Configuring DLP Notification Templates



To add a DLP notification template:

  1. Go to Administration > DLP Notification Templates.
  2. Click Add DLP Notification Template.
  3. In the Add DLP Notification Template window:
    1. Enter a Name for the notification.
    2. By default, the Subject line for the notification uses the text DLP Violation: followed by the ${ENGINES} macro, which lists the DLP engines that triggered. However, you can modify this text, and you can include the ${USER} and ${URL} macros as well. For a complete list of macros, see step 5 below.
    3. Enable Attach Violating Content if you want an attachment of the violating content added to the notifications emailed to auditors.
    4. Enable Use TLS to use a TLS connection to send the notification email. If you enable this option, ensure that the email recipient's SMTP server supports TLS. Zscaler recommends that you use TLS because any email you send might contain sensitive content.

      These attachments and the violating content contained in them are never stored on disk. The attachments, violating content, and body of the notification emails are placed in RAM, and the Zscaler service creates and sends an encrypted email via TLS. All data is then deleted from RAM and no sensitive information is stored.

    5. In the Message as Plain Text or Message as HTML sections, you can create a customized message detailing why the content was blocked. This message is delivered via email (Delivery Status Notification) to the auditor when a policy triggers and blocks content.

      The following macros can be used in the message body and subject line:

      • ${CLIENT_IP}: This macro is used to specify the user's IP address, if available.
      • ${DICTIONARIES}: This macro is used to list the DLP dictionaries associated with the triggered policy, which includes the match count (for dictionaries such as Credit Cards) or score (for machine learning dictionaries such as Financial Statements or Source Code), for each dictionary triggered due to a content match. 
      • ${DLPTRIGGERS}: This macro is used to list the content (up to 10 items) that matched a dictionary.
      • ${ENGINES}: This macro is used to list the DLP engines associated with the triggered policy.
      • ${TIMESTAMP}: This macro is used to specify the time the user attempted to send violating content.
      • ${TYPE}: This macro is used to specify the Cloud App category for the destination traffic. For example, "File Sharing" can be a type. If the destination does not match any Cloud App categories, the type will be "Web Posting". 
      • ${URL}: This macro is used to specify the destination URL (i.e., the URL accessed).
      • ${USER}: This macro is used to specify the name of the user, if any. If the user's name is unavailable, "unknown" is used.

      The ${USER}, ${URL}, ${TYPE}, ${ENGINES}, and ${DICTIONARIES} macros are included in the notification by default.


  4. Click Save and activate the change.
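A draft template can be checked before it is entered in the portal. The following Python is an added example, not Zscaler code: it flags macros that are not in the list above and flags content-bearing options (Attach Violating Content, ${DLPTRIGGERS}) when Use TLS is off. The dict layout, field names, and function names are assumptions made for this example.

```python
import re

# Macros documented on this page for the subject line and message body.
SUPPORTED_MACROS = {"CLIENT_IP", "DICTIONARIES", "DLPTRIGGERS", "ENGINES",
                    "TIMESTAMP", "TYPE", "URL", "USER"}
# ${DLPTRIGGERS} lists the matched content itself, so it carries sensitive data.
CONTENT_BEARING_MACROS = {"DLPTRIGGERS"}
MACRO_RE = re.compile(r"\$\{([^}]*)\}")


def lint_template(template):
    """Return sorted findings for a draft template (hypothetical dict layout)."""
    findings = []
    used = set()
    for field in ("subject", "body"):
        for name in MACRO_RE.findall(template.get(field, "")):
            used.add(name)
            if name not in SUPPORTED_MACROS:
                findings.append(f"{field}: unknown macro ${{{name}}}")
    if not template.get("use_tls", False):
        if template.get("attach_violating_content", False):
            findings.append("attachment of violating content enabled without Use TLS")
        for name in sorted(used & CONTENT_BEARING_MACROS):
            findings.append(f"${{{name}}} exposes matched content without Use TLS")
    return sorted(set(findings))


def render_preview(text, values):
    """Substitute supported macros with sample values; leave anything else untouched."""
    def repl(match):
        name = match.group(1)
        known = name in SUPPORTED_MACROS and name in values
        return str(values[name]) if known else match.group(0)
    return MACRO_RE.sub(repl, text)


# Constructed sample draft: one misspelled macro, content-bearing options, TLS off.
DRAFT = {
    "subject": "DLP Violation: ${ENGINE}",
    "body": "User ${USER} posted to ${URL} (${TYPE}). Matches: ${DLPTRIGGERS}",
    "attach_violating_content": True,
    "use_tls": False,
}
# Constructed sample values for the preview.
SAMPLE = {"USER": "unknown", "URL": "files.example.com/upload", "TYPE": "File Sharing"}

if __name__ == "__main__":
    print("\n".join(lint_template(DRAFT)))
    print(render_preview(DRAFT["body"], SAMPLE))
```
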

To modify an existing DLP notification template:

  1. Go to Administration > DLP Notification Templates.
  2. Locate the notification template you want to modify in the table, and click the Edit icon.
  3. You can edit the Name, Subject, Message as Plain Text, and Message as HTML fields. You can also enable or disable the Attach Violating Content and Use TLS settings.
  4. Click Save and activate the change.
