Enterprise DLP
Automatic Incident Case Management
Automatically manage incidents in the Incident Management dashboard to efficiently
handle security incident resolution across all your security channels.
1. Log in to Strata Cloud Manager.
2. Select Manage > Configuration > Data Loss Prevention > Settings > Incident Automation and Add Automation.
3. Configure the Basic Information for the case management automation rule.
   - Enter a descriptive Name for the case management automation rule.
   - (Optional) Enter a Description for the case management automation rule.
   - Keep the case management automation rule Enabled (default) after successful creation or toggle to disable the rule after creation.
   - Click Next to continue.
4. Configure the Enterprise DLP incident Scope to define which incidents the case management automation rule applies to.
   You apply filters to narrow down and define the Enterprise DLP incident scope. Enterprise DLP displays a preview of the recent Enterprise DLP incidents that match the rule so you can verify that you configured the rule scope correctly. The case management automation rule applies only to future Enterprise DLP incidents, not retroactively to existing ones.
   - Click Add Filter to apply any combination of the following filters. Enterprise DLP supports selecting multiple filter options from each type of filter.
     - Action—Action taken by Enterprise DLP: Alert, Block, and Quarantine.
     - Severities—Severity of the Enterprise DLP incident: Critical, High, Medium, Low, and Lowest.
     - Channels—Enforcement channel where the Enterprise DLP incident occurred: Email DLP, Endpoint DLP, NGFW, Prisma Access, Prisma Access Browser, and SaaS API (Data Security).
     - Data Profile—All predefined and custom Enterprise DLP profiles.
     - Data Pattern—All predefined and custom Enterprise DLP data patterns.
     - Regions—Region where the Enterprise DLP incident occurred.
   - In addition to the custom filters, you can specify a Data Asset or URL Domain against which Enterprise DLP incidents are generated. You can enter a specific Data Asset or URL Domain in addition to custom filters, or not apply any custom filters and specify only a Data Asset or URL Domain.
     Enterprise DLP supports only one Data Asset or one URL Domain.
     Enterprise DLP requires you to add at least one filter, Data Asset, or URL Domain to create the case management automation rule.
   - Click Next to continue.
5. Define the Automated Actions Enterprise DLP takes when a user generates an Enterprise DLP incident that matches the case management automation rule.
   - For the Assign to field, search for and select the incident case manager to whom you want to assign all incidents that match the automation rule.
     The user must have access to Strata Cloud Manager.
   - For the Set Status to field, select the resolution status you want to apply to the incident. You can select New (default), Open, Under Investigation, or Closed.
   - For the Set Priority to field, select the case priority you want to apply to the incident. You can select P1 (highest), P2, P3, P4, or P5 (lowest).
   - (Optional) Enter any Notes to describe the automatic case assignment for the Enterprise DLP incident.
   - Click Next to continue.
6. Review the case management automation rule Summary and Save.
   You can Edit any of the case management automation rule configuration settings if you notice any errors during your review.
7. Select Manage > Configuration > Data Loss Prevention > Settings > Incident Automation and verify that Enterprise DLP successfully created your new case management automation rule.