Ignore non-sensitive Asset Findings
  • 28 Feb 2024
  • 5 Minutes to read
  • PDF

Ignore non-sensitive Asset Findings

  • PDF

Article summary

Overview

A sensitive asset is defined as any asset with Findings that contain confidential information, such as financial data (PII) that could be vulnerable to unauthorized access.

Example of sensitive asset 

Historically, discerning between authentic Findings indicating a sensitive asset and false positives posed a challenge. Consider an instance where an asset, housing a file with 5,000 email addresses, is rightly identified as sensitive.

However, distinguishing this from a scenario where an asset contains a JavaScript file containing a solitary email address of the person who wrote the file and put it online — a case that unequivocally falls under the non-sensitive category — proved to be a complex task until now.

Example of non sensitive Email Data Type. 

Introducing Ignore Rules

To overcome these issues, Prisma Cloud DSPM has introduced a feature that enables customers to apply filters tailored to specific use cases, allowing them to disregard files that were erroneously identified as sensitive due to certain findings. Customers now have the capability to create custom “Ignore Rules”, thereby classifying these files as non-sensitive.
For instance, a customer can formulate an Ignore Rule stipulating that any JavaScript file containing fewer than 5 email addresses should be categorized as non-sensitive, notwithstanding the presence of Findings within them.


Another scenario where sensitivity may not apply involves Data Types that contain lists of countries. Lists of countries, by themselves, are not considered sensitive. Previously, the presence of such files within a bucket would render the entire bucket sensitive. The implementation of the Ignore Rule effectively addresses and resolves this issue.

Create an Ignore Rule

Note

No files are deleted when an Ignore Rule is applied. The files are just marked as Ignore.

Important

When creating an Ignore Rule, it is crucial to include in the Rule configurations to include the "Number of data types = 1" filter.
1.png

This is essential because if a file for example only contains a country data type, it is not inherently sensitive, and an Ignore Rule can be applied. However, in cases where a file contains multiple data types, such as a combination of countries and phone numbers, a blanket ignore may not be appropriate. The solution lies in creating a rule specifying "Number of data types = 1," ensuring selective ignoring of files with a single data type, such as countries, without inadvertently excluding those with additional, potentially sensitive data types, for example credit card information.

If an additional data type is subsequently incorporated into the file, it ceases to be ignored. For instance, if the file initially only featured an email data type, making it eligible for non-sensitive classification and application of the Ignore Rule, the situation changes if credit card numbers are subsequently included in the file. In such cases, the file should no longer be subject to the Ignore Rule to ensure comprehensive sensitivity evaluation.

Create an Ignore Rule in the Inventory window

  1. In the side menu, click Inventory and navigate to the asset you want to apply the Ignore Rule to.
Tip

Apply filters to quickly access the required asset.
Untitled 2.png

  1. Click the asset, and go to the Findings tab.
  2. Apply the Ignore Ruler filters, and click Create Ignore Rule.
  3. In the Add File Ignore Rule pop-up, do the following:
    1. Enter a name for the rule.
    2. Enter a meaningful description.
    3. In the Rule configuration section, If required, click +Add to add more filter criteria, or alternatively delete some of the existing filters.
    4. In the Rule Scope section choose to apply the Ignore Rule to individual assets or across the entire asset inventory.
    5. Click Create. The Ignore Rule you created is added to the list of Classification Rules.
Note

When the Ignore Rule has been applied to all files within a bucket, the files do not appear in the Risks tab as they are no longer categorized as sensitive. Consequently, the Risks tab does not display any files for which the Ignore Rule has been activated.

Create an Ignore Rule in the Findings Window

  1. In the side menu, click Findings and go to the By File tab.
  2. Apply the Ignore Ruler filters, and click Create Ignore Rule.
  3. In the Add File Ignore Rule pop-up, do the following:
    1. Enter a name for the rule.
    2. Enter a meaningful description.
    3. In the Rule configuration section, If required, click +Add to add more filter criteria, or alternatively delete some of the existing filters.
    4. Click Create. The Ignore Rule you created is added to the list of Classification Rules.
Note

The Findings window displays all the assets at the company level, therefore, utilizing this method does not provide the option to selectively apply the Ignore Rule to individual assets or across the entire asset inventory.

Create an Ignore Rule in the Classification Rules Tab

  1. In the side menu, click Settings and go to the Classification Rules tab.
  2. Click Add New.
  3. In the Add File Ignore Rule pop-up, do the following:
    1. Enter a name for the rule.
    2. Enter a meaningful description.
    3. In the Rule configuration section, click +Add to add Ignore Rule criteria.
    4. Click Create.

Identify Ignored Files

In the Findings tab, the "Ignored" column indicates whether a file is marked as True, signifying that it has been ignored, or False, indicating that it has not been subject to the Ignore Rule.

Search for Ignored Files

  1. In the side menu, click Findings and go to the By File tab.
    OR
    In the side menu, click Inventory, navigate to an asset, and go to the Findings tab.
  2. Apply the following filters: Is Ignored = True to display ignored files or Is Ignored = False to display files that aren’t ignored.

Apply search filters in the By File tab

 

Apply search filters in the Findings tab

View Ignore Rules

When you create an Ignore Rule, it is added to the list in the Classification Rules tab.

  1. In the side menu, click Settings and go to the Classification Rules tab.
  2. Use the search filters to look for Ignore Rules according to their created date, the person who created the rule, or by the name of the rule.
  3. Expand the Ignore Rules to view their description.

Edit Ignore Rules

  1. In the side menu, click Settings and go to the Classification Rules tab.
  2. Navigate to the Ignore Rule you want to edit, and click Edit.
  3. In the Edit File Ignore Rule window, edit the Ignore Rule as required.
  4. Optional: Click View in Findings to view the Ignore Rule in the Findings window.
  5. Click Save Changes.

Delete Ignore Rules

  1. In the side menu, click Settings and go to the Classification Rules tab.
  2. Navigate to the Ignore Rule you want to delete, and click the Delete icon.
  3. In the confirmation pop-up, click Delete.

Predefined Ignore Rules

For your convenience, Prisma Cloud DSPM has created the following four predefined Ignore Rules based on frequent occurrences:

Ignore Rule NameDescription
Exclude single non-identifiable data typesIgnore non sensitive data types
Exclude Email addresses found in CSS filesIgnore a handful of emails in CSS files
Exclude Email and IP addresses found in JS filesExclude email addresses in JS files
Exclude Email addresses found in HTML filesExclude email addresses in HTML files
  • To view the predefined Ignore Rules in the side menu, click Settings and go to the Classification Rules tab.
  • It is possible to add, edit, and delete Ignore Rules in the Classification Rules tab.
  • The predefined Ignore Rules can be identified by looking at the Created By column and noting which Ignore Rules were created by Prisma Cloud DSPM.


Was this article helpful?