End User Coaching for Endpoint DLP

1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
3. Install the Prisma Access Agent on Windows or macOS.
4. Log in to Strata Cloud Manager.
5. Enable Autonomous DEM.

   On Strata Cloud Manager, select WorkflowsPrisma Access SetupAccess AgentPrisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.

   Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.

   • Access Experience—Select Install.
   • Display ADEM Update Notification—Check Enable.

6. (macOS only) In the Access Experience UI, select SettingsNotifications and enable Allow notifications.

   This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
7. Configure Enterprise DLP.

   1. Create a decryption profile and policy rule.

      This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
   2. Create custom data patterns to define your match criteria.

      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
   3. Create a data profile and add your data patterns.

      Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
   4. Set up Endpoint DLP.

      1. Add a Peripheral.
      2. Create a Peripheral Group.
      3. Create an Endpoint DLP Policy Rule.
8. Select ManageConfiguration NGFW and Prisma AccessGlobal SettingsUser Coaching Notification Template and create an End User Notification Template.

   The end user notification template defines which DLP Rules generate a notification in the Access Experience UI and the contents of the notification. You should only add DLP Rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates.

   1. For the Product Name, select Endpoint Data Loss Prevention.
   2. Check (enable) Enable Notification Template to enable the template after creation.

      This setting is enabled by default.
   3. Enter a Notification Template Name.
   4. (Optional) Check (enable) High Confidence Detections Only.

      High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.

   5. Add one or more Applied Rules to the notification template.

      You must add at least one Endpoint DLP policy rule to the notification template. The end user notification template defines which Endpoint DLP policy rules generate a notification in the Access Experience UI and the contents of the notification.

      You can View Details for each DLP rule or Endpoint DLP policy rule you add to review the specific inspection details. This includes associated Data Profile, impacted users and peripheral device types, Action, the Incident Assignee, and the Notification email recipient when an Endpoint DLP incident is generated.
   6. Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule.

      The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.

      • [File Name]—File name and extension containing sensitive data blocked by Enterprise DLP.
      • [Transfer Method]—Application user attempted to upload to, download from, or post non-file based content.
      • [Peripheral Type]—Type of peripheral device associated with the Endpoint DLP incident.
      • [Peripheral Name]—Name of the peripheral device associated with the Endpoint DLP incident.
      • [Action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
      • [Policy Name]—Name of the Endpoint DLP policy rule against which the Endpoint DLP incident was generated.

      1. Define the Message Template for File.
         This is the message displayed when traffic matches a Data in Motion Endpoint DLP policy rule.
      2. Define the Message Template for Peripheral Control based detections.
         This is the message displayed when traffic matches a Peripheral Control Endpoint DLP policy rule.
      3. Add a Support Link.
         You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.

9. Save.
10. The user who generated the Endpoint DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.

    A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.