End User Coaching for Enterprise DLP
Create an end user notification template to generate a notification in the Access Experience user interface (UI) for a user when they generate an Enterprise Data Loss Prevention (E-DLP) incident.
  1. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
  2. Install the GlobalProtect app version 6.3 or later on Windows or macOS.
  3. Log in to Strata Cloud Manager.
  4. Enable Autonomous DEM.
    On Strata Cloud Manager, select Workflows > Prisma Access Setup > GlobalProtect > GlobalProtect App and Add App Settings. You must configure these required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
    • Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
    • DEM for Prisma Access (Windows and Mac Only)—Select Install and User Cannot Enable or Disable DEM
    • DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the Agent
  5. (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow notifications.
    This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
  6. Configure Enterprise DLP.
    1. Create a decryption profile and policy rule.
      This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
    2. Create custom data patterns to define your match criteria.
      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
    3. Create a data profile and add your data patterns.
      Only custom data profiles are supported. By default, the Action of every predefined DLP Rule is set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
    4. Modify the DLP Rule.
      • When modifying the DLP Rule, you must set the Action to Block. This is required to generate alerts in the Access Experience UI. No alerts are displayed if the Action is set to Alert.
      • Add the DLP Rule to a Profile Group and attach the Profile Group to a Security policy rule. This is required for Enterprise DLP to generate a DLP incident which then generates a notification in the Access Experience UI.
  7. Select Manage > Configuration > NGFW and Prisma Access > Global Settings > User Coaching Notification Template and create an End User Notification Template.
    The end user notification template defines which DLP Rules generate a notification in the Access Experience UI and the contents of the notification. Add only DLP Rules that belong to a Profile Group associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident, which then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates.
    1. For the Product Name, select Inline Data Loss Prevention.
    2. Check (enable) Enable Notification Template to enable the template after creation.
      This setting is enabled by default.
    3. Enter a Notification Template Name.
    4. (Optional) Check (enable) High Confidence Detections Only.
      High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.
    5. Add one or more Applied Rules to the notification template.
      You must add at least one DLP Rule to the notification template, and only DLP Rules that belong to a Profile Group associated with a Security policy rule generate a DLP incident and therefore a notification. A single DLP Rule can be added to multiple User Coaching Notification Templates.
      You can View Details for each DLP rule or Endpoint DLP policy rule you add to review the specific inspection details. This includes the traffic inspection Direction, applicable File Type, Action, and whether the DLP Rule is inspecting for File Based Match Criteria, Non-File Based Match Criteria, or both.
    6. Define the Notification Message users receive when Enterprise DLP blocks sensitive data that matches the data profiles associated with the DLP Rule.
      The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.
      • [file name]—File name and extension containing sensitive data blocked by Enterprise DLP.
      • (File Based only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
      • [app name]—Application user attempted to upload to, download from, or post non-file based content.
      • [action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
      1. Define the Message Template for File based detections.
        Skip this step if the DLP Rule isn't configured for file based detections.
      2. Define the Message Template for Non-File based detections.
        Skip this step if the DLP Rule isn't configured for non-file based detections.
      3. Add a Support Link.
        You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
  8. Save.
  9. The user who generated the Enterprise DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.
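As an added illustration (not code from this page or from Palo Alto Networks), the following Python previews how the message template variables listed in step 6 render for a sample incident and flags [direction] used in a non-file based template; the Incident fields, the sample templates and the values are assumptions for the preview.

```python
# Added example (not Palo Alto Networks code): previews how the notification
# template variables [file name], [direction], [app name], [action] render.
import re
from dataclasses import dataclass
from typing import List, Optional

# Variable names exactly as the template expects them (spaces and brackets).
KNOWN_VARIABLES = ("file name", "direction", "app name", "action")
_KNOWN_RE = re.compile(r"\[(file name|direction|app name|action)\]")
_ANY_BRACKET_RE = re.compile(r"\[([^\]]*)\]")

@dataclass
class Incident:
    """Assumed fields for an incident; rule_action is the DLP Rule Action."""
    app_name: str
    rule_action: str                  # "Block" or "Alert"
    file_name: Optional[str] = None   # None for non-file based detections
    direction: Optional[str] = None   # "upload" or "download", file based only

def validate_template(template: str, file_based: bool) -> List[str]:
    """Report unknown bracketed variables and [direction] used outside a
    file based template, which the documentation marks as File Based only."""
    problems = []
    for name in _ANY_BRACKET_RE.findall(template):
        if name not in KNOWN_VARIABLES:
            problems.append(f"unknown variable [{name}]")
        elif name == "direction" and not file_based:
            problems.append("[direction] only applies to file based detections")
    return problems

def render_notification(template: str, incident: Incident) -> Optional[str]:
    """Return the toast text, or None when no notification would be shown.
    Only a DLP Rule whose Action is Block generates a notification, and
    [action] always renders as Blocked."""
    if incident.rule_action != "Block":
        return None
    values = {
        "file name": incident.file_name or "",
        "direction": incident.direction or "",
        "app name": incident.app_name,
        "action": "Blocked",
    }
    return _KNOWN_RE.sub(lambda m: values[m.group(1)], template)

# Constructed sample templates for a preview run.
FILE_TEMPLATE = "[action]: [file name] ([direction] via [app name]) contains sensitive data."
NON_FILE_TEMPLATE = "[action]: the text you posted to [app name] contains sensitive data."
```

Run validate_template on each template before saving it, and render_notification with a sample Incident to check the wording users will see.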