>
    End User Coaching
    Focus
    Download PDF
    Focus
    1. Home
    2. Enterprise DLP
    3. Monitor Enterprise DLP
    4. End User Coaching
    Download PDF
    Enterprise DLP

    End User Coaching

    Table of Contents

    End User Coaching

    Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP incident.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • GlobalProtect app version 6.3 or later
    • Enterprise Data Loss Prevention (E-DLP) license
    • Prisma Access Mobile Users License
    • Prisma Access license
    Or any of the following licenses that include the Enterprise DLP license
    • Prisma Access CASB license
    • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
    End User Coaching allows you to display notifications to your users in the Access Experience User Interface (UI) when they generate an Enterprise Data Loss Prevention (E-DLP) or Endpoint DLP incident.
    To determine what is considered sensitive data, you add one or more Inline DLP Rules or Endpoint DLP Rules. These rules contain the traffic match criteria that define what is considered sensitive data. For the Inline DLP Rules, the rule name is derived from the Enterprise DLP data profile of the same name. For the Endpoint DLP Rules, it is based on the name you configured when you created the policy rule. Additionally, you can configure custom messages for when an Enterprise DLP or Endpoint DLP incident is generated. After an incident is generated, the user who generated the incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    Only one notification is displayed per DLP incident in a 30 second period regardless of how many times the user generates the same incident. For example, a user attempts to upload a file containing sensitive data to the Box Web application and Enterprise DLP blocks the upload. The user then immediately tries to upload the same file 5 more times but is blocked each time. In this case only one Access Experience alert is generated even though the user was blocked from uploading a file containing sensitive date to the Box Web application 6 total times.

    End User Coaching for Enterprise DLP

    Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Enterprise Data Loss Prevention (E-DLP) incident.
    1. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
    2. Install the GlobalProtect app version 6.3 or later on Windows or macOS.
    3. Log in to Strata Cloud Manager.
    4. Enable Autonomous DEM.
      On Strata Cloud Manager, select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App and Add App Settings. You must configure these required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      • Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
      • DEM for Prisma Access (Windows and Mac Only)—Select Install and User Cannot Enable or Disable DEM
      • DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the Agent
    5. (macOS only) In the Access Experience UI, select SettingsNotifications and enable Allow notifications.
      This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
    6. Configure Enterprise DLP.
      1. Create a decryption profile and policy rule.
        This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
      2. Create custom data patterns to define your match criteria.
        Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
      3. Create a data profile and add your data patterns.
        Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
      4. Modify the DLP Rule.
        • When modifying the DLP Rule, you must set the Action to Block. This is required to generate alerts in the Access Experience UI. No alerts are displayed if the Action is set to Alert.
        • Add the DLP Rule to a Profile Group and attach the Profile Group to a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI.
    7. Select ManageConfiguration NGFW and Prisma AccessGlobal SettingsUser Coaching Notification Template and create an End User Notification Template.
      The end user notification template defines which DLP Rules generate a notification in the Access Experience UI and the contents of the notification. You should only add DLP Rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates.
      1. For the Product Name, select Inline Data Loss Prevention.
      2. Check (enable) Enable Notification Template to enable the template after creation.
        This setting is enabled by default.
      3. Enter a Notification Template Name.
      4. (Optional) Check (enable) High Confidence Detections Only.
        High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.
      5. Add one or more Applied Rules to the notification template.
        You must add at least one DLP Rule to the notification template. The end user notification template defines which DLP Rules generate a notification in the Access Experience UI and the contents of the notification. You should only add DLP Rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates
        You can View Details for each DLP rule or Endpoint DLP policy rule you add to review the specific inspection details. This includes the traffic inspection Direction, applicable File Type, Action, and whether the DLP Rule is inspecting for File Based Match Criteria, Non-File Based Match Criteria, or both.
      6. Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule.
        The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.
        • [file name]—File name and extension containing sensitive data blocked by Enterprise DLP.
        • (File Based only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
        • [app name]—Application user attempted to upload to, download from, or post non-file based content.
        • [action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
        1. Define the Message Template for File based detections.
          Skip this step if the DLP Rule isn't configured for file based detections.
        2. Define the Message Template for Non-File based detections.
          Skip this step if the DLP Rule isn't configured for non-file based detections.
        3. Add a Support Link.
          You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
    8. Save.
    9. The user who generated the Enterprise DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
      A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.

    End User Coaching for Endpoint DLP

    Create an end user notification template to generate a notification in Access Experience User Interface for a user when they generate an Endpoint DLP incident.
    1. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
    2. Install the GlobalProtect app version 6.3 or later on Windows or macOS.
    3. Log in to Strata Cloud Manager.
    4. Enable Autonomous DEM.
      On Strata Cloud Manager, select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App and Add App Settings. You must configure these required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
      • Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
      • DEM for Prisma Access (Windows and Mac Only)—Select Install and User Cannot Enable or Disable DEM
      • DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the Agent
    5. (macOS only) In the Access Experience UI, select SettingsNotifications and enable Allow notifications.
      This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
    6. Configure Enterprise DLP.
      1. Create a decryption profile and policy rule.
        This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
      2. Create custom data patterns to define your match criteria.
        Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
      3. Create a data profile and add your data patterns.
        Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
      4. Set up Endpoint DLP.
        1. Add a Peripheral.
        2. Create a Peripheral Group.
        3. Create an Endpoint DLP Policy Rule.
    7. Select ManageConfiguration NGFW and Prisma AccessGlobal SettingsUser Coaching Notification Template and create an End User Notification Template.
      The end user notification template defines which DLP Rules generate a notification in the Access Experience UI and the contents of the notification. You should only add DLP Rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates.
      1. For the Product Name, select Endpoint Data Loss Prevention.
      2. Check (enable) Enable Notification Template to enable the template after creation.
        This setting is enabled by default.
      3. Enter a Notification Template Name.
      4. (Optional) Check (enable) High Confidence Detections Only.
        High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.
      5. Add one or more Applied Rules to the notification template.
        You must add at least one Endpoint DLP policy rule to the notification template. The end user notification template defines which Endpoint DLP policy rules generate a notification in the Access Experience UI and the contents of the notification.
        You can View Details for each DLP rule or Endpoint DLP policy rule you add to review the specific inspection details. This includes associated Data Profile, impacted users and peripheral device types, Action, the Incident Assignee, and the Notification email recipient when an Endpoint DLP incident is generated.
      6. Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule.
        The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.
        • [File Name]—File name and extension containing sensitive data blocked by Enterprise DLP.
        • [Transfer Method]—Application user attempted to upload to, download from, or post non-file based content.
        • [Peripheral Type]—Type of peripheral device associated with the Endpoint DLP incident.
        • [Peripheral Name]—Name of the peripheral device associated with the Endpoint DLP incident.
        • [Action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
        • [Policy Name]—Name of the Endpoint DLP policy rule against which the Endpoint DLP incident was generated.
        1. Define the Message Template for File.
          This is the message displayed when traffic matches a Data in Motion Endpoint DLP policy rule.
        2. Define the Message Template for Peripheral Control based detections.
          This is the message displayed when traffic matches a Peripheral Control Endpoint DLP policy rule.
        3. Add a Support Link.
          You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
    8. Save.
    9. The user who generated the Endpoint DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
      A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.

    © 2025 Palo Alto Networks, Inc. All rights reserved.