Solved

DLP is not working for CSV, TXT, JPG & PNG

  • 26 July 2023
  • 5 replies
  • 100 views

Userlevel 2
  • Netskope Partner
  • 10 replies

Hi Community Team,

 

A DLP policy with PCI-DSS profile is placed as top-rule to identify sensitive information in upload & download activities. It is working as expected only with DOCX files. This policy is not working with CSV, TXT, JPG & PNG files. When uploading CSV/TXT files, the policy is not even being hit. I would like enquire with Netskope community if anyone has noticed such issue and how they fixed it.

 

Thanks.

icon

Best answer by Indu 1 August 2023, 08:28

View original

5 replies

Badge +6

Hard to say without any screenshots. Do you have a file profile configured in your DLP profile that could be limiting the rule to specific extensions/file types?

Badge +15

Is this for inline Real-time Protection Policy or API Enabled Protection policy? JPG and PNG formats require OCR which is not currently generally available for RTP. API OCR scanning has certain licensing requirements and is limited to 4MB file size on supported types (BMP, JPG, PNG, and TIFF).

 

As for the CSV, @0x114 makes a good point in that it's hard to advise without seeing your actual config. 

Userlevel 2

Hi @ryans, & @0x114 

we confirmed that JPG & PNG need advanced DLP license, hence not working.

Inspection of CSV & TXT files should work with Standard DLP license, but it is still not working as expected.

We are using RTP (real-time protection policy).

We are using default Payment Card Industry Data Security Standard (PCI-DSS) profile. It doesn't have specific file type extension and hence it should apply to all files.

Here is the copy of the policy.

 

 

Thanks.

 

Userlevel 2

The fix is to apply to DLP-PCI and DLP-PII instead of Payment Card Industry Data Security Standard (PCI-DSS) profile. It is strange behavior and weird fix, but policy is now identifying TXT and CSV files.

Badge +15

@Indu it sounds like your sample data wasn't matching how the rules are defined in the Payment Card Industry Data Security Standard (PCI-DSS) profile. You can look at your DLP Incident details to see what rule was violated in the DLP-PCI profile. My guess is that same rule isn't in Payment Card Industry Data Security Standard (PCI-DSS) or if it is, it's defined slightly differently. 

 

I suggest you review how the DLP rules are built between the two to profiles to better understand the detection logic. The context used in DLP-PCI is a bit more broad in terms of what identifiers are used and what context is matched within those rules. When dealing with structured data such as spreadsheets you should also consider if "record based scanning" and setting Global Identifiers is required. 

Reply