Strata Cloud Manager
User Coaching Notification Template
Centrally manage the end user notification templates to alert users through Autonomous DEM if the users generate an Enterprise Data Loss Prevention (E-DLP) incident.

| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |

The End User Coaching Notification Template allows you to configure the notification displayed to your users in the Access Experience User Interface (UI) when they generate an Enterprise Data Loss Prevention (E-DLP) incident. An Enterprise DLP incident is generated when a file containing sensitive data is downloaded or uploaded, or if non-file based traffic containing sensitive data is posted in a web form. To determine what is considered sensitive data, you add one or more Inline DLP Rules. DLP Rules contain the traffic match criteria that define what is considered sensitive data. The DLP Rule is derived from the Enterprise DLP data profile of the same name.

Additionally, you can configure custom messages for when a File Based or Non-File Based Enterprise DLP incident is generated. After an Enterprise DLP incident is generated, the user who generated the incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.

- Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
- Log in to Strata Cloud Manager.
- Enable Autonomous DEM. In App Settings > User Behavior > Digital Experience Management (DEM), you must configure these required settings to display notifications to your users in the Access Experience UI.
  - Enable Autonomous DEM and GlobalProtect Log Collection for Troubleshooting
  - DEM for Prisma Access (Windows and Mac Only)—Select Install and User Cannot Enable or Disable DEM
  - DEM for Prisma Access version 6.3 and above (Windows and Mac Only)—Select Install the Agent
- Configure Enterprise DLP.
  - This is required for Enterprise DLP to decrypt and inspect traffic for sensitive data.
  - Create custom data patterns to define your match criteria. Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
  - Create a data profile and add your data patterns. Only custom data profiles are supported. By default, all predefined DLP Rules' Action are set to Alert. You must clone the predefined data profile to edit the DLP Rule Action.
  - When modifying the DLP Rule, you must set the Action to Block. This is required to generate alerts in the Access Experience UI. No alerts are displayed if the Action is set to Alert.
  - Add the DLP Rule to a Profile Group and attach the Profile Group to a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI.
- Select Manage > Configuration > NGFW and Prisma Access > Global Settings > User Coaching Notification Template and Add Notification Template.
- Configure the General Information.
  - Verify the Product Name is Inline DLP. This is the default setting and can't be changed.
  - Select Enable Notification Template to enable the template after you save. This setting is enabled by default.
  - Enter a descriptive Notification Template Name.
  - (Optional) Enter a Description for the Notification Template.
  - (Optional) Select High Confidence Detections Only to only generate Access Experience alerts for high confidence traffic matches. High confidence matches reflect how confident Enterprise DLP is when detecting matched traffic. For regular expression (regex) patterns, this is based on the character distance to the configured proximity keywords. For machine learning (ML) patterns, this confidence level is calculated by the ML models.
- Add one or more Applied Rules to the notification template. DLP Rules must have the rule Action set to Block and be added to a Profile Group that is attached to a Security policy rule to generate an Access Experience notification. Only add DLP Rules added to a Profile Group that is associated with a Security policy rule. This is required for Enterprise DLP to generate a DLP incident that then generates a notification in the Access Experience UI. A single DLP Rule can be added to multiple User Coaching Notification Templates. All DLP Rules added to the notification template generate the same Notification Message when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule. You can View Details for each DLP Rule you add to review the specific inspection details. This includes the traffic inspection Direction, applicable File Type, Action, and whether the DLP Rule is inspecting for File Based Match Criteria, Non-File Based Match Criteria, or both.
- Define the Notification Message users receive when Enterprise DLP blocks sensitive data that match the data profiles associated with the DLP Rule. The message templates are the Access Experience toast notifications users receive when Enterprise DLP blocks sensitive data. You can use the following variables in your message templates. You must include the brackets for each variable.
  - [file name]—File name and extension containing sensitive data blocked by Enterprise DLP.
  - (File Based only) [direction]—Specifies whether Enterprise DLP blocked a file upload or download.
  - [app name]—Application user attempted to upload to, download from, or post non-file based content.
  - [action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
  - Define the Message Template for File based detections. Skip this step if the DLP Rule isn't configured for file based detections.
  - Define the Message Template for Non-File based detections. Skip this step if the DLP Rule isn't configured for non-file based detections.
  - Add a Support Link. You can add links directly into the Access Experience toast notification that describe your company policy for sharing or downloading sensitive data.
- Save.
- The user who generated the Enterprise DLP incident can view the Data Security notification to see a snippet of the sensitive data that was uploaded, downloaded, or posted.
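
The bracketed-variable rules from the Notification Message step can be checked before a template is saved. The following Python is an added example, not Palo Alto Networks code: it lints a message template against the four variables listed above, including the File Based only restriction on [direction], and previews the resulting toast text. The function names, the sample values and the exact-match treatment of variable names are assumptions.

```python
import re

# The four variables this page lists; [direction] is documented as File Based only.
SUPPORTED = {"file name", "direction", "app name", "action"}
FILE_ONLY = {"direction"}
VAR = re.compile(r"\[([^\[\]]*)\]")  # one well-formed [variable]


def lint_template(template, file_based):
    """Return the problems found in one message template, in reading order."""
    problems = []
    for name in VAR.findall(template):
        if name not in SUPPORTED:
            # Assumption: names must match the documented spelling exactly.
            hint = f" (did you mean [{name.lower()}]?)" if name.lower() in SUPPORTED else ""
            problems.append(f"unknown variable [{name}]{hint}")
        elif name in FILE_ONLY and not file_based:
            problems.append(f"[{name}] is File Based only")
    # A bracket left over once well-formed variables are removed has no partner.
    if re.search(r"[\[\]]", VAR.sub("", template)):
        problems.append("unbalanced bracket")
    return problems


def render_preview(template, values):
    """Fill in sample values to preview the toast; unknown variables stay as typed."""
    return VAR.sub(lambda m: values.get(m.group(1), m.group(0)), template)


# Constructed sample values and templates, not taken from a real tenant.
SAMPLE = {"file name": "q3-payroll.xlsx", "direction": "upload",
          "app name": "example-share", "action": "Blocked"}
FILE_TEMPLATE = "[action]: [direction] of [file name] to [app name] was stopped."
NON_FILE_TEMPLATE = "[Action]: data posted to [app name] ([direction]) was stopped. See [policy"

if __name__ == "__main__":
    for label, text, is_file in (("File", FILE_TEMPLATE, True),
                                 ("Non-File", NON_FILE_TEMPLATE, False)):
        print(label, "->", lint_template(text, is_file) or "ok")
    print(render_preview(FILE_TEMPLATE, SAMPLE))
```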