🔐 Zscaler Release Notes

Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...

Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...

Organizations face a significant security risk when users inadvertently overshare or mishandle sensitive internal files. The integration of AI tools, such as Microsoft Copilot, intensifies this risk, as these tools can access information within the improperly shared files, leadin...

Workday tenants now support RaaS-based API access which enables secure, programmatic retrieval of data and management through web services. Existing Workday tenants need to be reauthenticated by editing the tenant and revalidating. To learn more, see <a href="https://help.zscaler.com/zia/ad...

The SaaS Security Data at Rest Scanning policy supports a new option to quarantine sensitive content in Microsoft Teams. You can specify a tombstone message that end users see when messages or files in Microsoft Teams are quarantined. <a class="image-icon" href="#ZIA-Webex-...

You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...

Zscaler&#039;s Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization&#039;s application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....

The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint&#039;s status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...

Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...

Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...

Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...

Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...

The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...

The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...

A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...

On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...

Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....

The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...

When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...

You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...

The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...

The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...

Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....

You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...

The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...

Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...

Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...

Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...

The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...

The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...

The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...

Extranet Application Support can be configured bidirectionally, allowing partners to access your organization&#039;s resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...

Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...

You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...

The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...

You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...

The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...

Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...

The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...

This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...

On the URL Filtering Policy page (Policy > URL & Cloud App Control > URL Filtering Policy), the URL Filtering rules are paginated with up to 100 rules displayed per page. See image. You can filter and search for URL Filteri...

The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...

Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...

You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...

The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...

For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...

When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...

The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...

Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user&#039;s browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...

Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...

If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...

On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...

You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...

Zscaler&#039;s Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...

In the App Inventory and User Inventory, and on the Posture page, the filter options that don&#039;t currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...

The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...

You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...

The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users&#039; email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...

The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...

The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....

The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...

The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...

For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...

You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...

You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....

When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...

Zscaler supports Creative Commons (CC) search for certain search engines (i.e., Bing, Google, and Yahoo). This allows you to see only search results that are licensed under CC. The Enable Creative Commons Search Results option is added to the Policy > URL & Cloud App Control > Ad...

Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...

You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...

JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...

The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...

The Zscaler service supports the Enhanced Driver&#039;s License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...

You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...

Isolated sessions now automatically restore their web pages if they time out on a user&#039;s device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...

The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...

SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...

The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...

Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...

You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...

Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...

You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...

The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...

The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...

The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....

Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...

For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...

A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...

Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...

The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...

You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...

You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...

You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...

Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...

To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...

The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...

You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...

The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...

A Notes tab is added to the App Panel in 3rd-Party App Governance and the Control Panel in Advanced SaaS Security Posture Management (SSPM). This tab allows you to communicate with and leave notes for multiple other users. You can add notes to each app or control and also comment...

The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...

You can now forward information about transactions that violate various Data Loss Prevention (DLP) incidents directly to your appliances you&#039;ve defined in the ZIA Admin Portal by going to Administration > Data Loss Prevention and selecting Cloud-to-Cloud Forwarding. <a...

The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...

To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...

Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...

The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...

You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...

The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...

The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...

When a folder&#039;s permissions are modified or a folder is shared with a new collaborator, files previously in violation of the SaaS Security DLP policy rules in the folder are rescanned against those rules. This feature is presently being rolled out to Microsoft OneDrive and SharePoint applica...

You can filter and view logs to learn which specific SSL Inspection policy r...

Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....

In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...

Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...

You can filter and view logs for External Collaborator Group and Internal Collaborator Group for the File Sharing Applications category. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights LogsFilters and colum...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...

You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...

Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...

A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...

Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...

A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...

You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...

You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...

You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...

You can now create and manage multiple user confirmation templates for enhanced policy-level customization in the ZIA Admin Portal by going to Administration > Notification Templates > User Confirmation and clicking Add Custom Message. When configuring Endpoint DLP or Inline Web...

The Zscaler Data Loss Prevention (DLP) Exact Data Match (EDM) dictionary search score total "matchCount" has been enhanced to be based on the number of unique sets of matches found in the content. Previously, "matchCount" was determined by the number o...

You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...

You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...

On the Print All Policies page (Administration > Print All Policies), you can download your organization&#039;s configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...

A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...

In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...

The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...

Single sign-on (SSO) can be configured for the ZIA Index Tool when adding or editing an Index Tool configuration. See image. To learn more, see...

When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...

The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...

Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy for file sharing applications supports redacting sensitive data in supported file types. To use this functionality, you first create a redaction profile that specifies whether the Zscaler service uses an as...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports specifying trusted users (i.e., users with email addresses outside your organization) and trusted domains (i.e., domains outside your organization) as part of your policy rules. The Zscaler service...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

You can apply the None action to exception rules in Endpoint Data Loss Prevention (DLP) to exclude specific activities that match exception rule criteria from being reported (i.e., you might want to exclude specific users or groups from reporting incidents). <a class="image...

The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....

The Zscaler service now supports the following existing predefined Data Loss Prevention (DLP) dictionaries for Endpoint DLP: • CNPJ Number (Brazil) • Mexico Unique Population Registration Code • National Economic Registry Number...

The Remediate option is removed from the policy drawer and Asset Summary tab on the Posture Management page. This option is available only if you subscribed to the Advanced SSPM service. See image. To learn more, see <a...

The Zscaler service supports custom, client-side connector onboarding for access to both sandbox and production Salesforce tenants. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access Sal...

Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...

The Zscaler service supports using Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries and engines in your Outbound Email Data Loss Prevention (DLP) policy rules. See image. To le...

The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...

Administrators can now define Device Control rules criteria (Analytics > Endpoint Data Scan > Device Control) based on User Groups and Departments. See image. To learn more, see <a href="https://help.zscaler.com/z...

You can embed links and add line breaks in the custom messages for Zscaler Client Connector-based End User Notifications (EUNs) (Administration > End User Notifications > Client Connector) and User Confirmation notifications (Administration > Notification Templates > User Confirm...

The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • SaaS Security API To learn more about each endpoint, see th...

Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...

Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...

Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...

A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...

Zscaler&#039;s Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...

The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....

The SaaS Security Data at Rest Scanning DLP and Malware policies support configuring tenants for Zoom, a collaboration application. See image. To learn more, see <a href="https://help.zscaler.com/zia/ab...

You can now choose the Tombstone Template when quarantining files to the user root folder in the Assets Report (Analytics > SaaS Security > Assets). See image. To learn more, see <a href="https://help.zscaler.co...

A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...

When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("&#039;&#039;&#039;") instead of double quotes ("""). This update has been made...

The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...

You can configure Advanced SaaS Security Posture Management (SSPM) for Workday tenants. Select the SSPM Scan checkbox when onboarding a Workday tenant to enable the Advanced SSPM scan capability for the specific tenant....

Zscaler&#039;s Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...

You can configure the SaaS Security Posture Management (SSPM) Scan for Webex Teams tenants. Select the SSPM Scan checkbox when onboarding a Webex Teams tenant to enable the SSPM scan capability for the specific tenant. S...

The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...

Web Insights includes additional information for Bandwidth Control with the new filter Bandwidth by Data Center. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-data-types-and-filters...

You can onboard, edit, and delete new Software as a Service (SaaS) application tenants enabled with 3rd-Party App Governance or the Advanced SaaS Security Posture Management (SSPM) feature from the Add SaaS Application Tenant page in the ZIA Admin Portal. You can continue editing...

On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...

As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Zscaler Outbound Email DLP supports System for Cross-domain Identity Management (SCIM)-based user lookup to map email addresses with ZIA login names. To learn more, see <a href="https://help.zscaler.com/zia/step-step-configuration-guide-zscaler-outbound-email-dlp#prerequisites" target="_bla...

The Tenant Profiles feature supports Zoom. This allows granular control of actions (e.g., disable file transfer in meetings, disable recording locally on the device, etc.) in Zoom. See image. To learn more, see <a href="htt...

The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...

You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...

Isolation allows microphone and camera functionality on the user&#039;s device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...

To enable this feature for your organization, contact Zscaler Support. On the Data at Rest Scanning page (Policy > Saas Security > Data at Rest Scanning), you can create Data at Rest Scanning Data Loss Prevention (DLP) policies without content matching. <...

SaaS Application Tenants (Administration > SaaS Application Tenants > Manage SaaS Application Components) supports the management of SharePoint tenant Sites and Site Groups. In the Components tab, you can view a list of the SharePoint sites that are available under the selected S...

The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan): Nearby SharingZscaler Device Control is enhanced to prevent nearby sharing between endpoints and devices that are close by. The Nearby Sharing rule restricts the us...

The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...

Zscaler Client Connector-based End User Notifications (EUNs) and user confirmation messages for Inline Web DLP and Cloud App Control policies can be enabled without having an Endpoint DLP subscription. These policy EUNs are supported (without requiring Endpoint DLP) on the following Zscaler...

You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...

The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...

The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...

The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...

The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...

The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...

You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...

The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...

The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...

When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...

You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...

When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...

You can configure notification templates so that email notifications are sent automatically to specified auditors when outbound email transactions trigger Outbound Email DLP rules. On the Notification Templates page (Administration > Notification Templates > DLP), you can c...

SaaS Application tenant onboarding for SaaS Security API now supports configuring external trusted domains and users. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-email-profiles" target="_bla...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as a scoping criteria for SharePoint and OneDrive to monitor file sharing among collaborators. Administrators can choose a range for the number of...

The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...

You can refresh the status of a scheduled SaaS Security DLP or malware scan by clicking the Refresh icon next to the status of an ongoing scan on the SaaS Security Scan Configuration page. See image. To learn more,...

The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...

For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...

Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don&#039;t have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboardi...

Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...

The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...

The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....

The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...

To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...

The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...

The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...

Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...

The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...

In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...

You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...

Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...

The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...

For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...

The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...

The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...

The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...

Additional Firewall Control and Logging capabilities have been added for scenarios where an organization&#039;s roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization&#039;s tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...

The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...

Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...

The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...

The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...

The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...

When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...

The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...

The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...

You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...

The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...

Zscaler supports real-time Data Loss Prevention (DLP) for messages and file attachments sent via Webex Teams. To learn more, see Step-by-Step Configuration Guide for Webex Teams Re...

Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...

When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...

Optical Character Recognition (OCR) SupportThe Zscaler service supports OCR for Endpoint DLP to scan PNG, JPEG, TIFF, and BMP files for sensitive text data. This functionality does not require configuration and is automatically available based on whether your subscription includes the ZS...

You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting...

To access Extranet Application Support, contact your Zscaler Account team. Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished wit...

Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...

Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...

Custom IPS is supported on Zscaler&#039;s public cloud, allowing you to create and deploy custom IPS signature rules without requiring any additional infrastructure (previously required a Private Service Edge deployment). You can inspect traffic transiting the Zscaler cloud again...

Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...

A new query parameter "onPremNss" is available for the following Nanolog Streaming Service (NSS) feed endpoints: • "GET /nssFeeds" • "POST /nssFeeds" • "GET /nssFeeds/{feedId}" • "PUT /nssFeeds/{feedId}" • <co...

A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...

On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...

The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...

You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...

Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....

The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...

Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...

Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...

Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...

The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...

The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...

Extranet Application Support can be configured bidirectionally, allowing partners to access your organization&#039;s resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...

Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...

You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...

The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...

You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...

The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...

Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...

The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...

You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...

Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user&#039;s browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...

If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...

On the URL Filtering Policy page (Policy > URL & Cloud App Control > URL Filtering Policy), the URL Filtering rules are paginated with up to 100 rules displayed per page. See image. You can filter and search for URL Filteri...

The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...

Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...

For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...

You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...

On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...

In the App Inventory and User Inventory, and on the Posture page, the filter options that don&#039;t currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...

The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...

You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...

The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users&#039; email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...

Zscaler&#039;s Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...

The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...

The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...

You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....

When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...

Zscaler supports Creative Commons (CC) search for certain search engines (i.e., Bing, Google, and Yahoo). This allows you to see only search results that are licensed under CC. The Enable Creative Commons Search Results option is added to the Policy > URL & Cloud App Control > Ad...

Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...

The Zscaler service supports the Enhanced Driver&#039;s License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...

JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...

The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...

Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...

Isolated sessions now automatically restore their web pages if they time out on a user&#039;s device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...

The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...

A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...

The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...

You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...

The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....

Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...

SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...

The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...

AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...

The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...

You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...

You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...

The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...

The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...

For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...

Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...

You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...

You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...

You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...

The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...

The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...

The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...

To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...

Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...

You can filter and view logs to learn which specific SSL Inspection policy r...

Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....

You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...

In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...

Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...

The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...

The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...

Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...

A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...

Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...

A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...

You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...

You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...

You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...

You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...

On the Print All Policies page (Administration > Print All Policies), you can download your organization&#039;s configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...

You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...

You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...

The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...

A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...

When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...

In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...

Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...

The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...

The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...

The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...

Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...

Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...

The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...

Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...

A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...

The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....

A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...

When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("&#039;&#039;&#039;") instead of double quotes ("""). This update has been made...

Zscaler&#039;s Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...

The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...

Zscaler&#039;s Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...

Web Insights includes additional information for Bandwidth Control with the new filter Bandwidth by Data Center. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-data-types-and-filters...

On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...

As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

The Tenant Profiles feature supports Zoom. This allows granular control of actions (e.g., disable file transfer in meetings, disable recording locally on the device, etc.) in Zoom. See image. To learn more, see <a href="htt...

The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...

You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...

The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...

You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...

Isolation allows microphone and camera functionality on the user&#039;s device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...

You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...

The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...

The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...

The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...

The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...

The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....

The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...

The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...

When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...

You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...

When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...

The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...

The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...

For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...

Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...

The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...

The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....

The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...

The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...

To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...

The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...

Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...

For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...

In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...

The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...

You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...

Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...

The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...

The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...

The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...

The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...

The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...

The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...

The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...

The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...

Additional Firewall Control and Logging capabilities have been added for scenarios where an organization&#039;s roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization&#039;s tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...

Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...

When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...

The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...

The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...

You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...

The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...

Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...

When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...

You can add up to 2,000 Zscaler Private Access (ZPA) application segments while configuring Source IP Anchoring in the ZIA Admin Portal. To increase the application segment limits, contact Zscaler Support. To learn more, see <a href="https://help.zscaler.com/zia/configuring-source-ip-anchor...

Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...

Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...

You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...

Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...

Zscaler&#039;s Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization&#039;s application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....

The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint&#039;s status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...

A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...

On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...

Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...

Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....

Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...

Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...

The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...

When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...

The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...

The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...

You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...

The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...

The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...

You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...

The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...

Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....

You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...

The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...

Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...

Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...

Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...

The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...

You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...

When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...

The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...

You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...

Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...

The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...

The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...

The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...

This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...

The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...

Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...

The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...

For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...

Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...

On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...

Extranet Application Support can be configured bidirectionally, allowing partners to access your organization&#039;s resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...

The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...

Proper validation of user input in the ZIA Admin Portal no longer allows an authenticated administrator to initiate back end functions through specific input fields in limited scenarios (CVE-2026-22567)....

Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user&#039;s browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...

Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...

If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...

Zscaler&#039;s Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...

You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...

In the App Inventory and User Inventory, and on the Posture page, the filter options that don&#039;t currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...

The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...

You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...

The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users&#039; email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...

You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...

The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...

The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....

The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...

The Zscaler service can capture traffic in multiple ways: • Traffic Capture Essentials: Capture traffic as PCAP files with supported actions in ZIA policies when traffic matches policy criteria. • Traffic Capture for Network Detection and Response (NDR): Capture tr...

Zscaler supports Creative Commons (CC) search for certain search engines (i.e., Bing, Google, and Yahoo). This allows you to see only search results that are licensed under CC. The Enable Creative Commons Search Results option is added to the Policy > URL & Cloud App Control > Ad...

For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...

You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...

JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...

The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...

You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....

The Zscaler service supports the Enhanced Driver&#039;s License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...

When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...

Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...

Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...

You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...

Isolated sessions now automatically restore their web pages if they time out on a user&#039;s device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...

The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...

Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...

Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...

The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....

Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...

The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...

You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...

The File Type Control and Data Loss Prevention (DLP) policies now support custom file types with extension-based detection. On the Management Portal for Partners, partner tenants can see a new field, Custom File Type Limit, in their Technical Information section. The Custom...

SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...

The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...

You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...

To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...

AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...

Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...

You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...

The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...

You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...

The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...

For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...

A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...

The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...

You can select the countries from which traffic originates for the URL Filtering rules. This allows you to control the traffic originating from specific countries. As part of this change, the Source Countries field is added to the Add URL Filtering Rule window (Policies > URL & C...

The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...

You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...

You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...

A Notes tab is added to the App Panel in 3rd-Party App Governance and the Control Panel in Advanced SaaS Security Posture Management (SSPM). This tab allows you to communicate with and leave notes for multiple other users. You can add notes to each app or control and also comment...

The 3rd-Party App Governance API adds the following new endpoints to perform bulk actions as well as retrieve scan results and lists of filters and controls from the Posture page in the 3rd-Party App Governance Admin Portal: • "/posture/controls/status" • "/posture/...

To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Data Loss Prevention (DLP) policy scan metadata for Inline Web DLP policy violations (with Evaluate All Rules mode enabled) has been updated with the following fields: • "otherMatchedRu...

You can filter and view logs to learn which specific SSL Inspection policy r...

You can now forward information about transactions that violate various Data Loss Prevention (DLP) incidents directly to your appliances you&#039;ve defined in the ZIA Admin Portal by going to Administration > Data Loss Prevention and selecting Cloud-to-Cloud Forwarding. <a...

Zscaler supports lookup for uncategorized URLs using a third-party database. You can control the lookup for such uncategorized URLs using the newly added Enable 3rd-Party URL Category Lookup option on the Advanced Policy Settings tab (Policy > URL & Cloud App Control). <a c...

You can search for configuration changes on the Audit Logs page by selecting Changes from the search options. See image. The configuration change search applies to JSON attribute values, not a...

The following update is applicable only to tenants approved for an increased rule limit of up to 4,000 Firewall Filtering rules, based on qualified use cases. On the Firewall Filtering Policy page (Policy > Firewall Control), the search is updated to include th...

The cloud service API includes the Activation endpoint category to extend programmatic access to retrieve the EUSA acceptance status using the following endpoints: • "GET /eusaStatus/latest" • "PUT /eusaStatus/{eusaStatusId}" To le...

In the Policy > Forwarding Control > Add Forwarding Rule window, under the General section, a new Device Groups criterion is added. This criterion allows you to select device groups based on the device platform to which the configured forwarding rule applies. <a class="imag...

When creating your Zscaler Data Loss Prevention (DLP) EDM templates, you can now select the following data types: • National Document ID (Uruguay) • National Identification Number (Chile) • National Identification Number (Peru) To learn more, see...

When a folder&#039;s permissions are modified or a folder is shared with a new collaborator, files previously in violation of the SaaS Security DLP policy rules in the folder are rescanned against those rules. This feature is presently being rolled out to Microsoft OneDrive and SharePoint applica...

Users can now upload multiple files simultaneously while in an isolated session. There is no minimum or maximum limit while uploading. See image. To learn more, see <a class="url-external" href="https://help.zscaler....

Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...

You can filter and view logs for External Collaborator Group and Internal Collaborator Group for the File Sharing Applications category. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights LogsFilters and colum...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for Google Drive. Administrators can apply the scope to collaborators by choosing a range for the number of internal and extern...

Multiple enhancements have been made to improve the load time and performance of the Users page in 3rd-Party App Governance. This significantly improves the user experience. To learn more, see <a href="https://help.zscaler.com/zia/about-user-inventory" target="_blank" data-entity-type="node...

A new tab, Files, is added to the User Panel in 3rd-Party App Governance. This tab provides visibility into files associated with Data Loss Prevention (DLP) violations for a given user over a selected period of time. You can quickly identify the top files with DLP violations, ena...

Multiple improvements help to automatically detect internal apps and relate publishers to those internal apps in 3rd-Party App Governance. To learn more, see <a href="https://help.zscaler.com/zia/about-app-inventory" target="_blank" data-entity-type="node" data-entity-uuid="acfb521d-0327-4a...

A new finding, Excessive Data Permissions, is created for GitHub apps in 3rd-Party App Governance. Applications with excessive data permissions can access or modify multiple data types like emails, files, chats, and calendars, which puts the organization at risk of non-compliance and malicious ac...

You can add and manage labels for Software as a Service (SaaS) application tenants from the Integrations banner in 3rd-Party App Governance and Advanced SSPM. You can also filter the platforms by label. This allows you to identify the differences between the tenants for effective...

You can view the Software as a Service (SaaS) dashboard when you access Zscaler Advanced SaaS Security Posture Management (SSPM). The dashboard displays information about the overall posture score and risk score across all apps, platforms, and user accounts. It also displays the...

You can now add comments to malicious URLs you have added to Advanced Threat Protection (ATP) Blocked Malicious URLs. To learn more, see <a href="https://help.zscaler.com/zia/adding-urls-denylist" target="_blank" data-entity-type="node" data-entity-uuid="b78a03b4-6f84-4726-...

You can now create and manage multiple user confirmation templates for enhanced policy-level customization in the ZIA Admin Portal by going to Administration > Notification Templates > User Confirmation and clicking Add Custom Message. When configuring Endpoint DLP or Inline Web...

The Zscaler Data Loss Prevention (DLP) Exact Data Match (EDM) dictionary search score total "matchCount" has been enhanced to be based on the number of unique sets of matches found in the content. Previously, "matchCount" was determined by the number o...

You can now view and download the latest Zscaler ThreatLabz updates of all newly generated or updated content by the Zscaler ThreatlabZ team in a PDF from the Cybersecurity Insights page. See image. To learn more, see <a h...

You can filter and view logs for File Type Control policy rules that use the Allow action and have been triggered by the transaction. The following changes are available in the ZIA Admin Portal:</p...

Tenancy restriction support is extended to Amazon Web Services CLI. To learn more, see Adding Te...

On the Print All Policies page (Administration > Print All Policies), you can download your organization&#039;s configured policies as JSON files by selecting the ZIP file format. A single ZIP file containing JSON representation of the policies is downloaded, with one JSON file c...

A Location Groups filter is added to NSS and Cloud NSS feeds for Web, Firewall, and DNS logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. You can use the filter when configuring a feed to limit the logs to specific location groups. <a class="image-icon" href="#...

In Firewall and Forwarding rules, the Department field was accessible to some customers without the appropriate entitlement (requires Advanced Firewall). An update has been made to ensure that this field availability matches the admin’s entitlement to the field licensed with Advanced Firewall. Fo...

The following are new predefined DLP dictionaries that use ML-based detection: • ID Card • Medical Imaging • Satellite Data • Schematic Data To learn more, see <a href="https://help.zscaler....

The following predefined DLP and EDM dictionaries now support an additional format for Australian Passport numbers: AAn(6), where AA is a combination of two letters (PA - PF, PU, PW, PX, PZ, and RA - RZ) and n is a combination of 6 digits. A delimiter (hyphen, spaces, or pe...

Single sign-on (SSO) can be configured for the ZIA Index Tool when adding or editing an Index Tool configuration. See image. To learn more, see...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy for file sharing applications supports redacting sensitive data in supported file types. To use this functionality, you first create a redaction profile that specifies whether the Zscaler service uses an as...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports specifying trusted users (i.e., users with email addresses outside your organization) and trusted domains (i.e., domains outside your organization) as part of your policy rules. The Zscaler service...

The File Type Control policy rules support Custom Browser end user notifications (EUN). You can create a custom EUN template for the File Type Control policy and associate it with the policy rules. This allows you to show the custom notification messages on the endpoints when the...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

The Remediate option is removed from the policy drawer and Asset Summary tab on the Posture Management page. This option is available only if you subscribed to the Advanced SSPM service. See image. To learn more, see <a...

The Zscaler service supports custom, client-side connector onboarding for access to both sandbox and production Salesforce tenants. With this functionality, instead of requiring full administrator credentials, the Zscaler service can use a minimum set of credentials to access Sal...

Zscaler Sandbox (Administration > Cloud Service API Security > Sandbox API Token) supports up to 5 Sandbox API Tokens. The Sandbox token name field has a limit of 10 characters. See image. Web Insight Logs (Analytics >...

Zscaler added three new inline web DLP macros for your DLP notification templates: • "${DEPARTMENT}": Shows the department of the user who triggered the DLP rule. • "${FILESIZE}": Specifies the size of the file that triggered the DLP rule.</li...

The Zscaler service supports using Exact Data Match (EDM) and Indexed Document Match (IDM) dictionaries and engines in your Outbound Email Data Loss Prevention (DLP) policy rules. See image. To le...

Users can now add URLs and MD5 file hashes to an Allowlist for Advanced Threat Protection (ATP) to explicitly allow or deny access to specific URLs or files. See image. To learn more, see <a href="https://help.zscale...

The Zscaler service supports using Patterns and Phrases Data Loss Prevention (DLP) dictionaries to create custom parent dictionaries and sub-dictionaries as a means of grouping similar dictionaries. For parent dictionaries, you can define patterns or phrases, or you can leave the...

The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • SaaS Security API To learn more about each endpoint, see th...

Zscaler 3rd-Party App Governance supports Microsoft as an identity provider (IdP) to authenticate admins and users logging in to the 3rd-Party App Governance Admin Portal. You can select Microsoft as the IdP when connecting a web-based platform to Advanced SaaS Security Posture M...

You can apply the None action to exception rules in Endpoint Data Loss Prevention (DLP) to exclude specific activities that match exception rule criteria from being reported (i.e., you might want to exclude specific users or groups from reporting incidents). <a class="image...

The Zscaler service now supports the following existing predefined Data Loss Prevention (DLP) dictionaries for Endpoint DLP: • CNPJ Number (Brazil) • Mexico Unique Population Registration Code • National Economic Registry Number...

A filter to include or exclude selected cloud applications has been added to the existing Cloud Applications filter in NSS and Cloud NSS feeds for web logs as well as Microsoft Cloud App Security (MCAS) NSS feeds. When configuring a feed, you can select cloud applications and inc...

The default limit of File Type Control Policy rules has been increased to 2,048 from 1,024. To learn more, see Ranges & Limitations....

Administrators can now define Device Control rules criteria (Analytics > Endpoint Data Scan > Device Control) based on User Groups and Departments. See image. To learn more, see <a href="https://help.zscaler.com/z...

A new query parameter "fetchLocations" is available for the "GET /locations/groups" endpoint. The "fetchLocations" parameter is a Boolean that you can set to fetch locations associated with the group. To learn more, go to "GET /locations/groups" f...

When importing custom IPS signature rules using CSV files (Administration > Custom IPS), you must enclose comma-separated values for individual fields within three single quotes ("&#039;&#039;&#039;") instead of double quotes ("""). This update has been made...

You can embed links and add line breaks in the custom messages for Zscaler Client Connector-based End User Notifications (EUNs) (Administration > End User Notifications > Client Connector) and User Confirmation notifications (Administration > Notification Templates > User Confirm...

The cloud service API includes the following endpoint categories to extend programmatic access to various ZIA features and functionalities: • Browser Control Policy To learn more about each endpoint, see the...

You can configure Advanced SaaS Security Posture Management (SSPM) for Workday tenants. Select the SSPM Scan checkbox when onboarding a Workday tenant to enable the Advanced SSPM scan capability for the specific tenant....

You can configure the SaaS Security Posture Management (SSPM) Scan for Webex Teams tenants. Select the SSPM Scan checkbox when onboarding a Webex Teams tenant to enable the SSPM scan capability for the specific tenant. S...

The Dedicated IP feature allows organizations to subscribe to dedicated IP addresses for the Zscaler data centers of their choice. Users can use these dedicated IP addresses (unique to the organization) as their source IP address to reach destinations that require source IP-based access. Th...

The SaaS Security Data at Rest Scanning DLP and Malware policies support configuring tenants for Zoom, a collaboration application. See image. To learn more, see <a href="https://help.zscaler.com/zia/ab...

You can now choose the Tombstone Template when quarantining files to the user root folder in the Assets Report (Analytics > SaaS Security > Assets). See image. To learn more, see <a href="https://help.zscaler.co...

Zscaler&#039;s Gen AI prompt configuration is extended to the Writer and Deepseek generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai...

Zscaler&#039;s Gen AI prompt configuration is extended to the Grok AI generative AI application. You can enable prompts for this application to categorize and store the prompts for it. See image. To learn more, see <a h...

Zscaler Outbound Email DLP supports System for Cross-domain Identity Management (SCIM)-based user lookup to map email addresses with ZIA login names. To learn more, see <a href="https://help.zscaler.com/zia/step-step-configuration-guide-zscaler-outbound-email-dlp#prerequisites" target="_bla...

The Zscaler-managed Business Continuity Cloud is a fully managed private cloud solution that is built on the isolated and dedicated ZIA and Zscaler Private Access (ZPA) infrastructures to ensure consistent cyber and data protection during critical outages. Zscaler deploys and hosts the private ZI...

You can onboard, edit, and delete new Software as a Service (SaaS) application tenants enabled with 3rd-Party App Governance or the Advanced SaaS Security Posture Management (SSPM) feature from the Add SaaS Application Tenant page in the ZIA Admin Portal. You can continue editing...

On the App Panel header, you can hover over the risk score to view a breakdown of the score. On the Control Panel header, you can hover over the control severity level to view a breakdown of the severity. These actions allow you to view the components and criteria used to calcula...

As part of a continuous review, Zscaler has updated cloud applications across various cloud application categories. To obtain the list of updated cloud applications, download the list: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase...

The File Type Control and Data Loss Prevention (DLP) policies now support the Appinstaller Files (.appinstaller) file type in the Other Documents category. • File Type Control • <a href="#dlp...

You can configure file type control rules based on Password-Protected criteria. This criteria is applicable for the following formats: • Password-Protected/Encrypted • Portable Document Format (.pdf) • Encrypted Office Documents • ZIP • RAR <l...

Isolation allows microphone and camera functionality on the user&#039;s device while in an isolated browser. This can be enabled per isolation profile if Turbo Mode is also enabled. See image. To learn more, see...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

To enable this feature for your organization, contact Zscaler Support. On the Data at Rest Scanning page (Policy > Saas Security > Data at Rest Scanning), you can create Data at Rest Scanning Data Loss Prevention (DLP) policies without content matching. <...

SaaS Application Tenants (Administration > SaaS Application Tenants > Manage SaaS Application Components) supports the management of SharePoint tenant Sites and Site Groups. In the Components tab, you can view a list of the SharePoint sites that are available under the selected S...

The Instance Discovery Report provides visibility into the instances accessed by users at the various levels of hierarchy for different SaaS applications. The Instance Discovery Report includes the following enhancements: • New applications are supported with vario...

The Administration > Role Management page is enhanced to provide admins more granular access to major ZIA features. Super admins or admins with full access to the ZIA Admin Portal can assign admins field-wise permissions (Full, View Only, and None) to access individual ZIA featur...

The HTTP Header Control feature allows you to create URL Filtering policy rules based on HTTP headers. As part of this change, the following profiles are added to the ZIA Admin Portal: • HTTP Header Profile (Administration > HTTP Header Control) • HTTP Header Inser...

The cloud service API includes the following new endpoints to create, update, and delete cloud application instances: • "POST /cloudApplicationInstances" • "PUT /cloudApplicationInstances/{instanceId}" • "DELETE /cloudApplicationInstances/{instanceI...

The rate limit for the "GET /users" request within the cloud service API has been updated to 10 calls/minute and up to 40 calls/hour. To learn more, see the API Rate Limit Summary....

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Alerts • Bandwidth Control & Cl...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Service Edges To learn more about each endpoint, see...

The Trigger Multi-Factor Authentication action under Adding Alert Rule for UEBA Alert is deprecated and alert triggers with Multi-Factor Authentication is no longer supported. You can choose between Trigger an Alert or Place user in group to trigger the alert rule. <a class...

The Tenant Profiles feature is extended to the ChatGPT application. This allows you to provide access to specific workspace IDs for ChatGPT. See image. To learn more, see <a href="https://help.zscaler.com/zia/ad...

You can enable the service to send alerts for unknown or suspicious C2 traffic. This feature is enabled by default. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanc...

The following enhancements are made to the Endpoint Data Scan page (Analytics > Endpoint Data Scan): Nearby SharingZscaler Device Control is enhanced to prevent nearby sharing between endpoints and devices that are close by. The Nearby Sharing rule restricts the us...

Zscaler Client Connector-based End User Notifications (EUNs) and user confirmation messages for Inline Web DLP and Cloud App Control policies can be enabled without having an Endpoint DLP subscription. These policy EUNs are supported (without requiring Endpoint DLP) on the following Zscaler...

You can choose either WebSocket or WebSocket SSL/TLS as a protocol type when defining a Data Loss Prevention (DLP) rule. On the Policy > URL Filtering & Cloud App Control > Advanced Policy Settings tab, a Microsoft Copilot toggle is added under the Gen AI Prompt Configuration sec...

The Sandbox Scanning Portal is now more secure with the change to an HTTPS URL: https://filecheck.zscaler.com/ If you have bookmarks to the previous URL for the Sandbox Scanning Portal, update them as they no...

When creating a policy, you can choose to send an email through one or more default email addresses to notify the users whenever the policy is triggered. See image. To learn more, see <a href="https://help.zscaler.co...

You can assign a new predefined role called Viewer to a user. When assigned this role, the user can only view data and export reports across the 3rd-Party App Governance Admin Portal, but cannot take any action or make changes. To manage role assignments, contact Zscaler Suppor...

When you revoke or ban an app for users in your organization, you can send an email to notify them that the previously accessible app is revoked or banned. You can also select the email address from which you want to send the email. <a class="image-icon" href="#Revoke/Ban-C...

You can configure notification templates so that email notifications are sent automatically to specified auditors when outbound email transactions trigger Outbound Email DLP rules. On the Notification Templates page (Administration > Notification Templates > DLP), you can c...

SaaS Application tenant onboarding for SaaS Security API now supports configuring external trusted domains and users. See image. To learn more, see <a href="https://help.zscaler.com/zia/about-email-profiles" target="_bla...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as a scoping criteria for SharePoint and OneDrive to monitor file sharing among collaborators. Administrators can choose a range for the number of...

The following policy actions seen in the Insights and NSS Reports have changed to ensure consistency with the field values from the Web Insights in the ZIA Admin Portal: Old Policy ReasonNew Policy Reason<td style="overflow:hidden;pad...

The Developer Tools predefined URL category is added to the Information Technology super category. It consists of sites that provide tools used by developers for coding, debugging, testing, and managing software projects. This category is enabled from the backe...

You can refresh the status of a scheduled SaaS Security DLP or malware scan by clicking the Refresh icon next to the status of an ongoing scan on the SaaS Security Scan Configuration page. See image. To learn more,...

The field "%s{ednsreq}" is available when adding an NSS or Cloud NSS feed for DNS logs. The field output is the hex-encoded FQDN in the DNS request. To learn more, see <a href="https://help.zscaler.com/zia/nss-feed-output-format-dns-logs" target="_blank" data-entity-type="node" d...

The following are new predefined DLP engines available on the DLP Engines page (Administration > DLP Dictionaries & Engines > DLP Engines). These engines are available by default for customers with tenants enabled on April 4, 2025, or later. For enablement on e...

For file sharing applications, you can configure MIP labels on PowerPoint files from the Data at Rest Scanning DLP policy in the Add DLP Rule window (Policy > Data at Rest Scanning > Data Loss Prevention). Choose from the list of OneDrive and SharePoint tenants to see this action...

Unified Communications as a Service (UCaaS) one-click configuration support is now extended to the Talkdesk cloud application. See image. To learn more, see <a href="https://help.zscaler.com/zia/configuring-advanced-url...

Twilio and Trello are supported as SaaS application tenants. Both can only be configured for SSPM scan which requires an Advanced SSPM license. If you don&#039;t have the correct license, a message to upgrade your license appears next to the SSPM Scan checkbox during the onboardi...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy now supports the number of collaborators as a scoping criteria for file sharing applications. When enabled for a partner tenant, the CASB Collaborator Count field under Special Settings of the Tenant Detail...

The cloud service API is updated to include a new "GET /locations/supportedCountries" endpoint that retrieves an up-to-date list of countries supported in location configuration. To learn more, see the API Reference...

To provide a unified and streamlined API experience through Zscaler OneAPI, our centralized API management solution for the Zscaler platform, Zscaler is applying the following changes to ZIA: • Going fo...

The cloud service API includes updates to the following categories of endpoints to extend programmatic access to specific ZIA features and functionalities: • Admin & Role Management • S...

The following are new predefined DLP Dictionaries: • National Identification Number (Chile RUN) • National Identification Number (Peru CUI) • National Document ID (Uruguay) To learn more, see <a href="https://help.zscaler.com/zia/understanding-pre...

The Zscaler Sandbox supports additional file types: • Python Source Code file (.py) • Pickle files (.p, .pkl, and .pickle) • Python Dynamic Module file (.pyd) • Python Script file (.pyw) See image....

Using the DNS Control policy, you can redirect users to a new Zscaler-provided end user notification (EUN) web page to inform users of your organization policy when they access restricted domains. You can do this by selecting the Redirect Response action in the DNS Control rule a...

In ZIA isolation profiles, the cookie persistence toggle has been updated to be called Persistent State. See image. To learn more, see <a href="https://help.zscaler.com/isolation/using-persistent-state-isolation" targe...

You can configure granular Smart Browser Isolation policies for specific users or groups from the Secure Browsing page. As part of this change, the following fields are added to the Smart Isolate tab (Policy > Secure Browsing > Smart Isolate): • Users • Groups...

Isolation creates preconfigured profiles for admins. These profiles can configure only the URL category "Miscellaneous and Unknown" in their Zscaler Internet Access (ZIA) policy. Some fields in this profile are permanently enabled, others permanently disabled, and some the admin can <a href="http...

The Firewall policy allows you to manage outbound and inbound traffic for cloud service providers such as Amazon Web Services (AWS) and Google Cloud Platform (GCP), along with their subservices, using the newly added AWS and GCP application service groups. These application servi...

The Zscaler service displays a notification when Remote Assistance is enabled. See image. The maximum time limit for both view-only and full access is 90 days. To learn more, see <a href="https://help.zscaler.com...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Admin & Role Management • User Manage...

For Advanced Sandbox users, all malicious samples are analyzed twice automatically, first through an unpatched vulnerable VM (Zero Day Report or Fully Patched VM Report) and then a second time through the fully patched secured VM (Regular Report). This allows you to compare the r...

The DNS Control policy includes a new action, Block with Response Code, which allows you to block DNS traffic and send a response code to the client. The response code can be chosen from a predefined list that appears in a new Response Code field when this action is selected. Whe...

The existing predefined Credit Card dictionary and EDM data type now support the additional popular formats: • Credit Card Number (China UnionPay) • Debit Card Number (Maestro) To learn more, see <a href="https://help.zscaler.com/zia/creating-exact-data-match-template"...

The Enable HTTP/2 option is enabled by default when configuring an SSL Inspection rule. This feature is only available when it is enabled for your organization. See image. To learn more, see <a href="https://help.zscaler.com...

Additional Firewall Control and Logging capabilities have been added for scenarios where an organization&#039;s roaming user (i.e., remote user from a Home tenant) is a guest user visiting another organization&#039;s tenant location (i.e., Host tenant) in the same Zscaler cloud and that Host tena...

Zscaler now supports the SSH key, ED25519. To learn more on upgrading the SSH key to ED25519, see <a href="https://help.zscaler.com/zia/configuring-zscaler-incident-receiver" target="_blank" data-entity-type="node" data-entity-uuid="1b3f21b1-0d52-4d5a-911b-61d5deeca357" data-entity-substitu...

When configuring ZIA admins and <a href="https://help.zscaler.com/zia/adding-zia-super-admins" target="...

The IoT Report has been enhanced to report IoT policy status and statistics for IoT devices. To learn more, see About the IoT Report. You can get an overview of the IoT web policies...

The resource access quota for retrieving Sandbox Detail Reports is increased to 3,000 requests per day, with a rate limit of 2/sec and 1,000/hour. To learn more, see the Obtaining San...

You can filter and view logs for Source IP Countries, Destination IP Countries, Is Source IP Country Risky? and Is Destination IP Country Risky? As part of the update, the following changes are available in the ZIA Admin Portal: Web Insights LogsThe following filte...

The cloud service API includes a new "POST /exportPolicies" endpoint for exporting rules configured for various policy types to JSON files. To learn more, see the API Reference. The Postman collection has...

The Complexity column and filter are added to the Posture page. You can view the complexity level of a control and filter the controls displayed in the table by using this filter option. The Control Panel header for each control displays its c...

The Assets tab of the Control Panel in Advanced SSPM includes the following enhancements: • You can export the assets report to a CSV file. • You can copy the asset evidence or download it as a JSON file. <a class="image-icon" href="#ZIA-Assets-Tab-Enha...

The cloud service API includes the following new endpoints to support excluding a Zscaler data center (DC) in the event of service disruption by disabling all tunnels terminating at a virtual IP (VIP) address of the DC. Using these endpoints, you can add, modify, and delete DC exclusions and retr...

Zscaler supports case-sensitive URL logging for select domains. Some sites and services, such as URL shorteners, use case sensitivity within the URL path when generating links. For example, "bit.ly/ABcDEf" has a different destination URL than "bit.ly/abcdef". With added supp...

Zscaler supports real-time Data Loss Prevention (DLP) for messages and file attachments sent via Webex Teams. To learn more, see Step-by-Step Configuration Guide for Webex Teams Re...

The Zscaler service supports optical character recognition (OCR) for Outbound Email DLP. You can enable OCR settings on the DLP Advanced Settings page in the ZIA Admin Portal (Administration > DLP Advanced Settings) for inline DLP, SaaS Security API, and Outbound Email DLP. <p...

You can configure Advanced SaaS Security Posture Management (SSPM) for Zoom tenants. Select the SSPM Scan checkbox when onboarding a Zoom tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selecting...

To access Extranet Application Support, contact your Zscaler Account team. Zscaler Extranet Application Support provides organizations with a secure way to access resources from partners that are not using the Zscaler service. This is typically accomplished wit...

Zscaler supports the following new HTTP request methods in URL Filtering rules: • PROPFIND • PROPPATCH • COPY • MOVE • MKCOL • LOCK • UNLOCK • PATCH If the OTHER method is already selected, these new requ...

You can now apply an Atlassian Label when configuring the Data at Rest Scanning DLP Policy in the Add DLP Rule window. This action is only applicable for Atlassian Confluence users. To access this feature, go to the Add DLP Rule window (Policy > Data at Rest Scanning) and choose...

When exporting the controls report to a CSV file from the Posture page, you can view additional attributes like Description, Tenant Name, Platform, Severity, etc. in the exported file. To learn more, see <a href="https://help.zscaler.com/zia/about-posture" target="_blank" data-entity-type="...

The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Excel Add-On (.xla) • Open Document Files (.odt) • Public Key File (.pub) • Binary Files (.bin) The File Type Control and DLP pol...

You can configure Advanced SaaS Security Posture Management (SSPM) for ShareFile tenants. Select the SSPM Scan checkbox when onboarding a ShareFile tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by...

You can configure Advanced SaaS Security Posture Management (SSPM) for Slack tenants. Select the SSPM Scan checkbox when onboarding a Slack tenant to enable the Advanced SSPM scan capability for the specific tenant. Existing users can also enable Advanced SSPM support by selectin...

With Advanced Sandbox, organizations have by default a quota of 100 API file submissions per day. If you are interested in raising the API file submission limit, contact your Zscaler Account Team or Zscaler Support. To learn more, see <a href="https://help.zscaler.com/zia/about-sandbox" tar...

You can add up to 245 custom bandwidth classes (Administration > Bandwidth Classes) for Cloud Applications in the ZIA Admin Portal. To learn more, see Adding Bandwidth Classes and <a href="https://help.zscal...

The following are new predefined DLP dictionaries to detect personally identifiable information (PII): • Addresses (Japan) • First Names (Japan) • Last Names (Japan) • Full Names (Japan) To...

Driver&#039;s License (United States) predefined DLP dictionaries now support 2-letter state codes for all US states (e.g., WA for Washington or CA for California) as part of high confidence phrases. See image.</...

To help improve incident management on the Zscaler Incident Receiver, the JSON file that contains Inline Web DLP policy scan metadata for policy violations has been updated with the following new fields: • "fileSize": The size of the file that violated the DLP policy • <...

The number of custom domains allowed per domain profile has been increased from 32 to 1,024. To learn more, see Ranges & Limitations and <a href="https://help.zscaler.com/zia/about-email-profiles"...

The Instance Discovery Report provides visibility about the different instances accessed by the users at the various levels of hierarchy, such as Organization, Project, and Resource Type for Google Cloud Platform (GCP). The Instance Discovery Report includes the following e...

You can use Zscaler Outbound Email Data Loss Prevention (DLP) policies with your Gmail server to prevent the exfiltration of sensitive data by enforcing policy rules on email content sent to external domains, including content in subject lines, body text, and attachments. As part...

The Zscaler&#039;s Site Review shows the cloud application for the site that is looked up. As part of this change, the Cloud Application column is added to Step 2. Request Review on the Site Review page. A cloud application is shown in the Cloud Application col...

You can choose whether to include subdomains as part of your email domain profiles (e.g., blog.example.com is a subdomain of example.com). When you include subdomains (Administration > Email Profiles > Domain Profiles), the Zscaler service automatically evaluates subdomains as pa...

The "GET /pacFiles" endpoint is updated with new request parameters such as "pageSize" and "page" to support pagination. The default value of "pageSize" is 100 and the request retrieves up to 100 PAC files at a time. To learn more, see the <a href...

The File Type Control and Data Loss Prevention (DLP) policies now support the following file types: • Microsoft Outlook Mac Data (.olm) • Microsoft Publisher Files (.pub) • Microsoft TNEF file (.tnef) • LZH Archive (.lzh, .lha) • CPIO File (.cpio)...

The Zscaler Sandbox supports additional file types: • Microsoft Software Installer (msi) • Windows Batch File (bat) • Windows Script File (wsf) See image. To learn more, see <a href="https://help.z...

Optical Character Recognition (OCR) SupportThe Zscaler service supports OCR for Endpoint DLP to scan PNG, JPEG, TIFF, and BMP files for sensitive text data. This functionality does not require configuration and is automatically available based on whether your subscription includes the ZS...

In the ZIA Admin Portal, on the File Type Control page (Policy > File Type Control) and on the Sandbox Policy page (Policy > Sandbox), you have the option of selecting Newly Registered and Observed Domains in the Miscellaneous section for URL Categories. <a class="image-ico...

Zscaler has updated the names of select cloud applications. The updates synchronize the cloud application names across Web Insights and NSS and Cloud NSS web log feeds. To verify and address any impacts related to the updates, Zscaler recommends that admins review the following:<...

Audit logs include a new Trace ID value that is generated for transactions associated with ZIA API requests made through Zscaler OneAPI. See i...

The cloud service API includes the following new endpoints to retrieve information about browser-based end user notifications (EUNs) and to update the EUN configuration: • "GET /eun" • "PUT /eun" To learn more, see the <a href="https://help.zscaler...

DNS Gateways support a customized URL path for DNS servers that use the DNS over HTTP (DoH) protocol. See image. To learn more, see <a href="https://help.zscaler.com/zia/adding-dns-gateways" target="_bl...

The cloud service API includes the following new categories of endpoints to extend programmatic access to various ZIA features and functionalities: • Malware Protection Policy • <a href="#advanced-threat...

Advanced SSPM supports a new platform, Lucidchart. You can onboard a Lucidchart tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/connecti...

Advanced SSPM supports Zendesk as an API-based platform. You can onboard a Zendesk tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/conne...

You can configure Advanced SaaS Security Posture Management (SSPM) for Oracle Financials Cloud tenants. Select the SSPM Scan checkbox when onboarding a tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#Oracle-sspm-onboa...

Web Insights are enhanced to allow users to view the latency caused by bandwidth control on transactions in the ZIA Admin Portal. Web Insights LogsThe following new columns and filters are available in the Web Insights Logs: • Request Latency Due to Bandwi...

Zscaler&#039;s Application Investigation is a solution that provides comprehensive visibility and automated risk management for an organization&#039;s application ecosystem by delivering a clear view of all software in use, including unauthorized AI tools and unapproved browsers....

The Zscaler DLP Operational page (Analytics > Endpoint Data Scan > DLP Operational) provides insights into the endpoint&#039;s status, thereby ensuring that the system functions properly and as designed to avoid sensitive data leakage. <a class="image-icon" href="#D...

A new query parameter, "ruleLabelId", is available for the "GET /firewallFilteringRules" and "GET /firewallFilteringRules/count" endpoints. The "ruleLabelId" query parameter allows you to filter Firewall Filtering rules based on the rule label ID. To le...

On the Internet & SaaS > Role Management page, in the Policy & Components > Access Control tab, the URL Filtering and Cloud App Control policy permissions are separated to provide admins more granular control over those features. <a class="image-icon" href=...

Zscaler has introduced Exact Data Matching (EDM) for Endpoint Data Loss Prevention (DLP) which provides protection for structured sensitive data. This feature utilizes a unique hybrid architecture where the endpoint performs local prefiltering to identify candidate files for clou...

Advanced SaaS Security Posture Management (SSPM) expands its coverage for Salesforce with three new SSPM controls, providing deeper visibility and stronger security posture assessment....

Administrators can filter data on the Endpoint Data Scan page (Analytics > Endpoint Data Scan > Endpoint Data Scan) by a specific user group. See image. To learn more, see <a href="https://help.zscaler.com/legacy-zia/abo...

Share Files Externally provides a capability for Endpoint DLP that allows authorized users to securely share sensitive files with external partners by encrypting the data into a secure HTML format, ensuring that only verified recipients can access the content. You can acces...

The labels SSL Inspection and SSL policy are renamed to SSL/TLS Inspection and SSL/TLS policy. See image. Refer to the following table for a list of updated labels: Old UI Labels...

When you create a custom Zscaler connector for a Microsoft application, you have the option to choose whether you want to provide a client secret or a private key in the Zscaler Admin Console so that the Zscaler service can access the application. SharePoint, Copilot, and Microso...

The Zscaler service supports using Classless Inter-Domain Routing (CIDR) ranges and regular expressions for advanced matching when creating or editing network shares for Endpoint Data Loss Prevention (DLP) resources. The following image shows a regular expression that matches all...

The Zscaler service supports specifying a network type (e.g., Trusted, Off-Trusted, VPN) for the Network Share, Printing, and Device Control channels when creating policy rules for Endpoint Data Loss Prevention (DLP). • Endpoints must be running Zscaler...

You can create, update, and delete recipient email profiles, retrieve a list of all recipient email profiles, and obtain the count of recipient email profiles for an organization using the following endpoints: • "GET /emailRecipientProfile" • "POST...

The SaaS application tenants GitHub, Jira, Okta, Confluence, Trello, Webex Teams, and Google Workspace now have the option to onboard for SaaS Security Posture Management (SSPM) scan by choosing Read-only or Read/Write (full access) for the connector role...

The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for macOS: Support for Endpoint DLP Block Action for Printing on macOSThe Zscaler service supports the Block action for printing from macOS devices in Endpoint DLP rules with co...

You can configure Advanced SaaS Security Posture Management (SSPM) for JumpCloud tenants. Select the SSPM Scan checkbox when onboarding a JumpCloud tenant to enable the Advanced SSPM scan capability for the specific tenant. <a class="image-icon" href="#JumpCloud-sspm-onboar...

The Insights Logs pages now feature asynchronous log retrieval. This enhancement allows users to continue working without interruption while queries are executed in the background, significantly improving their user experience. The following enhancements are available for I...

Proper neutralization of user input in specific input fields in the ZIA Admin Portal no longer allows an authenticated administrator to access unauthorized internal information in rare conditions (CVE-2026-22568)....

You can apply either "OR" or "AND" logical operator between the Users, Groups, and Departments criteria in the URL Filtering Policy rules. This allows you to create granular policy rules using a combination of logical operators (i.e., "OR" or <cod...

Zscaler supports comprehensive logging of Sandbox analysis activities through Insights Logs and the Nanolog Streaming Service (NSS). You can log and view details of all files that went through behavioral analysis regardless of the verdict (e.g., Suspicious Content, Benign). With the following enh...

The File Type Control and Data Loss Prevention (DLP) policies now support MSIX files in the Executable category. • File Type Control • DLP - Rule without Content Matching <p...

The application activity MCP is added to the Web Insights Logs to log Model Context Protocol (MCP) transactions in the ZIA Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/web-insights-logs...

Advanced SSPM supports a new platform, Airtable. You can onboard an Airtable tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating...

Advanced SSPM supports a new platform, Bitwarden. You can onboard a Bitwarden tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integratin...

Advanced SSPM supports a new platform, Sentry. You can onboard a Sentry tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/integrating-sent...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

Advanced SSPM supports OneLogin as an API-based platform. You can onboard a OneLogin tenant from the 3rd-Party App Governance Admin Portal. See image. To learn more, see <a href="https://help.zscaler.com/zia/int...

The Zscaler Cloud Performance Test Tool allows you to view only the domain part of the traffic or email, and the user name is hidden. For example, johndoe@zscaler.com is visible as xxxxxxx@zscaler.com. See image. To learn m...

You can allow or block the use of embedded AI applications on Atlassian sites and enable or disable Zscaler to store the generative AI prompts entered in these embedded AI applications per cloud app control rule. As part of this feature, the following fields appear in the Add/Edi...

The custom URL category supports regex patterns, enabling you to match multiple URLs with a single pattern and flexible configuration of custom URL categories. As part of this update, in the Administration > URL Categories > Add URL Category window, the URL Type toggle has been a...

Zscaler Isolation now supports password-protected PDF files to be <a href="https://help.zscaler.com/zia/about-sandbox" target="_blank" data-entity-type="node" data-entity-uuid="b6501cfa-e4fc-40ad-9568-c79e8ff2240e" data-entity-subst...

When scheduling a scan for SaaS applications tenants (Policy > SaaS Security > Scan Configuration > Add Scan Schedule), you can also configure the polling interval based on how often you want the system to scan the application. <a class="image-icon" href="#polling-intervals...

The SaaS Security Data at Rest Scanning Data Loss Prevention (DLP) policy supports the number of internal and external collaborators as scoping criteria for all file sharing applications, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. Administrators can monitor fi...

The support for quarantining files in a desired location has been extended to all file sharing apps, including Box, Dropbox, Confluence, ShareFile, and Smartsheet. This feature was already available for Google Drive, OneDrive, and SharePoint apps. You can specify a quarantine loc...

The following policies are deprecated for Microsoft 365 in both SaaS Security Posture Management (SSPM) Essentials and Advanced SSPM: • Set Automated Notifications for New and Trending Cloud Applications in Our Organization • Set Automated Notification for New OAuth Applications Co...

This enhancement allows you to view logs for individual members within a collaborator group. As part of the update, the following changes are available in the ZIA Admin Portal: SaaS Security Insights Logs and SaaS Security Assets with IncidentsWhen an individual file is shared with...

The following platforms support 64 GB of RAM and 3 antivirus (AV) engines per Virtual Service Edge: • <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-clusters" target="_blank" data-entity-type="node" data-entity-uuid="0f1a169d-6547-4d25-a778-b2f20da57fa4" data-enti...

Generative AI (Gen AI) prompts that are displayed in the Web Insights Logs can be obfuscated when adding admin roles. <p...

You can add up to 512 account IDs per tenant profile for AWS and there can be a maximum of 4,096 account IDs across all profiles. To learn more, see Adding Tenant Profiles and <a href="https://help.zscaler...

The following enhancements are available for Insights and NSS Feeds in the ZIA Admin Portal to record the time Zscaler either received or sent an email response. Insights LogsNew columns Zscaler Sent Time and Zscaler Received Time are added to Email DLP Insights Lo...

For custom Data Loss Prevention (DLP) dictionaries that use patterns with lookaround constructs (also known as zero-length assertions), the Zscaler service now enforces the following restrictions: • You must select Match Any Patterns and Any Phrases as the Match Type.</l...

On the Firewall Insights page (Analytics > Firewall Insights), the maximum number of rules displayed for the Rule Name data type has been increased. When using bar or table charts, you can view up to the top 4,000 rules (in increments of 500, 1,000, 2,000, and 4,000) by selecting...

Extranet Application Support can be configured bidirectionally, allowing partners to access your organization&#039;s resources securely. Extranet Application Support is a feature in limited availability. To access Extranet Application Support, contact your Zsca...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Hyper-V. After deploying an NSS VM, you can stream your organization’s web or firewall logs from the Zscaler cloud to your security information and event ma...

Zscaler’s Nanolog Streaming Service (NSS) supports the configuration and deployment of an NSS virtual machine (VM) on Nutanix. After deploying an NSS VM, you can stream your organization’s Web or Firewall logs from the Zscaler cloud to your security information and event ma...

The following enhancements are available in 3rd-Party App Governance and Advanced SSPM: SettingsThe SaaS Tenants and Notifications tabs are added to the Settings page. These tabs allow you to view and manage the onboarded SaaS tenants and also configure Slack and e...

Proper validation of user input in the ZIA Admin Portal no longer allows an authenticated administrator to initiate back end functions through specific input fields in limited scenarios (CVE-2026-22567)....

Automatic language translation is globally available for Isolation. The isolated session localizes the language based on the user&#039;s browser language settings, and displays that language on the rendered web page. To learn more, see <a href="https://help.zscaler.com/isolation/understandi...

Original URL has replaced Local Browser Rendering in Isolation. It is now an option that admins can configure in isolation profiles. This means that the user of the isolation profile sees the native browser URL of the web p...

If Turbo Mode is enabled on an isolation profile and the user also has hardware acceleration enabled, the appearance of the zGPU icon next to the Turbo Mode command is displayed in the Isolation Bar. See image. To...

For file sharing applications OneDrive and SharePoint, you can apply the MIP label as a manual remediation action from the SaaS Security Assets with Incidents page (Analytics > SaaS Security > Assets > click an application or tenant). <a class="image-icon" href="#apply_mip_...

Zscaler&#039;s Gen AI prompt configuration is extended to the Claude and Mistral generative AI applications. You can enable prompts for these generative AI applications to categorize and store the prompts for the respective applications. <a class="image-icon" href="#gen-ai-...

You can create a virtual machine (VM) in Amazon Web Services (AWS) using the Virtual Service Edge Terraform modules. To learn more, see <a href="https://help.zscaler.com/zia/configuring-virtual-service-edge-amazon-web-services" target="_blank" data-entity-type="node" data-entity-uuid="64393...

You can identify and report not only the owner of the file, but also the user who last modified or shared a file that caused a DLP violation, in the ZIA Admin Portal. As part of this feature, the following enhancements are available for Insights Logs and NSS Feeds: Insight...

In the App Inventory and User Inventory, and on the Posture page, the filter options that don&#039;t currently exist in your organization display separately and do not return results. You can still select them when creating new views and policies. If a new app i...

The Users page displays multiple emails in addition to public emails for GitHub users. These emails are associated with the domain of the organization that owns the GitHub account. This enhancement improves the ability to find user and admin emails from outside the domain.</span...

You can segregate your Google Workspace integration by organizational units (OUs) in 3rd-Party App Governance. This segregation ensures that each OU can access only its relevant users, applications, and posture data, while maintaining consolidated tenant management f...

The 3rd-Party App Governance API adds a new endpoint, "/app_views/{appViewId}/accounts", to retrieve users&#039; email addresses associated with specific app IDs. "/app_views/{appViewId}/apps_extended" provides the total number of enabled users "totalenabledusers<...

You can define scope types and values to map the workload traffic to a sublocation. Defining scopes allows you to apply granular ZIA and Cloud Connector security policies to the workload traffic from that sublocation. You can configure scopes only for Workload traffic type subloc...

The following enhancements are available in Zscaler Endpoint Data Loss Prevention (DLP) for Windows: Endpoint DLP Support for Clipboard and Application File AccessTo access this feature, contact your Zscaler Account team. Endpoint DLP supports mo...

The IPv6 infrastructure is enhanced to receive IPv6 traffic directly from remote users, forwarding traffic through Zscaler Client Connector, when the Enable IPv6 Resolution for Zscaler Domains field is enabled in the <a href="https://help.zscaler.com/zscaler-client-connector/about-platform-settin...

ZIA Private Service Edge supports IPv6 traffic directly from remote users (forwarding traffic through Zscaler Client Connector or PAC files), when the Enable IPv6 Resolution for Zscaler Domains field is enabled in the <a href="https://help.zscaler.com/zscaler-client-connector/about-platform-setti...

JSON Web Token (JWT) authentication is available for Zscaler Cloud & Branch Connector workloads. JWT authentication is enabled when configuring locations. <a class="image-icon" href="#enable-jw...

The ZIA Admin Portal supports a new method, JWT authentication, to authenticate workloads from Cloud & Branch Connector. In the Management Portal for Partners, you can enable this feature in ZIA for your tenants by using the JWT Auth for Workload field on the Tenant Details...

The Zscaler service supports the Enhanced Driver&#039;s License (United States) predefined Data Loss Prevention (DLP) dictionary. The parent dictionary contains predefined sub-dictionaries for all 50 U.S. states, plus the District of Columbia, and each sub-dictionary can be indiv...

The number of SaaS Security Posture Management (SSPM) controls for GitHub in Advanced SSPM has been increased. Eleven new SSPM controls are supported for GitHub....

The DNS Control policy includes an option to display a notification to end users when the policy blocks access to specific domains. Zscaler hosts this End User Notification (EUN) page, eliminating the need for organizations to host their own EUN web page. The DNS EUN web page inf...

You can retrieve the SaaS Security Scan Configuration information and the validation status of a SaaS application tenant using the following endpoints: • "GET /casbTenant/scanInfo" • "GET /casbTenant/validate/status/{tenantId}" To...

You can create a virtual machine (VM) in Azure using the Virtual Service Edge Terraform modules. To learn more, see Configuring Virtual Service Edge for Microsoft Azure....

When creating and saving a custom view in 3rd-Party App Governance, you can update the saved view to include your current tenant selection on the global platform filters. See image. To learn more, see <...

Beginning with Zscaler Client Connector version 4.8 for Windows, ZIA Firewall policies—including Firewall Filtering, DNS Control, and IPS Control—support end user notifications (EUNs) via Zscaler Client Connector. When configuring these policy rules, you can select to show a noti...

Isolated sessions now automatically restore their web pages if they time out on a user&#039;s device. If a session is idle for longer than the timeout of 10 minutes, the isolated page automatically refreshes itself, and the user does not have to sign in again. When this action occurs, the banner...

The UI is updated so that when users enter an isolated session, they now see the original URL of the website they are on instead of the isolation web page URL. This change provides users with an experience with a look and feel more like a native browser compared to the container view of being iso...

Adaptive Access Engine dynamically manages access based on real-time assessments of risk and trust by continuously evaluating contextual signals, user behavior, device health, location, and other factors to determine whether to allow or block access to websites or apps at any giv...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

You can create custom file types and use them when creating Data Loss Prevention (DLP) and File Type Control policies. You can then filter and view logs for these custom file types in Web Insights Logs and the Nanolog Streaming Service (NSS). <a class="image-icon" href="#ad...

Docusign is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Docusign tenant, you can enable Advanced SSPM scanning by selec...

SafeSearch allows granular control of applications. This allows you to apply SafeSearch to specific applications. As part of this change, on the Advanced Policy Settings page (Policies > URL & Cloud App Control > Advanced Policy Settings), the SafeSearch Applications drop-down ap...

The File Type Control and Data Loss Prevention (DLP) policies support the following file types in the Other category: • UTF-8 BOM • UTF-16 LE • UTF-16 BE The file types are available when creating the following policies: <l...

Zscaler includes support for identifying several new network applications using deep packet inspection and controlling the network application traffic using Firewall Filtering rules. These network applications are listed on the Network Applications page (Administration > Network...

You can view information about the number of transactions per application based on their status (blocked or allowed) in the Cloud Applications table of the Shadow IT Report. A new column, No. of Transactions, is added to the Cloud Applications table. <a class="image-i...

Microsoft Copilot is supported as a SaaS application tenant and can be onboarded for Advanced SaaS Security Posture Management (SSPM) scans. See image. When onboarding a Microsoft Copilot tenant, you can enable Advanced S...

The SaaS Security Data at Rest Scanning DLP and Malware policies support specifying the location to quarantine files for the file sharing applications Google Drive, Microsoft OneDrive, and Microsoft SharePoint. SaaS Application Tenant OnboardingOnboarding a SaaS ap...

AI or machine language classification is extended to support around 200 new document types across 10 common document categories. As part of this extended support, Insights Logs and the Nanolog Streaming Service (NSS) are enhanced to provide enriched auto-classification of documents that are...

The number of SaaS Security Posture Management (SSPM) controls for Snowflake in Advanced SSPM has been increased. Forty-six new SSPM controls are supported for Snowflake....

Zscaler is proactively preparing for post-quantum cryptography (PQC) by evaluating quantum-safe algorithms, supporting hybrid encryption systems, and enabling scalable integration of quantum-resilient technologies across its cloud infrastructure. Zscaler collaborates globally wit...

The default limit of Users, Groups, Locations and Departments in policies has been increased to 32 from 4 and 8. This limit can be further expanded on a need basis. You can contact the Zscaler Sales or Zscaler Account team to further increase this limit, if required. On the Management Porta...

For organizations that have thousands of locations or sublocations, the loading time on the Locations page and in any policy that references locations when selected might incur noticeable loading time to retrieve and display the full location list. To learn more, see <a href="https://help.z...

A new query parameter "override" is available for the "PUT /ipDestinationGroups/{ipGroupId}" endpoint. The "override" parameter is a Boolean that you can set to override IPs when required. To learn more, go to "PUT /ipDestinationGroups/{ipGroupId}</code...

Gen AI is added as an application category in NSS and Cloud NSS feeds for SaaS Security Logs. When configuring a feed, you can select the Gen AI application category and available generative AI SaaS applications (e.g., ChatGPT) to stream the related logs from Zscaler to your secu...

The limit of users, groups, departments, and locations for a rule is increased to 32 from 4 users, 8 groups, 8 departments, and 8 locations. You can contact Zscaler Support to increase this limit further as needed. The following categories under the policy are supported: • Bandwidt...

The Cloud Nanolog Streaming Service (NSS) endpoint category in the cloud service API includes a new endpoint, "GET /nssDownload/{nssId}", that enables you to download the NSS virtual appliance information based on the specified NSS server ID. To learn more about...

You can create, update, and delete a ZIA Virtual Service Edge and retrieve the Virtual Service Edge for an organization using the following endpoints: • "GET /virtualZenNodes" • "POST /virtualZenNodes" • "GET /virtualZenNodes/{virtu...

You can add workload groups for an organization and update, delete, and retrieve the workload groups by specifying the ID using the following endpoints: • "POST /workloadGroups" • "GET /workloadGroups/{workloadGroupId}" • "PUT /wor...

To obtain access to this feature, contact Zscaler Support. You can configure Data Loss Prevention (DLP) Exact Data Match (EDM) to have strict checking against popular date formats. This feature supports 6- to 8-digit date formats that contain hyphens (<co...

New cloud applications are added to the cloud application categories. You can download the list of newly added cloud applications to the respective categories: <a class="download" href="https://help.zscaler.com/sites/default/files/downloads/zia/documentation-knowledgebase/policies/cloud-apps/clou...

You can choose a content location as a match criteria to target specific sections of a file or transaction when defining a Data Loss Prevention (DLP) rule. To enable this feature, contact Zscaler Support. • File• Document Properties: Matches are...

The Data Loss Prevention (DLP) policies support the OpenOffice Drawings (.odg, .otg) file type in the OpenOffice category: • DLP - Rule with Content Inspection To learn more, see <a href="https://h...

You can specify the type of IoT devices to perform or bypass SSL Inspection. Admins can create an SSL Inspection policy based on IoT AI/ML classifications to perform or bypass SSL Insepction. This enhancement requires IoT enablement for your organization. <p...

The Gen AI Security Report is improved, making it interactive and intuitive, with the following enhancements: • Option to view the sanctioned and unsanctioned Gen AI application usage. • Prompt Classification to categorize the prompts used in the Gen AI application...

Step-up authentication is a security mechanism that ensures users can only access sensitive or high-risk resources after completing an additional level of identity verification. Conditional access is supported for step-up authentication in the ZIA Admin Portal when configuring UR...