Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Microsoft Teams

Set up XSOAR to leverage Enterprise data loss prevention (DLP) End User Alerting for Microsoft Teams.
To set up Enterprise data loss prevention (DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.
After you successfully integrate Microsoft Teams and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Prisma Access (Cloud Managed) and configure the End User Alerting settings as needed.
  1. Integrate Microsoft Teams with Cortex XSOAR.
  2. Create the API access token.
    • DLP app on the hub
    1. Log in to the DLP app on the hub.
      If you do not already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. Select API and Create Token.
    3. Enter a descriptive Token Name and Create the access token.
    4. Copy the Access Token and Refresh Token and save them in a secure location.
    • Prisma Access (Cloud Managed)
    1. Select Configuration > Security Services > Data Loss Prevention > Settings > API Tokens and Create Token.
    2. Enter a descriptive Token Name and Create the access token.
    3. Copy the Access Token and Refresh Token and save them in a secure location.
      The access and refresh tokens are displayed only once after initial creation and cannot be viewed again. If you lose the access or refresh tokens, you must create a new access token.
  3. Enable Enterprise DLP on Cortex XSOAR.
    1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
    2. Install the Enterprise DLP content pack.
    3. Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      1. Select a descriptive Name.
      2. Add the Access Token and Refresh Token you created in the previous step.
      3. Check (enable) Long running instance.
      4. (Optional) Add any data profiles to exclude from End User Alerting.
        Files that match data profiles added here are not offered block exemptions to the user who uploaded the file.
      5. (Optional) Modify the automated Teams Bot Message.
      6. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    4. Save & Exit.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed)
    1. Log in to the DLP app on the hub.
      If you do not already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
    • Prisma Access (Cloud Managed)
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
      An exempted file (the file that prompted the End User Alerting with Cortex XSOAR notification) can be uploaded for the length of the exemption duration. The default is 12 hours.
    2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.
