Cortex DLP threat detection and issues

Cortex Cloud Runtime Security Documentation

Product
Cortex Cloud Application Security > Cortex CLOUD
License
Cloud Runtime Security
Creation date
2024-12-24
Last date published
2026-06-04
Category
Administrator Guide

The Cortex DLP module prevents sensitive data exfiltration. When a data-in-motion rule is violated, a DLP issue is generated, giving you visibility into each violation.

To view DLP issues, go to Data Security > Data Security Issues > Threats. For these issues the Detection Method is set to DLP.

Note

Access to this page is restricted to users with the roles: Data Security Admin, Instance Administrator, and Account Admin.

The parameters configured during rule creation are shown as issue attributes on this page. These include:

  • Name: Taken from the Raised Issue Name field defined when creating the rule.

  • Severity: The assigned severity level of the Issue.

  • Description: The predefined description from the rule.

  • Detection method: When an issue arises from a data-in-motion rule violation, its Detection Method is DLP.

  • Action: How the rule responded to the issue: Prevented (Blocked), Allow, or Report.

Note

If the default action configured in Endpoint DLP Settings is set to Block file movement (fail-close), an issue is raised with the severity set to low and the name "Data movement blocked by Endpoint DLP default action".
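As an added example (not Palo Alto Networks code), the following triage helper reads an exported list of issue records, keeps only those whose Detection Method is DLP, normalizes the three action labels listed above, and counts fail-close default-action blocks separately from rule hits. The JSON field names and the sample records are assumptions constructed for the example; the real raw-data (JSON) layout may differ.

```python
"""Triage helper for Cortex DLP issue records (added example, assumed schema)."""
import json
from collections import Counter

# Issue name the guide states is used for fail-close default-action blocks.
DEFAULT_ACTION_NAME = "Data movement blocked by Endpoint DLP default action"

# Constructed sample export with assumed field names, not a real export.
SAMPLE_EXPORT = json.dumps([
    {"name": "PCI data upload", "severity": "high", "detection_method": "DLP",
     "action": "Prevented (Blocked)", "description": "Card numbers in upload"},
    {"name": "Source code share", "severity": "medium", "detection_method": "DLP",
     "action": "Report", "description": "Internal repository content"},
    {"name": DEFAULT_ACTION_NAME, "severity": "low", "detection_method": "DLP",
     "action": "Prevented (Blocked)", "description": "Fail-close default action"},
    {"name": "Suspicious process", "severity": "high", "detection_method": "Other",
     "action": "Report", "description": "Not a DLP issue; must be filtered out"},
])


def normalize_action(action: str) -> str:
    """Map the UI's action labels (Prevented (Blocked), Allow, Report) to one key."""
    label = action.strip().lower()
    if "block" in label or "prevent" in label:
        return "blocked"
    if label.startswith("allow"):
        return "allowed"
    if label.startswith("report"):
        return "reported"
    raise ValueError(f"unknown DLP action label: {action!r}")


def triage(export: str) -> dict:
    """Summarise DLP-detected issues for review.

    Default-action blocks are counted apart from rule hits: they come from the
    fail-close default action, not from a data-in-motion rule match, so the
    follow-up (check the default action setting) differs from tuning a rule.
    """
    dlp = [r for r in json.loads(export) if r.get("detection_method") == "DLP"]
    default_blocks = [r for r in dlp if r["name"] == DEFAULT_ACTION_NAME]
    rule_hits = [r for r in dlp if r["name"] != DEFAULT_ACTION_NAME]
    return {
        "dlp_issues": len(dlp),
        "by_action": dict(Counter(normalize_action(r["action"]) for r in dlp)),
        "default_action_blocks": len(default_blocks),
        "rule_hits_by_severity": dict(Counter(r["severity"] for r in rule_hits)),
    }
```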

View the DLP issue card panel

Click a DLP issue to open the DLP security card, where you can investigate the issue, take any actions required, and see the remediation suggestions.

From the three-dot menu, you can open the issue in a new tab, copy the issue URL, retrieve the file, or view raw data (JSON).

Some other important actions:

  • Retrieve File: From the asset card, click the retrieve-file icon to obtain a copy of the file that triggered the security alert.

  • Click the rule icon to open the related rule that triggered the issue.

At the top of the card, you can view information about the issue, including the severity, detection tags, category, and detection method. In the tabs, you can see more information about the cause of the issue, take any actions required, and see the remediation suggestions.

You can also see the details of the user who logged into the browser.

The issue details display a description of the issue and provide key information, such as the assignee, status, action taken, and the time that the issue was created and updated.

You can also see the following:

  • Evidence, which includes data classification details such as Data Profiles, Data Patterns, Classification Status, and Profile Indicators.

    Click the Profile Indicators link to view the list of sensitive data contained in the file.

    The graph enables you to view information on the relevant file and logged-in user details.

  • File, which includes the Name, Hash, Path, and Data Volume of the file.

    The path shows the full path of the uploaded file.

  • Local Applications, which includes the Process Name, Signer, Application Name, and Application Group Name.

  • User Interaction, which includes the User Response.

War Room: A comprehensive collection of all investigation actions, artifacts, and collaboration, kept as a chronological journal of the issue investigation. For more information, see Use the War Room in an investigation.

Work Plan: A visual representation of the running playbook that is assigned to the issue. For more information, see Use the Work Plan in an investigation.