Manual Incident Case Management

Manually manage incidents in the Incident Management dashboard to efficiently handle security incident resolution across all your security channels.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
  3. Filter the Incident Management dashboard to locate the incident you want to assign and manage.
  4. Perform bulk incident case management for multiple DLP incidents or perform incident case management for a single DLP incident.

Bulk Incident Case Management

Enterprise DLP supports incident case management for multiple DLP incidents at once. Bulk incident management eases the operational overhead of managing many DLP incidents and reduces the time your security administrators spend on Enterprise DLP incident management: they can assign a set of incidents to the same team member, or update the case resolution status of similar DLP incidents, in a single action.
  1. Select one or more Enterprise DLP incidents that you want to manage.
  2. Click Assign To to search for and select a security administrator to assign the incident to.
  3. Click Change Status and designate the most current resolution status.
    Enterprise DLP includes the following predefined incident statuses.
    • New
      Assigned by default to all new DLP incidents.
    • Open
    • Under Investigation
    • Closed
  4. Click Edit Notes to add, edit, review, or delete investigative notes for all selected DLP incidents to provide additional details and updates.
    • Save the new investigative note you added or the changes you made to an existing note.
    • Delete the existing investigative note.
    The investigative note displays no information if you select multiple DLP incidents that don't all have the same note. If a selected DLP incident already has a note, adding a new note for multiple DLP incidents overwrites the existing note. Enterprise DLP prompts the security administrator to confirm when overwriting an existing note.
    For example, you have three DLP incidents: Incident1, Incident2, and Incident3. Your security administrator added the note QA Testing Fix to Incident1 and Incident2, and the note Waiting for Customer Response to Incident3.
    Later, the security administrator selects Incident1, Incident2, and Incident3 and adds the note Fix Verified; Pending Release. This new note overwrites the existing notes for all three incidents.

Individual Incident Case Management

  1. Click the Incident ID for the Enterprise DLP incident you want to manage.
    Enterprise DLP redirects you to the DLP incident details page.
  2. In the Assign To field, search for and select a security administrator to assign the incident to.
    Enterprise DLP displays all users who have access to the Strata Cloud Manager tenant, regardless of their assigned role. Palo Alto Networks recommends that you enable role-based access to ensure you don't over-provision access to Enterprise DLP.
  3. Select the incident Priority level.
    You can select P1 (highest), P2, P3, P4, P5 (lowest).
  4. Select the Status to designate the most current resolution status.
    Enterprise DLP includes the following predefined incident statuses.
    • New
      Assigned by default to all new DLP incidents.
    • Open
    • Under Investigation
    • Closed
  5. In the Notes section, add investigative notes to provide additional details and updates.
    If a security administrator already added a note to a DLP incident, adding a new note using bulk incident management overwrites the existing note. Enterprise DLP prompts the security administrator to confirm when overwriting an existing note.
    For example, you have three DLP incidents: Incident1, Incident2, and Incident3. Your security administrator added the note QA Testing Fix to Incident1 and Incident2 using bulk incident management, and the note Waiting for Customer Response to Incident3.
    Later, the security administrator selects Incident1, Incident2, and Incident3 and adds the note Fix Verified; Pending Release. This new note overwrites the existing notes for all three incidents.
  6. Save.
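The following script is an added illustration (not Palo Alto Networks or Strata Cloud Manager code) that models the case-management rules described in both the bulk and the individual procedures above: assignment, the predefined status set, the P1 to P5 priority scale, the rule that the Edit Notes field shows nothing when the selected incidents do not all carry the same note, and the confirm-before-overwrite behaviour for notes. Class, function and field names (`Incident`, `edit_notes`, `history`, and so on) are assumptions made for the example; the audit trail on each incident is also an assumption, added because a defender reviewing a bulk overwrite will want to know what was replaced.

```python
"""Model of the Enterprise DLP incident case-management rules on this page.
Added example; the names below are assumptions, not the product's API."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Predefined statuses listed on the page; "New" is assigned by default.
STATUSES = ("New", "Open", "Under Investigation", "Closed")
# Priority levels listed on the page: P1 is highest, P5 is lowest.
PRIORITIES = ("P1", "P2", "P3", "P4", "P5")


@dataclass
class Incident:
    incident_id: str
    assignee: Optional[str] = None
    status: str = "New"
    priority: Optional[str] = None
    note: Optional[str] = None
    # Assumed audit trail so an overwritten note is not silently lost.
    history: List[str] = field(default_factory=list)


def assign(incidents: List[Incident], admin: str) -> None:
    """Bulk 'Assign To': every selected incident goes to the same administrator."""
    for inc in incidents:
        inc.history.append(f"assignee {inc.assignee!r} -> {admin!r}")
        inc.assignee = admin


def change_status(incidents: List[Incident], status: str) -> None:
    """Bulk 'Change Status'; only the predefined statuses are accepted."""
    if status not in STATUSES:
        raise ValueError(f"unknown status {status!r}; expected one of {STATUSES}")
    for inc in incidents:
        inc.history.append(f"status {inc.status!r} -> {status!r}")
        inc.status = status


def set_priority(inc: Incident, priority: str) -> None:
    """Priority is set per incident on the details page (P1 highest, P5 lowest)."""
    if priority not in PRIORITIES:
        raise ValueError(f"unknown priority {priority!r}; expected one of {PRIORITIES}")
    inc.history.append(f"priority {inc.priority!r} -> {priority!r}")
    inc.priority = priority


def displayed_note(incidents: List[Incident]) -> Optional[str]:
    """The Edit Notes field shows a note only when all selected incidents share it."""
    notes = {inc.note for inc in incidents}
    return notes.pop() if len(notes) == 1 else None


def edit_notes(incidents: List[Incident], note: str,
               confirm: Callable[[List[str]], bool]) -> bool:
    """Bulk note update. A new note overwrites every existing note on the
    selection, so the administrator is asked to confirm when any selected
    incident already has one. Returns True if the note was written."""
    already_noted = [inc.incident_id for inc in incidents if inc.note is not None]
    if already_noted and not confirm(already_noted):
        return False
    for inc in incidents:
        inc.history.append(f"note {inc.note!r} -> {note!r}")
        inc.note = note
    return True


def worked_example(confirm_overwrite: bool = True) -> Dict[str, Optional[str]]:
    """Replays the Incident1/Incident2/Incident3 note example from the page and
    returns the resulting note per incident."""
    incs = [Incident("Incident1"), Incident("Incident2"), Incident("Incident3")]
    edit_notes(incs[:2], "QA Testing Fix", confirm=lambda ids: True)
    edit_notes(incs[2:], "Waiting for Customer Response", confirm=lambda ids: True)
    # Selecting all three now shows no note, because the notes differ.
    edit_notes(incs, "Fix Verified; Pending Release",
               confirm=lambda ids: confirm_overwrite)
    return {inc.incident_id: inc.note for inc in incs}


if __name__ == "__main__":
    print(worked_example(confirm_overwrite=True))
    print(worked_example(confirm_overwrite=False))
```

Running the script prints the outcome for both answers to the overwrite prompt: confirming replaces all three notes with Fix Verified; Pending Release, while declining leaves the original QA Testing Fix and Waiting for Customer Response notes untouched. The `confirm` callback stands in for the dashboard's confirmation dialog so the rule can be exercised without a UI.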