Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Email

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Email.
Where Can I Use This?
  • Panorama
  • Strata Cloud Manager
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • Cortex XSOAR license
  • (Panorama) Device management license
  • (Panorama) Support license
  • (Strata Cloud Manager) Prisma Access license
  • (Strata Cloud Manager) AIOps for NGFW Premium license
  • (Strata Cloud Manager) AIOps for NGFW Free license
To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to integrate your preferred IP address directory service and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.
After you successfully integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Strata Cloud Manager and configure the End User Alerting settings as needed.
  1. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  2. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select Marketplace > Browse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  3. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback Loops > Playbook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Email is displayed.
      • For the ApproverMessageApp, enter Email.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
    4. Save.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
      The exempted file that prompted the End User Alerting with Cortex XSOAR notification can be uploaded for the length of the Exemption Duration. The default is 12 hours.
    2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.
