Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Slack
Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.

To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and automatic Slack alerts, you need to configure the Cloud Identity Engine to map IP addresses to email addresses so that automated messages can be sent on Slack. After you configure the Cloud Identity Engine, you must enable the Slack, email send, and Enterprise DLP integrations with Cortex XSOAR. This chain of integrations allows the DLP cloud service to automatically send Slack messages to team members who upload a file that matches your data profiles. After you successfully integrate Slack, email send, and Enterprise DLP with Cortex XSOAR, you need to enable End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Prisma Access (Cloud Management) and configure the End User Alerting settings as needed.

- Configure the platform on which you're using Enterprise DLP to map IP addresses to email addresses. This is required to use Enterprise DLP End User Alerting with Cortex XSOAR. If Panorama, Prisma Access (Panorama Managed), or Prisma Access (Cloud Management) aren't configured to map IP addresses to email addresses, Enterprise DLP can't send automated messages using Slack.
  - Panorama (Next-Gen Firewalls)
    - When you configure the User Attributes, you must set the Primary Username as Mail.
  - Prisma Access (Panorama Managed)
    - Get User and Group Information Using the Cloud Identity Engine.
  - Prisma Access (Cloud Management)
    - Select Manage > Configuration > Cloud Identity Engine and edit the Cloud Identity Engine Settings.
    - For the Primary User Name, select Mail. Configure the rest of the Cloud Identity Engine settings as needed.
    - Save.
- Create the API access token.
  - DLP app on the hub
    - Log in to the DLP app on the hub. If you don't already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select API and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location.
  - Prisma Access (Cloud Management)
    - Select Configuration > Security Services > Data Loss Prevention > Settings > API Tokens and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location. The access and refresh tokens are displayed only once after initial creation and can't be viewed again. If you lose the access or refresh tokens, you must create a new access token.
- Enable Enterprise DLP on Cortex XSOAR.
  - On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
  - Install the Enterprise DLP content pack.
  - Select Settings > Integrations > Instances and search for Enterprise DLP. Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
  - Select a descriptive Name.
  - Add the Access Token and Refresh Token you created in the previous step.
  - Check (enable) Long running instance.
  - (Optional) Add any data profiles to exclude from End User Alerting. Files that match data profiles added here aren't offered block exemptions to the user who uploaded the file.
  - (Optional) Modify the automated Slack Bot Message.
  - Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP. A Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  - Save & Exit.
- Confirm the Cortex XSOAR integration with Enterprise DLP.
  - Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed)
    - Log in to the DLP app on the hub. If you don't already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select Settings and check (enable) Confirm the status for XSOAR Integration.
  - Prisma Access (Cloud Management)
    - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
- Configure the End User Alerting with Cortex XSOAR exemption settings.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration. After a user accepts the exemption offered in an End User Alerting with Cortex XSOAR notification, the file that prompted the notification can be uploaded for the length of the exemption duration. The default is 12 hours.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message. Select Off (default) to leave a snippet of the sensitive data out of the automated Slack message, or On to include a snippet of the sensitive data in it.
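The procedure above wires together several settings whose combined effect is easy to lose track of: the IP-to-email mapping that the Cloud Identity Engine must supply, the data profiles excluded from End User Alerting, the Exemption Duration (12 hours by default), and the Include Snippets in Message toggle (Off by default). The Python below is an added illustration of how those settings interact when an upload matches a data profile. It is not code from Cortex XSOAR, the Enterprise DLP content pack, or Palo Alto Networks; the incident fields, the `IP_TO_EMAIL` table, the addresses, the file hashes and the bot message text are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set, Tuple

# Constructed stand-in for the Cloud Identity Engine mapping with Primary User Name = Mail.
# Hypothetical addresses. Without such a mapping, no Slack message can be addressed.
IP_TO_EMAIL: Dict[str, str] = {
    "10.1.20.15": "alice@example.com",
    "10.1.20.16": "bob@example.com",
}


@dataclass
class DlpIncident:
    """One upload that matched a data profile (illustrative fields, not the product schema)."""
    src_ip: str
    data_profile: str
    file_name: str
    file_sha256: str   # placeholder hash, not a real file
    snippet: str       # the sensitive match the service extracted


@dataclass
class AlertingSettings:
    excluded_profiles: Set[str] = field(default_factory=set)   # data profiles excluded from alerting
    exemption_hours: int = 12                                   # page default for Exemption Duration
    include_snippets: bool = False                              # page default for Include Snippets: Off
    bot_message: str = "Your upload of {file} matched the data profile {profile}."  # constructed text


@dataclass
class AlertingState:
    # (email, file hash) -> time at which the exemption for that file expires
    exemptions: Dict[Tuple[str, str], datetime] = field(default_factory=dict)


def resolve_email(ip: str) -> Optional[str]:
    """Identity lookup: IP -> email, the job the Cloud Identity Engine does when Primary User Name is Mail."""
    return IP_TO_EMAIL.get(ip)


def evaluate(incident: DlpIncident, settings: AlertingSettings, state: AlertingState, now: datetime) -> dict:
    """Decide what End User Alerting does with one incident."""
    email = resolve_email(incident.src_ip)
    if email is None:
        return {"action": "skip", "reason": "no IP-to-email mapping"}
    if incident.data_profile in settings.excluded_profiles:
        # Excluded profiles: the uploader is not offered a block exemption at all.
        return {"action": "skip", "reason": "profile excluded from end user alerting", "email": email}
    expiry = state.exemptions.get((email, incident.file_sha256))
    if expiry is not None and now < expiry:
        # A previously exempted file may be uploaded for the rest of the exemption window.
        return {"action": "allow", "reason": "within exemption window", "email": email}
    text = settings.bot_message.format(file=incident.file_name, profile=incident.data_profile)
    if settings.include_snippets:
        text += f" Matched data: {incident.snippet}"
    return {"action": "alert", "email": email, "message": text}


def grant_exemption(incident: DlpIncident, settings: AlertingSettings, state: AlertingState, now: datetime) -> bool:
    """Record that the uploader accepted the exemption offered in the Slack message."""
    email = resolve_email(incident.src_ip)
    if email is None:
        return False
    state.exemptions[(email, incident.file_sha256)] = now + timedelta(hours=settings.exemption_hours)
    return True


def run_scenario() -> dict:
    """Walk one file through alert -> exemption -> expiry using the page's default settings."""
    settings = AlertingSettings(excluded_profiles={"Internal Test Data"})
    state = AlertingState()
    t0 = datetime(2024, 1, 1, 9, 0)
    # Constructed incidents; the card number is the standard Visa test number, not live data.
    upload = DlpIncident("10.1.20.15", "PCI DSS", "report.xlsx", "sha256-placeholder-1", "4111 1111 1111 1111")
    unknown = DlpIncident("10.9.9.9", "PCI DSS", "report.xlsx", "sha256-placeholder-1", "4111 1111 1111 1111")
    excluded = DlpIncident("10.1.20.16", "Internal Test Data", "fixtures.csv", "sha256-placeholder-2", "n/a")

    results = {}
    results["first_upload"] = evaluate(upload, settings, state, t0)
    results["unmapped_ip"] = evaluate(unknown, settings, state, t0)
    results["excluded_profile"] = evaluate(excluded, settings, state, t0)
    grant_exemption(upload, settings, state, t0)
    results["retry_within_window"] = evaluate(upload, settings, state, t0 + timedelta(hours=11))
    results["retry_after_window"] = evaluate(upload, settings, state, t0 + timedelta(hours=13))
    settings.include_snippets = True
    results["with_snippet"] = evaluate(upload, settings, state, t0 + timedelta(hours=13))
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

Two points the scenario makes concrete: an upload from an IP with no email mapping produces no message at all, which is why the Cloud Identity Engine step comes first, and a file on an excluded data profile is never offered an exemption, so the 12-hour window only ever applies to profiles left in scope.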