>
    Set Up Enterprise DLP End User Alerting with Cortex XSOAR
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Configure Enterprise DLP
    4. Enterprise DLP End User Alerting with Cortex XSOAR
    5. Set Up Enterprise DLP End User Alerting with Cortex XSOAR
    Download PDF
    Enterprise DLP

    Set Up Enterprise DLP End User Alerting with Cortex XSOAR

    Table of Contents

    Set Up Enterprise DLP End User Alerting with Cortex XSOAR

    Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting.
    Where Can I Use This?What Do I Need?
    • NGFW (Managed by Panorama or Strata Cloud Manager)
    • Prisma Access (Managed by Panorama or Strata Cloud Manager)
    • Enterprise Data Loss Prevention (E-DLP) license
      Review the Supported Platforms for details on the required license for each enforcement point.
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    • Data Security license
    Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use the Enterprise DLP End User Alerting.
    (Slack) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Slack alerts, you need to integrate your preferred IP address directory service to map IP addresses to emails to allow for automatic messages to be sent on Slack. After integration, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integration allows the DLP cloud service to automate sending Slack messages to team members who upload a file that matches your data profiles.
    (Microsoft Teams) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and Enterprise DLP with Cortex XSOAR. This is integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.
    (Email) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to integrate your preferred IP address directory service and Enterprise DLP with Cortex XSOAR. This is integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.
    After you successfully integrate Slack, Microsoft Teams, or your Email provider and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Strata Cloud Manager and configure the End User Alerting settings as needed.

    Slack

    Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.
    1. Integrate your preferred IP address directory service using one of the following procedures.
    2. Enable Slack Integration with XSOAR.
    3. Enable Mail Send Integration with XSOAR.
    4. Configure Enterprise DLP authentication.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
        If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
        The Client ID and Client Secret are used for authentication.
        When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
      • Panorama (Not TSG-enabled)
        1. Log in to the DLP app on the hub.
          If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
        2. Select API and Create Token.
        3. Enter a descriptive Token Name and Create the access token.
        4. Copy the Access Token and Refresh Token and save them in a secure location.
    5. Enable Enterprise DLP on Cortex XSOAR.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        1. Add the Client Credentials to Cortex XSOAR.
          1. On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
          2. Enter a descriptive Credential Name.
          3. For the Username, enter the Client ID created in the previous step.
          4. For the Password, enter the Client Secret created in the previous step.
          5. Save.
        2. Select MarketplaceBrowse and search for Enterprise DLP.
        3. Install the Enterprise DLP content pack.
        4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
          Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
          1. Select a descriptive Name.
          2. For the Incident Type, verify Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          3. for the Mapper, verify that Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          4. Click Switch to credentials.
          5. Enter the Client Credentials generated in the previous step.
          6. Check (enable) Long running instance.
          7. (Optional) Modify the automated Slack Bot Message.
          8. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
            A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
      • Panorama (Not TSG-enabled)
        1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
        2. Install the Enterprise DLP content pack.
        3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
          Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
          1. Select a descriptive Name.
          2. For the Incident Type, verify Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          3. for the Mapper, verify that Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          4. Add the Access Token and Refresh Token you created in the previous step.
          5. Check (enable) Long running instance.
          6. (Optional) Modify the automated Slack Bot Message.
          7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
            A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    6. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
      1. In Dashboard & Reports, select Playbooks.
      2. Select DLP Incident Feedback LoopsPlaybook Triggered.
      3. Configure the Cortex XSOAR playbook.
        • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
        • For the UserMessageApp, verify Slack is displayed.
        • For the ApproverMessageApp, enter Slack.
        • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
      4. Save.
    7. Confirm the Cortex XSOAR integration with Enterprise DLP.
      • Strata Cloud Manager andPrisma Access (Managed by Panorama) (TSG-enabled)
        1. Log in to Strata Cloud Manager.
        2. Select ManageConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
      • Panorama (Not TSG-enabled)
        1. Log in to the DLP app on the hub.
          If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
        2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
    8. Configure the End User Alerting with Cortex XSOAR exemption settings.
      1. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure the Exemption Duration.
        The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
      2. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure whether to Include Snippets in Message.
        You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Slack.

    Microsoft Teams

    Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Microsoft Teams.
    1. Set up the prerequisites needed to begin integrating Microsoft Teams with Cortex XSOAR.
      1. Integrate referred IP address directory service using one of the following procedures.
      2. Create the Demisto Bot in Microsoft Teams.
      3. Grant the Demisto Bot Permissions in Microsoft Graph.
      4. Configure Microsoft Teams on .
      5. Add the Demisto Bot to a Team.
    2. Integrate Microsoft Teams with Cortex XSOAR.
      You can use one of the following methods based on your preferences.
    3. Configure Enterprise DLP authentication.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
        If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
        The Client ID and Client Secret are used for authentication.
        When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
      • Panorama (Not TSG-enabled)
        1. Log in to the DLP app on the hub.
          If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
        2. Select API and Create Token.
        3. Enter a descriptive Token Name and Create the access token.
        4. Copy the Access Token and Refresh Token and save them in a secure location.
    4. Enable Enterprise DLP on Cortex XSOAR.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        1. Add the Client Credentials to Cortex XSOAR.
          1. On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
          2. Enter a descriptive Credential Name.
          3. For the Username, enter the Client ID created in the previous step.
          4. For the Password, enter the Client Secret created in the previous step.
          5. Save.
        2. Select MarketplaceBrowse and search for Enterprise DLP.
        3. Install the Enterprise DLP content pack.
        4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
          Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
          1. Select a descriptive Name.
          2. For the Incident Type, verify Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          3. for the Mapper, verify that Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          4. Click Switch to credentials.
          5. Enter the Client Credentials generated in the previous step.
          6. Check (enable) Long running instance.
          7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
            A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
      • Panorama (Not TSG-enabled)
        1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
        2. Install the Enterprise DLP content pack.
        3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
          Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
          1. Select a descriptive Name.
          2. For the Incident Type, verify Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          3. for the Mapper, verify that Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          4. Add the Access Token and Refresh Token you created in the previous step.
          5. Check (enable) Long running instance.
          6. (Optional) Modify the automated Slack Bot Message.
          7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
            A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    5. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
      1. In Dashboard & Reports, select Playbooks.
      2. Select DLP Incident Feedback LoopsPlaybook Triggered.
      3. Configure the Cortex XSOAR playbook.
        • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
        • For the UserMessageApp, verify Microsoft Teams is displayed.
        • For the ApproverMessageApp, enter Microsoft Teams.
        • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
      4. Save.
    6. Confirm the Cortex XSOAR integration with Enterprise DLP.
      • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
        1. Log in to Strata Cloud Manager.
        2. Select ManageConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
      • Panorama (Not TSG-enabled)
        1. Log in to the DLP app on the hub.
          If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
        2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
    7. Configure the End User Alerting with Cortex XSOAR exemption settings.
      1. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure the Exemption Duration.
        The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
      2. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure whether to Include Snippets in Message.
        You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.

    Email

    Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Email.
    1. Integrate referred IP address directory service using one of the following procedures.
    2. Configure Enterprise DLP authentication.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
        If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
        The Client ID and Client Secret are used for authentication.
        When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
      • Panorama (Not TSG-enabled)
        1. Log in to the DLP app on the hub.
          If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
        2. Select API and Create Token.
        3. Enter a descriptive Token Name and Create the access token.
        4. Copy the Access Token and Refresh Token and save them in a secure location.
    3. Enable Enterprise DLP on Cortex XSOAR.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        1. Add the Client Credentials to Cortex XSOAR.
          1. On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
          2. Enter a descriptive Credential Name.
          3. For the Username, enter the Client ID created in the previous step.
          4. For the Password, enter the Client Secret created in the previous step.
          5. Save.
        2. Select MarketplaceBrowse and search for Enterprise DLP.
        3. Install the Enterprise DLP content pack.
        4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
          Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
          1. Select a descriptive Name.
          2. For the Incident Type, verify Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          3. for the Mapper, verify that Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          4. Click Switch to credentials.
          5. Enter the Client Credentials generated in the previous step.
          6. Check (enable) Long running instance.
          7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
            A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
      • Panorama (Not TSG-enabled)
        1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
        2. Install the Enterprise DLP content pack.
        3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
          Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
          1. Select a descriptive Name.
          2. For the Incident Type, verify Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          3. for the Mapper, verify that Data Loss Prevention is selected.
            If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
          4. Add the Access Token and Refresh Token you created in the previous step.
          5. Check (enable) Long running instance.
          6. (Optional) Modify the automated Slack Bot Message.
          7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
            A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    4. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
      1. In Dashboard & Reports, select Playbooks.
      2. Select DLP Incident Feedback LoopsPlaybook Triggered.
      3. Configure the Cortex XSOAR playbook.
        • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
        • For the UserMessageApp, verify Email is displayed.
        • For the ApproverMessageApp, enter Email.
        • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
      4. Save.
    5. Confirm the Cortex XSOAR integration with Enterprise DLP.
      • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
        1. Log in to Strata Cloud Manager.
        2. Select ManageConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
      • Panorama (Not TSG-enabled)
        1. Log in to the DLP app on the hub.
          If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
        2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
    6. Configure the End User Alerting with Cortex XSOAR exemption settings.
      1. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure the Exemption Duration.
        The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
      2. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure whether to Include Snippets in Message.
        You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.

    © 2024 Palo Alto Networks, Inc. All rights reserved.