>
    Data Asset Policies
    Focus
    Download PDF
    Focus
    1. Home
    2. SaaS Security
    3. Manage Policy for Sanctioned SaaS Apps in Data Security
    4. Data Asset Policies
    Download PDF
    SaaS Security

    Data Asset Policies

    Table of Contents

    Data Asset Policies

    Learn about how data asset policies work on Data Security.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Strata Cloud Manager)
    • Data Security license
    Or any of the following licenses that include the Data Security license:
    • CASB-X
    • CASB-PA
    In addition to the predefined data patterns and predefined policies already configured on Data Security, you can add your own data asset policies for greater comprehensive coverage.
    For example, you can create a policy that creates an incident and when a file is shared internally. Data asset policies have a large set of match criteria options that enable you to precisely define how Data Security monitors your sanctioned SaaS apps.

    Predefined Data Asset Policies on Data Security

    Learn about the predefined that are automatically applied when Data Security scans your assets.
    Data Security provides predefined policies that are automatically applied after you add a cloud app and Data Security scans the assets on that cloud app, if predefined policies are Enabled. By default, policies are Disabled. Predefined policies help you identify security threats without the need to create a policy from scratch.
    The immediate results from predefined polices help you identify what sensitive content you have and evaluate and understand how those policies are working on that content. Later, you can modify—to change the underlying predefined profile—clone, disable, or delete these policies; however, if you want to modify the predefined policy, the SaaS Security team recommends that you clone the predefined policy so that you can retain the original predefined policy, then fine-tune the new policy to meet your unique needs.
    Predefined policies discover commonly known sensitive content and are based on strong security practices; when applicable, the data patterns that underlie these predefined policies are based on predefined profiles of the same name. The same predefined policies are available whether or not you have SaaS Security with Enterprise DLP Add–on, although the availability of predefined profiles differs.
    All predefined policies use Basic criteria matching: a policy can be configured to add individual match criteria using a dropdown list and an interactive UI (Basic) or a query search (Advanced).

    Building Blocks in Data Asset Policies

    Learn about the building blocks available to create data asset policies on Data Security.
    A data asset (or content) policy has the following information:
    Field
    Description
    Data Asset Policy Name
    A name for the data asset policy.
    Description
    A description that explains the purpose of the policy.
    Severity
    Specify a value to indicate the impact of the issue. The value can range from 1 to 5, with 5 representing the highest severity.
    Status
    A policy can be in the enabled or disabled state. The predefined data patterns provided by Data Security are disabled by default.
    After you Configure Data Patterns, you must enable the pattern.
    Match Criteria
    Specifies what the policy scans for and the number of occurrences or frequency required to trigger an alert. See Match Criteria for Data Asset Policies for details about each policy type.
    When you change the match criteria settings, you automatically trigger a rescan of all assets for the corresponding SaaS application. Data Security uses the updated settings in the policy configuration to rescan assets and identify incidents.
    Actions
    • Basic Actions
      • Log as an incident only—Automatically changes incident status to Open and the incident category to New so the administrator can Assess Incidents.
      • Send Admin Alert and log as an incident—Select send admin alert for compliance issues that need immediate action, such as policies that are high risk or sensitive. Sends an email digest to the asset administrator that describes actions they can take to fix the issue.
    • Autoremediate Actions
      • Quarantine—Automatically moves the compromised asset to a quarantine folder. For User Quarantine, you can send the asset to a quarantine folder in the owner’s root directory for the associated cloud app. For Admin Quarantine, you can send the asset to a special Admin quarantine folder which only an Admin can access. When the asset is quarantined, you can send the asset owner an email that describes the actions that were taken.
      • Change Sharing—Automatically removes removes public links or external collaborators.
      • Notify File Owner —Sends an email digest to the asset owner that describes actions they can take to fix the issue.
      • Notify via Bot— Sends a message using the Cisco Webex bot that you configured in Begin Scanning a Cisco Webex Teams App.
    • Apply Data Label
    View which autoremediate options are supported for each sanctioned SaaS application.

    Match Criteria for Data Asset Policies

    Define the match criteria that a data asset policy uses when the service scans for matches.
    Define the match criteria that a data asset policy uses when the service scans for matches.

    Match Criteria for a Data Asset Policy

    When you add a new asset rule or you modify a policy rule, you define the match criteria that the data asset policy uses when Data Security scans for matches. The service compares all of the information it discovers against the enabled data asset policies and identifies incidents and exposures in every asset across all your monitored SaaS applications. Match criteria is critical for successful discovery of risks in SaaS application usage across your organization so, when you set the match criteria, you must carefully consider the thresholds, types of information, and risks associated with how assets are shared. Use match criteria to enforce compliance with your corporate acceptable use policy.
    You can also use the Advanced tab to define the match criteria using expressions. Use the tooltip at the right side of the field to learn about the various advanced search queries.
    The fields policy.name, incident.category, email.sent, and assigned.to in the Advanced tab are:
    • Applicable only when you perform an advanced search in the Data Assets page.
    • Not applicable when you create a policy (using Match CriteriaAdvanced).
    Match Criteria
    Description
    Activity
    Select the asset access and modification activities within a selected time frame to match. For example, activities can include Accessed, Not Accessed, Modified, and Not Modified. Time frames include in the past week, in the past month, and in the past 6 months.
    Asset Name
    Enter the Asset Name to include or exclude in the match results. Select either Equals to match the asset, or Does not Equal to exclude the asset from matching.
    Cloud Applications
    Select the managed applications to scan and match. By default, all cloud apps you added to Data Security are scanned, but you can Rescan a Managed Cloud App.
    Data Pattern
    Select the available data patterns to match, including predefined or custom data patterns or a file property you defined when you create a custom data pattern. Specify your include or exclude logic. Enter the number of Occurrences and Confidence (Confidence Level) required to display a data pattern match.
    Data Profiles
    Select the available data profiles to match when you create a custom data profile.
    Exposure
    Select the match conditions for how the asset is shared (Public, External, Company, or Internal).
    Label
    Select the app (Google Drive) and the data label that you fetched for that app.
    For Microsoft Labels, use custom DLP patterns as match criteria.
    Extension
    Enter the File Extension to include or exclude in the match results. Select either Equals to match the asset file extension, or Does not Equal to exclude the asset file extension from matching.
    File Hash (SHA256)
    Files are scanned using WildFire analysis to detect and protect against malicious portable executables (PEs) and known threats based on file hash. Enter the Hash (SHA256) details of the file to match. Select Equals (include in matching), or Does not Equal (exclude in matching).
    Owner
    Enter the email address for the asset Owner to Include or Exclude in the match results. You can add one or more Directory groups
    Owner Group
    To enforce group-based policy using File Owner’s Group, you must first Integrate Cloud Identity Engine with Data Security.
    Select either Equals, or Does not Equal and the Identity Provider Group to which the file owner must belong. You can also select Not Available if you want to enforce an action for any users who are not identified either because the email address is unavailable or because they belong to an AD group that is not being scanned by Data Security.
    Trust State occurrence
    When you Define Untrusted Users and Domains or if you are matching on an assets trust state, all assets shared with a user in the selected Trusted, Untrusted, or Anyone Not Trusted users list are detected as a match. Specify the number of occurrences (such as Any, More than, Fewer than, or Between with whom a file must be shared to trigger a match.

    Add a New Data Asset Policy

    Learn how to create a new data asset policy.
    Data Security enables you to add new policies for scanning assets (content) stored on your sanctioned SaaS applications. For example, you can create a policy that triggers an alert based on match criteria such a given exposure level (for example, an asset is publicly accessible) needed to protect a specific asset. An exclamation point for your cloud app denotes no active rules.
    When you create a new data asset policy, you have the option to automatically remediate incidents that violate that policy. Automatic remediation is a powerful tool and can modify a large number of assets in a short amount of time: before you include these remediation actions in additional policies, perform a test using one policy and a small set of assets.
    1. Log in to SaaS Security. Go to Data SecurityPolicies. Three types of policies are listed:
      • Data Asset Policies
      • User Activity Policies
      • Security Control Policies
      • Email DLP Policies
      Select your policy type and click Add Policy.
    2. Enter a Policy Name and an optional Description.
    3. Select a Severity for the policy.
    4. Verify that the Status is Enabled.
    5. Specify Match Criteria, including the exposure levels.
    6. Specify Actions and automatically remediate for change sharingwhen there are policy violations:
      • Create Incident—Do one of the following:
        • (Recommended) Enable to create an incident when a file violates this policy and display only the first occurrence of the violation in the Remediation Email Digest.
        • Disable to add the violation in the Remediation Email Digest and display the violation daily until the asset owner remediates the violation. Repeating the same violation in an email digest might cause user fatigue, resulting in asset owners ignoring daily email digests. However, if you know that administrators do not have time to remediate issues, an alternative is to repeatedly ask asset owners to remediate issues themselves.
      • Quarantine—Automatically move the compromised asset to a quarantine folder.
      • Change Sharing—Automatically remove links that allow the asset to be accessed. Base your selections on your organization’s Exposure Level tolerance.
      • Notify File Owner—Include in the email digest actions (Recommended Action) asset owners can take to remediate policy violations (Issue). Issue is an in-line link that takes asset owners to the file or folder that needs remediation. From there, asset owners can change share settings within the cloud app.
        Best practice is for you to provide text in these fields and provide detailed explanations and instructions via internal links in the email digest body as outlined in Remediation Email Digest.
      • (Designated Apps Only) Notify via Bot—Uses a machine account that you created to send a direct message to the asset owner who triggered the policy match. Only designated SaaS apps support this capability.
      • Include Remediation Email Digest—When you either Quarantine or Change Sharing for an asset, include in the email digest actions taken along with the specific policy violation (Issue).
      • Send Administrator Alert—Temporarily choose an administrator who has context to triage the policy violations and address the potential risk. By default any incidents generated by this asset rule are not assigned to an administrator. As a best practice, after you uncover specific issues that are high-compliance risks on your network, modify the rule or add a new rule that triggers automatic remediation instead of sending alerts. If you connect Directory Services to Data Security, the SaaS Security web interface displays Assign to.
        • Use for compliance issues for which administrators need to take immediate action, such as policies that identify high-risk or sensitive assets.
        • Consider your administrators’ areas of expertise and triage accordingly to minimize overloading any one administrator. Data Security sends up to five emails per hour on matches against each Cloud app instance.
        • Enable alerts only after Data Security completes the initial discovery scan so that administrators are not inundated with emails when historical assets are scanned.
    7. Save/Create your new data asset policy.
      Data Security starts scanning files against the data asset policy as soon as you save the changes. After the scan starts, you can start to assess new incidents and fine-tune your new policy.

    View Asset Details

    Learn about how Data Security displays detailed information about an asset violating a policy rule.
    As Data Security scans your managed cloud apps and discovers content, you can view the details on the console. Go to Data SecurityData Assets. This page provides context into the findings so you can Assess Incidents and Monitor and Investigate User Activity across these applications.
    The details for each incident vary depending on:
    • Which cloud app retains the asset.
    • Whether the asset is a file or a container (for example, a folder or a repository).
    • The policy the asset violated.
    • How the asset is shared.
    • Whether users accessed the file or took other actions on the file.
    Asset Detail Description
    1
    Details
    Summarizes asset file name, file type, exposure on cloud app, owner, and last updated timestamp.
    • Cloud app—app in which the asset resides.
    • Exposure—exposure level of the asset.
    • Owner—owner of the asset.
    • File Owner’s Groups—groups used for group-based policy.
    • Created—date on which the asset was created.
    • Type—one of the following:
      • Specific file format—whether the asset is a supported file type.
      • OBJ—when C++ code is compiled, it results in an .obj file. Additionally, OBJ is used when file type is unrecognizable.
      • MSG—when the asset is a chat message.
    • Size—file size of the asset.
    Actions
    Lists available actions for an asset, depending on the cloud app and admin role permissions:
    2
    Incidents
    Displays which data asset policy or policies that an asset violates, the date Data Security identified the incident, the status of the incident, and whether there have been previous incidents associated with the asset. From here you can Assign Incidents to Another Administrator.
    3
    Match Criteria
    Displays the data pattern that the asset matched, number of occurrences, and date found. Administrators with Write access for Request Snippets in Common Services can view asset snippets to view any available details about the asset matching the data pattern.
    For assets that match the WildFire Analysis rule, you can Use the WildFire Report to Track Down Threats.
    4
    Exposure Details
    Details how the asset is exposed (Published to the web, accessible by a public URL, if sign-in is required, or the asset is exposed by a parent folder). You can View Details to access the asset URL, if available. Strike through text on attributes denotes no exposure.
    Lists information about the users who most recently interacted with the file: Timestamp, event (for example, whether the user downloaded the file), username, IP address, and location. You can View all user activities to see details about this event and all other events associated with this file. Such information helps you investigate whether there is malicious or inappropriate access to the file.
    5
    Explore
    Explore on Cloud App
    Displays the asset tree, policy violations, and exposure level for a given asset. View the asset in the context of its file and folder hierarchy to help you identify risks and inherited exposure.
    Displays a list of collaborators (members) to help you identify who has access to shared drives (Google Drive) or team folders (Dropbox) and inherited exposure.

    © 2025 Palo Alto Networks, Inc. All rights reserved.