You have purchased the DLP Cloud Detection Service - and intend to use a REST CDS to accept requests from a data source other than the CloudSOC/CASB service.

There are a few valid cases for Custom Rest integrations - these are listed in the Environment section below.

Each of these requires a Cloud Detector to have additional configuration(s) after being provisioned as a CDS for CASB.

The CDS for Custom REST is a regular CDS for CASB that has been converted to accept requests from a different data source.

These are currently FIRST provisioned as a CDS for CASB, but are afterward updated in a new configuration, in order for the Custom REST Client to accept traffic from the additional sources listed in this article.

NOTE: As of Oct. 2025, only Enforce-Managed Cloud Detectors can have this configuration! Custom-REST is not yet available as a Cloud Managed CDS.

The below details summarize the steps to get one of these "alternative" CDS for REST types configured.

Firstly, a valid entitlement in the Enterprise Console, for a CDS for REST - this must be a separate and in addition to any entitlement for an already provisioned CDS for CASB.

1. If there is an available entitlement for a CDS for CASB in Enterprise Console, submit request.
2. At this point, the status in the Console should show as "In-Progress". This is because the DLP Cloud Operations team is manually provisioning the CDS.
   
3. Before this is provisioned, open a Technical Support case with your Partner (or directly with Broadcom if you have that ability).
4. As provisioning is taking place, TechSupport will need to follow up with Cloud Ops to have CDS for CASB converted to a Custom REST CDS.
   
5. TechSupport will confirm the following (via internal tools):
   • Verify Detector is provisioned, setup and converted correctly.
   • Verify Application Detection Filter is correctly setup in Enforce (see "Additonal info" section, for linked KB for setup of Filter GUID).

Overview of steps for integration of a DLP CDS with other products

Method for Web Isolation integration, or for any other Custom REST Client 

• Web Isolation requires a client certificate, instructions for which are included in the Welcome Email.
• No token is utilized.
• Follow the steps in the KB linked below to obtain Filter IDs from Enforce to Web Isolation portal.

Method for CASB, integration with the CloudSOC - default option

• Use the token from your Welcome Email.
• No additional certificate is required.
• Scan Filter IDs are sent automatically to CASB when Policy Groups are assigning for Application Detection via Enforce.

Method for Zero Trust Network Access (aka "Secure Access Cloud") integration

• Use the token from your Welcome Email.
• No additional certificate is required.
• Follow the steps in the KB linked below to obtain Filter IDs from Enforce to the Secure Access Cloud portal.
• Note: SAC and CDS must both be provisioned in the same region (EU vs US). If they are not, errors will ensue with the token:
  You are trying to register your DLP Custom REST CDS with the Secure Access Console and receive an unexpected error

For Web Isolation and ZTNA systems, the following KB covers additional configuration that is required in Enforce:

Cloud Detection Service for REST API with error for Scan Filter is not receiving detection requests (broadcom.com)