View Enterprise DLP Audit Logs


Use Enterprise Data Loss Prevention (E-DLP) audit logs to understand the change history for your Enterprise DLP deployment.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Review your Enterprise Data Loss Prevention (E-DLP) audit logs for a comprehensive history of the changes that occurred across your Enterprise DLP security service. Enterprise DLP audit logs maintain a history of when data patterns and data profiles are created, updated, or deleted.
For Endpoint DLP, you can view the audit logs to review the change history for your Endpoint DLP configuration, as you would for Enterprise DLP. Additionally, Push Logs reflect the latest Endpoint DLP policy rule and setting changes that were pushed. Use the Push Log history to review when Endpoint DLP policy rule or configuration changes were pushed, by whom, and a summary of all the changes included in the push.

View Enterprise DLP Audit Logs on Strata Cloud Manager

Use Enterprise Data Loss Prevention (E-DLP) audit logs to understand the change history for your Enterprise DLP deployment.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Data Loss Prevention > Audit Log.
  3. (Optional) Filter the audit logs as needed.
    • Enter an email in the search bar to filter the audit logs by user.
    • Add New Filter to filter the audit logs based on:
      • Time - Select a predefined time frame or specify a Custom time frame.
      • Channel - Select a supported platform.
      • Event - Select the type of audit log event (Create, Update, or Delete) to view.
  4. Show More to view additional audit log information.
    You can view additional audit log details to review what traffic match criteria were configured when the data pattern, data filtering profile, or data profile was created, or to better understand what changes were made.

View Enterprise DLP Audit Logs for Email DLP

View Email DLP audit logs on SaaS Security to understand the change history for your Email DLP configuration and deployment.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > SaaS Security > Settings > Monitor Actions Taken by SaaS Security.
  3. (Optional) Filter the audit logs as needed.
    • Enter an email in the search bar to filter the audit logs by user.
    • Add Filter to filter the audit logs based on:
      • Role - Filter based on the admin role that made the configuration change.
      • Log - Filter based on the configuration change event type.
        The common Email DLP events are Create, Update, Delete, and Download.
      • Date - Select a predefined time frame or specify a Custom time frame.

View Enterprise DLP Push Logs for Endpoint DLP

View the Enterprise Data Loss Prevention (E-DLP) push logs for Endpoint DLP.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Data Loss Prevention > Audit Log > Push Logs.
  3. Review your Endpoint DLP Push Logs.
    • Time—Date and time the Endpoint DLP policy push was performed. Timestamp is in MM/DD/YY hh:mm format.
    • User—Email of the administrator that performed the Endpoint DLP policy push.
    • Request ID—ID of the policy push operation from Strata Cloud Manager to Prisma Access Agent installed on endpoint devices. The Request ID is used for troubleshooting in the event you push Endpoint DLP changes but the Prisma Access Agent doesn't take the expected Endpoint DLP policy rule action.
    • Event—Status of the Endpoint DLP policy rule and configuration push. For a successful push, the Event column displays Endpoint DLP Policy/Configuration pushed successfully. For a failed push, the Event column displays Endpoint DLP Policy/Configuration failed.
      Click View Details to review detailed information about a specific Endpoint DLP policy rule and configuration push.
  4. Review detailed information about a specific Endpoint DLP policy rule and configuration push.
    • Status—Status of the push operation; can be Success or Failure.
    • Start Time—Date and time the push operation was initiated. Timestamp is in MM/DD/YY hh:mm format.
    • End Time—Date and time the push operation completed regardless of status. Timestamp is in MM/DD/YY hh:mm format.
    • Description—Description for the push operation added by the security administrator. This field is blank if no description was added when the push was initiated.
    • Request ID—ID of the policy push operation from Strata Cloud Manager to Prisma Access Agent installed on endpoint devices. The Request ID is used for troubleshooting in the event you push Endpoint DLP changes but the Prisma Access Agent doesn't take the expected Endpoint DLP policy rule action.
    • Policies—List of new or modified Endpoint DLP policy rules included in the push.
    • Peripherals—List of peripheral devices added to Endpoint DLP.
    • Peripheral Groups—List of newly created or modified peripheral groups.
    • Settings—List of Endpoint DLP data filtering and snippet setting changes.
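
The Push Logs columns described above (Time, User, Request ID, Event) can be reviewed with a short script. This is an added example, not Palo Alto Networks code. Assumptions: the rows were transcribed by hand into CSV using those column names (this page does not describe an export), hh:mm is 24-hour, and the sample rows, email addresses, Request ID placeholders and the `expected_admins` allowlist are constructed for illustration.

```python
import csv
import io
from datetime import datetime

# Event strings as the Push Logs Event column displays them.
EVENT_OK = "Endpoint DLP Policy/Configuration pushed successfully"
EVENT_FAILED = "Endpoint DLP Policy/Configuration failed"

# Constructed sample rows; users and Request IDs are placeholders.
SAMPLE_ROWS = """Time,User,Request ID,Event
03/04/25 09:12,admin1@example.com,REQ-PLACEHOLDER-1,Endpoint DLP Policy/Configuration pushed successfully
03/04/25 14:40,admin2@example.com,REQ-PLACEHOLDER-2,Endpoint DLP Policy/Configuration failed
03/04/25 14:55,admin2@example.com,REQ-PLACEHOLDER-3,Endpoint DLP Policy/Configuration pushed successfully
03/05/25 02:07,contractor@example.net,REQ-PLACEHOLDER-4,Endpoint DLP Policy/Configuration failed
"""

def parse_rows(text):
    """Parse rows, convert Time (MM/DD/YY hh:mm, assumed 24-hour), sort oldest first."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row = {key: value.strip() for key, value in row.items()}
        row["Time"] = datetime.strptime(row["Time"], "%m/%d/%y %H:%M")
        if row["Event"] not in (EVENT_OK, EVENT_FAILED):
            raise ValueError(f"unexpected Event value: {row['Event']!r}")
        rows.append(row)
    return sorted(rows, key=lambda r: r["Time"])

def triage(rows, expected_admins):
    """Return (Request IDs of unresolved failures, users outside the allowlist)."""
    unresolved = []
    for i, row in enumerate(rows):
        if row["Event"] != EVENT_FAILED:
            continue
        # Heuristic (assumption): a later successful push supersedes the failure.
        if not any(r["Event"] == EVENT_OK for r in rows[i + 1:]):
            unresolved.append(row["Request ID"])
    unexpected = sorted({r["User"] for r in rows
                         if r["User"].lower() not in expected_admins})
    return unresolved, unexpected

if __name__ == "__main__":
    failures, users = triage(parse_rows(SAMPLE_ROWS),
                             {"admin1@example.com", "admin2@example.com"})
    print("Failed pushes with no later success (Request IDs):", failures)
    print("Pushes by accounts outside the expected admin list:", users)
```

The Request IDs it reports for unresolved failures are the ones to look up under View Details when troubleshooting.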