Respond to Blocked Traffic Using Enterprise DLP End User Alerting with Cortex XSOAR

Request an exemption for an uploaded file using the Enterprise Data Loss Prevention (E-DLP) Bot on Slack.
Where Can I Use This?
  • NGFW (Managed by Panorama or Strata Cloud Manager)
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • Enterprise Data Loss Prevention (E-DLP) license
    Review the Supported Platforms for details on the required license for each enforcement point.
  Or any of the following licenses that include the Enterprise DLP license:
  • Prisma Access CASB license
  • Next-Generation CASB for Prisma Access and NGFW (CASB-X) license
  • Data Security license
After you Set Up Enterprise DLP End User Alerting with Cortex XSOAR and a file upload matches your data profile, the team member who uploaded the file is automatically alerted on Slack to confirm whether the file they uploaded contains sensitive information.
The DLP cloud service maintains a response history for all files that trigger End User Alerting with Cortex XSOAR based on your response.
  • Confirmed Sensitive - End user confirmed that Yes, the file contains sensitive data but No, the end user didn’t request an exemption.
    For all future uploads of the file, the file upload remains blocked and end users aren’t prompted to request an exemption.
  • Exception Requested - End user confirmed that Yes, the file contains sensitive data and Yes, the end user requested an exemption.
    For all future uploads of the file, end users aren’t prompted to confirm the file contains sensitive data but are prompted to request an exemption.
  • Confirmed False Positive - End user confirmed that No, the file doesn’t contain sensitive data.
    For all future uploads of the file, the file uploads remain blocked and end users aren’t prompted to confirm if the file contains sensitive data.
This procedure assumes you have already created a data profile and have successfully set up Enterprise DLP End User Alerting with Cortex XSOAR.
  1. Upload a file containing sensitive data that matches a data profile.
  2. On Slack, the Enterprise DLP Bot sends an automated message to the team member who uploaded the file containing sensitive data.
    Select Yes to confirm that the uploaded file contains sensitive data and to request an exemption.
    Select No to confirm that the uploaded file doesn’t contain sensitive data and flag the file as a false positive. If you select No, the file remains blocked for any future upload of the same file. You will receive confirmation from the Enterprise DLP Bot that your response was successfully received.
  3. If you selected Yes and the file contains sensitive information, select Yes when prompted to request a temporary exemption for the uploaded file.
    Select No if you don’t want to request a temporary exemption for the file. The file upload remains blocked.
    Skip this step if you selected No in the previous step and the file doesn’t contain sensitive data.
  4. The Enterprise DLP Bot confirms that the exemption was granted.
    You can now reupload the file as needed for the length of the Exemption Duration.