User Coaching Notification Template

Table of Contents

User Coaching Notification Template

Centrally manage the end user notification templates to alert users through Autonomous DEM if the users generate an Enterprise Data Loss Prevention (E-DLP) incident.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager)	GlobalProtect app version 6.3 or later Enterprise Data Loss Prevention (E-DLP) license Prisma Access Mobile Users License Prisma Access license Or any of the following licenses that include the Enterprise DLP license Prisma Access CASB license Next-Generation CASB for Prisma Access and NGFW (CASB-X) license

Where Can I Use This?

What Do I Need?

Prisma Access (Managed by Strata Cloud Manager)

GlobalProtect app version 6.3 or later
Enterprise Data Loss Prevention (E-DLP) license
Prisma Access Mobile Users License
Prisma Access license

Or any of the following licenses that include the Enterprise DLP license

Prisma Access CASB license
Next-Generation CASB for Prisma Access and NGFW (CASB-X) license

The End User Coaching Notification Template allows you to configure the notification displayed to your users in the Access Experience User Interface (UI) when they generate an Enterprise Data Loss Prevention (E-DLP) incident. An Enterprise DLP incident is generated when a file containing sensitive data is downloaded or uploaded, or if non-file based traffic containing sensitive data is posted in a web form.

To determine what is considered sensitive data, you add one or more Inline DLP Rules. DLP Rules containing the traffic match criteria that defines what is considered sensitive data. The DLP Rule is derived from the Enterprise DLP data profile of the same name. Additionally, you can configure custom messages for when a File Based or Non-File Based Enterprise DLP incident is generated. After an Enterprise DLP incident is generated, the user who generated the incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.

Only one notification is displayed per incident in a 30 second period regardless of how many times the user generates the same incident. For example, a user attempts to upload a file containing sensitive data to the Box Web application and Enterprise Data Loss Prevention (E-DLP) blocks the upload. The user then immediately tries to upload the same file 5 more times but is blocked each time. In this case only one Access Experience alert is generated even though the user was blocked from uploading a file containing sensitive date to the Box Web application 6 total times.

Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
Install the GlobalProtect app version6 6.3 or later on Windows or macOS.
Log in to Strata Cloud Manager.
Enable Autonomous DEM.
On Strata Cloud Manager, select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App and Add App Settings. You must configure these required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
- Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
- DEM for Prisma Access (Windows and Mac Only)—Select Install and User Cannot Enable or Disable DEM
- DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the Agent
(macOS only) In the Access Experience UI, select SettingsNotifications and enable Allow notifications.

This setting must be enabled in the Access Experience UI for each user and is required to display notifications on the user's desktop. Configure the rest of the Access Experience notifications settings as needed.
Configure Enterprise DLP.
1. Create a decryption profile and policy rule.
  
  This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
2. Create custom data patterns to define your match criteria.
  
  Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
3. Create a data profile and add your data patterns.
  Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. If you must clone the predefined data profile to edit the DLP Rule Action.
4. Modify the DLP Rule.
  When modifying the DLP Rule, you must set the Action to Block. This is required to generate alerts in the Access Experience UI. No alerts are displayed if the Action is set to Alert.
  Add the DLP Rule to a Profile Group and attach the Profile Group to a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI.
Select ManageConfiguration NGFW and Prisma AccessGlobal SettingsUser Coaching Notification Template and Add Notification Template.
Configure the General Information.
1. Verify the Product Name is Inline DLP.
  
  This is the default setting and can't be changed
2. Select Enable Notification Template to enable the template after you save.
  
  This setting is enabled by default.
3. Enter a descriptive Notification Template Name.
4. (Optional) Enter a Description for the Notification Template.
5. (Optional) Select High Confidence Detections Only to only generate Access Experience alerts for high confidence traffic matches.
  
  High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.
Add one or more Applied Rules to the notification template.

DLP Rules must have the rule Action set to Block and be added to a Profile Group that is attached to a Security policy rule to generate an Access Experience notification. Only add DLP Rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates.

All DLP Rules added to the notification template generate the same Notification Message when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule.

You can View Details for each DLP Rule you add to review the specific inspection details. This includes the traffic inspection Direction, applicable File Type, Action, and whether the DLP Rule is inspecting for File Based Match Criteria, Non-File Based Match Criteria, or both.
Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule.
The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.
- [file name]—File name and extension containing sensitive data blocked by Enterprise DLP.
- (File Based only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
- [app name]—Application user attempted to upload to, download from, or post non-file based content.
- [action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
1. Define the Message Template for File based detections.
  
  Skip this step if the DLP Rule isn't configured for file based detections.
2. Define the Message Template for Non-File based detections.
  
  Skip this step if the DLP Rule isn't configured for non-file based detections.
3. Add a Support Link.
  
  You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
Save.
The user who generated the Enterprise DLP incident can view the Data Security notification to see a snippet of the sensitive data that was uploaded, downloaded, or posted.