Configure endpoint DLP settings - Administrator Guide - Cortex XSIAM

Cortex Cloud Runtime Security Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-16
Category
Administrator Guide

Configure the endpoint DLP settings to manage your organization's DLP policies.

  1. Default Actions & Thresholds has two parts:

    1. Data-in-motion default action and threshold configurations:

      Select the fallback policy for instances when the DLP process fails or times out:

      • Allow file movement (fail-open): Specifies the default action that allows the file to transfer, preventing service interruption.

      • Block file movement (fail-close): Specifies the default action that blocks the file from transferring.

        Note

        When a fail-close action occurs, the system creates a Data movement blocked by Endpoint DLP fail-close action issue.

    2. Auto disablement of rule threshold

      This setting controls rule suppression. When a rule's number of hits exceeds the configured threshold, the rule is disabled.

      Click Reset to revert to the default threshold as configured in the system.

      If a rule was suppressed, you can view details in Settings > Management Audit Logs.

  2. For Corporate Account Domain, add the web application resources.

  3. Cortex Data Security Extension (Web DLP Channel): This option controls how the DLP browser extension is installed and uninstalled. You can configure Chrome and Edge separately, using one of the modes below. By default, MDM deploys the extension to the selected endpoints. For the deployment steps, see the instructions for installing the DLP browser extension.

    • MDM: This option is the default for distributing and installing the extension on the selected endpoints using one of the supported management tools, such as Microsoft Intune for Windows or JAMF for macOS.

      After installation, the agent then communicates with the extension to activate endpoint DLP.

    • Forced activation (by XDR): This option automatically installs the browser extension if it detects that it is missing, acting as a backup to ensure the extension is installed on the selected endpoints. The endpoint must be associated with a domain.

      Note

      • The agent does not force-install the extension if it is already managed by the MDM on the endpoint.

      • The XDR agent ensures full coverage by force-installing the extension on both managed and unmanaged browsers. However, if a browser later becomes officially managed by the organization, the extension must be redeployed through the central management console to maintain control.

    • Disable: The extension is disabled.

      Note

      In the case of MDM, the extension is user-managed, so Cortex doesn’t remove an installed MDM extension; it only disables communication with the DLP extension.

  4. In the End User Dialog section, you can add the default pop-up message for each of the following events:

    • Enable User Interaction

      Note

      You can specify the end-user message per rule.

    • Reporting Mismatch (FP)

    • Rule Override

    For each of the options, enter the default text to display in the end-user dialog for each event.

    • In the Title, enter the default name for the dialog.

    • In the Body, enter the message to display in the dialog. You can choose to use the system's default text. This is also relevant for Reporting Mismatch and Rule Override.

    • In the Admin Email Link, enter the default admin email that will be added to the body.

    • In the Dialog Main Button Label, enter the text to use for the button to close the window.
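The following sketch audits browser-extension coverage against the three modes in step 3 (MDM, Forced activation, Disable). It is an added example, not Palo Alto Networks code. It assumes the MDM deploys the extension through the Chrome/Edge `ExtensionInstallForcelist` policy; the extension ID is a placeholder and the inventory rows are constructed.

```python
# Added example: flag endpoints where the DLP browser extension has no coverage.
# EXT_ID is a placeholder, NOT the real Cortex Data Security Extension ID.
EXT_ID = "a" * 32


def mdm_forced(forcelist, ext_id=EXT_ID):
    """True if an ExtensionInstallForcelist policy value lists ext_id.

    Each policy entry is "<extension id>" or "<extension id>;<update URL>".
    """
    return any(e.split(";", 1)[0].strip().lower() == ext_id for e in forcelist)


def assess(mode, forcelist, installed, domain_joined):
    """Return (status, reason) for one browser on one endpoint.

    mode is "mdm", "forced" or "disable", mirroring the modes in step 3.
    """
    managed = mdm_forced(forcelist)
    if mode == "disable":
        # Cortex only stops communicating; an MDM-installed copy is not removed.
        return ("inactive", "MDM copy remains installed" if managed else "disabled")
    if managed:
        # The agent does not force-install over an MDM-managed extension.
        return ("covered", "deployed by MDM")
    if mode == "mdm":
        return ("gap", "extension not enforced by MDM force-install policy")
    if installed:
        return ("covered", "force-installed by agent")
    if not domain_joined:
        return ("gap", "forced activation requires a domain-associated endpoint")
    return ("pending", "agent should install the missing extension")


# Constructed rows: (host, browser, mode, forcelist, installed, domain_joined)
INVENTORY = [
    ("ws-01", "chrome", "mdm", [EXT_ID + ";https://example.invalid/u.xml"], True, True),
    ("ws-02", "edge", "mdm", [], False, True),
    ("lt-03", "chrome", "forced", [], False, False),
    ("lt-04", "edge", "forced", [], False, True),
    ("ws-05", "chrome", "disable", [EXT_ID], True, True),
]


def gaps(rows):
    """List (host, browser, reason) for every row assessed as a coverage gap."""
    results = [(h, b, assess(m, f, i, d)) for h, b, m, f, i, d in rows]
    return [(h, b, reason) for h, b, (status, reason) in results if status == "gap"]


if __name__ == "__main__":
    for host, browser, reason in gaps(INVENTORY):
        print(f"{host} {browser}: {reason}")
```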