Set Up Enterprise DLP End User Alerting with Cortex XSOAR

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting.

Where Can I Use This?
  • NGFW (Panorama Managed)
  • Prisma Access (Cloud Management)
  • SaaS Security
  • NGFW (Cloud Managed)

What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
  • NGFW (Panorama Managed): Support and Panorama device management licenses
  • Prisma Access (Cloud Management): Prisma Access license
  • SaaS Security: SaaS Security license
  • NGFW (Cloud Managed): Support and AIOps for NGFW Premium licenses
Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license

Integrate Enterprise Data Loss Prevention (E-DLP) with Cortex XSOAR to use Enterprise DLP End User Alerting.
(Slack) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Slack alerts, you need to integrate your preferred IP address directory service, which maps IP addresses to email addresses so that messages can be sent automatically on Slack. After integration, you must enable Slack, email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integrations allows the DLP cloud service to automate sending Slack messages to team members who upload a file that matches your data profiles.
(Microsoft Teams) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic Microsoft Teams alerts, you need to set up integration with Microsoft Teams and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending Microsoft Teams messages to team members who upload a file that matches your data profiles.
(Email) To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and set up automatic email alerts, you need to integrate your preferred IP address directory service and Enterprise DLP with Cortex XSOAR. This integration allows the DLP cloud service to automate sending email messages to team members who upload a file that matches your data profiles.
After you successfully integrate Slack, Microsoft Teams, or your email provider and Enterprise DLP with Cortex XSOAR, you need to enable the End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Strata Cloud Manager and configure the End User Alerting settings as needed.

Slack

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.
  1. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  2. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select Marketplace > Browse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. (Optional) Modify the automated Slack Bot Message.
        8. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  3. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback Loops > Playbook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Slack is displayed.
      • For the ApproverMessageApp, enter Slack.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
    4. Save.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
      An exempted file that prompted the End User Alerting with Cortex XSOAR notification can be uploaded for the length of the exemption duration. The default is 12 hours.
    2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Slack.

Microsoft Teams

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Microsoft Teams.
  1. Integrate Microsoft Teams with Cortex XSOAR.
    You can use one of the following methods based on your preferences.
  2. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  3. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select Marketplace > Browse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  4. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback Loops > Playbook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Microsoft Teams is displayed.
      • For the ApproverMessageApp, enter Microsoft Teams.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
    4. Save.
  5. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  6. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
      An exempted file that prompted the End User Alerting with Cortex XSOAR notification can be uploaded for the length of the exemption duration. The default is 12 hours.
    2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.

Email

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Email.
  1. Configure Enterprise DLP authentication.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      Access the Common Services Identity & Access settings and add a Service Account to generate the Client ID and Client Secret.
      If you already have a Service Account created, you can Reset Client Secret to recover a lost Client Secret.
      The Client ID and Client Secret are used for authentication.
      When you create the Service Account, the Client ID and Client Secret are displayed in the Client Credentials. You can manually copy the Client Credentials or Download CSV File to download the Client Credentials in plaintext locally to your device.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select API and Create Token.
      3. Enter a descriptive Token Name and Create the access token.
      4. Copy the Access Token and Refresh Token and save them in a secure location.
  2. Enable Enterprise DLP on Cortex XSOAR.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Add the Client Credentials to Cortex XSOAR.
        1. On Cortex XSOAR, select Settings > Integrations > Credentials and add a New credential.
        2. Enter a descriptive Credential Name.
        3. For the Username, enter the Client ID created in the previous step.
        4. For the Password, enter the Client Secret created in the previous step.
        5. Save.
      2. Select Marketplace > Browse and search for Enterprise DLP.
      3. Install the Enterprise DLP content pack.
      4. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Click Switch to credentials.
        5. Enter the Client Credentials generated in the previous step.
        6. Check (enable) Long running instance.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    • Panorama (Not TSG-enabled)
      1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
      2. Install the Enterprise DLP content pack.
      3. Select Settings > Integrations > Instances and search for Enterprise DLP.
        Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
        1. Select a descriptive Name.
        2. For the Incident Type, verify Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        3. For the Mapper, verify that Data Loss Prevention is selected.
          If Data Loss Prevention is not displayed, hover your mouse over the field to display the list of available incident types to search for and select Data Loss Prevention.
        4. Add the Access Token and Refresh Token you created in the previous step.
        5. Check (enable) Long running instance.
        6. (Optional) Modify the automated Slack Bot Message.
        7. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
          Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
  3. Configure the DLP Incident Feedback Loop Cortex XSOAR playbook.
    1. In Dashboard & Reports, select Playbooks.
    2. Select DLP Incident Feedback Loops > Playbook Triggered.
    3. Configure the Cortex XSOAR playbook.
      • For ApprovalTarget, enter Manager to send an exemption request to the sender's manager. This information is pulled from your preferred IP address directory service.
      • For the UserMessageApp, verify Email is displayed.
      • For the ApproverMessageApp, enter Email.
      • (Optional) For the DenyMessage, enter a custom response when a file extension is denied by the sender's manager.
    4. Save.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Strata Cloud Manager and Prisma Access (Panorama Managed) (TSG-enabled)
      1. Log in to Strata Cloud Manager.
      2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
    • Panorama (Not TSG-enabled)
      1. Log in to the DLP app on the hub.
        If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
      2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
      An exempted file that prompted the End User Alerting with Cortex XSOAR notification can be uploaded for the length of the exemption duration. The default is 12 hours.
    2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
      You can select Off (default) to not include a snippet of the sensitive data or On to include a snippet of the sensitive data in the automated message on Microsoft Teams.
