Enterprise DLP
Reduce False Positive Detections
Address and resolve when Enterprise Data Loss Prevention (E-DLP) wrongly identifies traffic and
takes action based on your traffic match criteria in a data profile.
Where Can I Use This? | What Do I Need?
---|---
 | Or any of the following licenses that include the Enterprise DLP license
In some instances, Enterprise Data Loss Prevention (E-DLP) may incorrectly detect and take action on
network traffic that it should not have. This is called a false positive detection, and false positives
cause productivity impacts for individual employees and Enterprise DLP administrators alike. False positive
detections are commonly caused by traffic match criteria in your data patterns that
are too general, or by cases where the Enterprise DLP machine learning (ML) models
need to be trained on your organization's own documents. Review the recommendations below
to help reduce the chance of false positive detections.
- Log in to the management platform where you are managing Enterprise DLP.
- (Regex only) Review your custom regex data patterns.
  - Review the regular expression (regex) for the custom data pattern generating false positive detections. Custom data patterns use regex to define the match criteria that you want Enterprise DLP to detect and take action on. Regex that is too broad contributes to false positive detections. Palo Alto Networks recommends writing narrow regex so that only the sensitive data you want to prevent from leaving your organization's network is detected and blocked. In practice, anchor the pattern with word boundaries and require the separators and structural rules of the real identifier format instead of matching any run of digits.
  - Add proximity keywords to your custom data pattern. Proximity keywords help improve overall Enterprise DLP detection accuracy and reduce false positives. Proximity keywords affect the detection confidence level, which reflects how confident Enterprise DLP is when detecting matched traffic. Enterprise DLP determines the match confidence level by inspecting the distance between the regex match and the proximity keywords you added.
  - Use the File Property configuration settings to add specific file property patterns on which to match. If you use classification labels or embed tags in documents to include more information for audit and tracking purposes, you can create a file property data pattern to match on the metadata or attributes that are part of the custom or extended properties in the file. Regardless of whether you use an automated classification mechanism, such as Titus, or require users to add a tag, you can specify a name-value pair on which to match in a custom or extended property embedded in the file. This narrows the likelihood of false positives by requiring Enterprise DLP to inspect and take action only on documents that contain the specified name-value pair. For Panorama, this means modifying or creating a new data pattern. For Strata Cloud Manager, this means creating a file property data pattern.
- Use advanced detection tools to create specific and narrow match criteria for your data profiles.
  - ML-Based Data Patterns—Use predefined regex data patterns enhanced with machine learning (ML), or ML-based data patterns, to increase detection accuracy and reduce false positive detections.
  - Exact Data Matching (EDM)—EDM is used to monitor and prevent exfiltration of sensitive and personally identifiable information (PII) such as social security numbers, medical record numbers, bank account numbers, and credit card numbers, in a structured data source such as databases, directory servers, or structured data files (CSV and TSV), with high accuracy. With EDM, you can reduce false positive detections by uploading data sets containing the specific PII you want to prevent exfiltration of and using them as match criteria in data profiles; only values present in the uploaded data set match, not every value that merely looks like an identifier.
  - Custom Document Types—Enterprise DLP supports the upload and detection of custom documents containing intellectual property for which you want to prevent exfiltration. This tool uses ML-based detection models to detect and prevent exfiltration of sensitive data contained in documents unique to your organization. With custom document types, you can reduce false positive detections for file-based traffic by narrowing the possible file-based detections to just those unique to your organization. For example, set a high Overlapping Score Condition threshold when you create an advanced data profile to detect custom documents. This narrows the possible traffic matches by requiring a high degree of overlap between the scanned file and the custom document type.
  - Data Dictionaries—Data dictionaries are a collection of one or more proximity keywords or phrases that you want to detect and prevent exfiltration of. A data dictionary is added as a match criterion alongside the other supported match criteria in advanced and nested data profiles to increase Enterprise Data Loss Prevention (E-DLP) detection accuracy.
- Contact Palo Alto Networks Support to help investigate why false positive detections continue to occur. Only contact Palo Alto Networks Support if you have implemented the above recommendations and continue to experience false positive detections. Palo Alto Networks Support team members will work with your administrators to review your data patterns and data profiles to help identify what can be further improved. In some instances, they may go back over your data patterns and data profiles to see whether any further modifications can be made to narrow the match criteria scope.
- (Predefined Data Patterns and Profiles only) Report a False Positive Detection to Palo Alto Networks. Report false positive detections to Palo Alto Networks to improve Enterprise DLP detection accuracy for yourself and other Enterprise DLP users. You can report snippets of false positive detections for high confidence traffic matches against predefined regular expression (regex) or machine learning (ML) data patterns. All selected DLP incident snippets are shared with Palo Alto Networks when you submit a false positive report. The selected snippets are stored by and accessible to Palo Alto Networks for up to 90 days to allow Palo Alto Networks to investigate and improve Enterprise DLP detection accuracy. Review the snippets before submitting, since they leave your environment.
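The following is an added example, not Palo Alto Networks code and not the Enterprise DLP implementation. It shows, on constructed sample traffic, why a broad regex data pattern flags order and invoice numbers as SSNs, how a narrower regex plus proximity keywords separates a real SSN from an address that merely has the same shape, and how EDM-style fingerprinting of an uploaded data set matches only the records you actually hold. The confidence rule (keyword within a fixed character window) and the fingerprint scheme (SHA-256 over a normalized value) are simplified stand-ins for whatever Enterprise DLP does internally; `SAMPLE_TEXT` and `EDM_CSV` are constructed inputs.

```python
"""Added example: broad regex vs narrow regex + proximity keywords vs EDM.
Not Enterprise DLP code; the scoring and fingerprinting are simplified."""
import csv
import hashlib
import io
import re

# Constructed sample traffic: an order number, a street address that happens to
# look like an SSN, an invoice number, a phone number and one real SSN.
SAMPLE_TEXT = (
    "Order #123456789 shipped to 555-01-2345 Main St.\n"
    "Reference 987654321 is the invoice number; call 412-555-0199.\n"
    "Employee SSN: 219-09-9999 is on file.\n"
)

# Too general: any nine digits with optional separators. Hits the order and
# invoice numbers as well as the address.
BROAD_SSN = re.compile(r"\d{3}-?\d{2}-?\d{4}")

# Narrower: separators required, word-bounded, and the SSA structural rules
# (area not 000/666/9xx, group not 00, serial not 0000) encoded as lookaheads.
NARROW_SSN = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

PROXIMITY_KEYWORDS = ("ssn", "social security")


def regex_hits(text, pattern):
    """Every substring of `text` the data pattern would flag."""
    return [m.group(0) for m in pattern.finditer(text)]


def proximity_confidence(text, match, keywords=PROXIMITY_KEYWORDS, window=30):
    """'high' if a keyword appears within `window` characters on either side of
    the match, else 'low'. Simplified distance-based confidence (assumption)."""
    lo = max(0, match.start() - window)
    hi = min(len(text), match.end() + window)
    context = text[lo:hi].lower()
    return "high" if any(k in context for k in keywords) else "low"


def scored_hits(text, pattern=NARROW_SSN):
    """(value, confidence) per match, so a policy can act only on 'high'."""
    return [(m.group(0), proximity_confidence(text, m)) for m in pattern.finditer(text)]


# --- EDM-style exact matching ---------------------------------------------
# Constructed structured data source: the only SSNs that are actually sensitive.
EDM_CSV = "employee_id,ssn\n1001,219-09-9999\n1002,078-05-1120\n"


def normalize(value):
    """Canonical form so '219-09-9999' and '219099999' fingerprint identically."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def fingerprint(value):
    """One-way fingerprint of a normalized value (simplified; no secret salt)."""
    return hashlib.sha256(normalize(value).encode()).hexdigest()


def edm_fingerprints(csv_text, column):
    """Fingerprint one column of the data set; the raw values are not kept."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {fingerprint(row[column]) for row in rows}


def edm_hits(text, fingerprints, candidate=BROAD_SSN):
    """Use the broad shape only to pick candidates, then keep those whose
    fingerprint is in the uploaded data set. Look-alikes never match."""
    return [m.group(0) for m in candidate.finditer(text)
            if fingerprint(m.group(0)) in fingerprints]


if __name__ == "__main__":
    print("broad  :", regex_hits(SAMPLE_TEXT, BROAD_SSN))
    print("narrow :", scored_hits(SAMPLE_TEXT))
    print("edm    :", edm_hits(SAMPLE_TEXT, edm_fingerprints(EDM_CSV, "ssn")))
```

On the sample, the broad pattern returns four hits, the narrow pattern returns two of which only the one next to the "SSN" keyword scores high, and the EDM check returns exactly the record present in the data set. The phone number is rejected by both regexes because its group/serial lengths do not fit the SSN shape.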