Endpoint DLP Settings - Configure Endpoint DLP Settings (under Data Security). - Administrator Guide - Cortex XSIAM - Cortex

Endpoint DLP Settings - Configure Endpoint DLP Settings (under Data Security). - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM 3.x Documentation

Product

Cortex XSIAM

Creation date

2025-07-15

Last date published

2026-06-11

Caution

Modifications made on this page, such as changing the default action (allow/block file movement), adjusting rule suppression thresholds, or altering browser extension installation modes, will globally affect all Data-in-Motion Rules and overall DLP enforcement. Proceed with caution when adjusting thresholds.

For more information, see Configure endpoint DLP settings.

Permission	Description	Recommended Roles
None	Users cannot access the Endpoint DLP Settings page. These users cannot see any DLP settings, browser extension configurations, or default action settings.	SOC Tier-1 Analyst: DLP settings are outside Tier-1 scope. DLP engine settings management is outside the IT infrastructure administration scope.
View	Read-only access to view current settings. Users can view the default action configuration, corporate account domain names, browser extension installation modes, rule suppression thresholds, and user interaction notification settings.	SOC Tier-2 and 3 Analysts: May need to review DLP settings when troubleshooting DLP-related cases/advanced analysis. Threat Hunter: DLP settings are not typically relevant to threat hunting activities.
View/Edit	Full control over the DLP engine settings. Users can modify the default action, add/remove corporate domains, change browser extension modes, adjust rule suppression thresholds, and configure user notifications.	Security Engineer: Responsible for configuring and tuning DLP settings. Security Admin: Full administrative access to all DLP configurations.

Endpoint DLP Settings act as the global baseline for the DLP engine. To safely modify these settings, administrators need visibility into the specific rules that enforce the data security posture and the agents that deploy them.

Permission	Permission Level	Reason
Data-in-Motion Rules	View	Strongly recommended. Global DLP settings (like default actions and browser extensions) directly dictate how Data-in-Motion rules operate. Understanding the currently active rules provides critical context before making global changes.
Agent Administrations	View	Strongly recommended. Recommended. DLP settings and browser extensions are deployed via the endpoint agent. Viewing agent statuses helps administrators verify that global DLP configurations are being successfully deployed.
Data Classification	View	Recommended. Endpoint DLP Settings are closely related to the tenant's broader Data Classification configurations, which define what the DLP engine considers sensitive data.