Create a Data Profile on Strata Cloud Manager

1. Log in to Strata Cloud Manager.
2. Configure your Enterprise DLP settings if not already configured.

   • Data Filtering Settings—Edit the data filtering settings to specify the traffic forwarding parameters for your enforcement points and Enterprise DLP. This includes settings such as the minimum and maximum data size limits for scanned traffic, latency settings, and the actions the enforcement point or Enterprise DLP takes when encountering issues for both file and non-file traffic.
   • Snippet Settings—Edit the snippet settings to specify if and how Enterprise DLP stores and masks snippets of sensitive data that match your data pattern match criteria in a data profile. Your snippet setting configuration determines how Enterprise DLP displays snippets of matched traffic when you review your DLP incidents.
3. Create one or more data patterns to define your match criteria if not already created. You can also use any of the predefined data patterns.
4. Select ConfigurationData Loss PreventionData ProfilesNew Data Profile and click Custom Data Profile.

   You can also create a new data profile by copying an existing data profile. This enables your data security administrators to quickly modify an existing data profile with additional match criteria while preserving the original data profile from which the new data profile was copied.

   Enterprise DLP appends data profiles names created by copying an existing data profile with Copy - <name_of_original_data_profile>. You can edit the name as needed.

   (Prisma Browser) If you copied a Cloud detection data profile, you can Convert to Local Supported Profile to convert the match criteria to regex match criteria supported for Local Detection by Prisma Browser. Enterprise DLP removes all match criteria not supported for Local Detection.
5. Enter a descriptive Data Profile Name.
6. (Optional) Enter a Description for the data profile.
7. (Prisma Browser) Enable Local Detection to make the data profile available for Prisma Browser only.

   A data profile configured for local detection supports regex data patterns, data dictionaries, and data profile groups containing only regex data patterns.

   This is required for Prisma Browser users without an active Enterprise DLP license.

   Enterprise DLP supports data profiles with Local Detection enabled for Prisma Browser only. If you enable this setting, Enterprise DLP automatically filters and displays data patterns and other detections methods that support local detection.

   You can't use a data profile with Local Detection enabled for NGFW or Prisma Access (Managed by Panorama or Strata Cloud Manager).
8. Select the match criteria operator (AND or OR).
9. Configure the Primary Rule.

   Add data pattern match criteria for traffic that you want to allow to the Primary Rule. You can add data pattern match criteria for traffic that you want to block to either Primary Rule or Secondary Rule.

   1. Add your detection methods to define the data profile match criteria.

      • Data Pattern
        Select AddData Pattern and define the data pattern match criteria.
        • Data Pattern—Select a custom or predefined data pattern.
          Predefined ML-based data patterns support only the Any occurrence condition with either High or Lowconfidence. You can't configure any other traffic match criteria other than the confidence level for Predefined ML-based data patterns.
          If you enabled Local Detection, Enterprise DLP displays the supported regex data patterns only.
        • Occurrence Condition—Specify the occurrences condition required to trigger a Security policy rule action.
          • Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
          • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Count.
          • More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with a minimum being the specified Count.
          • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic between the specific Count range.
        • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
          For example, to match a pattern that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
        • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
        • Unique Occurrences—Check (enable) to detect only unique instances of traffic matches. Only unique occurrences of traffic matches are counted toward the specified Count.
          This setting is disabled by default. Keep Unique Occurrences disabled if you want all instances of traffic matches to count toward the specified Count.
      • Data Dictionary
        Select AddData Dictionary and define the data dictionary match criteria.
        • Dictionary—Select a custom or predefined data pattern.
        • Occurrence Condition—Specify the occurrences condition required to trigger a Security policy rule action.
          • Any—Security policy rule action triggered if Enterprise DLP detects at least one instance of matched traffic.
          • Less than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with the maximum being the specified Count.
          • More than or equal to—Security policy rule action triggered if Enterprise DLP detects instances of matched traffic, with a minimum being the specified Count.
          • Between (inclusive)—Security policy rule action triggered if Enterprise DLP detects any number of instances of matched traffic between the specific Count range.
        • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
          For example, to match a pattern that appears three or more times in a file, select More than or equal to as the Occurrence Condition and specify 3 as the Threshold.
        • Confidence—Specify the confidence level required for a Security policy rule action to be taken (High or Low).
        • Unique Occurrences—Check (enable) to detect only unique instances of traffic matches. Only unique occurrences of traffic matches are counted toward the specified Count.
          This setting is disabled by default. Keep Unique Occurrences disabled if you want all instances of traffic matches to count toward the specified Count.
      • Custom Document Types
        Select AddDocument Types and define the custom document type match criteria.
        Prisma Browser supports custom document types for cloud detections only. You can't add a custom document type to a data profile with Local Detection enabled.
        • Document Type—Select a predefined or custom document type you uploaded to Enterprise DLP.
        • Overlapping Score Condition—Specify the custom document overlapping score required to trigger a Security policy rule action.
          • Greater Than or Equal To—Security policy rule triggered if Enterprise DLP detects an instance of matched traffic with the specified minimum overlapping score.
          • Between (Inclusive)—Security policy rule action triggered if Enterprise DLP detects an instance of matched traffic with an overlapping score between the specified min and max overlapping scores.
      • EDM
        Select AddEDM Dataset and define the EDM match criteria.
        Prisma Browser supports custom document types for cloud detections only. You can't add a custom document type to a data profile with Local Detection enabled.
        • EDM Dataset—Select an EDM data set uploaded to the DLP cloud service.
        • Occurrence Condition—Specify the occurrences condition required to trigger a Security policy rule action.
        • Count—Specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
        • Configure EDM data set Primary Fields values to specify whether a Security policy rule action is taken if Any (OR) or All (AND) primary fields are matched and if Any (OR) or All (AND) secondary fields are matched.
        • (Any(OR) only) Enter the Count to specify the number of instances of matched traffic required to trigger a Security policy rule action. Range is 1 - 500.
          When you select Any (OR), the maximum Count setting is one less than the total number of fields included in the Primary Field or Secondary Field.
        • Select the Primary Fields values.
          The list of available values is populated from the selected EDM data set. Select at least one primary field value.
          You’re required to add at least one column where the column values occurs up to 12 times in the selected EDM data set for the Primary Field. For example, if the EDM data set contains columns for first name, last name, social security number, and credit card number, add social security number and credit card in the primary field.
      • Data Profiles
        See Create a Nested Data Profile for detailed information.
        Select AddData Profile to add a granular or nested data profile to enhance your Enterprise DLP detection capabilities by enabling you to apply differentiated inline content inspection requirements and response actions within the same Security policy rule.
        For example, you can use a granular profile to block high-risk data patterns while alerting on lower-risk ones, set varying log severities for different data profiles, and selecting specific file types for each data profile included the granular data profile. Granular profiles simplify policy rulebase management by consolidating multiple rules into a single, more flexible policy. This allows your security administrators to streamline Security policy rulebase administration. It reduces false positive detections and achieves a more nuanced approach to data protection that aligns closely with your organization's risk management strategy while maintaining a lean and efficient policy rulebase.
        (Enterprise DLP Plugin 5.0 and earlier releases) Granular profiles are backwards compatible. This means that if you can configure a granular profile on Strata Cloud Manager, Enterprise DLP can successfully synchronize the granular data profile and make it available for use on Panorama and NGFW running PAN-OS 11.1 or earlier releases and Enterprise DLP plugin 5.0 and earlier releases.
        Search for and select one or more compatible predefined or custom data profiles and click Apply to add them. Enterprise DLP does not support adding a granular or nested profile to another granular or nested profile.
        If you enabled Local Detection, you can only add other data profiles with Local Detection enabled.
      • Group
        Select AddGroup to nest and group additional match criteria so you can more accurately define your compliance rules.
        When you click add a new Group, the new match criteria group is nested under the most recently added match criteria. You can’t nest a new match criteria group between existing match criteria. If you add multiple match criteria, you must remove the match criteria that follow the match criteria that you want to add.
        For example, you added EDM_Dataset1, Data_Pattern2, and EDM_Dataset3 to the Primary Rule. If you wanted to added nested match criteria to Data_Pattern2, you must first remove EDM_Dataset3 from the Primary Rule.
        You can select the same match criteria or different match criteria to more accurately define your compliance rules. Enterprise DLP supports up to three level of additional groups for each match criteria.
        Nested match criteria support the AND, OR, and NOT operators. Refer to the descriptions above to configure the nested match criteria.
10. (Optional) Add Secondary Rule.

    Enterprise DLP blocks traffic that matches the match criteria added to the Secondary Rule block. If you want to allow traffic that matches a data pattern match criteria, add it to the Primary Rule.

    (Prisma Browser) Prisma Browser doesn't support Secondary Rules for both cloud-assisted and local detection data profiles. Prisma Browser ignores all Secondary Rules.
11. Review your data profile configuration.

    Additionally, you can use the Preview to see a detailed list view of your Primary and Secondary Rule configuration, the Detection Coverage indicating whether the data profile supports Cloud Only or Local Detection.

    • Example of Local Detection Support

    • Example of No Local Detection Support
      Click Convert to Local Detection Compatible Profile to remove any cloud-assisted data profiles and make the data profile compatible with local detection for Prisma Browser.
12. Click Test Run to test and verify the data profile accurately detects the sensitive data you configured it to detect.
13. Save the data profile.
14. In Data Profiles, search for the data profile you created to verify it was successfully created.
15. Modify the DLP rule or add the data profile to a Data Control Rule

    • NGFW and Prisma Access Tenants—Modify a DLP rule to define the type of traffic to inspect, the impacted file types and apps, the action Enterprise DLP takes when sensitive data is detected, log severity, and more for the data profile match criteria. Enterprise DLP automatically creates a DLP rule with an identical name as the data profile from which it was created.
    • Prisma Browser—Create or edit a Data Control rule to prevent exfiltration of sensitive data for specific apps, website classifications, or URLs.