Report a False Positive Detection
Report false positive detections by Enterprise Data Loss Prevention (E-DLP) to Palo Alto Networks to improve the DLP cloud service detection accuracy.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
In some instances, Enterprise Data Loss Prevention (E-DLP) incorrectly detects, and takes action on, a file or network traffic that it should not have. This is called a false positive detection. False positives cost productivity for the individual employees whose traffic is blocked or alerted on and for the Enterprise DLP administrators who must triage them. False positive detections are commonly caused by the match criteria of the predefined regular expression (regex) data patterns, which match on the shape of the data and can therefore fire on look-alike values.
Report false positive detections to Palo Alto Networks to improve Enterprise DLP detection accuracy for yourself and other Enterprise DLP users. A false positive detection is reported against the DLP Incident in which it occurred. The DLP Incident must meet all of the following conditions before you can report a false positive detection:
  • The traffic matched one or more predefined regular expression (regex) data patterns.
  • The traffic match is high confidence.
  • A snippet of the false positive detection is available to share with Palo Alto Networks.
All selected DLP incident snippets are shared with Palo Alto Networks when you submit a false positive report. The selected snippets are stored and accessible by Palo Alto Networks for up to 90 days to allow Palo Alto Networks to investigate and improve Enterprise DLP detection accuracy.
Reporting false positive detections for incidents generated by Email DLP or SaaS Security is not supported.
  1. Log in to the management platform where you are managing Enterprise DLP.
  2. Review your data patterns, data profiles, and Security policy rules to reduce false positive detections before you report them.
  3. Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
  4. In the incident list, click the File name of the false positive DLP incident you want to report to Palo Alto Networks.
  5. In the Matches within Data Profile window, click Report False Positive.
  6. In the False Detection Information section, select one or more data patterns.
    The list of available data patterns is based on the data profile that generated a false positive detection. Only data patterns associated with the data profile are displayed.
  7. Select one or more snippets of false positive detections.
    If you selected multiple data patterns associated with the data profile, you can select snippets from each of them.
  8. (Optional) Add a Comment to provide additional details to Palo Alto Networks.
    This helps Palo Alto Networks understand how to improve the predefined data pattern match criteria or how to train the ML models to improve detection accuracy.
    Click Next.
  9. A notification is displayed to confirm submission of the false positive report and that the snippet will be shared with Palo Alto Networks for investigative purposes.
    Click Submit to report the false positive detection.
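The following script is an added example for the review in step 2; it is not part of this page and is not Enterprise DLP code. It shows the mechanism described above: a broad predefined-style regex fires on any value of the right shape, and a secondary check (a Luhn checksum for card-like numbers, issuance rules for SSN-like numbers) separates likely true positives from the candidate false positives worth submitting. The regexes, validators, and sample snippets are constructed for illustration and are assumptions; they are not Palo Alto Networks' predefined data patterns or their match criteria.

```python
import re
from dataclasses import dataclass
from typing import Callable

# Illustrative regex data patterns, constructed for this example. They are NOT
# Palo Alto Networks' predefined patterns; they only show how a shape-based regex
# fires on look-alike data that a checksum or range rule would reject.
CARD_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")    # NNN-NN-NNNN


def luhn_valid(number: str) -> bool:
    """Luhn mod-10 checksum that real payment card numbers satisfy."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_plausible(ssn: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area >= "900":   # zero-padded 3-digit strings compare correctly
        return False
    return group != "00" and serial != "0000"


@dataclass
class Finding:
    pattern: str
    snippet: str
    verdict: str   # "likely true positive" or "candidate false positive"


# pattern name -> (regex that produced the hit, secondary validator)
PATTERNS: dict[str, tuple[re.Pattern, Callable[[str], bool]]] = {
    "credit-card-like": (CARD_RE, luhn_valid),
    "ssn-like": (SSN_RE, ssn_plausible),
}


def triage(text: str) -> list[Finding]:
    """Run every pattern over `text` and re-check each regex hit with its validator."""
    findings = []
    for name, (regex, validate) in PATTERNS.items():
        for m in regex.finditer(text):
            verdict = "likely true positive" if validate(m.group()) else "candidate false positive"
            findings.append(Finding(name, m.group(), verdict))
    return findings


def false_positive_candidates(snippets: list[str]) -> list[Finding]:
    """Keep only the hits that are worth raising in a false positive report."""
    return [f for s in snippets for f in triage(s) if f.verdict == "candidate false positive"]


# Constructed sample snippets, in the form an incident viewer might show them.
SAMPLE_SNIPPETS = [
    "Customer card on file: 4111 1111 1111 1111",                    # Luhn-valid test number
    "Shipment tracking ID 1234 5678 9012 3456 left the warehouse",   # 16 digits, fails Luhn
    "Employee SSN 123-45-6789 entered on form W-4",                  # plausible SSN
    "Ticket ref 000-12-3456 assigned to tier 2",                     # area 000 is never issued
]

if __name__ == "__main__":
    for f in false_positive_candidates(SAMPLE_SNIPPETS):
        print(f"{f.pattern}: {f.snippet!r} -> {f.verdict}")
```

Running the script lists only the tracking ID and the ticket reference: both match the regex shape, neither survives the secondary check, so those are the snippets to select in step 7. The card number and the real-looking SSN pass their checks and should not be reported.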