Explore the Enterprise DLP Incident Management Dashboard
Focus
Focus
Enterprise DLP

Explore the Enterprise DLP Incident Management Dashboard

Table of Contents

Explore the Enterprise DLP Incident Management Dashboard

Explore and learn more about the Enterprise Data Loss Prevention (E-DLP) Incident Management dashboard and the available filters and widgets.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Explore the Enterprise Data Loss Prevention (E-DLP) Incident Management dashboard and learn more about the available filters and widgets that allow your data security administrators to aggregate and correlate data security incidents across your various enforcement channels to efficiently apply a consistent security posture.
To navigate to the Incident Management dashboard, select ManageConfigurationData Loss PreventionDLP Incidents.

Incident Management Dashboard Filters

The Incident Management filters allow you to quickly filter the Incidents list displayed in the dashboard. You can apply any combination of the following filters.
  • Time Filter—Filter for incidents generated in the Past 60 Minutes, Past 3 Hours, Past 24 Hours, Past 7 Days, Past 30 Days, or Past 90 Days. You can apply only one filter at a time.
  • Action—Filter for incidents based on the enforcement action taken. You can select Alert, Block, or Quarantine. Additionally, you can select any combination of the available action filters.
  • Severities—Filter for incidents based on the incident severity level. You can select Critical, High, Medium, Low, or Lowest. Additionally, you can select any combination of the available severity filters.
  • Channels—Filter for incidents based on the security enforcement channel where that generated the incident. Email DLP, Endpoint DLP, NGFW, Prisma Access, Prisma Access Browser, or SaaS API. Additionally, you can select any combination of the available channel filters.
  • Data Profile—Filter for incidents that match an Enterprise DLP data profile. The Incident Management dashboard displays all available data profiles and you can select any combination.
  • Data Pattern—Filter for incidents that match an Enterprise DLP data pattern. The Incident Management dashboard displays all available data patterns and you can select any combination.

Incident Management Dashboard Search

Use the Incident Management search to find incident information specific to a single Asset, URL Domain, Report ID, or Source. The search filter applies to all dashboard widgets as well as the Incidents list. You can apply any of the dashboards filters after you search for a specific asset, URL domain, report ID, or source to further investigate a specific incident.

Incident Management Dashboard Widgets

The Incident Management dashboard widgets enable your data security administrators to view summary information for all your data security incidents across all your security channels.
  • Incident Summary Widget
    Shows a summary of all your data security incidents. You can filter
    • Severity—All incidents based on the incident severity (Critical, High, Medium, Low, or Lowest).
    • Priority— All incidents based on the priority assigned during incident case management (P1, P2, P3, P4, P5.
    • Action—All incidents based on the action the security enforcement took (Alert, Block, or Quarantine).
    • Location—All regions where users generated incidents.
    • Channel—All security enforcement points that generated incidents.
  • Top Incident Widget
    Shows the top five incidents Alerted or Blocked by Enterprise DLP. You can filter the top incidents based on the following: the Data Profiles containing the data pattern match criteria or
    • Data Profiles—Shows the top 5 predefined and custom data profiles that contained sensitive data match criteria that generated an incident.
    • Data Patterns—Shows the top 5 predefined or custom data patterns that sensitive data matched against that generated an incident.
  • Violations Widget
    Shows the top five violations. Additionally, the Incident Management dashboard includes a timestamp in Month, Day, HH:MM <AM or PM> <timezone> format describing the last time a user generated an incident.
    • Source—Name of the user who generated.
    • Asset—Name of the asset that contained sensitive data that generated an incident.
    • URL Domain—URL domain name that a user uploaded sensitive data to or downloaded sensitive data from that generated an incident.

Incidents Distribution Over Time Graph

The Incidents Distribution Over Time line graph helps your security administrators by creating a visual representation of Enterprise DLP incidents across all your enforcement channels. This graph helps your data security administrators correlate configuration changes and network activity with corresponding DLP incidents. This helps data security administrators observe data security trends and helps them make decisions to strengthen your organization's security posture and prevent exfiltration of sensitive data. Enterprise DLP updates the graph based on the Incident Management Dashboard Filters you configure.

Incidents List

The Incidents list provides acts as a centralized repository for tracking and managing all incidents that match the Incident Management filters you apply. It plays a crucial role for maintaining an organized and effective approach to managing your data security incidents.
For each incident, the DLP incidents list provides crucial information such as the date and time the incident occurred, the Incident ID, the data profile containing the sensitive match criteria, the asset name, the region where the incident occurred, the user who generated the incident, the severity of the data security incident, the security enforcement channel where the incident was generated, and more. Additionally, you can configure the Incident list settings to hide or display incident information as needed.
The Incident list updates in real time when new users generate new incidents to ensure real-time visibility into incident management. Furthermore, all incidents persist even after a data security administrator resolves the incident to maintain an accurate historical record. This supports your data security administrators in conducting postincident analysis and lessons learned activities.
Data security administrators can download (
) the full list of DLP incidents to their local device in .csv format based on the currently applied filters. This enables your data security administrators to create workflows based on the types of DLP incidents that matter most to your organization.
Click the Incident ID to view incident details and snippets of matched traffic, as well as to perform Incident Case Management.