>
    Strata Copilot
    End User Coaching
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Administration
    4. Monitor Enterprise DLP
    5. End User Coaching
    Download PDF
    Enterprise DLP

    End User Coaching

    Table of Contents

    End User Coaching

    Create an end user notification template to generate a notification in the Access Experience User Interface for a user when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP incident.
    On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.
    You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • One of the following:
      • GlobalProtect
      • Prisma Access Agent
    • Enterprise Data Loss Prevention (E-DLP) license
    • Prisma Access Mobile Users License
    • Prisma Access license
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    End User Coaching allows you to display notifications to your users in the Access Experience User Interface (UI) when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP incident.
    To determine what is considered sensitive data, you add one or more Inline DLP Rules or Endpoint DLP Rules. These rules contain the traffic match criteria that define what is considered sensitive data. For the Inline DLP Rules, the rule name is derived from the Enterprise DLP data profile of the same name. For the Endpoint DLP Rules, it's based on the name you configured when you created the policy rule. Additionally, you can configure custom messages for when an Enterprise DLP or Endpoint DLP incident is generated. After an incident is generated, the user who generated the incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    Access Experience User Interface displays only one notification per DLP incident in a 30 second period regardless of how many times the user generates the same incident. For example, a user attempts to upload a file containing sensitive data to the Box Web app and Enterprise DLP blocks the upload. The user then immediately tries to upload the same file 5 more times but is blocked each time. In this case only one Access Experience alert is generated even though the user was blocked from uploading a file containing sensitive date to the Box Web app 6 total times.
    Enterprise DLP supports requesting and granting exceptions for DLP incidents generated for Enterprise DLP only. End users can't request, and data security administrators can't grant, exceptions for DLP incidents generated for Endpoint DLP.

    Set Up End User Coaching for Enterprise DLP

    Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Enterprise Data Loss Prevention (E-DLP) incident.
    1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
    2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
    3. Install the GlobalProtect app or Prisma Access Agent.
      • GlobalProtect—App version 6.2.7 or later on Windows or macOS
      • Prisma Access AgentInstall the Prisma Access Agent on Windows or macOS
    4. Log in to Strata Cloud Manager.
    5. Enable Autonomous DEM.
      • GlobalProtect
        (GlobalProtect only) On Strata Cloud Manager, select ConfigurationNGFW & Prisma AccessConfiguration ScopeGlobalProtectGlobalProtect App and Add App Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
        (GlobalProtect and Prisma Access Agent) On Strata Cloud Manager, select ConfigurationNGFW & Prisma AccessConfiguration ScopeAccess AgentGlobalProtect App and Add App Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
        Configure the following required App Configuration settings. Configure the rest of the GlobalProtect settings as needed.
        • Check (enable) Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
        • Select Show Advanced OptionsApp and check (enable) Display ADEM Updates Notification Message
        • Select Show Advanced OptionsUser Behavior and for the DEM for Prisma Access (Windows and Mac Only) setting, select Install and User Can’t Enable or Disable DEM
        • Select Show Advanced OptionsUser Behavior and for the DEM for Prisma Access version 6.3 and above (Windows and Mac Only) setting, select Install the Agent
      • Prisma Access Agent
        On Strata Cloud Manager, select ConfigurationNGFW & Prisma AccessConfiguration ScopeAccess AgentPrisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
        Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.
        • Access Experience—Select Install.
        • Display ADEM Update Notification—Check Enable.
    6. (macOS only) In the Access Experience UI, select SettingsNotifications and enable Allow notifications.
      You must enable this setting in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
    7. Configure Enterprise DLP.
      1. Create a decryption profile and policy rule.
        Enterprise DLP requires a decryption rule to decrypt and inspect traffic for sensitive data.
      2. Create custom data patterns to define your match criteria.
        Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
      3. Create a data profile and add your data patterns.
        Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP rule Action.
      4. Modify the DLP rule.
        • When modifying the DLP rule, you must set the Action to Alert or Block. This is required to generate alerts in the Access Experience UI.
        • Add the DLP rule to a Profile Group and attach the Profile Group to a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI.
    8. Select Configuration NGFW and Prisma Access and in the Configuration Scope, select Global
    9. Select Setup and edit the End User Coaching Notification Template.
      The end user notification template defines which DLP rules generate a notification in the Access Experience UI and the contents of the notification. You should only add DLP rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI. You can add a single DLP rule to multiple User Coaching Notification Templates.
      1. For the Product Name, select Inline Data Loss Prevention.
      2. Check (enable) Enable Notification Template to enable the template after creation.
        This setting is enabled by default.
      3. Enter a Notification Template Name.
      4. (Optional) Enter a Description
      5. Configure whether end users can request an exemption when they generate a DLP incident.
        End User Coaching exemptions give the end user the opportunity to provide context or business justification for traffic that generates an Alert or Block DLP incident. This enables your data security administrator to refine DLP rules, or an opportunity to describe if the DLP incident is a false positive detection.
        • Exemption Settings
          • Allow Exemption Requests—Allows end users to request a temporary exemption from the DLP rule that generated an Alert or Block DLP incident.
          • Allow Feedback on Alert—Allows the end user to submit feedback when they request an exemption for an Alert DLP incident.
            Select Allowed to make feedback on an exemption for an Alert DLP rule optional. Select Required to require feedback on an exemption for an Alert DLP rule.
          • Allow Feedback on Block—Allows the end user to submit feedback when they request an exemption for a file that generated a Block DLP incident.
            Select Allowed to make feedback on an exemption for a Block DLP rule optional. Select Required to require feedback on an exemption for a Block DLP rule.
      6. (Optional) Check (enable) High Confidence Detections Only.
        High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, the ML models calculate the confidence level.
      7. Add one or more Applied Rules to the notification template.
        Add at least one DLP rule to the notification template. The end user notification template defines which DLP rules generate a notification in the Access Experience UI and the contents of the notification. Only add DLP rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI. You can add a single DLP rule to multiple User Coaching Notification Templates.
        You can View Details for each DLP rule or Endpoint DLP policy rule you add to review the specific inspection details. This includes the traffic inspection Direction, applicable File Type, Action, and whether the DLP rule is inspecting for File Based Match Criteria, Non-File Based Match Criteria, or both.
      8. Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP rule.
        The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. Include the brackets for each variable.
        • [file name]—File name and extension containing sensitive data blocked by Enterprise DLP.
        • (File Based only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
        • [app name]—Application user attempted to upload to, download from, or post non-file based content.
          When you add the [app name], Autonomous DEM also displays the URL domain for the app associated with the DLP incident.
        • [action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
        1. Define the Message Template for File based detections.
          Skip this step if the DLP rule isn't configured for file-based detections.
        2. Define the Message Template for Non-File based detections.
          Skip this step if the DLP rule isn't configured for non-file based detections.
        3. Add a Support Link.
          You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
    10. Save.
    11. The user who generated the Enterprise DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
      A Data Security notification is displayed for seven days. There is no limit to the number of notifications displayed.

    End User Coaching for Endpoint DLP

    Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Endpoint DLP incident.
    1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
    2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
    3. Install the Prisma Access Agent on Windows or macOS.
    4. Log in to Strata Cloud Manager.
    5. Enable Autonomous DEM.
      On Strata Cloud Manager, select ConfigurationNGFW & Prisma AccessConfiguration ScopeAccess AgentPrisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.
      • Access Experience—Select Install.
      • Display ADEM Update Notification—Check Enable.
    6. (macOS only) In the Access Experience UI, select SettingsNotifications and enable Allow notifications.
      This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
    7. Configure Enterprise DLP.
      1. Create a decryption profile and policy rule.
        Enterprise DLP requires a decryption rule to decrypt and inspect traffic for sensitive data.
      2. Create custom data patterns to define your match criteria.
        Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
      3. Create a data profile and add your data patterns.
        Only custom data profiles are supported. By default, all predefined DLP rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP rule Action.
      4. Set up Endpoint DLP.
        1. Add a Peripheral.
        2. Create a Peripheral Group.
        3. Create an Endpoint DLP Policy Rule.
    8. Select Configuration NGFW and Prisma Access and in the Configuration Scope, select Global
    9. Select Setup and edit the End User Coaching Notification Template.
      The end user notification template defines which DLP rules generate a notification in the Access Experience UI and the contents of the notification. You should only add DLP rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI. A single DLP rule can be added to multiple User Coaching Notification Templates.
      1. For the Product Name, select Endpoint Data Loss Prevention.
      2. Check (enable) Enable Notification Template to enable the template after creation.
        This setting is enabled by default.
      3. Enter a Notification Template Name.
      4. (Optional) Check (enable) High Confidence Detections Only.
        High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.
      5. Add one or more Applied Rules to the notification template.
        You must add at least one Endpoint DLP policy rule to the notification template. The end user notification template defines which Endpoint DLP policy rules generate a notification in the Access Experience UI and the contents of the notification.
        You can View Details for each DLP rule or Endpoint DLP policy rule you add to review the specific inspection details. This includes associated Data Profile, impacted users and peripheral device types, Action, the Incident Assignee, and the Notification email recipient when an Endpoint DLP incident is generated.
      6. Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP rule.
        The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.
        • [File Name]—File name and extension containing sensitive data blocked by Enterprise DLP.
        • [Transfer Method]—Application user attempted to upload to, download from, or post non-file based content.
        • [Peripheral Type]—Type of peripheral device associated with the Endpoint DLP incident.
        • [Peripheral Name]—Name of the peripheral device associated with the Endpoint DLP incident.
        • [Action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
        • [Policy Name]—Name of the Endpoint DLP policy rule against which the Endpoint DLP incident was generated.
        1. Define the Message Template for File.
          This is the message displayed when traffic matches a Data in Motion Endpoint DLP policy rule.
        2. Define the Message Template for Peripheral Control based detections.
          This is the message displayed when traffic matches a Peripheral Control Endpoint DLP policy rule.
        3. Add a Support Link.
          You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
    10. Save.
    11. The user who generated the Endpoint DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
      A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.

    Request an End User Coaching Exemption

    Request an exemption for traffic that generated an Alert or Block DLP incident using End User Coaching.
    Your security administrator must configure the End User Coaching notification template to allow exemption requests for traffic that generated an Alert or Block DLP incident.
    The end user who generated the DLP incident must request the exemption from the endpoint that generated the incident.
    1. On the endpoint, open Access Experience User Interface.
    2. Navigate to the Data Security notification you want to submit an exemption for.
      A Data Security notification with a red incident status means the notification is pending and requires the end user's review. The incident status remains red until the end user submits an exemption request or feedback.
    3. Check (enable) Request an exemption and enter the business justification or reason for why your data security administrator should grant the exemption.
      The request to provide feedback depends on how your data security administrator configured the End User Coaching notification template. For auditing purposes, Palo Alto Networks recommends end users provide a business justification or reason for all exemption requests.
      Submit the exemption request.
    4. The incident status for the Data Security notification turns to orange after submitting the exemption request. Wait for your data security administrator to review your pending exemption request.
    5. Return to the Access Experience User Interface to review your exemption request status. The data security incident status turns to green after your data security administrator grants or denies your exemption request.
      If your data security administrator granted the exemption request, the exemption expiration timestamp (date and time) displays for the data security incident. You can now reattempt the activity that generated the DLP incident that was granted an exemption.

    Review an End User Coaching Exemption

    Data security administrators can review an exemption for traffic that generated an Alert or Block DLP incident using End User Coaching to allow or deny an exemption for the end user.
    1. Log in to Strata Cloud Manager.
    2. Select ConfigurationData Loss PreventionDLP Incidents and review your Enterprise DLP incidents.
    3. In the Incidents list, review the Response Status column and locate the DLP incidents with an Exception requested.
    4. Click the Incident ID for the DLP incident to view the incident details.
    5. The Response Management section displays the following information.
      • Request Date—Date end user requested an exemption from the DLP rule that blocked a file upload.
        Format is YYYY-Month-DD HH:MM:SS UTC.
      • Requested By—User-ID for the end user that requested the exemption. User-ID derived from GlobalProtect or Prisma Access Agent user mapping.
    6. In the Response Management section, respond to the exemption request.
      • Approve—Grants the end user an exemption for the specific traffic that generated the DLP incident. The end user can now reattempt the traffic that generated the DLP incident.
      • Deny—Denies the end user an exemption for the specific traffic that generated the DLP incident.
      • No Change—Selected by default when an end user requests an exemption but the exemption has not been approved or denied by an admin.
    7. Save.

    © 2026 Palo Alto Networks, Inc. All rights reserved.