Focus

Enterprise DLP

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Table of Contents

About Enterprise DLP End User Alerting with Cortex XSOAR

Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting.

On May 7, 2025, Palo Alto Networks is introducing new Evidence Storage and Syslog Forwarding service IP addresses to improve performance and expand availability for these services globally.

You must allow these new service IP addresses on your network to avoid disruptions for these services. Review the Enterprise DLP Release Notes for more information.

Where Can I Use This?	What Do I Need?
NGFW (Managed by Panorama or Strata Cloud Manager) Prisma Access (Managed by Panorama or Strata Cloud Manager) Prisma Browser	Enterprise Data Loss Prevention (E-DLP) license Review the Supported Platforms for details on the required license for each enforcement point. Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license Data Security license

Where Can I Use This?

What Do I Need?

NGFW (Managed by Panorama or Strata Cloud Manager)
Prisma Access (Managed by Panorama or Strata Cloud Manager)
Prisma Browser

Enterprise Data Loss Prevention (E-DLP) license
Review the Supported Platforms for details on the required license for each enforcement point.

Or any of the following licenses that include the Enterprise DLP license

Prisma Access CASB license
Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
Data Security license

Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use the Enterprise DLP End User Alerting.

(Slack) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Slack alerts, you need to integrate your preferred IP address directory service to map IP addresses to emails to allow for automatic messages to be sent on Slack. After integration, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integration allows the DLP cloud service to automate sending Slack messages to team members who upload a file that matches your data profiles.

(Microsoft Teams) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and Enterprise DLP with Cortex XSOAR. This is integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.

(Email) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to integrate your preferred IP address directory service and Enterprise DLP with Cortex XSOAR. This is integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.

After you successfully integrate Slack, Microsoft Teams, or your Email provider and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on Strata Cloud Manager and configure the End User Alerting settings as needed.

Slack

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.

Integrate your preferred IP address directory service using one of the following procedures.
Enable Slack Integration with XSOAR.
Configure Enterprise DLP authentication.
- Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
  Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
  
  If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
  
  The Client ID and Client Secret are used for authentication.
  When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
- Panorama (Not TSG-enabled)
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select API and Create Token.
  3. Enter a descriptive Token Name and Create the access token.
  4. Copy the Access Token and Refresh Token and save them in a secure location.
Enable Enterprise DLP on Cortex XSOAR.
- Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
  1. Add the Client Credentials to Cortex XSOAR.
    On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
    Enter a descriptive Credential Name.
    For the Username, enter the Client ID created in the previous step.
    For the Password, enter the Client Secret created in the previous step.
    Save.
  2. Select MarketplaceBrowse and search for Enterprise DLP.
  3. Install the Enterprise DLP content pack.
  4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
    Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
    Select a descriptive Name.
    For the Incident Type, verify Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    for the Mapper, verify that Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    Click Switch to credentials.
    Enter the Client Credentials generated in the previous step.
    Check (enable) Long running instance.
    (Optional) Modify the automated Slack Bot Message.
    Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
    A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
- Panorama (Not TSG-enabled)
  1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
  2. Install the Enterprise DLP content pack.
  3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
    Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
    Select a descriptive Name.
    For the Incident Type, verify Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    for the Mapper, verify that Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    Add the Access Token and Refresh Token you created in the previous step.
    Check (enable) Long running instance.
    (Optional) Modify the automated Slack Bot Message.
    Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
    A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
1. In Dashboard & Reports, select Playbooks.
2. Select DLP Incident Feedback LoopsPlaybook Triggered.
3. Configure the Cortex XSOAR playbook.
  For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
  For the UserMessageApp, verify Slack is displayed.
  For the ApproverMessageApp, enter Slack.
  (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
4. Save.
Confirm the Cortex XSOAR integration with Enterprise DLP.
1. Log in to Strata Cloud Manager.
2. Select ConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and expand the Setup Instructions section.
3. Toggle the Confirm the status for XSOAR Integration setting to On.
Expand the Configuration section to define the Exemption Duration for exempted files that prompt the End User Alerting with Cortex XSOAR notification.
This setting defines how long a specific file is granted an block exemption when your administrator responds to blocked traffic. The default is 12 hours.

Microsoft Teams

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Microsoft Teams.

Set up the prerequisites needed to begin integrating Microsoft Teams with Cortex XSOAR.
1. Integrate referred IP address directory service using one of the following procedures.
  Integrate AWS - Identity and Access Management
  Integrate MSGraphAzure Users
  Integrate Okta v2
  Integrate PingOne
  Integrate SailPoint IdentityIQ
  Integrate SailPoint IdentityNow
2. Create the Demisto Bot in Microsoft Teams.
3. Grant the Demisto Bot Permissions in Microsoft Graph.
4. Configure Microsoft Teams on .
5. Add the Demisto Bot to a Team.
Integrate Microsoft Teams with Cortex XSOAR.
You can use one of the following methods based on your preferences.
Configure Enterprise DLP authentication.
- Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
  Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
  
  If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
  
  The Client ID and Client Secret are used for authentication.
  When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
- Panorama (Not TSG-enabled)
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select API and Create Token.
  3. Enter a descriptive Token Name and Create the access token.
  4. Copy the Access Token and Refresh Token and save them in a secure location.
Enable Enterprise DLP on Cortex XSOAR.
- Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
  1. Add the Client Credentials to Cortex XSOAR.
    On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
    Enter a descriptive Credential Name.
    For the Username, enter the Client ID created in the previous step.
    For the Password, enter the Client Secret created in the previous step.
    Save.
  2. Select MarketplaceBrowse and search for Enterprise DLP.
  3. Install the Enterprise DLP content pack.
  4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
    Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
    Select a descriptive Name.
    For the Incident Type, verify Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    for the Mapper, verify that Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    Click Switch to credentials.
    Enter the Client Credentials generated in the previous step.
    Check (enable) Long running instance.
    Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
    A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
- Panorama (Not TSG-enabled)
  1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
  2. Install the Enterprise DLP content pack.
  3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
    Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
    Select a descriptive Name.
    For the Incident Type, verify Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    for the Mapper, verify that Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    Add the Access Token and Refresh Token you created in the previous step.
    Check (enable) Long running instance.
    (Optional) Modify the automated Slack Bot Message.
    Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
    A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
1. In Dashboard & Reports, select Playbooks.
2. Select DLP Incident Feedback LoopsPlaybook Triggered.
3. Configure the Cortex XSOAR playbook.
  For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
  For the UserMessageApp, verify Microsoft Teams is displayed.
  For the ApproverMessageApp, enter Microsoft Teams.
  (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
4. Save.
Confirm the Cortex XSOAR integration with Enterprise DLP.
1. Log in to Strata Cloud Manager.
2. Select ConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and expand the Setup Instructions section.
3. Toggle the Confirm the status for XSOAR Integration setting to On.
Expand the Configuration section to define the Exemption Duration for exempted files that prompt the End User Alerting with Cortex XSOAR notification.
This setting defines how long a specific file is granted an block exemption when your administrator responds to blocked traffic. The default is 12 hours.

Email

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Email.

Integrate referred IP address directory service using one of the following procedures.
Enable Mail Send Integration with Cortex XSOAR.
Configure Enterprise DLP authentication.
- Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
  Access the Common Services Identity and & Access settings and add a Service Account to generate the Client ID and Client Secret.
  
  If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
  
  The Client ID and Client Secret are used for authentication.
  When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
- Panorama (Not TSG-enabled)
  1. Log in to the DLP app on the hub.
    If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
  2. Select API and Create Token.
  3. Enter a descriptive Token Name and Create the access token.
  4. Copy the Access Token and Refresh Token and save them in a secure location.
Enable Enterprise DLP on Cortex XSOAR.
- Strata Cloud Manager and Prisma Access (Managed by Panorama) (TSG-enabled)
  1. Add the Client Credentials to Cortex XSOAR.
    On Cortex XSOAR, select SettingsIntegrationsCredentials and add a New credential.
    Enter a descriptive Credential Name.
    For the Username, enter the Client ID created in the previous step.
    For the Password, enter the Client Secret created in the previous step.
    Save.
  2. Select MarketplaceBrowse and search for Enterprise DLP.
  3. Install the Enterprise DLP content pack.
  4. Select SettingsIntegrationsInstances and search for Enterprise DLP.
    Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
    Select a descriptive Name.
    For the Incident Type, verify Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    for the Mapper, verify that Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    Click Switch to credentials.
    Enter the Client Credentials generated in the previous step.
    Check (enable) Long running instance.
    Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
    A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
- Panorama (Not TSG-enabled)
  1. On Cortex XSOAR, select MarketplaceBrowse and search for Enterprise DLP.
  2. Install the Enterprise DLP content pack.
  3. Select SettingsIntegrationsInstances and search for Enterprise DLP.
    Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
    Select a descriptive Name.
    For the Incident Type, verify Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    for the Mapper, verify that Data Loss Prevention is selected.
    If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
    Add the Access Token and Refresh Token you created in the previous step.
    Check (enable) Long running instance.
    (Optional) Modify the automated Slack Bot Message.
    Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
    A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
Configure the DLP Incident Feedback Loop Cortex XSOAR playbook
1. In Dashboard & Reports, select Playbooks.
2. Select DLP Incident Feedback LoopsPlaybook Triggered.
3. Configure the Cortex XSOAR playbook.
  For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
  For the UserMessageApp, verify Email is displayed.
  For the ApproverMessageApp, enter Email.
  (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager,
4. Save.
Confirm the Cortex XSOAR integration with Enterprise DLP.
1. Log in to Strata Cloud Manager.
2. Select ConfigurationData Loss PreventionSettingsAlertsXSOAR Integration Setup and expand the Setup Instructions section.
3. Toggle the Confirm the status for XSOAR Integration setting to On.
Expand the Configuration section to define the Exemption Duration for exempted files that prompt the End User Alerting with Cortex XSOAR notification.
This setting defines how long a specific file is granted an block exemption when your administrator responds to blocked traffic. The default is 12 hours.

About Enterprise DLP End User Alerting with Cortex XSOAR

Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR

Enterprise DLP Docs

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Enterprise DLP Docs

Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Slack

Microsoft Teams

Email

Activation & Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Endpoints

Visibility & Monitoring

Best Practices

Experts Corner