AIP labeled file upload or download does not create DLP incidents
Created On 04/26/25 00:27 AM - Last Modified 04/29/25 21:18 PM
Symptom
No incidents are created when AIP-labeled files are uploaded or downloaded.
Environment
- Prisma Access or Next Gen Firewalls (NGFW)
- Enterprise DLP
- Azure Information Protection (AIP)
Cause
The current DLP design only supports detection of AIP labels and Microsoft-encrypted files; it does not scan the data inside the encrypted files.
Resolution
The following steps configure the DLP data patterns and profiles so that incidents are created.
- Ensure that the “File Property” data pattern is defined as documented.
- Ensure that the AIP labels are defined exactly the same way as they are defined in “File Properties”.
- Ensure that the data profile includes (1) the data pattern with the AIP label and/or (2) the Encrypted - Microsoft AIP and Encrypted - Standard patterns.
- Once the data profiles and patterns are pushed to the firewalls, file uploads or downloads should be blocked.
- To verify, check the incidents in the DLP portal UI; on a match, the snippets will show the detection and the matched AIP labels and Encrypted - Microsoft AIP / Encrypted - Standard patterns.