Cortex Data Loss Prevention (DLP) module overview

Cortex XDR 5.x Documentation

Product: Cortex XDR
License: XDR + Cloud
Creation date: 2025-07-13
Last date published: 2026-06-11
Category: Administrator Guide
Abstract

Learn about the Cortex Data Loss Prevention (DLP) module, which provides a solution to prevent sensitive data exfiltration.

The Cortex Data Loss Prevention (DLP) module provides a unified and flexible solution to prevent sensitive data exfiltration. It continuously enforces policies on endpoints (even offline) across web, local, and USB channels, protecting both on-premise and cloud environments.

After endpoint DLP is enabled, the DLP module is downloaded to all eligible endpoints.

This highlights Cortex's benefit of proactively safeguarding sensitive information. Future enhancements will include data-at-rest discovery, adaptive policies, and broader channel support.

Prerequisites

  • Endpoint DLP add-on license

  • Cortex agent 9.1 and above for Windows and macOS

  • Supported browsers for the Cortex data security extensions: Google Chrome and Microsoft Edge.

  • Supported platforms:

    • Windows: x64 (ARM CPU architecture not supported)

    • macOS

Windows/macOS supported file types and extensions

| Category/application | Supported formats and extensions |
|---|---|
| Microsoft Office | doc, docx, dotx, ppsx, potx, ppt, pptx, xls, xlsx, xsltx |
| Microsoft Visio | vsd, vsdm, vsdx |
| iWork | key, numbers, pages |
| Standard documents | csv, pdf, rtf, txt, xps, oxps |
| Image files and storage | bmp, jpeg, jpg, png, tif, tiff |
| Source code/development (C-family) | c, cpp, cxx, c++, h, hpp, cs, m |
| Source code/development (scripting and programming) | cgi, jav, java, js, pl, ps1, py, r, rb, vbs |
| Source code/development (hardware and assembly) | asm, s, v, verilog, vh, vhd1, vlg |

  • Supported platforms: Windows and macOS

  • Minimum agent version: 9.1.0

  • USB channel on Windows:

    • Before Windows 11 version 22H2, tracking is limited to files transferred to USB drives via File Explorer.

    • Starting with Windows 11 22H2, all transfers via the Windows CopyFile API are tracked. This does not include third-party copy applications.

  • Archived files are not supported

  • Supported file size: up to 50Mb (from version 9.2.0)

  • Local applications:

    • When Dropbox Backup is enabled, opening a sensitive file triggers a DLP alert.

    • Certain predefined local applications, such as WhatsApp, Microsoft Teams, and Zoom, now use WebView2. Previously, this prevented the blocking and interception of uploads. Through parent-and-child process inheritance, you can now configure these applications within your predefined application definitions. This mechanism supports current and future applications that use WebView2.

  • Protecting personal information: Protects information like names, addresses, and credit card numbers to adhere to privacy policies (like GDPR or HIPAA).

  • Guarding company secrets: Prevents valuable designs, formulas, and business plans from falling into the wrong hands (like competitors).

  • Meeting legal rules: Helps businesses in specific industries (like healthcare or finance) follow strict laws about handling data.

  • Stopping leaks (accidental or intentional): Catches employees trying to email sensitive files to their accounts or upload them to unauthorized websites. It also helps prevent cybercriminals from stealing data.

  • Seeing and controlling data: Helps you locate all your important data and allows you to determine who can access it and how it can be utilized.

Cortex DLP now includes two new out-of-the-box roles:

  • Data security admin: Defines the policy and its key components, including applications.

  • Data security viewer: Reviews and analyzes DLP-related issues.

Refer to Personas workflow for DLP for the steps on how to create and manage endpoint DLP in your environment.

Verify that the role linked to the user grants the correct permissions to access and configure DLP capabilities.

  1. Go to Settings > Configuration > Access Management > Roles.

  2. Go to the relevant role, right-click and select Edit Role, and in the Components tab, verify under Data Security that the settings are configured to View/Edit.