Enterprise DLP
Set Up Enterprise DLP End User Alerting with Cortex XSOAR
Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting.
Where Can I Use This? | What Do I Need? |
---|---|
| Or any of the following licenses that include the Enterprise DLP license |
Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use the Enterprise DLP End User Alerting.
- (Slack) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Slack alerts, you need to integrate your preferred IP address directory service to map IP addresses to emails to allow for automatic messages to be sent on Slack. After integration, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integration allows the DLP cloud service to automate sending Slack messages to team members who upload a file that matches your data profiles.
- (Microsoft Teams) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.
- (Email) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to integrate your preferred IP address directory service and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.
After you successfully integrate Slack, Microsoft Teams, or your email provider and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Strata Cloud Manager and configure the End User Alerting settings as needed.
Slack
Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.
- Integrate your preferred IP address directory service using one of the following procedures.
- Configure Enterprise DLP authentication.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
    If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
    The Client ID and Client Secret are used for authentication.
    When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
  - Panorama (Not TSG-enabled)
    - Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select API and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location.
- Enable Enterprise DLP on Cortex XSOAR.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    - Add the Client Credentials to Cortex XSOAR.
      - On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
      - Enter a descriptive Credential Name.
      - For the Username, enter the Client ID created in the previous step.
      - For the Password, enter the Client Secret created in the previous step.
      - Save.
    - Select Marketplace > Browse and search for Enterprise DLP.
    - Install the Enterprise DLP content pack.
    - Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      - Select a descriptive Name.
      - For the Incident Type, verify Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - For the Mapper, verify that Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - Click Switch to credentials.
      - Enter the Client Credentials generated in the previous step.
      - Check (enable) Long running instance.
      - (Optional) Modify the automated Slack Bot Message.
      - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  - Panorama (Not TSG-enabled)
    - On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
    - Install the Enterprise DLP content pack.
    - Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      - Select a descriptive Name.
      - For the Incident Type, verify Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - For the Mapper, verify that Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - Add the Access Token and Refresh Token you created in the previous step.
      - Check (enable) Long running instance.
      - (Optional) Modify the automated Slack Bot Message.
      - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
- Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
  - In Dashboard & Reports, select Playbooks.
  - Select DLP Incident Feedback Loops > Playbook Triggered.
  - Configure the Cortex XSOAR playbook.
    - For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
    - For the UserMessageApp, verify Slack is displayed.
    - For the ApproverMessageApp, enter Slack.
    - (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
  - Save.
- Confirm the Cortex XSOAR integration with Enterprise DLP.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    - Log in to Strata Cloud Manager.
    - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
  - Panorama (Not TSG-enabled)
    - Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select Settings and check (enable) Confirm the status for XSOAR Integration.
- Configure the End User Alerting with Cortex XSOAR exemption settings.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
    The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
    You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Slack.
Microsoft Teams
Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Microsoft Teams.
- Set up the prerequisites needed to begin integrating Microsoft Teams with Cortex XSOAR.
- Integrate your preferred IP address directory service using one of the following procedures.
- Integrate Microsoft Teams with Cortex XSOAR.
  You can use one of the following methods based on your preferences.
- Configure Enterprise DLP authentication.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
    If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
    The Client ID and Client Secret are used for authentication.
    When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
  - Panorama (Not TSG-enabled)
    - Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select API and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location.
- Enable Enterprise DLP on Cortex XSOAR.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    - Add the Client Credentials to Cortex XSOAR.
      - On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
      - Enter a descriptive Credential Name.
      - For the Username, enter the Client ID created in the previous step.
      - For the Password, enter the Client Secret created in the previous step.
      - Save.
    - Select Marketplace > Browse and search for Enterprise DLP.
    - Install the Enterprise DLP content pack.
    - Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      - Select a descriptive Name.
      - For the Incident Type, verify Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - For the Mapper, verify that Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - Click Switch to credentials.
      - Enter the Client Credentials generated in the previous step.
      - Check (enable) Long running instance.
      - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  - Panorama (Not TSG-enabled)
    - On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
    - Install the Enterprise DLP content pack.
    - Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      - Select a descriptive Name.
      - For the Incident Type, verify Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - For the Mapper, verify that Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - Add the Access Token and Refresh Token you created in the previous step.
      - Check (enable) Long running instance.
      - (Optional) Modify the automated Slack Bot Message.
      - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
- Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
  - In Dashboard & Reports, select Playbooks.
  - Select DLP Incident Feedback Loops > Playbook Triggered.
  - Configure the Cortex XSOAR playbook.
    - For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
    - For the UserMessageApp, verify Microsoft Teams is displayed.
    - For the ApproverMessageApp, enter Microsoft Teams.
    - (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
  - Save.
- Confirm the Cortex XSOAR integration with Enterprise DLP.
  - Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
    - Log in to Strata Cloud Manager.
    - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
  - Panorama (Not TSG-enabled)
    - Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select Settings and check (enable) Confirm the status for XSOAR Integration.
- Configure the End User Alerting with Cortex XSOAR exemption settings.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
    The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
    You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.
Email
Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Email.
- Integrate your preferred IP address directory service using one of the following procedures.
- Configure Enterprise DLP authentication.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
    If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
    The Client ID and Client Secret are used for authentication.
    When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
  - Panorama (Not TSG-enabled)
    - Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select API and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location.
- Enable Enterprise DLP on Cortex XSOAR.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    - Add the Client Credentials to Cortex XSOAR.
      - On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
      - Enter a descriptive Credential Name.
      - For the Username, enter the Client ID created in the previous step.
      - For the Password, enter the Client Secret created in the previous step.
      - Save.
    - Select Marketplace > Browse and search for Enterprise DLP.
    - Install the Enterprise DLP content pack.
    - Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      - Select a descriptive Name.
      - For the Incident Type, verify Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - For the Mapper, verify that Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - Click Switch to credentials.
      - Enter the Client Credentials generated in the previous step.
      - Check (enable) Long running instance.
      - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  - Panorama (Not TSG-enabled)
    - On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
    - Install the Enterprise DLP content pack.
    - Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      - Select a descriptive Name.
      - For the Incident Type, verify Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - For the Mapper, verify that Data Loss Prevention is selected.
        If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
      - Add the Access Token and Refresh Token you created in the previous step.
      - Check (enable) Long running instance.
      - (Optional) Modify the automated Slack Bot Message.
      - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
- Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
  - In Dashboard & Reports, select Playbooks.
  - Select DLP Incident Feedback Loops > Playbook Triggered.
  - Configure the Cortex XSOAR playbook.
    - For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
    - For the UserMessageApp, verify Email is displayed.
    - For the ApproverMessageApp, enter Email.
    - (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
  - Save.
- Confirm the Cortex XSOAR integration with Enterprise DLP.
  - Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
    - Log in to Strata Cloud Manager.
    - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
  - Panorama (Not TSG-enabled)
    - Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select Settings and check (enable) Confirm the status for XSOAR Integration.
- Configure the End User Alerting with Cortex XSOAR exemption settings.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
    The file that prompted the End User Alerting with Cortex XSOAR notification that was exempted can be uploaded for the duration of the exemption duration. The default is 12 hours.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
    You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.
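The settings configured in the three procedures above (ApprovalTarget, Exemption Duration, Include Snippets in Message) interact as sketched in the following Python model, which is an added example and not Palo Alto Networks or Cortex XSOAR code. The class names, the incident fields, the constructed directory entry, and keying an exemption on the file's SHA-256 are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import timedelta

@dataclass
class AlertSettings:
    exemption_hours: int = 12         # Exemption Duration (default stated on the page)
    include_snippets: bool = False    # Include Snippets in Message: Off by default
    approval_target: str = "Manager"  # ApprovalTarget playbook input

@dataclass
class Incident:                       # hypothetical incident shape (assumption)
    source_ip: str
    file_sha256: str
    data_profile: str
    snippet: str

# Constructed directory data: IP address -> user email and manager email.
DIRECTORY = {"10.0.0.5": {"email": "alice@example.com", "manager": "bob@example.com"}}

@dataclass
class AlertingModel:
    settings: AlertSettings
    directory: dict
    exemptions: dict = field(default_factory=dict)  # file_sha256 -> expiry time

    def build_alert(self, inc):
        """Return (recipient, text), or None when the IP maps to no user."""
        user = self.directory.get(inc.source_ip)
        if user is None:
            return None               # unmapped IP: there is nobody to alert
        text = f"Upload blocked: file matched data profile '{inc.data_profile}'."
        if self.settings.include_snippets:
            text += f" Matched data: {inc.snippet}"
        return user["email"], text

    def approver_for(self, inc):
        """Return who receives the exemption request, or None."""
        user = self.directory.get(inc.source_ip)
        if user is None or self.settings.approval_target != "Manager":
            return None
        return user["manager"]

    def record_decision(self, inc, approved, now):
        """An approval opens an exemption for this file only; a denial opens none."""
        if approved:
            window = timedelta(hours=self.settings.exemption_hours)
            self.exemptions[inc.file_sha256] = now + window
        return approved

    def upload_allowed(self, file_sha256, now):
        """True only while an unexpired exemption exists for this exact file."""
        expiry = self.exemptions.get(file_sha256)
        return expiry is not None and now < expiry
```

With Include Snippets in Message left Off, the sensitive match never enters the chat or mail channel, and an IP address missing from the directory service produces no alert at all, which is why the directory integration is the first step of each procedure.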