Configuring the Data at Rest Scanning DLP Policy
The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy allows you to create rules to discover and protect sensitive data at rest in sanctioned SaaS applications.
To inspect content based on a configured policy rule's specifications, you must add it to a scan schedule. The Zscaler service does not inspect content until you configure a scan. To learn more, see About SaaS Security Scan Configuration.
To configure the Data at Rest Scanning DLP policy:
- Go to Policies > Data Protection > Policy > Out-of-band CASB.
- Choose one of the following SaaS application types from the drop-down menu:
- Collaboration
To add a DLP rule for collaboration applications:
- Click Add DLP Rule. The Add DLP Rule window appears.
- Enter the rule attributes:
  - Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
  - Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
  - Rule Name: Enter a unique name for the DLP rule.
  - Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
  - Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
  - SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule. You can also search for application tenants.
    For Microsoft Teams, Slack, and Webex Teams, keywords within a file are detected regardless of their character length. Terms searched for in a message or chat, however, must be at least 8 bytes long; a shorter term or string is not detected by the DLP action.
  - Components: The components that the Zscaler service inspects for sensitive data. Choose Any to inspect all components, or choose to only inspect Attachments or Messages.
  - Senders: The users who sent the attachments or messages containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
  - Groups: The groups of the users who sent the attachments or messages containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
  - Departments: The departments of the users who sent the attachments or messages containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
  - DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
  - Content Location: The location of the content that the Zscaler service inspects for sensitive data. Choose Any to inspect all content locations, or choose a content location.
  - Domains: This field only appears when you select Shared Channels for Content Location. Enter the domain of the external organization sharing the channel and then click Add Items. To add multiple domains, separate them with commas.
- (Optional) Define the DLP Incident Receiver:
  - If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field as None.
  - If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
    Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
    Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly: criteria other than the data type need not match. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
  - Action: Choose the action the rule takes upon detecting content that matches the criteria. The number of actions available depends on the selected SaaS Application Tenant.
    - Notify Users Only: The rule notifies the users about the incident.
      - For Slack, the custom Slack bot notifies the users.
      - For Microsoft Teams, the Microsoft Teams bot notifies the users.
      - For Webex Teams, the custom Webex Teams bot notifies the users.
    - Quarantine: (Slack, Webex Teams) Select this option to quarantine sensitive messages and files. When you select this option, the Tombstone Template drop-down menu appears.
    - Report Incident Only: The rule reports the incident only.
  - Tombstone Template: (Slack, Webex Teams) If you select Quarantine as the Action for sensitive content, you must select a tombstone template from the drop-down list. The quarantine action creates a tombstone message that end users see in Slack or Webex Teams. After a message or file has been quarantined, admins can use the SaaS Security Assets Report to review and remove the quarantined content. To learn more, see About Quarantine Tombstone File Templates and SaaS Assets Report: Assets with Incidents.
  - Severity: Select a severity level (High, Medium, Low, or Information) for the incidents that match this rule. The Information level lets you track low-risk incidents that should still be observed.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, no notification is sent for this rule.
  - For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
  - Select the Auditor:
    - If the auditor is from a hosted database, select or search for the auditor.
    - If the auditor is external, enter the auditor’s email address.
  - Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- CRM
To add a DLP rule for CRM applications:
- Click Add DLP Rule. The Add DLP Rule window appears.
- Enter the rule attributes:
  - Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
  - Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
  - Rule Name: Enter a unique name for the DLP rule.
  - Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
  - Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
  - SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule. You can also search for application tenants.
  - Components: The components that the Zscaler service inspects for sensitive data. Choose Any to inspect all components, or choose to only inspect Attachments in Objects or Chatter Messages.
  - Owners: The users who own the objects containing sensitive data or sent the Chatter messages containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
  - Groups: The groups of the users who own the objects containing sensitive data or sent the Chatter messages containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
  - Departments: The departments of the users who own the objects containing sensitive data or sent the Chatter messages containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
  - DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
  - Collaboration Scope: The collaboration scopes and permissions for SaaS tenant files that contain sensitive data. Select Any to apply the rule to files with all collaboration levels, or select any number of the following collaboration scopes and specify the permissions (View, Edit) for each scope:
    - External Collaborators: Files that are shared with specific collaborators outside of your organization.
    - External Link: Files with shareable links that allow anyone outside your organization to find the files and have access.
    - Internal Collaborators: Files that are shared with specific collaborators or are discoverable within your organization.
    - Internal Link: Files with shareable links that allow anyone within your organization to find the files and have access.
    - Private: Files that are only accessible to the owner.
  - Object Type: Choose Any to inspect all object types, or choose an object type.
- (Optional) Define the DLP Incident Receiver:
  - If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field as None.
  - If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
    Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
    Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly: criteria other than the data type need not match. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
  - Action: Select the action the rule takes upon detecting content that matches the criteria.
    - Change to Read Only for All Collaborators: The rule reports the incident and changes the file’s collaboration scope for all collaborators to read only.
    - Change to Read Only for External Collaborators: The rule reports the incident and changes the file’s collaboration scope for external collaborators to read only.
    - Change to Read Only for Internal Collaborators: The rule reports the incident and changes the file’s collaboration scope for internal collaborators to read only.
    - Quarantine: The Zscaler service quarantines suspicious files. When you choose this action, the Quarantine Location field appears. Enter the location to which all quarantined files are moved; from there you can delete or restore the data.
    - Remove: The Zscaler service deletes the file.
    - Remove External Collaborators and Shareable Link: The rule reports the incident and removes all of the file’s external collaborators and any shareable links.
    - Remove Internal Collaborators and Shareable Link: The rule reports the incident and removes all internal collaborators and any shareable links.
    - Remove Public Shareable Link: The rule reports the incident and removes the file’s public shareable link. Existing collaborators are unaffected.
    - Remove Sharing: The rule reports the incident and removes all of the file’s collaborators and any shareable links.
    - Report Incident Only: The rule reports the incident only and makes no changes to the file’s collaboration scope.
  - Severity: Select a severity level (High, Medium, Low, or Information) for the incidents that match this rule. The Information level lets you track low-risk incidents that should still be observed.
  - Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file, based on the selected template, in the quarantine location and adds the description from the tombstone template created on the Quarantine page. To learn more, see About Quarantine Tombstone File Templates.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, no notification is sent for this rule.
  - For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
  - Select the Auditor:
    - If the auditor is from a hosted database, select or search for the auditor.
    - If the auditor is external, enter the auditor’s email address.
  - Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- Email
To add a DLP rule for email applications:
- Click Add DLP Rule. The Add DLP Rule window appears.
- Enter the rule attributes:
  - Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
  - Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
  - Rule Name: Enter a unique name for the DLP rule.
  - Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
  - Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
  - SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule. You can also search for application tenants.
    For each DLP rule you create, you can only add tenants from the same SaaS application provider. For example, if you have a tenant for Gmail and a tenant for Exchange, you can create a rule for the Gmail tenant and a separate rule for the Exchange tenant, but you cannot create one rule for both the Gmail tenant and the Exchange tenant.
  - Components: This field cannot be changed. The Zscaler service inspects the body, attachments, and subject of emails for sensitive data.
  - Senders: The users who sent the emails containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
  - Recipients: This field cannot be changed. This rule only applies when at least one email recipient is from outside your organization, and that recipient is not an external trusted user and is not using an external trusted domain. To learn more, see Adding SaaS Application Tenants.
  - Groups: The groups of the users who sent the emails containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
  - Departments: The departments of the users who sent the emails containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
  - DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
- (Optional) Define the DLP Incident Receiver:
  - If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field as None.
  - If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
    Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
    Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly: criteria other than the data type need not match. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
  - Action: Select the action the rule takes upon detecting content that matches the criteria.
    - Apply Email Tag: The rule reports the incident and applies an email tag to the email. When you choose this action, the Label Name field appears. From this drop-down menu, choose the email label you want the rule to apply to the emails. The Zscaler service automatically creates the email category or email label in the users’ email accounts if it hasn’t already been created.
    - Report Incident Only: The rule reports the incident only.
  - Severity: Select a severity level (High, Medium, Low, or Information) for the incidents that match this rule. The Information level lets you track low-risk incidents that should still be observed.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, no notification is sent for this rule.
  - For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
  - Select the Auditor:
    - If the auditor is from a hosted database, select or search for the auditor.
    - If the auditor is external, enter the auditor’s email address.
  - Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- File Sharing
To add a DLP rule for file sharing applications:
Click Add DLP Rule.
The Add DLP Rule window appears.
- Enter the rule attributes:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
- Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
- Rule Name: Enter a unique name for the DLP rule.
- Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order, the service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule. You can also search for application tenants.
For each DLP rule you create, you can only add tenants from the same SaaS application provider. For example, you have a tenant for SharePoint and a tenant for OneDrive. You can only create a rule for the SharePoint tenant and a rule for the OneDrive tenant. You cannot create one rule for both the SharePoint tenant and OneDrive tenant.
- Site: Select the sites to which you want to apply the rule. You can search for a site or select all sites.
- Owners: The users who own the files containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
- Groups: The groups of the users who own the files containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: The departments of the users who own the files containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
- DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
- File Type: Select files types to which you want to apply the rule. You can select any number of file types and also search for file types.
- Collaboration Scope: The collaboration scopes and permissions for SaaS tenant files that contain sensitive data. Select Any to apply the rule to files with all collaboration levels, or select any number of the following collaboration scopes and specify the permissions (View, Edit) for each scope:
- External Collaborators: Files that are shared with specific collaborators outside of your organization.
- External Link: Files with shareable links that allow anyone outside your organization to find the files and have access.
- Internal Collaborators: Files that are shared with specific collaborators or are discoverable within your organization.
- Internal Link: Files with shareable links that allow anyone within your organization to find the files and have access.
- Private: Files that are only accessible to the owner.
- (Optional) Define the DLP Incident Receiver:
- If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field below as None.
If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
- Action: Choose the action the rule takes upon detecting content that matches the criteria. The number of actions available depends on the selected SaaS Application Tenant.
Apply MIP Label: This action is only applicable for OneDrive and SharePoint tenants. The rule reports the incident and applies the chosen classification label to the file.
When you choose this action, the Apply Classification Label field appears. From this drop-down menu, you can choose the classification label you want the rule to apply to files. The Zscaler service collects the active labels from the list of all authorized MIP labels.
To see this action, you must choose from the list of OneDrive and SharePoint tenants. This action is only applicable for Microsoft Excel, Microsoft Word, and PDF file types.
Apply Box Classification Label: This action is only applicable for Box tenants with Box Shield enabled. The rule reports the incident and applies the chosen Box classification label to the file.
When you choose this action, the Apply Classification Label field appears. From this drop-down menu, you can choose the Box classification label you want the rule to apply to files. The Zscaler service collects these labels when you onboard the Box tenant. Deleted labels appear with a strikethrough line in the drop-down menu and cannot be applied to a rule.
To see this action, you must choose a single Box tenant with defined classification labels from the SaaS Application Tenant drop-down menu. This action is unavailable if you choose a tenant without defined labels or select multiple Box tenants.
Apply Google Drive Label: This action is only applicable for Google Drive tenants. The rule reports the incident and applies the chosen Google Drive label to the file.
When you choose this action, the Apply Classification Label field appears. From this drop-down menu, you can choose the Google Drive classification label you want the rule to apply to files. The Zscaler service collects these labels when you onboard the Google Drive tenant. Deleted labels appear with a strikethrough line in the drop-down menu and cannot be applied to a rule.
- To see this action, you must choose a single Google Drive tenant with defined labels from the SaaS Application Tenant drop-down menu. This action is unavailable if you choose a tenant without defined labels or select multiple Google Drive tenants.
- Before you can use labels in a Google Drive tenant that you have already onboarded, you must reauthorize the tenant so that Zscaler can identify all available labels. To learn more, see About SaaS Application Tenants.
Apply Atlassian Classification Label: This action is only applicable to Confluence tenants. The rule reports the incident and applies the chosen Atlassian label to the file.
When you choose this action, the Apply Classification Label field appears. From this drop-down menu, you can choose the Atlassian Classification label you want the rule to apply to files. Deleted labels appear with a strikethrough line in the drop-down menu and cannot be applied to a rule.
- To see this action, you must choose a tenant with defined labels from the SaaS Application Tenant drop-down menu. This action is not available if you choose a tenant without defined labels or if you select multiple tenants.
- Before you can use Atlassian Classification labels that you have already onboarded, you must reauthorize the tenant so that Zscaler can identify all available labels. To learn more, see About SaaS Application Tenants.
- Change to Read Only for All Collaborators: The rule reports the incident and changes the file’s collaboration scope for all collaborators to read only.
- Change to Read Only for External Collaborators: The rule reports the incident and changes the file’s collaboration scope for external collaborators to read only.
- Change to Read Only for Internal Collaborators: The rule reports the incident and changes the file’s collaboration scope for internal collaborators to read only.
- Move to Restricted Folder: For Confluence, the rule reports the incident and moves all the scanned files (pages, blogs, and attachments) to a restricted page under the user's personal space.
- Quarantine to User Root Folder: The rule reports the incident and quarantines sensitive content to a user's root folder. When you select this option, the Tombstone Template drop-down menu appears.
- Remove: For Confluence, the rule reports the incident and removes all the attachments from the pages and blogs of the space.
- Remove All Collaborators: The rule reports the incident and removes all of the file’s external and internal collaborators.
- Remove External Collaborators: The rule reports the incident and removes all of the file’s external collaborators.
- Remove External Collaborators and Shareable Link: The rule reports the incident and removes all of the file’s external collaborators and any shareable links.
- Remove Internal Collaborators and Shareable Link: The rule reports the incident and removes all internal collaborators and any shareable links.
- Remove Internal Shareable Link: The rule reports the incident and removes the file’s internal shareable link. Existing collaborators are unaffected.
- Remove Public Shareable Link: The rule reports the incident and removes the file’s public shareable link. Existing collaborators are unaffected.
- Remove Sharing: The rule reports the incident and removes all of the file’s collaborators and any shareable links.
- Report Incident Only: The rule reports the incident only and makes no changes to the file’s collaboration scope.
- Update to Not Discoverable Externally: The rule reports the incident and changes the file’s collaboration scope to prevent it from being discoverable through public search engines.
- Update to Not Discoverable for All: The rule reports the incident and changes the file’s collaboration scope to prevent it from being discoverable through public search engines or within your organization.
- Update to Not Discoverable Internally: The rule reports the incident and changes the file’s collaboration scope to prevent it from being discoverable within your organization.
Severity: Select a severity level (i.e., High, Medium, Low, or Information) for the incidents that match this rule.
The Information level allows you to track low-risk incidents that must be observed.
- Email Recipient Domain Profiles: If you select Remove External Collaborators for the action, you can then select the desired domain profiles and whether you want to Include or Exclude them from the action.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the original location and adds the description from the tombstone template created in the Quarantine page. To learn more, see About Quarantine Tombstone File Templates.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
- For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
- Select the Auditor:
- If the auditor is from a hosted database, select or search for the auditor.
- If the auditor is external, enter the auditor’s email address.
- Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- Gen AI
Scanning exceptions for Generative AI applications:
- Attachments uploaded via Custom GPT and predefined GPT are included, but no DLP or malware scan is performed on them because the download URL is unavailable, and no policy action is taken
- Eicar files are included, but no policy action is taken because the download URL is unavailable
- Text fields such as Description, Instructions, Name, or Conversation Starters are not scanned
- Malware content present in the prompt of a conversation is not scanned
To add a DLP rule for Generative AI applications:
Click Add DLP Rule.
The Add DLP Rule window appears.
- Enter the rule attributes:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
- Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
- Rule Name: Enter a unique name for the DLP rule.
- Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
- DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
- SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule.
- Components: The components that the Zscaler service inspects for sensitive data. Choose Any to inspect all components, or choose to only inspect Attachments or Messages.
- Owners: The users who own the objects containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
- Groups: The groups of the users who own the objects containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: The departments of the users who own the objects containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
- File Type: Select file types to which you want to apply the rule. You can select any number of file types and also search for file types.
- (Optional) Define the DLP Incident Receiver:
- If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field below as None.
If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
- Action: This field cannot be changed. The Zscaler service reports the incident only.
- Severity: Select a severity level (i.e., High, Medium, Low, or Information) for the incidents that match this rule.
The Information level allows you to track low-risk incidents that must be observed.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
- For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
- Select the Auditor:
- If the auditor is from a hosted database, select or search for the auditor.
- If the auditor is external, enter the auditor’s email address.
- Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- ITSM
To add a DLP rule for ITSM applications:
Click Add DLP Rule.
The Add DLP Rule window appears.
- Enter the rule attributes:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
- Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
- Rule Name: Enter a unique name for the DLP rule.
- Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
- SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule.
- Components: The components that the Zscaler service inspects for sensitive data. Choose Any to inspect all components, or choose to only inspect Attachments or Objects.
- Owners: The users who own the objects containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
- Groups: The groups of the users who own the objects containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: The departments of the users who own the objects containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
- DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
- Collaboration Scope: The collaboration scopes and permissions for SaaS tenant files that contain sensitive data. Select Any to apply the rule to files with all collaboration levels, or select any number of the following collaboration scopes and specify the permissions (View, Edit) for each scope:
- External Collaborators: Files that are shared with specific collaborators outside of your organization.
- External Link: Files with shareable links that allow anyone outside your organization to find the files and have access.
- Internal Collaborators: Files that are shared with specific collaborators or are discoverable within your organization.
- Internal Link: Files with shareable links that allow anyone within your organization to find the files and have access.
- Private: Files that are only accessible to the owner.
- Object Type: Choose Any to inspect all object types or choose an object type.
If the object type you want to select is not listed, you can edit the ServiceNow tenant and add more object types. To learn more, see Adding Object Types for ServiceNow Tenants.
- (Optional) Define the DLP Incident Receiver:
- If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field below as None.
If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
- Action: Select the action the rule takes upon detecting content that matches the criteria:
- Quarantine: The Zscaler service quarantines suspicious files.
When you choose this action, the Quarantine Location field appears. Enter the location to which all quarantined files are moved; from there you can review them and either delete or restore the data.
- Remove: The Zscaler service removes suspicious files.
- Report Incident Only: The Zscaler service reports the incident only.
- Severity: Select a severity level (i.e., High, Medium, Low, or Information) for the incidents that match this rule.
The Information level allows you to track low-risk incidents that must be observed.
- Tombstone Template: Select a tombstone template from the drop-down list. The quarantine action creates a tombstone file template in the quarantine location and adds the description from the tombstone template created in the Quarantine page. To learn more, see About Quarantine Tombstone File Templates.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
- For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
- Select the Auditor:
- If the auditor is from a hosted database, select or search for the auditor.
- If the auditor is external, enter the auditor’s email address.
- Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- Public Cloud Storage
To enable Amazon S3, Google Cloud Platform, and Microsoft Azure for your organization, contact your Zscaler Account team.
To add a DLP rule for public cloud storage applications:
Click Add DLP Rule.
The Add DLP Rule window appears.
- Enter the rule attributes:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
- Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
- Rule Name: Enter a unique name for the DLP rule.
- Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
- SaaS Application Tenant: Choose the SaaS application tenant to which you want to apply the rule.
- Buckets: This is only applicable for Amazon S3 and Google Cloud Platform tenants. Select the buckets for the Zscaler service to inspect for sensitive data. You can select up to 1000 buckets. To learn more, see Ranges & Limitations.
- Bucket Owner: This is only applicable for Amazon S3 and Google Cloud Platform tenants. Choose a user to inspect their buckets for sensitive data. When you choose a user, their buckets are available in the Buckets field.
Before you can select buckets or choose a bucket owner, you must have saved this rule and created a scan schedule. To learn more, see Configuring the Data at Rest Scanning Policy.
- Blob Containers: This is only applicable for Microsoft Azure tenants. Select the blob containers for the Zscaler service to inspect for sensitive data. You can select up to 1000 blob containers. To learn more, see Ranges & Limitations.
- Blob Container Owner: This is only applicable for Microsoft Azure tenants. Choose a user to inspect their blob containers for sensitive data. When you choose a user, their blob containers are available in the Blob Containers field.
Before you can select blob containers or choose a blob container owner, you must have saved this rule and created a scan schedule. To learn more, see Configuring the Data at Rest Scanning Policy.
- DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
- Collaboration Scope: The collaboration scopes and permissions for SaaS tenant files that contain sensitive data. Select Any to apply the rule to files with all collaboration levels, or select any number of the following collaboration scopes and specify the permissions (View, Edit) for each scope:
- External Collaborators: Files that are shared with specific collaborators outside of your organization.
- External Link: Files with shareable links that allow anyone outside your organization to find the files and have access.
- Internal Collaborators: Files that are shared with specific collaborators or are discoverable within your organization.
- Internal Link: Files with shareable links that allow anyone within your organization to find the files and have access.
- Private: Files that are only accessible to the owner.
- (Optional) Define the DLP Incident Receiver:
- If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field below as None.
If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
- Action: Choose the action the rule takes upon detecting content that matches the criteria. The number of actions available depends on the selected SaaS Application Tenant.
- Change to Read Only for All Collaborators: The rule reports the incident and changes the file’s collaboration scope for all collaborators to read only.
- Change to Read Only for External Collaborators: The rule reports the incident and changes the file’s collaboration scope for external collaborators to read only.
- Change to Read Only for Internal Collaborators: The rule reports the incident and changes the file’s collaboration scope for internal collaborators to read only.
- Remove All Collaborators: The rule reports the incident and removes all of the file’s external and internal collaborators.
- Remove External Collaborators and Shareable Link: The rule reports the incident and removes all of the file’s external collaborators and any shareable links.
- Remove Internal Collaborators and Shareable Link: The rule reports the incident and removes all internal collaborators and any shareable links.
- Remove Public Shareable Link: The rule reports the incident and removes the bucket’s public shareable link. Existing collaborators are unaffected.
- Remove Sharing: The rule reports the incident and removes all of the file’s collaborators and any shareable links.
- Report Incident Only: The rule reports the incident only and makes no changes to the bucket’s collaboration scope.
- Severity: Select a severity level (i.e., High, Medium, Low, or Information) for the incidents that match this rule.
The Information level allows you to track low-risk incidents that must be observed.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
- For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
- Select the Auditor:
- If the auditor is from a hosted database, select or search for the auditor.
- If the auditor is external, enter the auditor’s email address.
- Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
- Source Code Repository
To add a DLP rule for source code repository applications:
Click Add DLP Rule.
The Add DLP Rule window appears.
- Enter the rule attributes:
- Rule Order: Policy rules are evaluated in ascending numerical order (Rule 1 before Rule 2, and so on), and the rule order reflects this rule’s place in the order. You can change the value, but if you’ve enabled Admin Ranking, then the assigned admin rank determines the rule order values you can select.
- Admin Rank: Enter a value from 0–7 (0 is the highest rank). Your assigned admin rank determines the values you can select. You cannot select a rank that is higher than your own. The rule’s admin rank determines the value you can select in rule order, so that a rule with a higher admin rank always precedes a rule with a lower admin rank.
- Rule Name: Enter a unique name for the DLP rule.
- Rule Status: An enabled rule is actively enforced. A disabled rule is not actively enforced but does not lose its place in the rule order; the service skips it and moves to the next rule.
- Rule Label: Select a rule label to associate it with the rule. To learn more, see About Rule Labels.
- Define the criteria:
- SaaS Application Tenant: Select the SaaS application tenants to which you want to apply the rule. You can also search for application tenants.
- Buckets: This is only applicable for GitLab tenants. Select the buckets for the Zscaler service to inspect for sensitive data. You can select up to 32 buckets.
- Bucket Owner: This is only applicable for GitLab tenants. Choose a user to inspect their buckets for sensitive data. When you choose a user, their buckets are available in the Buckets field.
Before you can select buckets or choose a bucket owner, you must have saved this rule and created a scan schedule. To learn more, see Configuring the Data at Rest Scanning Policy.
- Editors: The users who own the files containing sensitive data. Select Any to apply the rule to all users, or select up to 4 users under General Users. You can search for users or click the Add icon to add a new user.
- Groups: The groups of the users who own the files containing sensitive data. Select Any to apply the rule to all groups, or select up to 8 groups. You can search for groups or click the Add icon to add a new group.
- Departments: The departments of the users who own the files containing sensitive data. Select Any to apply the rule to all departments, or select up to 8 departments. You can search for departments or click the Add icon to add a new department.
- DLP Engines: Select Any to choose all DLP engines for this rule, or select up to 4 engines. You can search for DLP engines.
- File Type: Select file types to which you want to apply the rule. You can select any number of file types and also search for file types.
- Collaboration Scope: The collaboration scopes and permissions for SaaS tenant files that contain sensitive data. Select Any to apply the rule to files with all collaboration levels, or select any number of the following collaboration scopes and specify the permissions (View, Edit) for each scope:
- External Collaborators: Files that are shared with specific collaborators outside of your organization.
- External Link: Files with shareable links that allow anyone outside your organization to find the files and have access.
- Internal Collaborators: Files that are shared with specific collaborators or are discoverable within your organization.
- Internal Link: Files with shareable links that allow anyone within your organization to find the files and have access.
- Private: Files that are only accessible to the owner.
- (Optional) Define the DLP Incident Receiver:
- If you don't have a third-party DLP solution or don't want to forward content, leave the Zscaler Incident Receiver field below as None.
If you want to forward the transactions captured by this policy rule to an on-premises DLP incident receiver, select the applicable Zscaler Incident Receiver from the drop-down menu. You must configure your Zscaler Incident Receivers to complete this step.
Ensure that in your third-party DLP solution, you've configured a rule that detects the same data type as the rule you configure here. For example, if you configure a Zscaler DLP rule blocking credit card data, you must also configure a rule in your third-party solution blocking credit card data.
Otherwise, the information Zscaler sends to your solution regarding a particular rule violation does not appear in your on-premises solution's dashboard. However, the rules do not need to correspond exactly. You don't need to ensure that other criteria for the rules, beyond the data type, correspond. For example, if a Zscaler DLP rule blocks credit card numbers going to a specific URL category, the rule in your on-premises DLP solution must also block credit card numbers, but needn't match the URL category criteria.
- Define the action:
- Action: This field cannot be changed. The Zscaler service reports the incident only.
- Severity: Select a severity level (i.e., High, Medium, Low, or Information) for the incidents that match this rule.
The Information level allows you to track low-risk incidents that must be observed.
- (Optional) Configure the email notification for the rule. If you do not select an auditor and notification template, a notification is not sent for this rule.
- For Auditor Type, select whether the auditor is from a Hosted database or External to your organization.
- Select the Auditor:
- If the auditor is from a hosted database, select or search for the auditor.
- If the auditor is external, enter the auditor’s email address.
- Select a Notification Template, if you configured one. You can also search for a notification template or click the Add icon to add a new notification template.
- (Optional) Enter a Description including additional notes or information. The description cannot exceed 10,240 characters.
- Click Save and activate the change.
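As an added illustration, not part of the Zscaler documentation or product, the Python below models the Rule Order, Admin Rank and Rule Status semantics that the rule attributes of every application type above share: ascending evaluation, disabled rules skipped without losing their position, an admin unable to assign a rank higher than their own, and the Admin Ranking constraint that a higher-ranked (lower-numbered) rule always precedes a lower-ranked one. The rule names, the sample policy and the collaboration-scope matching are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class DlpRule:
    """Constructed model of the rule attributes (not a Zscaler API object)."""
    order: int              # Rule Order: rules are evaluated in ascending numerical order
    admin_rank: int         # Admin Rank: 0 (highest) to 7 (lowest)
    name: str               # Rule Name
    enabled: bool           # Rule Status: disabled rules are skipped but keep their position
    scopes: FrozenSet[str]  # Collaboration Scope criteria; an empty set stands for "Any"
    action: str             # action taken (and reported) when the rule matches


def selectable_ranks(own_rank: int) -> range:
    """Admin Rank values an admin may assign: their own rank or a lower one (a higher
    number), never a rank higher than their own."""
    if not 0 <= own_rank <= 7:
        raise ValueError("admin rank must be between 0 and 7")
    return range(own_rank, 8)


def rule_order_violations(rules: List[DlpRule], admin_ranking: bool = True) -> List[str]:
    """Check a policy's Rule Order values.

    Rule order values must be unique, and with Admin Ranking enabled a rule with a
    higher admin rank (lower number) must precede every rule with a lower admin rank.
    Returns human-readable problems; an empty list means the ordering is valid."""
    ordered = sorted(rules, key=lambda r: r.order)
    problems: List[str] = []
    seen = set()
    for rule in ordered:
        if rule.order in seen:
            problems.append(f"rule order {rule.order} is assigned to more than one rule")
        seen.add(rule.order)
    if admin_ranking:
        for earlier, later in zip(ordered, ordered[1:]):
            if later.admin_rank < earlier.admin_rank:
                problems.append(
                    f"{later.name!r} (rank {later.admin_rank}) is ordered after "
                    f"{earlier.name!r} (rank {earlier.admin_rank})"
                )
    return problems


def first_matching_rule(rules: List[DlpRule], file_scopes: FrozenSet[str]) -> Optional[DlpRule]:
    """Evaluate rules in ascending order and return the first enabled rule whose
    Collaboration Scope criteria match the file's sharing state."""
    for rule in sorted(rules, key=lambda r: r.order):
        if not rule.enabled:
            continue  # keeps its place in the order, but the service moves to the next rule
        if rule.scopes and not (rule.scopes & file_scopes):
            continue  # "Any" (empty set) matches every file
        return rule
    return None  # no rule matched: nothing is reported for this file


# Constructed sample policy (names, ranks and scopes are assumptions for illustration).
SAMPLE_POLICY = [
    DlpRule(1, 0, "Public link exposure", True, frozenset({"External Link"}),
            "Remove Public Shareable Link"),
    DlpRule(2, 0, "External collaborators", False, frozenset({"External Collaborators"}),
            "Remove External Collaborators and Shareable Link"),
    DlpRule(3, 3, "Catch-all", True, frozenset(), "Report Incident Only"),
]


if __name__ == "__main__":
    print("ordering problems:", rule_order_violations(SAMPLE_POLICY) or "none")
    hit = first_matching_rule(SAMPLE_POLICY, frozenset({"External Collaborators"}))
    # rule 2 is disabled and skipped, so the catch-all rule reports the incident
    print("externally shared file ->", hit.name if hit else None)
```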
- Collaboration