How do I configure DLP notifications?



Adding a DLP notification template is one of the tasks you must complete when configuring DLP policy rules. See How do I configure a policy using Zscaler DLP engines? and How do I configure a policy using external DLP engines? for the full list of tasks.

To add a DLP notification template, follow the instructions below.

  1. Go to Administration > Resources > DLP Notification Templates.
  2. Click Add DLP Notification Template and complete the following:
    • Enter a notification Name.
    • Enable Attach Violating Content if you want an attachment of the violating content added to the notifications emailed to auditors.
      • Enable Use TLS to send the email over a TLS connection. If you enable this option, ensure that the customer's SMTP server supports TLS. Zscaler recommends that you use TLS because the email you send might contain sensitive content.

        These attachments and the violating content contained in them are never stored on disk. The attachments, violating content, and body of the notification emails are placed in RAM, and the Zscaler service creates and sends an encrypted email via TLS. All data is then deleted from RAM, and no sensitive information is ever stored.

    • Subject contains a macro, ${ENGINES}, that is used to list the DLP engines that were triggered.
    • In the Message as Plain Text or Message as HTML sections, you can create a customized message detailing why the content was blocked. This message is delivered via email (Delivery Status Notification) to the auditor when a policy triggers and blocks content. The following macros are in the message:
      • ${CLIENT_IP}: This macro is used to specify the user's IP address (if available).
      • ${DICTIONARIES}: This macro is used to list the DLP dictionaries that were triggered.
      • ${DLPTRIGGERS}: This macro is used to list the content (up to 10 items) that matched the dictionary.
      • ${ENGINES}: This macro is used to list the DLP engines that were triggered.
      • ${TIMESTAMP}: This macro is used to specify the time the user attempted to send violating content.
      • ${TYPE}: This macro is used to specify the type of attachment. For example, “Web posting” could be a type for posts.
      • ${URL}: This macro is used to specify the destination URL (that is, the URL accessed).
      • ${USER}: This macro is used to specify the name of the user (if any). If the user name is unavailable, “unknown” is used.
  3. Click Save and activate the change.
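
A pre-flight check for a draft template before it is pasted into the portal, as an added example that is not Zscaler code: it flags ${...} tokens that are not among the macros listed above, warns when violating content would be emailed with Use TLS disabled, and previews the message with constructed sample values. The function and parameter names are hypothetical, and treating ${ENGINES} as the only subject macro is an assumption based on this page.

```python
import re

# Macros listed on this page. Assumption: the subject accepts only ${ENGINES},
# because that is the only subject macro the page documents.
BODY_MACROS = {"CLIENT_IP", "DICTIONARIES", "DLPTRIGGERS", "ENGINES",
               "TIMESTAMP", "TYPE", "URL", "USER"}
SUBJECT_MACROS = {"ENGINES"}
MACRO_RE = re.compile(r"\$\{([^}]*)\}")


def lint_template(subject, body, use_tls, attach_content=False):
    """Return findings for a draft template (hypothetical helper)."""
    findings = []
    for field, text, allowed in (("subject", subject, SUBJECT_MACROS),
                                 ("body", body, BODY_MACROS)):
        for name in MACRO_RE.findall(text):
            if name not in allowed:
                findings.append(f"{field}: ${{{name}}} is not a listed macro")
    # ${DLPTRIGGERS} and the attachment both carry the violating content.
    carries_content = attach_content or "DLPTRIGGERS" in MACRO_RE.findall(body)
    if carries_content and not use_tls:
        findings.append("violating content would be emailed with Use TLS off")
    return findings


def preview(text, values):
    """Expand macros locally with sample values; unknown tokens stay visible."""
    return MACRO_RE.sub(lambda m: values.get(m.group(1), m.group(0)), text)


# Constructed draft: ${ENGINE} and ${DESTINATION} are deliberate typos.
SUBJECT = "DLP violation: ${ENGINE}"
BODY = ("User ${USER} (${CLIENT_IP}) posted to ${DESTINATION} at ${TIMESTAMP}.\n"
        "Engines: ${ENGINES}\nMatched: ${DLPTRIGGERS}\n")
# Constructed sample values for the preview.
SAMPLE = {"USER": "unknown", "CLIENT_IP": "192.0.2.10",
          "TIMESTAMP": "2024-01-01 12:00:00", "ENGINES": "PCI",
          "DLPTRIGGERS": "[redacted sample]"}

if __name__ == "__main__":
    for finding in lint_template(SUBJECT, BODY, use_tls=False):
        print("FINDING:", finding)
    print(preview(BODY, SAMPLE))
```

The preview only approximates macro expansion locally; how the Zscaler service renders the final email is not described on this page.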