Enterprise DLP
Incident Case Management
Manage incidents in the Incident Management dashboard to efficiently handle security
incident resolution across all your security channels.
On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP
addresses to improve performance and expand availability for these services
globally.
You must allow these new service IP addresses on your network
to avoid disruptions for these services. Review the Enterprise DLP
Release Notes for more
information.
Where Can I Use This? | What Do I Need? |
---|---|
NGFW (Managed by Panorama or Strata Cloud Manager) | Enterprise Data Loss Prevention (E-DLP) license. Review the Supported Platforms for details on the required license for each enforcement point. |
Prisma Access (Managed by Panorama or Strata Cloud Manager) | Or any of the following licenses that include the Enterprise DLP license: Prisma Access CASB license; Next-Generation CASB for Prisma Access and NGFW (CASB-X) license; Data Security license |
Palo Alto Networks released the Unified Incident Manager
for Enterprise DLP on June 28, 2025 for new Enterprise DLP
users to enhance the way your data security administrators can manage your Enterprise DLP incidents.
If you're an existing Enterprise DLP user as of June 28, 2025, Palo Alto Networks will deploy the new Unified Incident Manager to your tenant
soon. Until then continue to use the Existing DLP incident management
workflow.
You can manage incidents in the Incident Management dashboard to efficiently handle
security incident resolution across all your security channels. It employs a
dedicated tracking system to manage incidents throughout their lifecycle,
categorizing them by priority level to prioritize your response efforts. The
Incident Management dashboard maintains a comprehensive record of each incident,
from initial detection to resolution and post-incident analysis. The Incident
Management dashboard supports defined workflows, ensuring consistent incident
handling across the organization, while providing collaboration tools for team
communication. Integration with other security tools streamlines the response
process, and strict access controls protect sensitive incident information. Regular
reviews of the incident management process drive continuous improvement based on
past experiences and evolving best practices. The Incident Management dashboard
offers a centralized and adaptable framework for managing security incidents,
ultimately enhancing the organization's overall security posture and incident
response capabilities.
Enterprise DLP supports two ways to manage your Enterprise DLP
incidents.
- Manual—Your security admins can manually assign, manage, and resolve an Enterprise DLP incident. You can use the Incident Management dashboard to manage a single DLP incident or select multiple DLP incidents and perform bulk management of similar DLP incidents.
- Automatic—Your security admin can create Enterprise DLP incident management rules to assign, manage, and resolve multiple Enterprise DLP incidents that match the incident scope configured in the automation rule. Enterprise DLP supports multiple automation rules. Automatic incident management rules take up to 5 minutes to take effect after creation, and they apply only to new DLP incidents generated after you create the rule, not to DLP incidents that existed before you created the rule.
Manual Incident Case Management
Manually manage incidents in the Incident Management dashboard to efficiently handle
security incident resolution across all your security channels.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
3. Filter the Incident Management dashboard to locate the incident you want to assign and manage.
4. Perform bulk incident case management for multiple DLP incidents or perform incident case management for a single DLP incident.
Bulk Incident Case Management
Enterprise DLP supports incident case management for multiple DLP incidents. Bulk incident management eases the operational overhead of managing multiple DLP incidents and reduces the time your security administrators spend on Enterprise DLP incident management: they can assign several DLP incidents to the same team member, or update the case resolution status of similar DLP incidents, in a single action.
1. Select one or more Enterprise DLP incidents that you want to manage.
2. Click Assign To to search for and select a security administrator to assign the incidents to.
3. Click Change Status and designate the most current resolution status. Enterprise DLP includes the following predefined incident statuses.
   - New (assigned by default to all new DLP incidents)
   - Open
   - Under Investigation
   - Closed
4. Click Edit Notes to add, edit, review, or delete investigative notes for all selected DLP incidents to provide additional details and updates.
   - Save the new investigative note you added or the existing note you edited.
   - Delete the existing investigative note.
   The investigative note displays no information if you select multiple DLP incidents that don't all have the same note. If a selected DLP incident already has a note, adding a new note for multiple DLP incidents overwrites the existing note. Enterprise DLP prompts the security administrator to confirm before overwriting an existing note.
   For example, you have three DLP incidents—Incident1, Incident2, and Incident3. Your security admin added the note QA Testing Fix for Incident1 and Incident2, and Waiting for Customer Response for Incident3. Later, the security administrator selects Incident1, Incident2, and Incident3 and adds the note Fix Verified; Pending Release. This new note overwrites the existing notes for all three incidents.
Individual Incident Case Management
1. Click the Incident ID for the Enterprise DLP incident you want to manage. Enterprise DLP redirects you to the DLP incident details page.
2. In the Assign To field, search for and select a security administrator to assign the incident to. Enterprise DLP displays all users who have access to the Strata Cloud Manager tenant regardless of the role assigned. Palo Alto Networks recommends you enable role-based access to ensure you don't over-provision access to Enterprise DLP.
3. Select the incident Priority level. You can select P1 (highest), P2, P3, P4, or P5 (lowest).
4. Select the Status to designate the most current resolution status. Enterprise DLP includes the following predefined incident statuses.
   - New (assigned by default to all new DLP incidents)
   - Open
   - Under Investigation
   - Closed
5. In the Notes section, add investigative notes to provide additional details and updates. If a security administrator already added a note to a DLP incident, adding a new note using bulk incident management overwrites the existing note. Enterprise DLP prompts the security administrator to confirm before overwriting an existing note.
   For example, you have three DLP incidents—Incident1, Incident2, and Incident3. Your security admin added the note QA Testing Fix for Incident1 and Incident2 using bulk incident management, and Waiting for Customer Response for Incident3. Later, the security administrator selects Incident1, Incident2, and Incident3 and adds the note Fix Verified; Pending Release. This new note overwrites the existing notes for all three incidents.
6. Save.
Automatic Incident Case Management
Automatically manage incidents in the Incident Management dashboard to efficiently handle security incident resolution across all your security channels.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Incident Automation and Add Automation.
3. Configure the Basic Information for the case management automation rule.
   - Enter a descriptive Name for the case management automation rule.
   - (Optional) Enter a Description for the case management automation rule.
   - Keep the case management automation rule Enabled (default) after successful creation or toggle to disable the rule after creation.
   - Click Next to continue.
4. Configure the Enterprise DLP incident Scope to define which incidents the case management automation rule applies to. You apply filters to narrow down and define the Enterprise DLP incident scope. Enterprise DLP displays a preview of the recent Enterprise DLP incidents that match the rule so that you can verify you configured the rule scope correctly. The preview is for verification only: the case management automation rule is not retroactive and applies only to future Enterprise DLP incidents.
   Click Add Filter to apply any combination of the following filters. Enterprise DLP supports selecting multiple filter options from each type of filter.
   - Action—Action taken by Enterprise DLP; Alert, Block, and Quarantine.
   - Severities—Severity of the Enterprise DLP incident; Critical, High, Medium, Low, and Lowest.
   - Channels—Enforcement channel where the Enterprise DLP incident occurred; Email DLP, Endpoint DLP, NGFW, Prisma Access, Prisma Access Browser, and SaaS API (Data Security).
   - Data Profile—All predefined and custom Enterprise DLP data profiles.
   - Data Pattern—All predefined and custom Enterprise DLP data patterns.
   - Regions—Region where the Enterprise DLP incident occurred.
   In addition to the custom filters, you can specify a Data Asset or URL Domain against which Enterprise DLP incidents are generated. You can enter a specific Data Asset or URL Domain in addition to custom filters, or apply no custom filters and specify only a Data Asset or URL Domain. Enterprise DLP supports only one Data Asset or one URL Domain per rule. Enterprise DLP requires at least one filter, Data Asset, or URL Domain to create the case management automation rule. Click Next to continue.
5. Define the Automated Actions Enterprise DLP takes when a user generates an Enterprise DLP incident that matches the case management automation rule.
   - For the Assign to field, search for and select the incident case manager you want to assign all incidents that match the automation rule to. The user must have access to Strata Cloud Manager.
   - For the Set Status to field, select the resolution status you want to apply to the incident. You can select New (default), Open, Under Investigation, or Closed.
   - For the Set Priority to field, select the case priority you want to apply to the incident. You can select P1 (highest), P2, P3, P4, or P5 (lowest).
   - (Optional) Enter any Notes to describe the automatic case assignment for the Enterprise DLP incident.
   - Click Next to continue.
6. Review the case management automation rule Summary and Save. You can Edit any of the case management automation rule configuration settings if you notice any errors during your review.
7. Select Manage > Configuration > Data Loss Prevention > Settings > Incident Automation and verify Enterprise DLP successfully created your new case management automation rule.
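As an added illustration (not code from this page or from Palo Alto Networks), the following Python model evaluates a case management automation rule against constructed incidents the way the Scope and Automated Actions steps above describe: any listed value matches within one filter type, every configured filter type must match, a rule takes at most one Data Asset or URL Domain and needs at least one scope element, and incidents generated before the rule was created are left untouched. The dict-based incident and its field names are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Scope filter types from the Add Filter step; each may hold several accepted values.
FILTER_TYPES = ("action", "severity", "channel", "data_profile", "data_pattern", "region")


@dataclass
class AutomationRule:
    name: str
    created_at: datetime
    assign_to: str
    set_status: str = "New"
    set_priority: str = ""
    notes: str = ""
    enabled: bool = True
    filters: dict = field(default_factory=dict)  # filter type -> set of accepted values
    data_asset: str = ""
    url_domain: str = ""

    def __post_init__(self):
        if self.data_asset and self.url_domain:
            raise ValueError("a rule takes only one Data Asset or one URL Domain")
        if not (self.filters or self.data_asset or self.url_domain):
            raise ValueError("at least one filter, Data Asset, or URL Domain is required")
        if set(self.filters) - set(FILTER_TYPES):
            raise ValueError("unknown filter type")

    def matches(self, inc: dict) -> bool:
        # Rules are not retroactive: incidents generated before the rule are never touched.
        if not self.enabled or inc["created_at"] < self.created_at:
            return False
        # Within one filter type any listed value matches; across types every filter must match.
        if any(inc.get(k) not in allowed for k, allowed in self.filters.items()):
            return False
        if self.data_asset and inc.get("data_asset") != self.data_asset:
            return False
        return not self.url_domain or inc.get("url_domain") == self.url_domain

    def apply(self, inc: dict) -> bool:
        """Apply the Automated Actions to a matching incident; returns True when applied."""
        if not self.matches(inc):
            return False
        inc["assignee"], inc["status"] = self.assign_to, self.set_status
        if self.set_priority:
            inc["priority"] = self.set_priority
        if self.notes:
            inc["notes"] = self.notes
        return True


def new_incident(incident_id, created_at, **attrs):
    # Constructed sample incident; New is the default status of every new incident.
    return {"incident_id": incident_id, "created_at": created_at, "status": "New", **attrs}
```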
Manage Enterprise DLP Incidents
Assign and manage Enterprise Data Loss Prevention (E-DLP) incident escalations.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
3. View your Enterprise DLP incidents.
4. (Optional) Add New Filter to filter the Enterprise DLP incidents.
5. Select one or more Incidents and Assign To a team member. You can search and assign an incident to an existing user or type a new name to Create User. If you create a new user, the user must have access to Strata Cloud Manager.
6. Change Resolution as your team works to resolve the incident that triggered Enterprise DLP enforcement. You can select one of the predefined incident resolution statuses or type a new resolution status to Create Tag.
7. For additional auditing and clarity for your team members, you can Edit Notes to provide further details. Save after you finish providing the additional information in your notes. The existing note is overwritten if you save a new note. Delete the note if it is no longer needed.