Asset Level and File Level Filters
  • 18 Mar 2024

Article summary

Define Complex Risks With Ease by Combining File Level and Asset Level Filters

In Prisma Cloud DSPM it is possible to perform a search on the file level in addition to searching on the asset level.
This article explains the distinction between searching for risks on the asset level versus the file level and how a combination of file level and asset level risk can significantly impact the effectiveness of threat detection and mitigation strategies.

When conducting a risk search on the asset level, the focus is on identifying potential threats within entire assets, such as servers, workstations, or databases. For instance, suppose an organization wants to search for credit card information and email addresses across its assets. In this scenario, the search results provide a list of assets, each representing a potential source of risk. These assets, defined in the Inventory page and utilized through filters, serve as the focal point for assessing security risks. When creating a risk, users inquire whether any credit card or email data exists within their assets. Thus, while files within assets may vary in content, the critical concern lies in identifying the presence of credit card or email data at the asset level, rendering file distinctions irrelevant to the query.

When conducting a file level search, the analysis is granular, focusing on individual files rather than entire assets. By creating filters in the Findings By File tab or in the Findings tab of an individual asset, the search fundamentally queries whether specific files contain credit card information, email data, or both. This capability enables users to specify their search criteria for credit card and email data together or individually.

  • The search query is directed at specific files, aiming to identify those containing either or both types of sensitive information.
  • The search results provide a list of files that contain the targeted data.
  • Unlike an asset level search, a file level search pinpoints the specific files containing the required information.
  • It is also essential to consider factors like asset encryption, which may render the contents inaccessible even if the file itself poses a risk.

Combine File Level and Asset Level Filters

By combining file level and asset level filters, users have the capability to consider both files and assets together, as described below:

  1. Identify the files you are interested in by assigning them a label.
  2. Use the label as a filter when defining a risk.
  3. View the assets containing these selected files, thereby integrating insights from both levels to gain better insight into your security situation.
  • Leverage a custom rule that uses the intersection of file level (Label) and asset level (Region) to identify a specific compliance risk.

Example
Use the Data Sovereignty - US PII data saved outside of US regions custom rule to identify data that includes US Sensitive information that is saved in a region outside of the USA.

  • Search for files that may be in breach of data retention regulations and standards.

Example
Use the Data Retention Overdue custom rule to search for files that may be in breach of data retention regulations and standards.

Additional Information

Risk Context

Understanding the context of risk is crucial. Asset-level searches provide a holistic view of potential threats across organizational assets, whereas file level searches offer detailed insights into specific files containing sensitive information.

Encryption Impact

File level searches may encounter challenges when dealing with encrypted assets or files, potentially limiting the efficacy of risk identification.

The approach to risk definition—whether on the asset or file level—impacts the depth and accuracy of threat detection efforts. Organizations should carefully consider their objectives, risk tolerance, and the nature of their data when implementing search strategies within their cybersecurity frameworks. By understanding the nuances between asset level and file level filtering, organizations can tailor their security measures to effectively mitigate threats and safeguard sensitive information.

Perform File Level Filtering

Perform file-level filtering by utilizing Labels.
Labels are established in the Findings page, with all associated filters operating at the file level. Risks, on the other hand, are defined at the asset level. Consequently, filters applied at the asset level only pertain to assets.
By utilizing the Label filter at the asset level, it is possible to create risks focusing exclusively on the file level or integrating data from both the file and asset levels.

Example
Search for files with US Personally Identifiable Information (PII), using a Label filter that contains a list of these data types, that are situated in non-US cloud regions, an intersection that underscores the nuanced approach possible through this feature.

  1. In Prisma Cloud DSPM, go to Risks, and in the Custom Risk thumbnail, click Create.
  2. When prompted, click Go to Inventory. The Inventory page opens.
  3. In the Filter by field, enter the required search parameters. Include the Label filter in your search query to search for specific files.
  4. Click Create Custom Risk to create a custom risk based on the filters you used.

Perform an asset level search to find files containing multiple data types over specific time frames.

Example
Search for files containing credit card information and email addresses:
Create a Custom Risk based on the following search parameters:

  • Labels (All) Public CCs: This query searches for all files assigned the label “Open to the World Credit Cards”
  • Data Types (All) Email Addresses: This query searches for all data types that include email addresses.

Example
Search for assets discovered in the last month that contain sensitive files:
Create a Custom Risk based on the following search parameters:

  • First Discovered < MMDDYY: The First Discovered filter is performed at the asset level, meaning Prisma Cloud DSPM searches for all assets that were first discovered before a specific date.
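The search semantics described in this section and in Combine File Level and Asset Level Filters, as an added example written for this article (it is not Prisma Cloud DSPM code or its API): a constructed inventory of assets and files, an asset level search that returns assets, a file level search that returns files, and a custom risk that intersects a file level Label filter with an asset level predicate. The asset names, regions, discovery dates and the "US PII" label name are assumptions.

```python
# Constructed toy model of asset-level vs file-level filtering (added example, not Prisma Cloud DSPM code).
from dataclasses import dataclass, field
from datetime import date

@dataclass
class File:
    path: str
    data_types: set                      # classifications detected in the file
    labels: set = field(default_factory=set)

@dataclass
class Asset:
    name: str
    region: str
    first_discovered: date
    files: list

# Constructed sample inventory; asset names, regions and label names are illustrative only.
INVENTORY = [
    Asset("bucket-us-east", "us-east-1", date(2024, 3, 10), [
        File("customers.csv", {"Credit Card", "Email Address"},
             {"Open to the World Credit Cards"}),
    ]),
    Asset("blob-eu-west", "eu-west-1", date(2024, 1, 5), [
        File("hr/ssn.xlsx", {"US SSN"}, {"US PII"}),   # "US PII" label name is assumed
    ]),
    Asset("db-ap-south", "ap-south-1", date(2024, 2, 20), [
        File("dump.sql", {"Credit Card"}),
    ]),
]

def asset_level_search(inventory, data_types):
    """Asset level: an asset matches when ANY of its files holds ANY listed type; the file is not reported."""
    return [a.name for a in inventory
            if any(f.data_types & data_types for f in a.files)]

def file_level_search(inventory, data_types, require_all=True):
    """File level: returns the matching files; require_all=True means 'both' types, False means 'either'."""
    return [(a.name, f.path) for a in inventory for f in a.files
            if (data_types <= f.data_types if require_all
                else f.data_types & data_types)]

def custom_risk(inventory, label, asset_pred):
    """Intersection of a file-level Label filter and an asset-level predicate; the result is assets."""
    return [a.name for a in inventory
            if asset_pred(a) and any(label in f.labels for f in a.files)]

def us_pii_outside_us(inventory):
    """'Data Sovereignty - US PII data saved outside of US regions' expressed with custom_risk."""
    return custom_risk(inventory, "US PII", lambda a: not a.region.startswith("us-"))
```

Note that the asset level search reports db-ap-south because one of its files holds credit card data, while the file level search with both types required returns only customers.csv; the custom risk combines the First Discovered style predicate or a region predicate with the Label filter and still reports assets, not files.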
