View Enterprise DLP Log Details for Endpoint DLP

1. Log in to Strata Cloud Manager.
2. Select ManageConfigurationData Loss PreventionDLP Incidents.
3. Select a Scan Date and Region to filter the DLP Incidents.

   Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located.

   For Prisma Access (Managed by Strata Cloud Manager)and NGFW (Managed by Strata Cloud Manager), Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated.

   When a new Public Cloud Server is introduced, Enterprise DLP automatically resolve to it if it’s closer to where the inspected traffic originated.

   This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
4. Add Filter and select the Action to filter for the specific Endpoint DLP policy rule action you want to investigate.

   For example, select only Block if you wanted to investigate all Endpoint DLP incidents where access to a peripheral device or file movement from the endpoint to the peripheral device was blocked.
5. Review the Incidents and click the Incident ID to review detailed information for a specific incident.

6. Review the Incident Details to review specific file upload details.

   Make note of the Report ID for the DLP incident if you haven’t already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.

   • Info
     The Info panel displays general information about the DLP incident.
     • Channel/Source—The enforcement point using Enterprise DLP through which the incident occurred. This field always displays Endpoint DLP.
     • Incident ID—Unique ID for the DLP incident.
     • Report ID—Unique ID used to view additional Traffic log details regarding the DLP incident.
     • Action—The action Enterprise DLP took on the traffic that matched your DLP rule.
     • Data Profile—Data profile that traffic matched against that generated the incident.
       A data profile is displayed for Data in Motion Endpoint DLP policy rules only. For Peripheral Control Endpoint DLP policy rules, Not Found is displayed.
     • Assign To—Select an admin to review and manage the DLP incident.
     • Status—Select the resolution status of the DLP incident.
     • Priority—Specify the DLP incident priority. You can select P1, P2, P3, P4, or P5.
   • Data
     • Asset—Name of the file containing sensitive data that generated the incident. For non-file inspection, the asset name is http-post-put.
     • Type—File type for the file that generated the incident. For non-file inspection, the type is non-file.
     • Direction—Indicates whether the matched traffic was a Download or an Upload when the incident occurred.
     • Scan Date—Date and time the matched traffic was scanned and the DLP incident was generated.
   • User
     User data requires integration with Cloud Identity Engine (CIE) to display. The User data displayed correspond to Palo Alto Networks Attributes that correlate to specific directory provider fields in CIE.
     • User ID—ID of the user that generated the DLP incident.
       The User-ID field does not require CIE integration. However, the corresponding Palo Alto Networks Attribute is User Principal Name.
     • Role—Role of the user who generated the DLP incident.
       Corresponding Palo Alto Networks Attribute is Title.
     • Organization—Organization the user who generated the DLP incident is associated with.
       Corresponding Palo Alto Networks Attribute is Department.
     • Location—Location of the user who generated the DLP incident.
       Corresponding Palo Alto Networks Attribute is Location.
     • Manager—Manager of the user who generated the DLP incident.
       Corresponding Palo Alto Networks Attribute is Manager.
   • Session
     • Prisma Access Device SN—Serial number of the endpoint that generated the DLP incident.
     • Endpoint OS—Operating system and version running on the endpoint that generated the DLP incident.
     • App—App-ID for the target application.
     • URL—Fully Qualified Domain Name (FQDN) of the target application or user.
     • Peripheral Information—Details about the specific peripheral device connected to the endpoint that generated the DLP incident.
       This information includes the Peripheral Type, Name, Manufacturer, Model, Product ID, Vendor ID, and Serial Number.
   • Annotations
     The Annotations sections allow you to add notes and details regarding the DLP incident. Save any annotations regarding the DLP incident so other administrators can view it.

7. (Data in Motion only) Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what detected data.

   For nested data profiles, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a DataProfile, with the nested profiles Profile1, Profile2, and Profile3 and scanned traffic matches the nested Profile2 and is blocked. In this scenario, the data profile displayed for the incident is Profile2.

8. Review the file log to learn about the traffic data for the DLP incident.

   1. Select Incidents & AlertsLog Viewer.
   2. From the Firewall drop-down, select File.
   3. Filter to view the file log for the DLP incident using the Report ID.

      Report ID = <report-id>
   4. Review the file log to learn more about the traffic data for the DLP incident.
9. Manage Enterprise DLP Incidents.