Set Up Enterprise DLP End User Alerting with Cortex XSOAR
Focus
Focus
Enterprise DLP

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Table of Contents

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
Or any of the following licenses that include the Enterprise DLP license
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use the Enterprise DLP End User Alerting.
(Slack) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Slack alerts, you need to integrate your preferred IP address directory service to map IP addresses to emails to allow for automatic messages to be sent on Slack. After integration, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integration allows the DLP cloud service to automate sending Slack messages to team members who upload a file that matches your data profiles.
(Microsoft Teams) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and Enterprise DLP with Cortex XSOAR. This is integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.
(Email) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to integrate your preferred IP address directory service and Enterprise DLP with Cortex XSOAR. This is integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.
After you successfully integrate Slack, Microsoft Teams, or your Email provider and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on Strata Cloud Manager and configure the End User Alerting settings as needed.

Slack

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.
  1. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  2. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select MarketplaceBrowse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. for the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. (Optional) Modify the automated Slack Bot Message.
        8. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. for the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  3. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback LoopsPlaybook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Slack is displayed.
      • For the ApproverMessageApp, enter Slack.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
    4. Save.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager andPrisma Access (Managed by Panorama) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select ManageConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure the Exemption Duration.
      The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
    2. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Slack.

Microsoft Teams

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Microsoft Teams.
  1. Integrate Microsoft Teams with Cortex XSOAR.
    You can use one of the following methods based on your preferences.
  2. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  3. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select MarketplaceBrowse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. for the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. for the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  4. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback LoopsPlaybook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Microsoft Teams is displayed.
      • For the ApproverMessageApp, enter Microsoft Teams.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
    4. Save.
  5. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select ManageConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  6. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure the Exemption Duration.
      The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
    2. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.

Email

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Email.
  1. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  2. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select MarketplaceBrowse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. for the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. for the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  3. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback LoopsPlaybook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Email is displayed.
      • For the ApproverMessageApp, enter Email.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
    4. Save.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select ManageConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure the Exemption Duration.
      The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
    2. Select ManageConfigurationData Loss PreventionSettingsAlertsConfiguration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.