Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Slack
Configure the Panorama™ management server, Prisma Access (Panorama Managed) or Prisma Access (Cloud Managed) to map IP addresses to email addresses, and set up Cortex XSOAR to leverage Enterprise data loss prevention (DLP) End User Alerting for Slack.
To set up Enterprise data loss prevention (DLP) End User Alerting with Cortex XSOAR and send automatic Slack alerts, you first configure the Cloud Identity Engine to map IP addresses to email addresses; the DLP cloud service uses this mapping to identify which user to message on Slack. After you configure the Cloud Identity Engine, you must enable the Slack, email send, and Enterprise DLP integrations on Cortex XSOAR. This chain of integrations allows the DLP cloud service to automatically send Slack messages to team members who upload a file that matches your data profiles.
After you successfully integrate Slack, email send, and Enterprise DLP with Cortex XSOAR, enable End User Alerting with Cortex XSOAR on the DLP app on the hub or on Prisma Access (Cloud Managed), and configure the End User Alerting settings as needed.
- Configure the platform on which you are leveraging Enterprise DLP to map IP addresses to email addresses. This is required for Enterprise DLP End User Alerting with Cortex XSOAR: if Panorama, Prisma Access (Panorama Managed), or Prisma Access (Cloud Managed) is not configured to map IP addresses to email addresses, Enterprise DLP cannot send automated messages on Slack.
  - Panorama (Next-Gen Firewalls): Configure the Cloud Identity Engine. When you configure the User Attributes, you must set the Primary Username to Mail.
  - Prisma Access (Panorama Managed): Get User and Group Information Using the Cloud Identity Engine.
  - Prisma Access (Cloud Managed)
    - Select Manage > Configuration > Cloud Identity Engine and edit the Cloud Identity Engine Settings.
    - For the Primary User Name, select Mail. Configure the rest of the Cloud Identity Engine settings as needed.
    - Save.
- Create the API access token.
  - DLP app on the hub
    - Log in to the DLP app on the hub. If you do not already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select API and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location.
  - Prisma Access (Cloud Managed)
    - Select Configuration > Security Services > Data Loss Prevention > Settings > API Tokens and Create Token.
    - Enter a descriptive Token Name and Create the access token.
    - Copy the Access Token and Refresh Token and save them in a secure location. The access and refresh tokens are displayed only once, immediately after creation, and cannot be viewed again. If you lose the access or refresh token, you must create a new access token.
- Enable Enterprise DLP on Cortex XSOAR.
  - On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
  - Install the Enterprise DLP content pack.
  - Select Settings > Integrations > Instances and search for Enterprise DLP. Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
  - Enter a descriptive Name.
  - Add the Access Token and Refresh Token you created in the previous step.
  - Check (enable) Long running instance.
  - (Optional) Add any data profiles to exclude from End User Alerting. Files that match data profiles added here are not offered block exemptions to the user who uploaded the file.
  - (Optional) Modify the automated Slack Bot Message.
  - Test to confirm that Cortex XSOAR has successfully integrated with Enterprise DLP. A Success message is displayed when the integration succeeds.
  - Save & Exit.
- Confirm the Cortex XSOAR integration with Enterprise DLP.
  - Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed)
    - Log in to the DLP app on the hub. If you do not already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    - Select Settings and check (enable) Confirm the status for XSOAR Integration.
  - Prisma Access (Cloud Managed)
    - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
- Configure the End User Alerting with Cortex XSOAR exemption settings.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration. When a user accepts an exemption for the file that prompted the End User Alerting with Cortex XSOAR notification, that file can be uploaded for the length of the exemption duration. The default is 12 hours.
  - Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message. Select Off (default) to omit snippets of the sensitive data, or On to include a snippet of the sensitive data in the automated Slack message. Because the snippet is the matched sensitive content itself, enable this only if posting that content into Slack is acceptable under your data handling policy.
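The procedure above wires together several settings whose combined effect is easy to misjudge: the IP-to-email mapping (without it nobody can be messaged), the data profiles excluded from End User Alerting (alerted on, but no block exemption offered), the Exemption Duration (default 12 hours) and the Include Snippets in Message switch (Off by default). The following Python model is an added illustration, not Palo Alto Networks code or the Cortex XSOAR content pack, and it replays a constructed sequence of uploads through those decision points. The class names, field names, IP addresses, email addresses and file names are hypothetical, and keying an exemption on the uploading user plus the file is this model's assumption, not a documented detail of the product.

```python
"""Model of the Enterprise DLP End User Alerting decision flow for Slack.

Added illustration, not Palo Alto Networks code. It simulates the chain the
procedure configures so the effect of each setting can be seen on constructed
sample data. All names, addresses and data below are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

BASE_TIME = datetime(2024, 1, 1, 9, 0)   # constructed reference time
DEFAULT_EXEMPTION = timedelta(hours=12)  # documented default Exemption Duration


@dataclass
class Incident:
    source_ip: str     # address the DLP service saw the upload from
    file_hash: str     # identifies the uploaded file
    data_profile: str  # data profile the file matched
    snippet: str       # sensitive text the profile matched on
    seen_at: datetime


@dataclass
class AlertingConfig:
    ip_to_mail: Dict[str, str]  # Cloud Identity Engine mapping (Primary Username = Mail)
    excluded_profiles: Set[str] = field(default_factory=set)
    exemption_duration: timedelta = DEFAULT_EXEMPTION
    include_snippets: bool = False  # Off is the documented default
    bot_message: str = "Your upload {file} matched the {profile} data profile."


@dataclass
class Decision:
    action: str  # "skip", "exempted" or "alert"
    recipient: Optional[str] = None
    message: Optional[str] = None
    exemption_offered: bool = False


# Active exemptions, assumed keyed by (recipient, file_hash) -> expiry time
Exemptions = Dict[Tuple[str, str], datetime]


def decide(incident: Incident, config: AlertingConfig, exemptions: Exemptions) -> Decision:
    """Work out what the automation does with one DLP incident."""
    mail = config.ip_to_mail.get(incident.source_ip)
    if mail is None:
        # No IP-to-email mapping means there is nobody to message on Slack.
        return Decision("skip")
    expires = exemptions.get((mail, incident.file_hash))
    if expires is not None and incident.seen_at < expires:
        # Same user re-uploading the same file inside the exemption window.
        return Decision("exempted", mail)
    message = config.bot_message.format(file=incident.file_hash, profile=incident.data_profile)
    if config.include_snippets:
        message += "\nMatched content: " + incident.snippet
    # Files matching an excluded profile are alerted on but get no block exemption.
    offered = incident.data_profile not in config.excluded_profiles
    return Decision("alert", mail, message, offered)


def grant_exemption(incident: Incident, config: AlertingConfig,
                    exemptions: Exemptions, decision: Decision) -> bool:
    """Record the user's accepted exemption; returns False when none was offered."""
    if decision.action != "alert" or not decision.exemption_offered:
        return False
    exemptions[(decision.recipient, incident.file_hash)] = incident.seen_at + config.exemption_duration
    return True


def run_sample() -> List[Tuple[str, bool]]:
    """Replay constructed uploads; returns (action, exemption_offered) per upload."""
    config = AlertingConfig(ip_to_mail={"10.0.0.5": "alice@example.com"},
                            excluded_profiles={"Payment Card Data"})
    exemptions: Exemptions = {}
    uploads = [
        Incident("10.0.0.9", "report.xlsx", "PII", "SSN 123-45-6789", BASE_TIME),  # unmapped IP
        Incident("10.0.0.5", "report.xlsx", "PII", "SSN 123-45-6789", BASE_TIME),  # first upload
        Incident("10.0.0.5", "report.xlsx", "PII", "SSN 123-45-6789",
                 BASE_TIME + timedelta(hours=1)),   # inside the 12-hour window
        Incident("10.0.0.5", "report.xlsx", "PII", "SSN 123-45-6789",
                 BASE_TIME + timedelta(hours=13)),  # window expired, alerted again
        Incident("10.0.0.5", "cards.csv", "Payment Card Data", "4111 1111 1111 1111",
                 BASE_TIME),                        # excluded profile: no exemption
    ]
    results = []
    for upload in uploads:
        decision = decide(upload, config, exemptions)
        results.append((decision.action, decision.exemption_offered))
        grant_exemption(upload, config, exemptions, decision)  # assume the user accepts
    return results


if __name__ == "__main__":
    for action, offered in run_sample():
        print(action, "exemption offered" if offered else "no exemption")
```

Running the model shows the unmapped upload is silently skipped, which is why the IP-to-email mapping is a prerequisite rather than an option; the excluded profile still produces a Slack message but never an exemption; and the 12-hour window is what makes a repeat upload of the same file pass without a second alert.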