On the DLP Advanced Settings page, you can configure settings for a variety of Data Loss Prevention (DLP) features for the Zscaler service.

To configure DLP advanced settings:

1. Go to Policies > Data Protection > Common Resources > Advanced Settings.
2. Configure as needed:
   • Cloud App & URL Exceptions for DLP

     The Zscaler DLP policy allows you to create rules to monitor content for specific data being sent to cloud applications and websites.

     You can stop the Zscaler service from inspecting specific cloud applications and websites by adding them to the Cloud Apps & URL Exceptions for DLP list.

     The exemptions you configure on the DLP Advanced Settings page override the rules you create for the DLP policy. For example, one admin creates an exemption for a cloud application by adding it to the Cloud Apps & URL Exceptions for DLP list. Another admin creates a DLP policy rule to inspect the same application. When users send content to the application, the Zscaler service doesn’t inspect these transactions.

     Under Cloud Apps & URL Exceptions for DLP, complete the following fields:

     • Exempted Cloud Applications: The cloud applications that you want to exempt from DLP evaluation. You can search for and select up to 256 applications.

       By default, this field displays the first 100 cloud applications. The subsequent 100 cloud applications are displayed when you click the Click to see more link at the bottom of the list. You can repeat this process to view the remaining cloud applications.

       See image.

       

       Close

     • Exempted URLs: Enter the URLs that you want to exempt from DLP evaluation and click Add Items. You can enter multiple entries. Press the Enter key after each entry. You can add up to 256 URLs. For guidance on entering URLs, see the URL format guidelines.
     • Exempted User-Defined URL Categories: The custom URL categories you want to exempt from DLP evaluation. You can search for and select up to 256 custom URL categories.
     • Exempt URL Encoded Data: Enable this option to exempt all URL encoded data from DLP evaluation.

     Close
   • Exact Data Match

     Exact Data Match (EDM) uses index templates with primary and secondary fields by default. This can be changed in the DLP Advanced Settings so that EDM does not use primary or secondary keys or can be configured with EDM Check for Popular Formats.

     • With no primary keys: If enabled, you select the fields from the template that must match, fields that are optional, and how many optional fields are required to match. Before enabling EDM with no primary keys, all existing EDM schema (templates, dictionaries, engines, and policies) must be deleted or unassigned. New schema with no primary keys functionality can be created after the feature is enabled.
     • Enable EDM Check for Popular Formats: If enabled, the EDM scans SSN, SIN, and CCN dictionaries for a popular format, and the EDM match only succeeds if the entered format matches the popular data format type. To learn about which data types are supported, see Creating an EDM template.

     To configure EDM:

     1. Delete or unassign any existing EDM templates, dictionaries, engines, and policies.
     2. Go to Administration > DLP Advanced Settings.
     3. Enable EDM
        • Configure EDM with No Primary Keys

          1. Enable EDM with No Primary Keys.

             See image.

             

             Close

          2. Create an EDM template. In the index tool, you do not need to specify primary or secondary fields.

             See image.

             

             Close

          3. Create a DLP dictionary using the EDM template you created (or any other EDM template with no primary keys). When creating a DLP EDM dictionary with no primary keys enabled, specify Fields that must Match On, Optional Fields to Match On, and the Match Type for optional fields. You must make a selection in at least one of either Fields that must Match On or Optional Fields to Match On.

             See image.

             

             Close

          4. Create a DLP engine using any EDM dictionaries with no primary keys.
          5. Create policies with content inspection using any EDM engines with no primary keys.

          Close
        • Configure EDM Check for Popular Formats

          1. Enable Check for Popular Formats.

             See image.

             Close

          2. Create an EDM template. In the index tool, specify the data type you are enabling.

             See image.

             

             Close

          3. Create a DLP dictionary using the EDM template you created. For Fields that must Match On, you must specify the data type (e.g., SSN, CCN, or CSIN) as the primary field and Name as the second field.

             See image.

             

             Close

          Close
     4. Select Save.

     Close
   • Optical Character Recognition (OCR)

     The Zscaler service allows you to use optical character recognition (OCR) to scan images for sensitive text data as part of your inline Data Loss Prevention (DLP), SaaS Security API DLP, and Outbound Email DLP policies. You configure OCR settings for your organization, and those settings apply to all DLP policies that you create. If OCR options are not enabled, DLP rules don't apply to image files.

     DLP engines support OCR scanning of PNG, JPEG, TIFF, and BMP files.

     Under Optical Character Recognition (OCR), configure the following settings:

     • Inline DLP: Enable this option to allow the Zscaler DLP engines to scan images for text content in data in transit. To learn more, see About Data Loss Prevention.
     • SaaS Security API: Enable this option to allow the Zscaler DLP engines to scan images for text content in data at rest. To learn more, see About SaaS Security API DLP.
     • Outbound Email DLP: Enable this option to allow the Zscaler DLP engines to scan images for text content in outbound emails sent to external domains. To learn more, see What Is Zscaler Outbound Email DLP?

     Close
   • Inline DLP Rule Evaluation

     This setting appears only in organizations with Evaluate All Rules mode enabled. To access this feature, contact your Zscaler Account team. To learn more, see Configuring DLP Policy Rules with Evaluate All Rules Mode Enabled.

     Under Inline DLP Rule Evaluation, specify how DLP engines evaluate the rules you configure:

     • By Rule Order: Select this option if you want DLP engines to rely on rule order during evaluation. When the engine finds a matching rule, evaluation stops.
     • Evaluate All Rules: Select this option if you want DLP engines to evaluate all rules. If multiple rules match, the rule engine selects the rule with the most restrictive action.

     The evaluation method you select is applied to all inline DLP rules for your organization. If you want to change the evaluation method, you must first delete all existing inline DLP rules.

     Close
   • Inspect HTTP Get Requests

     To access this feature, contact your Zscaler Account team.

     To enable the User-Defined custom URL category in the policy, you must first go to the DLP Advanced Settings page and select which URL category to associate with Inspect HTTP GET Requests. To learn more, see Configuring DLP Policy Rules with Content Inspection and Configuring DLP Policy Rules with Evaluate All Rules Mode Enabled.

     To inspect HTTP GET Query Parameters for sensitive data:

     1. On the Custom URL drop-down menu, select a URL category from the list. To create a custom URL category, see Configuring Custom URL Categories.

        See image.

        

        Close

     2. Click Save.

     Close
3. Click Save and activate the change.