End User Coaching for Endpoint DLP

Create an end user notification template to generate a notification in the Access Experience user interface for a user when they generate an Endpoint DLP incident.
  1. Review the Setup Prerequisites for End User Coaching to ensure you're running the minimum required agent, endpoint software, and Enterprise DLP plugin versions to display notifications.
  2. Contact your Palo Alto Networks representative to enable End User Coaching on your tenant.
  3. Install the Prisma Access Agent on Windows or macOS.
  4. Log in to Strata Cloud Manager.
  5. Enable Autonomous DEM.
    On Strata Cloud Manager, select Configuration > NGFW & Prisma Access > Configuration Scope > Access Agent > Prisma Access Agent and Add Agent Settings. Configure the required settings to display notifications to your users in the Access Experience UI when they generate a DLP incident.
    Configure the following required App Configuration settings. Configure the rest of the Prisma Access Agent settings as needed.
    • Access Experience—Select Install.
    • Display ADEM Update Notification—Check Enable.
  6. (macOS only) In the Access Experience UI, select Settings > Notifications and enable Allow notifications.
    This setting must be enabled in the Access Experience UI for each user and is required to display notifications when the user generates a DLP incident. Configure the rest of the Access Experience notifications settings as needed.
  7. Configure Enterprise DLP.
    1. Create a decryption profile and policy rule.
      Enterprise DLP requires a decryption rule to decrypt and inspect traffic for sensitive data.
    2. Create custom data patterns to define your match criteria.
      Alternatively, you can use the predefined data patterns instead of creating custom data patterns.
    3. Create a data profile and add your data patterns.
      Only custom data profiles are supported. By default, the Action of every predefined DLP rule is set to Alert. To edit the DLP rule Action, you must clone the predefined data profile and edit the clone.
  8. Create an Endpoint DLP notification template.
    The notification template defines the format of the coaching notification that will be displayed to end users when they generate an incident. Using the template, you can specify the contents of the notification message that is displayed when an Endpoint DLP policy rule blocks access to a peripheral device or blocks the transfer of sensitive files to a peripheral device. You can also enable localization in the template to send notifications in each user’s preferred language.
    1. Select Configuration > End User Coaching.
    2. On the End User Coaching page, select the action to Create New notification template.
    3. Fill out the fields of the notification template.
      1. Enter a Template Name and a Template Description to explain the purpose of the notification.
      2. For the Product Name, select ENDPOINT_DLP.
      3. (Optional) If you want the message to display in the end user's preferred language, complete the following steps.
        1. Toggle the Allow for Language Localization setting to the on position.
        2. Select the languages you want to support.
        3. Apply your selected languages to the template.
        If you applied the language of the user's device to the template, the notification is displayed in that language. Otherwise, the notification is displayed in English.
      4. Specify notification text for one or more security event types.
        You can specify coaching notifications for the following types of security events:
        • An attempt to transfer a file containing sensitive data to a peripheral device
        • An attempt to access a restricted peripheral device
        For each event type, complete the following steps:
        1. Toggle the Enable Agent Notification setting to the on position.
        2. Specify a Notification Title that users receive when Enterprise DLP blocks the transfer of sensitive data. For example, Sensitive Data Transfer Detected.
        3. Define the Notification Message that users receive when Enterprise DLP blocks the transfer of sensitive data.
          You can use the following variables in your message templates. Include the brackets for each variable.
          • (File transfer incidents only) [File Name]—File name and extension containing sensitive data blocked by Enterprise DLP.
          • (File transfer incidents only) [Transfer Method]—The type of file action the user attempted, such as an upload or download action.
          • [Peripheral Type]—Type of peripheral device associated with the Endpoint DLP incident.
          • [Peripheral Name]—Name of the peripheral device associated with the Endpoint DLP incident.
          • [Action]—Action Enterprise DLP took when sensitive data was detected. This value is always Blocked.
          • [Policy Name]—Name of the Endpoint DLP policy rule against which the Endpoint DLP incident was generated.
        4. Select one of the following notification display types:
          • Toast—The notification will disappear automatically without requiring user interaction. When you select this option, you can also select the screen location where the toast notification will appear.
          • Modal—The notification must be manually dismissed by the user.
        5. (File transfer incidents only) If you want the user to be able to bypass security policies for legitimate business needs, toggle the Enable Exemption Request setting to the on position.
          If the template has this setting enabled, users can request an exception for their file upload or download request. If the display type is Modal, the user can also specify the reason they are requesting an exemption.
          1. Specify whether Enterprise DLP will grant exemption requests automatically or will send the exemption request to an incident responder for approval.
          2. Specify the number of days that Enterprise DLP will allow the exemption before the user must re-request the exemption. The maximum period is 365 days.
    4. Show Preview to see how the coaching notification will appear to the user. If you applied additional languages to the template, select the respective language tabs on the preview to verify the translation and to make changes as needed.
    5. Save the Endpoint DLP notification template.
  9. Create an Endpoint DLP Policy Rule to enable end user notification for the rule and to select the notification template for the rule.
    When a user action triggers an incident based on the DLP rule, the notification displayed to the user will be based on the notification template.
  10. The user who generated the Endpoint DLP incident can view the Data Security notification for more information about the sensitive data uploaded, downloaded, or posted.
    A Data Security notification is displayed for 7 days. There is no limit to the number of notifications displayed.
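The following is an added example, not Palo Alto Networks code: a small Python model of the notification template rules described in steps 8 and 10 above, written so the documented behaviour can be checked against a sample incident. It assumes the template semantics the page states (bracketed variables, the file-transfer-only variables, the always-Blocked action, the fall back to English when the device language is not applied to the template, Toast versus Modal display, exemption requests for file transfer incidents only, and the 365-day exemption maximum). The class and function names, the event type identifiers and the sample incident are all constructed for this illustration.

```python
"""Model of how an Endpoint DLP coaching notification template is applied.

Hypothetical illustration only; this is not the product's code. It encodes
the documented template rules so they can be exercised on sample incidents.
"""
import re
from dataclasses import dataclass

# Variables the page documents for each security event type (assumed
# identifiers "file_transfer" and "device_access" are ours, not the product's).
COMMON_VARS = {"Peripheral Type", "Peripheral Name", "Action", "Policy Name"}
FILE_ONLY_VARS = {"File Name", "Transfer Method"}
EVENT_VARS = {
    "file_transfer": COMMON_VARS | FILE_ONLY_VARS,
    "device_access": COMMON_VARS,
}
MAX_EXEMPTION_DAYS = 365          # documented maximum exemption period
VAR_RE = re.compile(r"\[([^\]]+)\]")   # [Variable Name] placeholders


@dataclass
class NotificationTemplate:
    event_type: str                      # "file_transfer" or "device_access"
    title: str
    messages: dict                       # language code -> message; "en" required
    display_type: str = "Toast"          # "Toast" or "Modal"
    enable_exemption_request: bool = False
    exemption_days: int = 0

    def __post_init__(self):
        # Validate the template the way an administrator would expect the UI to.
        if self.event_type not in EVENT_VARS:
            raise ValueError(f"unknown event type {self.event_type!r}")
        if "en" not in self.messages:
            raise ValueError("an English message is required as the fallback")
        if self.display_type not in ("Toast", "Modal"):
            raise ValueError("display type must be Toast or Modal")
        if self.enable_exemption_request and self.event_type != "file_transfer":
            raise ValueError("exemption requests apply to file transfer incidents only")
        if self.enable_exemption_request and not 1 <= self.exemption_days <= MAX_EXEMPTION_DAYS:
            raise ValueError(f"exemption period must be 1..{MAX_EXEMPTION_DAYS} days")
        allowed = EVENT_VARS[self.event_type]
        for lang, text in self.messages.items():
            unknown = set(VAR_RE.findall(text)) - allowed
            if unknown:
                raise ValueError(f"{lang}: variables not valid for {self.event_type}: {sorted(unknown)}")


def render(template, incident, device_language):
    """Return what the user would see for an incident on a device in a language.

    incident is a dict keyed by variable name without brackets. The action is
    always Blocked for Endpoint DLP incidents, so it is filled in here.
    """
    values = {"Action": "Blocked", **incident}
    language = device_language if device_language in template.messages else "en"
    text = template.messages[language]
    body = VAR_RE.sub(lambda m: str(values.get(m.group(1), m.group(0))), text)
    return {
        "title": template.title,
        "body": body,
        "language": language,
        "display_type": template.display_type,
        "can_request_exemption": template.enable_exemption_request,
        # Only a Modal notification lets the user give a reason for the request.
        "can_give_reason": template.enable_exemption_request and template.display_type == "Modal",
        "exemption_days": template.exemption_days if template.enable_exemption_request else 0,
    }


# Constructed sample template and incident (not real data).
SAMPLE_TEMPLATE = NotificationTemplate(
    event_type="file_transfer",
    title="Sensitive Data Transfer Detected",
    messages={
        "en": "Transfer of [File Name] via [Transfer Method] to [Peripheral Type] "
              "[Peripheral Name] was [Action] by policy [Policy Name].",
        "de": "Übertragung von [File Name] per [Transfer Method] auf [Peripheral Type] "
              "[Peripheral Name] wurde [Action] (Regel: [Policy Name]).",
    },
    display_type="Modal",
    enable_exemption_request=True,
    exemption_days=30,
)
SAMPLE_INCIDENT = {
    "File Name": "payroll.xlsx",
    "Transfer Method": "upload",
    "Peripheral Type": "USB",
    "Peripheral Name": "SanDisk Ultra",
    "Policy Name": "Block PII to USB",
}

if __name__ == "__main__":
    for lang in ("en", "de", "fr"):   # "fr" is not applied, so it falls back to English
        print(render(SAMPLE_TEMPLATE, SAMPLE_INCIDENT, lang))
```

Running the block prints the rendered notification for a German device, and shows that a French device receives the English text because French was not applied to the template. The validation in `__post_init__` rejects a device-access template that uses `[File Name]` and an exemption period above 365 days, which mirrors the constraints the steps above describe.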