About Inspection of Contextual Secrets
Use Enterprise Data Loss Prevention (E-DLP) to inspect contextual messages to detect and prevent
exfiltration of passwords communicated through chat-based applications.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding
service IP addresses to improve performance and expand availability for these services globally.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (Managed by Panorama or Strata Cloud Manager); Prisma Access (Managed by Panorama or Strata Cloud Manager); Prisma Browser | Enterprise Data Loss Prevention (E-DLP) license, or any of the following licenses that include the Enterprise DLP license: Prisma Access CASB license; Next-Generation CASB for Prisma Access and NGFW (CASB-X) license; Data Security license |
Use Enterprise Data Loss Prevention (E-DLP) to inspect contextual chat messages to monitor sharing of
sensitive passwords over chat-based applications. Enterprise DLP uses contextual messages to
understand instances where a password might have been shared. When Enterprise DLP detects that a
password was shared, a DLP Incident is generated that displays a snippet of the response containing
the password.
Which Chat Applications Are Supported?
The Slack V2 chat application is currently supported for inspection of contextual secrets.
Which Data Patterns and Profiles Detect Passwords?
Data Patterns:
Data Profiles
A data profile containing the Application Credentials data pattern.
What Kind of Contextual Messages Are Supported?
Enterprise DLP supports inspection of one contextual message and one immediate
response message containing a password in a private channel or public channel, and
includes inspection of threaded replies. For Enterprise DLP to detect a shared
password, the response message containing the password must be sent within 60
minutes of the contextual message. Review the Contextual Chat Examples
for more information on the types of contextual messages that trigger inspection by
Enterprise DLP.
For example, James asks Justin for a password. At 8:45 AM, Justin responds with the
password James requested. At 10:11 AM, Justin again replies but this time in a
threaded response to the contextual message and shares a second password. In this
example, Enterprise DLP is able to detect and generate a DLP Incident when
Justin shares with James the first password at 8:45 AM.
However, Enterprise DLP can’t detect the second password Justin shared with
James because the contextual message was already associated with the first response
message and the second threaded response exceeds the 60-minute time limit.
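A small model of the pairing rule described above, added here as an example; it is not Palo Alto Networks code and does not reproduce how Enterprise DLP works internally. It takes messages already labelled as contextual or secret-bearing and lists the replies that fall outside the documented scope, so they can be covered by other review. The `Msg` type, the `coverage_gaps` and `at` helpers, the labels, and the 08:40 ask time are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=60)  # time limit stated on this page

@dataclass
class Msg:
    ts: datetime
    sender: str
    kind: str  # constructed labels: "context" (asks for a password), "secret", "other"

def coverage_gaps(messages):
    """Return (msg, reasons) for secret-bearing replies outside the documented scope.

    Assumption: a reply is matched to the most recent contextual message before
    it, whether it was posted in the channel or as a threaded reply.
    """
    gaps = []
    context = None   # latest contextual message seen so far
    paired = False   # assumption: any first reply consumes the context
    for m in sorted(messages, key=lambda x: x.ts):
        if m.kind == "context":
            context, paired = m, False
        elif m.kind == "secret":
            reasons = []
            if context is None:
                reasons.append("no preceding contextual message")
            else:
                if paired:
                    reasons.append("context already associated with an earlier response")
                if m.ts - context.ts > WINDOW:
                    reasons.append("sent more than 60 minutes after the context")
                paired = True
            if reasons:
                gaps.append((m, reasons))
    return gaps

def at(hhmm):
    """Build a timestamp on an arbitrary constructed date."""
    return datetime.strptime("2025-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed timeline for the James/Justin example; 08:40 is an assumed ask time.
SAMPLE = [
    Msg(at("08:40"), "James", "context"),
    Msg(at("08:45"), "Justin", "secret"),  # first response, inside the window
    Msg(at("10:11"), "Justin", "secret"),  # threaded reply with a second password
]

if __name__ == "__main__":
    for msg, reasons in coverage_gaps(SAMPLE):
        print(msg.ts.strftime("%H:%M"), msg.sender, "->", "; ".join(reasons))
```
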
The contextual message, and the password shared in response to a contextual message, must
be in text format for Enterprise DLP to detect and generate a DLP Incident. Enterprise DLP
can’t detect if a password was shared in a response to a contextual message if: