endpoint DLP Push Logs to confirm the successful status of policy pushes to endpoint agents.
  • End User Alerting and Coaching (Agent-based vs. Agentless)
    In modern environments, client-side JavaScript handles many file uploads, which can interfere with the direct display of standard Prisma Access or NGFW block pages. In these cases, the user might see a generic app-specific error instead of the detailed block message. To address this, Enterprise DLP uses End User Alerting and Coaching to deliver notifications directly to end users when they generate a DLP incident.
    • Agentless (End User Alerting with Cortex XSOAR)
      Integrate Enterprise DLP with Cortex XSOAR to provide end users with information about blocked file uploads and enable self-service temporary exemptions.
      Review the setup prerequisites for End User Alerting with Cortex XSOAR for more information about supported plugin and PAN-OS versions, and apps.
    • Agent-based (End User Coaching)
      End User Coaching uses the Prisma Access Agent or GlobalProtect app on the end user's device to display notifications directly to the user in the Access Experience User Interface (UI) when they generate a DLP incident.
      Review the setup prerequisites for End User Coaching for supported agent, plugin, PAN-OS, and Prisma Access data plane versions.