Enterprise DLP by Palo Alto Networks

Details
Content
Dependencies
Version History

Palo Alto Networks Enterprise DLP Integration

Palo Alto Networks Enterprise DLP Content Pack

This content pack enables Cortex XSOAR to integrate with Palo Alto Networks Enterprise DLP. Using this content pack, you can fetch DLP incidents and update DLP incidents with user feedback. This pack includes the Palo Alto Networks Enterprise DLP integration and a sample playbook to gather user feedback for a DLP incident using Slack.

Palo Alto Networks Enterprise DLP Integration

Integrates with the Enterprise DLP service to get details about DLP violations and to update DLP incidents with user feedback.

The integration includes commands to:

Fetch DLP incidents from the "NGFW" and "Prisma Access" channels.
Fetch DLP reports with data pattern match details.
Fetch DLP reports with data pattern match details and snippets from the file.
Update a DLP incident with user feedback and approval process.
Check if the option to exempt the violation should be provided for a given DLP data profile name.
Get approval for any exemption requests.
Send a customized Slack bot message to the user to ask for feedback.
Reset the last run.

Palo Alto Networks Enterprise DLP Content Pack

This content pack enables Cortex to integrate with Palo Alto Networks Enterprise DLP. Using this content pack, you can fetch DLP incidents and update DLP incidents with user feedback. This pack includes the Palo Alto Networks Enterprise DLP integration and a sample playbook to gather user feedback for a DLP incident using Slack.

Palo Alto Networks Enterprise DLP Integration

Integrates with the Enterprise DLP service to get details about DLP violations and to update DLP incidents with user feedback.

The integration includes commands to:

Fetch DLP incidents from the "NGFW" and "Prisma Access" channels.
Fetch DLP reports with data pattern match details.
Fetch DLP reports with data pattern match details and snippets from the file.
Update a DLP incident with user feedback and approval process.
Check if the option to exempt the violation should be provided for a given DLP data profile name.
Get approval for any exemption requests.
Send a customized Slack bot message to the user to ask for feedback.
Reset the last run.

Automations

Name	Description
DlpAskFeedback	Sends a message via Slack or MS Teams to the user whose activity violated DLP policies and triggered the incident.

Classifiers

Name	Description
Data Loss Prevention	A mapper that maps raw DLP incident fields into Cortex XSOAR incident fields

Incident Fields

Name	Description
PAN DLP Action
PAN DLP Incident ID
PAN DLP Channel
PAN DLP Incident Feedback	User provided feedback to the DLP incident, such as true positive or false positive
PAN DLP Incident Region
PAN DLP Report ID
DLP Detections	Detected violations snippets.
PAN DLP Tenant ID
PAN DLP Data Profile Name
PAN DLP Previous Feedback

Incident Types

Name	Description
Data Loss Prevention

Integrations

Name	Description
Palo Alto Networks Enterprise DLP	Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.

Layouts

Name	Description
Palo Alto Networks Enterprise DLP Incident Layout

Playbooks

Name	Description
DLP - User Message App Check	Check if the given message app exists and is configured and retrieve the user details from it.
DLP Incident Feedback Loop	This playbook handles Palo Alto Networks Enterprise DLP incidents. It Collects feedback from the user about blocked activities and automates the approval process, if required. Supported communication methods are Slack, Microsoft Teams and Email.
DLP - Get User Feedback via Email	Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed.
DLP - Get Approval	Get an approver response for an exemption request from a user.
DLP - Get User Feedback	Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed.

Automations

Name	Description
DlpAskFeedback	Sends a message via Slack or MS Teams to the user whose activity violated DLP policies and triggered the incident.

Classifiers

Name	Description
Data Loss Prevention	A mapper that maps raw DLP incident fields into Cortex incident fields

Incident Fields

Name	Description
PAN DLP Channel
PAN DLP Tenant ID
PAN DLP Incident Feedback	User provided feedback to the DLP incident, such as true positive or false positive
PAN DLP Incident Region
PAN DLP Previous Feedback
DLP Detections	Detected violations snippets.
PAN DLP Report ID
PAN DLP Data Profile Name
PAN DLP Action
PAN DLP Incident ID

Incident Types

Name	Description
Data Loss Prevention

Integrations

Name	Description
Palo Alto Networks Enterprise DLP	Palo Alto Networks Enterprise DLP discovers and protects company data across every data channel and repository. Integrated Enterprise DLP enables data protection and compliance everywhere without complexity.

Playbooks

Name	Description
DLP Alert Feedback Loop	This playbook handles Palo Alto Networks Enterprise DLP alerts. It Collects feedback from the user about blocked activities and automates the approval process, if required. Supported communication methods are Slack, Microsoft Teams and Email.
DLP - User Message App Check	Check if the given message app exists and is configured and retrieve the user details from it.
DLP - Get User Feedback	Get the user feedback on a blocked file, whether it is false or true positive and if an exemption is needed.
DLP - Get Approval	Get an approver response for an exemption request from a user.
DLP - Get User Feedback via Email	Get the user feedback via email on a blocked file, whether it is false or true positive and if an exemption is needed.

Required Content Packs (6)

Pack Name	Pack By
Base	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Microsoft Teams	By: Cortex XSOAR
Slack	By: Cortex XSOAR

Optional Content Packs (1)

Pack Name	Pack By
Common Types	By: Cortex XSOAR

All level dependencies (9)

Pack Name	Pack By
Common Scripts	By: Cortex XSOAR
Filters And Transformers	By: Cortex XSOAR
Slack	By: Cortex XSOAR
Common Playbooks	By: Cortex XSOAR
Cortex REST API	By: Cortex XSOAR
Microsoft Teams	By: Cortex XSOAR
Aggregated Scripts	By: Cortex XSOAR
Rasterize	By: Cortex XSOAR
Base	By: Cortex XSOAR

2.2.0 - 8937460 (May 12, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the Fetch Lookback Window (minutes) parameter, which can be used to configure the number of minutes to look back during each fetch to capture late-indexed incidents.

Related pull requests:
- 44223

Download

2.1.3 - 8592679 (April 29, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added the DataProfiles output to the pan-dlp-get-report command, surfacing the data_profiles array from the API response including profile trigger status and per-pattern match details.
Added the MatchedConfidenceLevel field to the DataPatternMatches output of the pan-dlp-get-report command.
Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44060

Download

2.1.2 - 8542515 (April 28, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Improved the implementation of the incident ID-based deduplication mechanism to reduce duplicate incidents during fetch.

Related pull requests:
- 44061

Download

2.1.1 - 8429843 (April 23, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Documentation and metadata improvements.

Related pull requests:
- 43991

Download

2.1.0 - 8288718 (April 15, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the following parameters:
- Server URL
- Authentication URL
- First Fetch Timestamp
- Maximum number of incidents per fetch
Fixed an issue where incidents were missing by implementing time-based querying and ID-based deduplication.
Breaking Change: Migrated from fetching DLP incidents via long-running execution to periodic fetching based on the Incidents Fetch Interval. Ensure the Fetch Incidents checkbox is checked.
Deprecated the pan-dlp-reset-last-run command. Reset the "last run" timestamp via the integration instance configuration window.
Updated the Docker image to: demisto/python3:3.12.13.7444307.

Related pull requests:
- 43401

Download

2.0.26 - 7843807 (March 22, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.0.25 - R7270993 (February 22, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added support for Incident type parameter.

Related pull requests:
- 43190
- 43106

Download

2.0.24 - 6615618 (January 8, 2026)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 42522

Download

2.0.23 - 6105231 (December 2, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the Paris and Switzerland DLP regions.
Deprecated the France DLP region (replaced by the new Paris region).
Deprecated the Singapore DLP region (included in the Asia-Pacific region).

Related pull requests:
- 42111

Download

2.0.22 - 6025169 (November 26, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the Brazil and Singapore DLP regions.

Related pull requests:
- 42052

Download

2.0.21 - 5801457 (November 10, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Fixed an issue where creating incidents would occasionally fail due to a parsing error when the userId field was missing from the raw DLP notification.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41853

Download

2.0.20 - 5636304 (October 29, 2025)

Changes are not relevant for XSOAR marketplace.

Related pull requests:
- 41629

Download

2.0.19 - R5469292 (October 20, 2025)

Scripts

DlpAskFeedback

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

2.0.18 - 3838742 (June 17, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Fixed an issue where the integration would loop on authorization errors due to expired access token.
Updated the Docker image to: demisto/python3:3.12.8.3720084.

Related pull requests:
- 40277

Download

2.0.17 - R3414854 (May 15, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Metadata and documentation improvements.

Scripts

DlpAskFeedback

Metadata and documentation improvements.

Related pull requests:
- 39077

Download

2.2.0 - 8937460 (May 12, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the Fetch Lookback Window (minutes) parameter, which can be used to configure the number of minutes to look back during each fetch to capture late-indexed incidents.

Related pull requests:
- 44223

Download

2.1.3 - 8592679 (April 29, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added the DataProfiles output to the pan-dlp-get-report command, surfacing the data_profiles array from the API response including profile trigger status and per-pattern match details.
Added the MatchedConfidenceLevel field to the DataPatternMatches output of the pan-dlp-get-report command.
Updated the Docker image to: demisto/python3:3.12.13.8428455.

Related pull requests:
- 44060

Download

2.1.2 - 8542515 (April 28, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Improved the implementation of the incident ID-based deduplication mechanism to reduce duplicate incidents during fetch.

Related pull requests:
- 44061

Download

2.1.1 - 8429843 (April 23, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Documentation and metadata improvements.

Related pull requests:
- 43991

Download

2.1.0 - 8288718 (April 15, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the following parameters:
- Server URL
- Authentication URL
- First Fetch Timestamp
- Maximum number of incidents per fetch
Fixed an issue where incidents were missing by implementing time-based querying and ID-based deduplication.
Breaking Change: Migrated from fetching DLP incidents via long-running execution to periodic fetching based on the Incidents Fetch Interval. Ensure the Fetch Incidents checkbox is checked.
Deprecated the pan-dlp-reset-last-run command. Reset the "last run" timestamp via the integration instance configuration window.
Updated the Docker image to: demisto/python3:3.12.13.7444307.

Related pull requests:
- 43401

Download

2.0.26 - 7850318 (March 23, 2026)

Documentation and metadata improvements.

Related pull requests:
- 43568

Download

2.0.25 - R7270993 (February 22, 2026)

Integrations

Palo Alto Networks Enterprise DLP

Added support for Incident type parameter.

Related pull requests:
- 43106
- 43190

Download

2.0.24 - 6615618 (January 8, 2026)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 42522

Download

2.0.23 - 6105231 (December 2, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the Paris and Switzerland DLP regions.
Deprecated the France DLP region (replaced by the new Paris region).
Deprecated the Singapore DLP region (included in the Asia-Pacific region).

Related pull requests:
- 42111

Download

2.0.22 - 6025169 (November 26, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Added support for the Brazil and Singapore DLP regions.

Related pull requests:
- 42052

Download

2.0.21 - 5801457 (November 10, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Fixed an issue where creating incidents would occasionally fail due to a parsing error when the userId field was missing from the raw DLP notification.
Updated the Docker image to: demisto/python3:3.12.12.5490952.

Related pull requests:
- 41853

Download

2.0.20 - 5636304 (October 29, 2025)

Changes are not relevant for XSIAM marketplace.

Related pull requests:
- 41629

Download

2.0.19 - R5469292 (October 20, 2025)

Scripts

DlpAskFeedback

Updated the Docker image to: demisto/python3:3.12.8.3296088.

Related pull requests:
- 40498

Download

2.0.18 - 3838742 (June 17, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Fixed an issue where the integration would loop on authorization errors due to expired access token.
Updated the Docker image to: demisto/python3:3.12.8.3720084.

Related pull requests:
- 40277

Download

2.0.17 - R3414854 (May 15, 2025)

Integrations

Palo Alto Networks Enterprise DLP

Metadata and documentation improvements.

Scripts

DlpAskFeedback

Metadata and documentation improvements.

Related pull requests:
- 39077

Download

PUBLISHER

PLATFORMS

Cortex XSOARCortex XSIAM

INFO

Certification	Certified	Read more
Supported By	Cortex
Created	November 20, 2020
Last Release	May 12, 2026

WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER

By downloading or using Marketplace content, you agree to the applicable Terms of Use and End User License Agreement. Third-party content is provided by its publisher, and Palo Alto Networks does not warrant, endorse, support, or assume responsibility for content not expressly identified as owned by Palo Alto Networks.