Secure AIP Labeled Files with Enterprise DLP

Leverage Enterprise data loss prevention (DLP) to inspect and take action on assets protected with Microsoft Azure Information Protection (AIP).
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
What Do I Need?
Leverage Enterprise data loss prevention (DLP) from the cloud management console to inspect for and take action on assets protected with Microsoft Purview Information Protection (formerly Azure Information Protection (AIP)).
  1. Create a document protected with a Microsoft AIP label.
    Refer to the Microsoft Purview Information Protection documentation for detailed information.
  2. In the cloud management console, select Manage > Configuration > Security Services > Data Loss Prevention.
  3. Configure a file property data pattern.
    1. Select Detection Methods > Data Patterns > Add Data Patterns > File Property.
    2. Enter a Name for the file property data pattern.
    3. For the File Property Type, select Custom.
    4. For the custom file property Name, enter the full AIP label Name that you want to take action on.
      This can be either the MSIP_Label_<GUID>_Enabled label name or the Sensitivity label name.
    5. For the custom file property Value, enter the Microsoft AIP label you want to scan for and take action on.
      For example, if you want to take action on assets protected with the Confidential AIP label, enter Confidential.
    6. (Optional) Add File Property and repeat the steps above to take the same action on multiple AIP labels using a single data pattern.
    7. Save.
  4. Configure a data profile.
    Before you create the data profile, consider which AIP labels you want to allow and which you want to block. If you add match criteria only to the Primary rule, you can select whether to allow or block matched traffic. If you add match criteria to both the Primary and Secondary rules, traffic that matches the Primary rule is always allowed and traffic that matches criteria in the Secondary rule is always blocked.
    When a data profile contains match criteria that you want to both allow and block, be aware that the session in which the matched traffic is inspected matters. For example, File1 matches criteria in the Primary rule that you want to allow, and File2 matches criteria in the Secondary rule that you want to block. Both files are attached to a single email. In this scenario, the DLP cloud service blocks the email that both files are attached to, because File2 matches criteria that are blocked. However, if each file is attached to a separate email, or if the files are attached to the same email one at a time, the appropriate action is taken for each file.
    1. Select Data Profiles and Add Data Profile > With Data Patterns only.
    2. Enter a Data Profile Name.
    3. For the Primary Rule, Add Data Pattern Group and set the confidence level as Low.
      Search for and select the file property data pattern you created in the previous step. Repeat this step to add multiple data patterns if needed.
    4. (Optional) For the Secondary rule, Add Data Pattern Group and set the confidence level as Low.
      Search for and select the file property data pattern you want to block. Repeat this step to add multiple data patterns if needed.
      You can add data patterns to the Primary rule and skip this step if you plan to only block matched traffic.
    5. Save.
  5. Modify the DLP rule.
    1. Select DLP rules and locate the data profile you created in the previous step.
      The data profile and corresponding DLP rule have identical names.
    2. Expand the Action column and Edit.
    3. Select the Action you want to take.
      If you added data patterns to both the Primary and Secondary rules, the Action is Alert and Block by default and cannot be modified. Alert applies to the Primary rule and Block applies to the Secondary rule.
      • Alert generates a DLP incident and allows matched traffic.
      • Block generates a DLP incident and blocks matched traffic.
    4. Specify the Log Severity when a DLP log is generated for matched traffic.
      Informational generates an informational DLP log and does not generate a DLP incident. All other log severity types generate a DLP log of the corresponding severity and generate a DLP incident.
    5. Save.
  6. Add the Enterprise DLP data profile to a profile group.
    1. Select Manage > Configuration > Security Services > Profile Groups.
    2. Add Profile Group or select an existing profile group.
    3. For the Data Loss Prevention Profile, select the DLP rule you modified in the previous step.
    4. Save.
  7. Add the profile group to a Security policy rule.
    1. Select Manage > Configuration > Security Services > Security Policy and Add Rule.
    2. Configure the Security policy rule as needed.
    3. For the Action and Advanced Inspection:
      • Set the Action to Allow (default).
      • For the Profile Group, select the profile group you added the DLP rule to in the previous step.
    4. Save.
    5. In the Prisma Access - Pre Rules, verify that the Security policy rule is at the top of the policy rulebase so that traffic is not allowed or blocked before it can be inspected.
  8. Push Config.
  9. Verify that Enterprise DLP successfully detects and takes action on the assets protected by the AIP labels you specified in your Enterprise DLP configuration.
    You can use sites such as DLP ToolBox and DLP Test to verify.
    Refer to the Enterprise DLP Administrator's Guide for more information on supported applications.
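The file property data pattern in step 3 and the Primary/Secondary allow-block behavior in step 4 both depend on the custom document properties that an AIP label writes into the file. The following Python script is an added example, not Palo Alto Networks or Microsoft code: it reads those properties out of an Office file's docProps/custom.xml, evaluates a pattern of (Name, Value) pairs as step 3 describes, and applies the session rule from step 4 to a set of files inspected together. The property names MSIP_Label_<GUID>_Enabled and Sensitivity come from this page; the placeholder GUID, the label values, the MSIP_Label_<GUID>_Name property, exact string comparison, and the choice that Block wins when a single file matches both rules are assumptions of the example.

```python
"""Added example, not Palo Alto Networks or Microsoft code: inspect the custom
document properties that an AIP/Purview label writes into an Office file and
apply the Primary/Secondary allow-block logic described in steps 3 and 4."""
import io
import zipfile
import xml.etree.ElementTree as ET

# OOXML custom-properties part (docProps/custom.xml) namespaces.
NS_CP = "http://schemas.openxmlformats.org/officeDocument/2006/custom-properties"
NS_VT = "http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"
FMTID_USER = "{D5CDD505-2E9C-101B-9397-08002B2CF9AE}"  # standard user-defined properties FMTID

# Constructed placeholder label id; a real AIP label GUID comes from your tenant.
PLACEHOLDER_GUID = "00000000-0000-0000-0000-000000000000"


def read_custom_properties(office_bytes):
    """Return {property name: value} from docProps/custom.xml of a docx/xlsx/pptx container.
    An unlabeled file usually has no custom.xml at all, so an empty dict is returned."""
    props = {}
    with zipfile.ZipFile(io.BytesIO(office_bytes)) as zf:
        if "docProps/custom.xml" not in zf.namelist():
            return props
        root = ET.fromstring(zf.read("docProps/custom.xml"))
    for prop in root.findall("{%s}property" % NS_CP):
        # each property holds one typed child (vt:lpwstr, vt:bool, ...); its text is the value
        child = next(iter(prop), None)
        props[prop.get("name")] = (child.text or "") if child is not None else ""
    return props


def pattern_matches(props, pattern):
    """File Property data pattern (step 3): a list of (Name, Value) pairs; the pattern
    matches when any pair is present. Exact string comparison is an assumption here."""
    return any(props.get(name) == value for name, value in pattern)


def classify_file(props, primary, secondary):
    """Per-file verdict from a data profile (step 4). Assumption: a file that matches
    both rules is treated as blocked."""
    if any(pattern_matches(props, p) for p in secondary):
        return "block"
    if any(pattern_matches(props, p) for p in primary):
        return "allow"
    return "no-match"


def session_action(files, primary, secondary):
    """Action for files inspected in one session (e.g. attached to one email):
    any blocked file blocks the whole session; a Primary-only match is Alert
    (incident generated, traffic allowed); no match means the profile does not act."""
    verdicts = [classify_file(read_custom_properties(f), primary, secondary) for f in files]
    if "block" in verdicts:
        return "block"
    if "allow" in verdicts:
        return "alert"
    return "allow"


def make_labeled_doc(label_name):
    """Constructed fixture: a minimal OOXML container holding only docProps/custom.xml
    with the kind of properties an AIP label writes. label_name=None yields an unlabeled file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder part, not a valid Office file
        if label_name is not None:
            prop = '<property fmtid="%s" pid="%d" name="%s"><vt:lpwstr>%s</vt:lpwstr></property>'
            custom = (
                '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                '<Properties xmlns="%s" xmlns:vt="%s">' % (NS_CP, NS_VT)
                + prop % (FMTID_USER, 2, "MSIP_Label_%s_Enabled" % PLACEHOLDER_GUID, "true")
                + prop % (FMTID_USER, 3, "MSIP_Label_%s_Name" % PLACEHOLDER_GUID, label_name)
                + prop % (FMTID_USER, 4, "Sensitivity", label_name)
                + "</Properties>"
            )
            zf.writestr("docProps/custom.xml", custom)
    return buf.getvalue()


# Data profile from step 4: Confidential is allowed (Primary), Highly Confidential is
# blocked (Secondary). Both patterns use the Sensitivity property named in step 3.
PRIMARY = [[("Sensitivity", "Confidential")]]
SECONDARY = [[("Sensitivity", "Highly Confidential")]]

if __name__ == "__main__":
    file1 = make_labeled_doc("Confidential")
    file2 = make_labeled_doc("Highly Confidential")
    print(read_custom_properties(file1))
    print("both files in one email:", session_action([file1, file2], PRIMARY, SECONDARY))
    print("File1 alone:", session_action([file1], PRIMARY, SECONDARY))
    print("File2 alone:", session_action([file2], PRIMARY, SECONDARY))
```

Before testing through the console, run read_custom_properties on the bytes of the file you labeled in step 1: if the Name you entered in the data pattern is not among the properties it returns, the pattern has nothing to match and the verification in step 9 will fail for a reason unrelated to your DLP configuration.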