Set Up Enterprise DLP End User Alerting with Cortex XSOAR for Slack

Set up Cortex XSOAR to use Enterprise Data Loss Prevention (E-DLP) End User Alerting for Slack.

To set up Enterprise Data Loss Prevention (E-DLP) End User Alerting with Cortex XSOAR and send automatic Slack alerts, you first need to configure the Cloud Identity Engine to map IP addresses to email addresses; without that mapping, automatic messages can't be sent on Slack. After you configure the Cloud Identity Engine, you must enable Slack, the email send integration, and Enterprise DLP with Cortex XSOAR. This chain of integrations allows the DLP cloud service to automatically send Slack messages to team members who upload a file that matches your data profiles.

After you successfully integrate Slack, email send, and Enterprise DLP with Cortex XSOAR, enable the End User Alerting with Cortex XSOAR functionality on the DLP app on the hub or on Prisma Access (Cloud Management) and configure the End User Alerting settings as needed.
  1. Configure the platform on which you’re using Enterprise DLP to map IP addresses to email addresses.
    This is required to use Enterprise DLP End User Alerting with Cortex XSOAR. If Panorama, Prisma Access (Panorama Managed), or Prisma Access (Cloud Management) aren’t configured to map IP addresses to email addresses, Enterprise DLP can’t send automated messages using Slack.
    • Panorama (Next-Gen Firewalls)
    1. When you configure the User Attributes, you must set the Primary Username as Mail.
    1. Select Manage > Configuration > Cloud Identity Engine and edit the Cloud Identity Engine Settings.
    2. For the Primary User Name, select Mail.
      Configure the rest of the Cloud Identity Engine settings as needed.
    3. Save.
  2. Create the API access token.
    • DLP app on the hub
    1. Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. Select API and Create Token.
    3. Enter a descriptive Token Name and Create the access token.
    4. Copy the Access Token and Refresh Token and save them in a secure location.
    • Prisma Access (Cloud Management)
    1. Select Configuration > Security Services > Data Loss Prevention > Settings > API Tokens and Create Token.
    2. Enter a descriptive Token Name and Create the access token.
    3. Copy the Access Token and Refresh Token and save them in a secure location.
      The access and refresh tokens are displayed only once, immediately after creation, and can’t be viewed again. If you lose the access or refresh tokens, you must create a new access token.
  3. Enable Enterprise DLP on Cortex XSOAR.
    1. On Cortex XSOAR, select Marketplace > Browse and search for Enterprise DLP.
    2. Install the Enterprise DLP content pack.
    3. Select Settings > Integrations > Instances and search for Enterprise DLP.
      Click Add Instance to integrate Enterprise DLP. See Integrate Enterprise DLP on XSOAR for more information.
      1. Select a descriptive Name.
      2. Add the Access Token and Refresh Token you created in the previous step.
      3. Check (enable) Long running instance.
      4. (Optional) Add any data profiles to exclude from End User Alerting.
        Files that match data profiles added here aren’t offered block exemptions to the user who uploaded the file.
      5. (Optional) Modify the automated Slack Bot Message.
      6. Test to confirm Cortex XSOAR has successfully integrated with Enterprise DLP.
        Success is displayed when Cortex XSOAR successfully integrates with Enterprise DLP.
    4. Save & Exit.
  4. Confirm the Cortex XSOAR integration with Enterprise DLP.
    • Panorama (Next-Gen Firewalls) and Prisma Access (Panorama Managed)
    1. Log in to the DLP app on the hub.
      If you don’t already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
    2. Select Settings and check (enable) Confirm the status for XSOAR Integration.
    • Prisma Access (Cloud Management)
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > XSOAR Integration Setup and check (enable) Confirm the status for XSOAR Integration.
  5. Configure the End User Alerting with Cortex XSOAR exemption settings.
    1. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure the Exemption Duration.
      A file that triggered an End User Alerting with Cortex XSOAR notification and was then exempted can be uploaded for the length of the Exemption Duration. The default is 12 hours.
    2. Select Manage > Configuration > Data Loss Prevention > Settings > Alerts > Configuration and configure whether to Include Snippets in Message.
      Select Off (default) to omit snippets of the sensitive data, or On to include a snippet of the sensitive data in the automated Slack message.
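The settings from step 3 (excluded data profiles) and step 5 (Exemption Duration, Include Snippets in Message) interact with the IP-to-email mapping from step 1: an upload from an unmapped IP can't be alerted on at all, a file matching an excluded profile gets no exemption offer, an accepted exemption lets the same file through for the duration window (12 hours by default), and the snippet switch decides whether matched content is copied into the Slack message. The following is an added example, not Palo Alto Networks' code and not part of this page: a Python model of that decision flow over constructed inputs. The mapping table, the sample uploads, the names decide() and ExemptionStore, and the bot message wording are all hypothetical.

```python
"""Constructed model of the End User Alerting decision flow described on this page.

Example code, not Palo Alto Networks' implementation: it models the documented
behaviour (IP-to-email mapping, excluded data profiles, Exemption Duration,
Include Snippets in Message) so the settings can be reasoned about offline.
Names such as decide() and ExemptionStore are hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass
class AlertSettings:
    """Settings from step 3 (excluded profiles, bot message) and step 5 (duration, snippets)."""
    exemption_duration: timedelta = 12 * HOUR           # page default: 12 hours
    include_snippets: bool = False                      # Include Snippets in Message: Off (default)
    excluded_profiles: FrozenSet[str] = frozenset()     # data profiles excluded from End User Alerting
    bot_message: str = "A file you uploaded matched the data profile(s): {profiles}."  # hypothetical wording


@dataclass(frozen=True)
class Upload:
    """A DLP match for one upload (constructed sample input)."""
    source_ip: str
    file_hash: str
    matched_profiles: Tuple[str, ...]
    snippet: str


@dataclass
class ExemptionStore:
    """Block exemptions keyed by (user email, file hash), each with an expiry."""
    settings: AlertSettings
    granted: Dict[Tuple[str, str], datetime] = field(default_factory=dict)

    def grant(self, user: str, file_hash: str, now: datetime) -> datetime:
        """The user accepted the offer: the same file may be uploaded until expiry."""
        expires = now + self.settings.exemption_duration
        self.granted[(user, file_hash)] = expires
        return expires

    def is_exempt(self, user: str, file_hash: str, now: datetime) -> bool:
        expires = self.granted.get((user, file_hash))
        return expires is not None and now < expires


def decide(upload: Upload, ip_to_email: Dict[str, str], settings: AlertSettings,
           store: ExemptionStore, now: datetime) -> dict:
    """Return the outcome End User Alerting would produce for one upload."""
    user: Optional[str] = ip_to_email.get(upload.source_ip)
    if user is None:
        # No Cloud Identity Engine mapping for this IP: no Slack message can be sent.
        return {"action": "no_mapping", "user": None}
    if store.is_exempt(user, upload.file_hash, now):
        # A still-valid exemption lets the same file through without a new alert.
        return {"action": "allow_exempt", "user": user}
    if any(p in settings.excluded_profiles for p in upload.matched_profiles):
        # Profile excluded from End User Alerting: the user is not offered a block exemption.
        return {"action": "excluded", "user": user, "offer_exemption": False}
    message = settings.bot_message.format(profiles=", ".join(upload.matched_profiles))
    if settings.include_snippets:
        message += f" Matched content: {upload.snippet!r}"
    return {"action": "notify", "user": user, "message": message, "offer_exemption": True}


def run_scenario(include_snippets: bool = False) -> dict:
    """Walk one user through alert, accepted exemption, expiry, and an excluded profile."""
    settings = AlertSettings(include_snippets=include_snippets,
                             excluded_profiles=frozenset({"Source Code"}))
    store = ExemptionStore(settings)
    ip_to_email = {"10.1.2.3": "alice@example.com"}  # constructed CIE mapping
    pci = Upload("10.1.2.3", "sha256:aaa", ("PCI",), "4111 1111 1111 1111")
    code = Upload("10.1.2.3", "sha256:bbb", ("Source Code",), "def main():")
    unknown = Upload("10.9.9.9", "sha256:aaa", ("PCI",), "4111 1111 1111 1111")

    first = decide(pci, ip_to_email, settings, store, T0)
    store.grant("alice@example.com", pci.file_hash, T0)  # user accepts the offer in Slack
    return {
        "first": first,
        "within_window": decide(pci, ip_to_email, settings, store, T0 + 11 * HOUR)["action"],
        "after_window": decide(pci, ip_to_email, settings, store, T0 + 13 * HOUR)["action"],
        "excluded": decide(code, ip_to_email, settings, store, T0)["action"],
        "unmapped": decide(unknown, ip_to_email, settings, store, T0)["action"],
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the script prints the five outcomes; the re-upload 11 hours after the exemption is allowed, the one at 13 hours triggers a fresh notification. With Include Snippets in Message set to On, the matched content itself lands in the Slack message, so the retention and access controls on the Slack workspace become part of where that sensitive data lives; Off, the default, keeps the alert to profile names only.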
