Enhancements to Incident Group and Workflow Mappings

The following are enhancements to incident group and workflow mappings:

• Support for the date matching property (Termination Date) when adding an incident group mapping or a workflow mapping. This Termination Date property is only available if you select CSV as the primary user data source on the Account Settings page.
• When mapping a property, the values you can select are based on your organization's values, and they are filtered by source DLP type.

See image.

To learn more, see Managing Incident Group Mappings, Managing Workflow Mappings, Managing Account Settings, and Managing User Attributes.

Enhancements to Bulk Actions

On the Incidents page, two new actions, Assign to Me and Assign DLP Admin, are available when performing bulk actions.

• Assign to Me action allows you to assign yourself as the DLP admin to all incidents in the incident list table.
• Assign DLP Admin action allows you to assign a new DLP admin to all incidents in the incident list table.

See image.

Close

To learn more, see About Incidents.

Renamed Source DLP Type

Several pages (e.g., Incidents page, Incident Details page, and Incident Group Mapping page) in Workflow Automation either display or use the Source DLP Type incident attribute, which has a few different values. The Source DLP Type attribute value of SaaS Security API is renamed to SaaS Security on all those pages.

See image.

To learn more, see About Incidents, Viewing & Managing Incident Details, and Managing Incident Group Mappings.

The following are enhancements to the Data Protection features in Workflow Automation:

Enhancement to the Incidents Page

On the Incidents page, the Severity column is added to the incidents table. The severity of each incident appears in this column.

See image.

To learn more, see About Incidents.

Enhancement to the DLP Azure Application Integration Configuration

When you configure the DLP application integration using Azure, one of the steps is to add a DLP Azure application integration in Workflow Automation using the output from the bash script and the Azure resource manager stack. On the add Zscaler DLP Azure Integration page, a Validate button is added. When you click this button after populating the fields on this page, the Workflow Automation system validates the configuration.

See image.

To learn more, see Configuring the DLP Application Integration Using Azure and Managing DLP Azure Application Integrations in Workflow Automation.

Enhancement to the Incident Details Page

On the Incidents Details page, for incidents of Source DLP type Email, the Files section appears. The Files section displays the files sent to the recipients of the incident. In the Files section, the Policy column is added to the Files table. When you click the View icon in the Policy field for a file, the Policy window appears, displaying the engines and the dictionaries with their match count that were violated by the file.

See image.

To learn more, see Viewing & Managing Incident Details.

User Attribute Obfuscation

To protect the privacy and security of the user information associated with incidents in your organization, you can select the user attributes you want the Workflow Automation system to obfuscate for those incidents. You select the user attributes you want obfuscated for your organization in the Privacy and Security section of the Account Settings page. In addition, you can override the organization's obfuscation settings for an admin on the Admin Assignment page.

When you select user attributes for obfuscation, that selection affects the admin's visibility of those user attributes on incidents on the Incidents, Incident Details, and workflow pages. The obfuscated user attributes appear as several asterisks instead of the actual values for the attributes. For example, if you select to obfuscate the User Name attribute, the User Name appears as ****** instead of the user's actual name.

See image.

Close

To learn more, see Managing Account Settings, Managing Admin Assignments, About Incidents, and Viewing & Managing Incident Details.

Enhancements to the Audit Logs page

The Audit Logs page is enhanced with new Module and Resource filters. You can filter the audit logs based on the Csv Upload module entry and the Csv User Data resource entry.

See image.

Close

To learn more, see About Audit Logs.

The Workflow Automation Admin Portal is redesigned to have a more modern look and feel. All the pages within the portal are redesigned. The following is a list of changes made to the portal:

• A new color scheme is used for all pages (e.g., background color, text color, button color, and search bar color). In addition, the menu and submenu for the portal appear in the new color scheme.
• The same common icons are used for all pages (e.g., Delete icon and Edit icon).
• The Workflow Automation logo appears in the Zscaler brand colors.
• The same font and font size are used for page and section headers, table headers, body text, and label and field values.
• The table rows for a table appear in one color. There are no longer alternating row colors.

See image.

Close

On the Workflow Mappings page, Incident Group Mapping page, and Event Group Mappings page, the Property drop-down menu for a statement (i.e., rule) is redesigned to make the display and selection of properties more user friendly. The Property drop-down menu has the following improvements:

• Lines to illustrate the different levels of the property hierarchy.
• Shortened property names that appear in alphabetical order.
• Frozen header on top, which provides context on the complete property path when scrolling through the properties.

This enhancement applies to the Workflow Mappings page for Data Protection, Business Insights, and Digital Experience Monitoring (ZDX) integrations, the Incident Group Mapping page for Data Protection integration, and the Event Group Mappings page for Business Insights integration.

See image.

Close

To learn more, see Managing Workflow Mappings, Managing Incident Group Mappings, Managing Workflow Mappings for Events, Managing Event Group Mappings, and Managing Workflow Mappings for ZDX Alerts.

The following enhancements are available on the User Attributes page in the Workflow Automation Admin Portal:

• When the status of a CSV file is Partial Complete, you can use the Resume icon under the Status column to resume importing the pending user attributes.

  See image.

  

  Close

• When the status of a CSV file is Failed, you can use the Retry icon under the Status column to restart the import action for the CSV file.

  See image.

  

  Close

  You can only restart an import action a maximum of three times.

As part of this enhancement, you receive email notifications when your CSV file import is completed, partially completed, or has failed.

To learn more, see Managing User Attributes.

Support for Importing User Attributes as CSV File

Workflow Automation is enhanced to support importing user attributes as a CSV file. As part of this feature, the following updates are available:

• A new User Attributes (Setup > User Attributes) page is added to the left-side navigation of the Workflow Automation Admin Portal. This page allows you to import end user attributes as a CSV file. The attributes then display in the Workflow Automation Admin Portal.

  See image.

  

  Close

• Two new options, Primary User Data Source (SCIM or CSV) and Unique Identifier (email address or employee ID), are added to the Account Settings page. You must select a primary user data source and a unique identifier from which Workflow Automation fetches the user attributes that display on the Workflow Automation Admin Portal.

  See image.

  

  Close

• A new option, Additional Information, is added to the Violation Details section of the Incident Details page. This section displays additional data associated with the incident, such as end user details, manager details, and address. Workflow Automation fetches the additional information from the primary user date source (i.e, CSV or SCIM) selected during the incident generation.

  See image.

  

  Close

• The Property list on the Incident Group Mapping page and the Workflow Mapping page is enhanced. You can add additional userInfo, managerInfo, and userInfo.Skip Level Managers properties when configuring incident mappings and workflow mappings.

To learn more, see Managing User Attributes, Viewing & Managing Incident Details, Managing Account Settings, Managing Workflow Mappings, and Managing Incident Group Mappings.

Enhancement to the DLP Application Integration Configuration Using Amazon Web Services

When configuring the DLP application integration in Amazon Web Services (AWS), you have the option to create the AWS resources for this integration by creating a CloudFormation stack. Workflow Automation provides a template file that you can use to create the CloudFormation stack. Additional parameters are added to this template file for enhanced security and auditability and to define S3 retention (Lifecycle) policies. In addition, the Create Stack page is enhanced to support these new parameters. The following parameters are added:

• zirRoleARN
• lockRetentionMode
• lockRetentionDays
• enableCloudtrail
• cloudTrailLogsBucket
• enableExpiration
• expirationDaysCurrent
• expirationDaysNonCurrent
• incompleteMultipartDays

See image.

To learn more, see Configuring the DLP Application Integration Using Amazon Web Services.

The following are enhancements to the Data Protection features in Workflow Automation:

Enhancement to Closed Incidents

On the Incidents page, after an incident is closed (Status is Resolved), you can perform the following actions from the Actions drop-down menu for one or more incidents, but the status for those incidents remains Resolved:

• Assign DLP Admin
• Assign to Me
• Assign Priority
• Notify User
• Label

See image.

To learn more, see About Incidents.

Enhancement to Workflow Templates

When adding a workflow on the Workflow Settings page using the templates for Auto Escalate, Auto Notify User and Escalate, or Auto Notify User and Concurrently Escalate, you can select the approver for the workflow from the Approver Name drop-down menu. You must add approvers on the Approvers page in Workflow Automation before they are available to select in the Approver Name drop-down field for the workflow.

See image.

To learn more, see Managing Workflows and Managing Approvers.

On the Event tab of the Event Details page, the Users Count By Plan Type field is added to the Event Details section, replacing the Plan Type field. The User Count By Plan Type field lists the plan types for the application associated with the event along with the number of impacted users under those plan types for the event. If there are more than 5 plan types, a Show More link becomes available for the field. You can click this link to see the rest of the plan types with their user counts.

See image.

To learn more, see Managing Event Details.

The following are enhancements to the Data Protection features in Workflow Automation:

Enhancement to Closed Incidents

On the Incident Details page, after an incident is closed (Status=Resolved), you can perform the following actions from the Actions drop-down menu for the incident, but the incident status remains as Resolved:

• Notify User
• Assign to Me
• Assign DLP Admin
• Assign Priority
• Ticket
• Label

See image.

To learn more, see Viewing & Managing Incident Details.

Enhancement to Auto Create Tickets Workflow

On the Workflow Settings page, when adding a workflow using the Auto Create Tickets template, the Ticketing Configuration section on the page is enhanced to contain the following fields:

• Ticketing Service
• Default Ticketing System
• Jira Project (Appears only when JiraCloud is selected in the Ticketing Service field)
• Default Ticket Assignee Email

From the Default Ticket Assignee Email drop-down menu, you can select the assignee for the ticket that gets created in JiraCloud or ServiceNow.

See image.

Close

To learn more, see Managing Workflows and Managing Workflow Templates.

On the Events page, the Closed event status is added for an event.

See image.

Close

To learn more, see Managing Events.

The Event ID field format is changed everywhere it appears in the Workflow Automation Admin Portal for Business Insights events. The Customer ID prefix is removed from the Event ID field. The following image shows one example of where Event ID appears.

See image.

To learn more, see Managing Events, Managing Event Details, and Responding to an End User Notification for Events.

An Actions drop-down menu containing the Close Event action is added to the Event Details page for Business Insights events. You can select this action for a Business Insights event when you want to close it.

See image.

To learn more, see Managing Event Details.

The following enhancements were made in support of the Filewatcher:

• In Azure, when you are configuring the DLP application integration, you can run the Zscaler run-filewatcher.sh bash script to install or upgrade the container for the Filewatcher virtual machine using either the Docker or Podman platforms.

  See image.

  

  Close

• On the Notifications Center page, an alert notification appears on this page for the Filewatcher when its health status is unhealthy. This alert notification is removed from this page when the Filewatcher health status changes back to healthy.

  See image.

  

  Close

To learn more, see Viewing Alert Notifications and Configuring the DLP Application Integration Using Azure.

On the Incident Details page and the incident escalation notification, the format for the trigger data that is displayed has changed. The prefix and suffix for the trigger data are displayed along with the trigger data itself. The actual trigger data portion is highlighted.

See image.

To learn more, see Viewing & Managing Incident Details and Responding to an Escalation Notification.

The following enhancements were made to the incident data privacy settings in the Workflow Automation Admin Portal:

• On the DLP integration pages, all the field labels for the incident data privacy setting fields are changed to be more user-friendly.
• On the DLP integration pages, you can select the incident data privacy setting fields (Hide Evidence Data, Hide Trigger Data, and Hide Policy Details) for an admin, end user, and manager/approver. These privacy settings determine whether an admin, end user, or manager/approver can view the evidence data, trigger data, and policy details for the incidents that appear in the Workflow Automation Admin Portal.

See image.

Close

To learn more, see Configuring the DLP Application Integration Using Amazon Web Services and Configuring the DLP Application Integration Using Azure.

The following enhancements were made to the Incident Details page:

• The following fields are added to the Violation Details section:

  • Incidents of Source DLP type Inline
    • Application subsection
      • Referrer URL
      • Name
      • Category
  • Incidents of Source DLP type SaaS Security API
    • Content subsection
      • File Modification Time
      • File Size
      • Document Type

  See image.

  

  Close

• A Collaborators section is added for incidents of Source DLP type SaaS Security API. This section displays the internal and external collaborators for the incident and the collaborator scope.

  See image.

  

  Close

To learn more, see Viewing & Managing Incident Details.

The following filters are added to the Filters section of the Incidents page:

• Department
• Document Type
• File Source Location
• Referrer URL

You can filter incidents by adding multiple values (comma-separated) to the File Source Location and Referrer URL filters and selecting multiple options that appear for Department and Document Type filters.

See image.

To learn more, see About Incidents.

On the Notification Template page, an Update Template button is added when editing a published notification template. After editing the content or design for the published notification template, you click this button to update the notification template with the edits. This Update Template button replaces the Save as Draft and Publish Template buttons that were available before.

See image.

To learn more, see Managing Notification Templates.

You can delete a resolved incident by selecting the Delete action from the Actions drop-down menu on the Incident Details page. For resolved incidents, only the Reopen and Delete actions appear in the Actions drop-down menu.

See image.

To learn more, see Viewing & Managing Incident Details.

Workflow Automation is enhanced to display the home location and work location of the end user associated with an incident. As part of this feature, the following updates are available:

• On the Incidents page:

  • Two columns, Home Location and Work Location, are added to the incidents list table.

    See image.

    

    Close

  • Two filters, Home Location and Work Location, are added to the Filters Section.

    See image.

    

    Close

• On the Incident Details page, Home Location and Work Location attributes are added to the Violation Details section.

  See image

  

  Close

To learn more, see About Incidents and Viewing & Managing Incident Details.

On the Incidents page, Label action is available when performing bulk actions, which allows you to add labels to all incidents in the incident list table.

See image.

Close

To learn more, see About Incidents.

When Workflow Automation does not receive DLP incidents for a time period, the application triggers a health check for the user's system. If an unhealthy status is returned by the Incident Receiver, an alert is automatically logged on the Notification Center page.

See image.

Close

To learn more, see Viewing Alert Notifications.

A new Notes column is added to the Bulk Actions page, which displays any notes or information that the admin added when performing the bulk action.

See image.

Close

To learn more, see Managing Bulk Actions.

On the Incidents page, a new Assign to Me action is added to the Actions menu. This action allows admins to assign the selected incidents to themselves to investigate them.

See image.

Close

To learn more, see About Incidents.

The following enhancements are available on the Downloads and Bulk Actions pages in the Workflow Automation Admin Portal:

• When the status of an incident file download or bulk action is Partial Success, you can use the Resume option available in the Status column to restart the activity for the pending incidents.

  See image.

  

  Close

• When the status of an incident file download or bulk action is Failed, you can use the Try Again option available in the Status column to restart the activity.

  See image.

  

  Close

You can only restart an incident file download or bulk action for a maximum of three times.

To learn more, see Managing Bulk Actions and Managing Downloads.

In the Workflow Automation Admin Portal, the Integrations > DLP Azure > Zscaler DLP Azure Integration page is enhanced with the following updates:

• A new optional Custom Storage Endpoint URL field is added. This field allows you to use custom storage endpoints (i.e., private endpoints) to access the Azure storage accounts to minimize security risks.
• The Event Grid Topic Resource Id is renamed to Event Grid System Topic Resource Id.

See image.

Close

To learn more, see Configuring the DLP Application Integration Using Azure.

An Export icon is added to the Incident Analytics dashboard that allows you to export the incident analytics displayed on the page to a PDF file.

See image.

Close

To learn more, see About Incident Analytics Dashboard.

Workflow Automation is enhanced to send you email notifications when the incident file export is completed and the file is ready for download from the Downloads page.

See image.

Close

To learn more, see Managing Downloads.

A new Bulk Actions page (My Activity > Bulk Actions) is added to the Workflow Automation Admin Portal. This page allows you to monitor the status of the bulk actions performed on the Incidents page. It provides you with details such as the type of bulk action, the incident count, the generation date and time, and the status of the bulk action.

See image.

To learn more, see Managing Bulk Actions.

A new My Activity > Downloads page is added to the Workflow Automation Admin Portal. This page allows you to download the incidents that you export from the Incidents page to a CSV file. It provides you with details such as the incident file name, number of incidents exported, the generation time and date, the status of the incident file download, etc.

See image.

Close

To learn more, see Managing Downloads.

A new widget, All, is added to the Incidents page in the Workflow Automation Admin Portal. This widget displays the total number of incidents that have accrued in your organization regardless of the status (i.e., Open, Resolved, Waiting Feedback, and Escalated).

See image.

Close

To learn more, see About Incidents.

A new Auto Assign Incidents field is added to the Admin Assignment > Add Admin Assignment window. Enable this field if you want Workflow Automation to automatically assign incidents to the admin as the incidents occur.

See image.

Close

To learn more, see Managing Admin Assignments.

On the Add Role page, you can configure the permission for an admin role to delete an incident. For the Incidents category, you can select the Delete permission. For admins assigned to a role with incident delete permission, the Delete action is available to them on the Incident Details page. Otherwise, the Delete action is not available.

See image.

Close

To learn more, see Managing Roles and Permissions and Viewing & Managing Incident Details.

A new action, Assign to Me, is added to the Actions menu on the Incident Details page. Admins can assign incidents to themselves using the Assign to Me action that appears on the page.

See image.

To learn more, see Viewing & Managing Incident Details.

Email Data Loss Prevention (DLP) incidents are displayed in Workflow Automation. You can remediate these incidents using the various actions on the Incidents and Incident Details pages in Workflow Automation and through the predefined workflows that Workflow Automation provides.

See image.

To learn more, see About Incidents, Viewing & Managing Incident Details, and Understanding Workflows in Workflow Automation.

On the Incidents page, if applicable, additional details for an incident appear. The following fields might appear for an incident:

• Dictionary Match Count
• Username
• Client IP
• File Name
• File Type
• File MD5

See image.

Close

To learn more, see About Incidents.

On the Incidents page, two new filters are added to the Filters section: URL and Client IP. You can add multiple values (comma-separated) to the URL and Client IP filters to view the incidents corresponding to those values. These filters can do full-text matching for the values enter.

See image.

Close

To learn more, see About Incidents.

On the Incident Details page, under the Originating User section, you can click the username link to view all the incidents created by the same end user in the Incidents page. The end user's name is automatically applied in the Filters section, and the incidents table displays only the incidents that the end user is responsible for.

See image.

Close

To learn more, see Viewing & Managing Incident Details.

On the Incidents page:

• In the Filters section, a new Duplicated Incidents filter is added to filter only the incidents that have duplicate incidents.

  See image.

  

  Close

• If duplicate incidents exist for an incident, you can view the the total count of the duplicate incidents next to the Transaction ID in the incidents table.

  See image.

  

  Close

To learn more, see About Incidents.

A new Reset icon is added to the Workflow Automation Admin Portal, that can be used to reset all the applied filters. The new icon is added to the following pages:

• Notification Templates
• Survey Templates
• Audit Logs
• Incidents
• Incident Analytics Dashboard

See image.

Close

To learn more, see Managing Notification Templates, Managing Survey Templates, About Audit Logs, About Incidents, and About Incident Analytics Dashboard.

On the Incidents page, in the Filters section, you can filter the incidents list by adding multiple values (comma-separated) to the Hostname or Application, User, and File Name filters.

See image.

To learn more, see About Incidents.

The following enhancements are available for incidents of Source DLP types Inline and Endpoint in the Workflow Automation Admin Portal:

• On the Incidents page, a new Other Rule filter is added to the Filters section. You can use this filter to display the incidents that match the selected DLP rules.

  See image.

  

  Close

  To learn more, see About Incidents.

• On the Incidents Details page:

  • A new Other Matched Rules field is added to display the rules that match the violated DLP rule that created the incident.

    See image.

    

    Close

  • Under Violation Details, the following fields are added to Endpoint Source DLP type:

    • Device Name
    • Device OS
    • Device Trust Level
    • File Size
    • ZDP Mode
    • Expected Action
    • Confirm Action
    • Confirm Justification
    • Justification Text
    • Additional Information

    See image.

    

    Close

  To learn more, see Viewing & Managing Incident Details.

• On the Incidents Group Mappings and Workflow Mappings page, the Other Rules option is added to the Matching Policies property for Inline Source DLP type. When configuring an incident group or workflow mapping, you can select other DLP rules by rule name or the total number of rules.

  See image.

  

  Close

  To learn more, see Managing Incident Group Mappings and Managing Workflow Mappings.

A new Transalate Template icon is added to the Notification Templates and Survey Templates pages. This icon allows you to translate a published, system default, or draft template into a different language based on your requirements. You can also revert the tanslated template to its original language.

See image.

Close

To learn more, see Managing Notification Templates and Managing Survey Templates.

A new field, Product, is available when configuring new roles in the Workflow Automation Admin Portal. By default, the Product is DLP and you cannot change it. This field is also available as a column displaying the product of a role on the Roles page.

See image.

Close

To learn more, see Managing Roles and Permissions.

A new section, User Notification, is added to the Incidents > Incidents Details page. This section allows the Data Loss Prevention (DLP) admin to effortlessly track the incident's notification status to manage the incident. It provides a detailed log of the incident's notifications and escalations sent to the originating user, the user's manager or approver.

See image.

Close

To learn more, see Viewing & Managing Incident Details.

Two new filters, File Name and File Type, are added to the Filters section of the Incidents page.

See image.

Close

To learn more, see About Incidents.

A new Incident Analytics page is added to the Workflow Automation Admin Portal. The Incident Analytics dashboard provides high-level visibility and insight into your organization's Data Loss Prevention (DLP) incidents. It allows you to monitor and analyze various information about incidents over a specified time frame from a single location.

Only admins with full workflow access can monitor all the incidents through the dashboard. Admins with restricted workflow access can monitor only the incidents assigned to them.

See image.

Close

To learn more, see About Incident Analytics Dashboard.

The following updates are available in Workflow Automation as part of the Multiple Language support:

• On the Notification Template page and the Survey Template page:

  • A new option, Add Template, is added which allows you to create custom templates in addition to cloning system default templates.

    See image.

    

    Close

  • Two new filters, Template Family and Language, are added to the Filter section. The Category filter is renamed as Product in the Filter section.

    See image.

    

    Close

  • A new column, Template Family, is added. All system default templates are displayed under the Template Family column.

    See image.

    

    Close

  • A new option, Translate, is available when creating, editing, or cloning a template to translate the template into a different language.

    See image.

    

    Close

• On the Incident Details page, a Language drop-down is added to the Notify User and Escalate window. You can select a language in which the notification and escalation messages are displayed.

  See image.

  

  Close

• On the Workflows page, a Language drop-down is added to the Notification Channel field when you add a new workflow. You can select a language in which the notification and escalation messages are displayed.

  See image.

  

  Close

  To learn more, see Managing Notification Templates, Managing Survey Templates, Managing Workflows, and Viewing & Managing Incident Details.