zscaler.ziacloud.zia_dlp_web_rules module – Adds a new DLP policy rule.

Note

This module is part of the zscaler.ziacloud collection (version 1.3.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install zscaler.ziacloud. This module has further requirements; see Requirements for details.

To use it in a playbook, specify: zscaler.ziacloud.zia_dlp_web_rules.

New in zscaler.ziacloud 1.0.0

Synopsis

  • Adds a new DLP policy rule.

Requirements

The below requirements are needed on the host that executes this module.

Parameters

Parameter

Comments

action

string

The action taken when traffic matches the DLP policy rule criteria.

Choices:

  • "ANY"

  • "BLOCK"

  • "ALLOW"

  • "ICAP_RESPONSE"

api_key

string

A string that contains the obfuscated API key.

auditor

list / elements=integer

The auditor to which the DLP policy rule must be applied.

cloud

string

The Zscaler cloud name provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

cloud_applications

list / elements=string

The list of cloud applications to which the DLP policy rule must be applied.

departments

list / elements=integer

The departments to which the DLP policy rule must be applied.

description

string

The description of the DLP policy rule.

dlp_download_scan_enabled

boolean

If this field is set to true, DLP scan is enabled for file downloads from cloud applications configured in the rule.

If this field is set to false, DLP scan is disabled for downloads from the cloud applications.

Choices:

  • false

  • true

dlp_engines

list / elements=integer

The list of DLP engines to which the DLP policy rule must be applied.

enabled

boolean

Enables or disables the DLP policy rule.

Choices:

  • false

  • true

exclude_domain_profiles

list / elements=integer

The list of domain profiles that must be added to the DLP rule criteria in order to apply the DLP rules.

It applies to all domains excluding the domains that are part of the specified profiles.

A maximum of 8 profiles can be selected.

excluded_departments

list / elements=integer

The departments that are excluded from the DLP policy rule.

excluded_groups

list / elements=integer

The groups that are excluded from the DLP policy rule.

excluded_users

list / elements=integer

The users that are excluded from the DLP policy rule.

external_auditor_email

string

The email address of an external auditor to whom DLP email notifications are sent.

file_types

list / elements=string

The list of file types to which the DLP policy rule must be applied.

groups

list / elements=integer

The groups to which the DLP policy rule must be applied.

icap_server

list / elements=integer

The DLP server using ICAP to which the transaction content is forwarded.

id

integer

The unique identifier for the DLP policy rule.

include_domain_profiles

list / elements=integer

The list of domain profiles that must be added to the DLP rule criteria in order to apply the DLP rules.

It applies only to domains that are part of the specified profiles.

A maximum of 8 profiles can be selected.

labels

list / elements=integer

The rule labels associated with the DLP policy rule.

location_groups

list / elements=integer

The location groups to which the DLP policy rule must be applied.

locations

list / elements=integer

The locations to which the DLP policy rule must be applied.

match_only

boolean

The match only criteria for DLP engines.

Choices:

  • false

  • true

min_size

integer

The minimum file size (in KB) used for evaluation of the DLP policy rule.

name

string / required

The DLP policy rule name.

notification_template

list / elements=integer

The template used for DLP notification emails.

ocr_enabled

boolean

Enables or disables image file scanning.

Choices:

  • false

  • true

order

integer

The rule order of execution for the DLP policy rule with respect to other rules.

parent_rule

integer

The unique identifier of the parent rule under which an exception rule is added.

password

string

A string that contains the password for the API admin.

protocols

list / elements=string

The protocol criteria specified for the DLP policy rule.

Choices:

  • "ANY_RULE"

  • "FTP_RULE"

  • "HTTPS_RULE"

  • "HTTP_RULE"

provider

dictionary

A dict object containing connection details. This is optional; credentials can also be provided directly at the top level.

api_key

string

A string that contains the obfuscated API key.

cloud

string

The Zscaler cloud name provisioned for your organization.

Choices:

  • "zscloud"

  • "zscaler"

  • "zscalerone"

  • "zscalertwo"

  • "zscalerthree"

  • "zscalerbeta"

  • "zscalergov"

  • "zscalerten"

password

string

A string that contains the password for the API admin.

sandbox_token

string

A string that contains the Sandbox API Key.

username

string

A string that contains the email ID of the API admin.

rank

integer

The admin rank of the admin who created the DLP policy rule.

Default: 7

sandbox_token

string

A string that contains the Sandbox API Key.

severity

string

Indicates the severity selected for the DLP rule violation.

Choices:

  • "RULE_SEVERITY_HIGH"

  • "RULE_SEVERITY_MEDIUM"

  • "RULE_SEVERITY_LOW"

  • "RULE_SEVERITY_INFO"

state

string

Specifies the desired state of the resource.

Choices:

  • "present" ← (default)

  • "absent"

sub_rules

list / elements=string

The list of exception rules added to a parent rule.

All attributes within the WebDlpRule model are applicable to the sub-rules. Values for each rule are specified by using the WebDlpRule object.

Exception rules can be configured only when the inline DLP rule evaluation type is set to evaluate all DLP rules in the DLP Advanced Settings.

time_windows

list / elements=integer

The time windows to which the DLP policy rule must be applied.

url_categories

list / elements=integer

The list of URL categories to which the DLP policy rule must be applied.

user_risk_score_levels

list / elements=string

Indicates the user risk level selected for the DLP rule violation.

Choices:

  • "LOW"

  • "MEDIUM"

  • "HIGH"

  • "CRITICAL"

username

string

A string that contains the email ID of the API admin.

users

list / elements=integer

The users to which the DLP policy rule must be applied.

without_content_inspection

boolean

Indicates a DLP policy rule without content inspection, when the value is set to true.

Choices:

  • false

  • true

workload_groups

list / elements=integer

The list of preconfigured workload groups to which the policy must be applied.

zcc_notifications_enabled

boolean

If this field is set to true, Zscaler Client Connector notification is enabled for the block action triggered by the web DLP rule.

If this field is set to false, Zscaler Client Connector notification is disabled.

Choices:

  • false

  • true

zscaler_incident_receiver

boolean

Indicates whether a Zscaler Incident Receiver is associated with the DLP policy rule.

Choices:

  • false

  • true

Notes

Note

  • Check mode is supported.

Examples

- name: Create/Update/Delete DLP Web Rules
  zscaler.ziacloud.zia_dlp_web_rules:
    provider: '{{ provider }}'
    name: "Example"
    description: "Example"
    action: "ALLOW"
    enabled: true
    without_content_inspection: false
    zscaler_incident_receiver: false
    order: 1
    rank: 7
    user_risk_score_levels:
      - CRITICAL
      - HIGH
      - LOW
      - MEDIUM
    protocols:
      - FTP_RULE
      - HTTPS_RULE
      - HTTP_RULE
    min_size: 0
    cloud_applications:
      - WINDOWS_LIVE_HOTMAIL
    file_types:
      - "ASM"
      - "MATLAB_FILES"
      - "SAS"
      - "SCALA"
    locations:
      - 61188118
      - 61188119
    groups:
      - 76662385
      - 76662401
    users:
      - 45513075
      - 76676944
    departments:
      - 45513014
      - 76676875
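
A blocking rule with credentials kept out of the playbook, added here as an illustration and not taken from the collection's documentation. The environment variable names, the domain profile IDs, the rule name and the auditor address are assumptions or constructed placeholders; every module parameter used is one documented above.

```yaml
---
# Added example: not from the collection's documentation.
# Environment variable names and numeric IDs below are placeholders.
- name: Block source-code uploads with a web DLP rule
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    zia_provider:
      username: "{{ lookup('ansible.builtin.env', 'ZIA_USERNAME') }}"
      password: "{{ lookup('ansible.builtin.env', 'ZIA_PASSWORD') }}"
      api_key: "{{ lookup('ansible.builtin.env', 'ZIA_API_KEY') }}"
      cloud: "{{ lookup('ansible.builtin.env', 'ZIA_CLOUD') }}"
    dlp_domain_profiles: [1001, 1002]   # placeholder profile IDs
    dlp_excluded_users: []              # keep exclusions explicit and reviewed
  tasks:
    - name: Check the documented limit of 8 profiles and that credentials are set
      ansible.builtin.assert:
        that:
          - dlp_domain_profiles | length <= 8
          - zia_provider.password | length > 0
        fail_msg: "More than 8 domain profiles, or ZIA_PASSWORD is not set"

    - name: Create the BLOCK rule
      zscaler.ziacloud.zia_dlp_web_rules:
        provider: "{{ zia_provider }}"
        state: present
        name: "Block-Source-Code-Upload"
        description: "Block source files sent to the listed domain profiles"
        action: "BLOCK"
        enabled: true
        order: 1
        rank: 7
        severity: "RULE_SEVERITY_HIGH"
        protocols:
          - HTTPS_RULE
          - HTTP_RULE
        file_types:
          - "ASM"
          - "SCALA"
        include_domain_profiles: "{{ dlp_domain_profiles }}"
        excluded_users: "{{ dlp_excluded_users }}"
        zcc_notifications_enabled: true
        external_auditor_email: "dlp-audit@example.com"
      no_log: true   # keep the provider credentials out of task output and logs
```

Because check mode is supported, running the play with `--check` first previews the change before a blocking rule goes live at order 1.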

Authors

  • William Guilherme (@willguibr)