URL list definitions are used to define web addresses. They are added to rules as web address conditions, or to web application content fingerprinting criteria. You can create a URL list definition in either of two ways: import the list in CSV format, or import items with a script containing REST API calls. The administrator who runs the script must be a valid ePolicy Orchestrator (ePO) user with permissions in the ePO permission sets to perform the actions invoked by the APIs.
URL list CSV files can use multiple columns. Technical Support suggests exporting a URL list to understand how the columns are populated before creating a file for import. When creating a URL list definition, the user needs to identify the different sections in the URL address.
The following is an example of a URL containing all sections with each section broken down and explained:
https://SubDomain.myDomain.dom:8443/FolderPath/SubFolderPath?QSKey1=QSValue1&QSKey2=QSValue2
Protocol (Optional)
- Identification: From start of the address to the character "://"
- In the example: "https://"
Host (Mandatory)
- Identification: From the "://" to the character ":" or "/"
- Behavior: The host definition must match exactly the host part of the URL. For example, defining "google.com" matches "*.google.com" but does not match "123google.com"
- In the example: "SubDomain.myDomain.dom"
Port (Optional)
- Identification: From the ":" to the next "/" present.
- In the example: ":8443"
Path (Optional)
- Identification: From the "/" present to the end of the address bar or the character "?" when a query string is in use.
- Behavior: If a path is defined in the URL list, and the HTTP request path begins with the value defined in the URL list, then the entire path is a match. If the path was not defined, any URL path in the HTTP request serves as a trigger for the URL list.
- In the example: "/FolderPath/SubFolderPath"
Query String (Advanced)
- Identification: From the first "?" to the end of the address. Query string is a list of parameter and value pairs divided by "&".
- Behavior: When a query string is specified, the DLP agent parses the query string and breaks it into pairs of parameters and values. It then applies the same logic to the query string it receives from the browser HTTP request. For a query string in the HTTP request to be a positive match to the URL list query, all pairs in the DLP URL list query must match the pairs in the HTTP request.
- In the example: "?QSKey1=QSValue1&QSKey2=QSValue2"
| DLP URL list definition | Browser HTTP Request | Match | Explanation |
| --- | --- | --- | --- |
| Host: google.com | https://mail.google.com/mail/u/0/#inbox?compose=cllgcjzwxv | Yes | When a host is specified in a URL definition, DLP automatically includes the subdomain of this host. |
| Host: google.com | https://123google.com/mail/u/0/#inbox?compose=cllgcjzwxv | No | |
| Protocol: https<br>Host: 123google.com | https://123google.com/mail/u/0/#inbox?compose=cllgcjzwxv | Yes | Protocol and host match. |
| Protocol: https<br>Host: SharePoint<br>Port: 8080<br>Path: /sites/filerepository | https://sharepoint:8080/sites/filerepository/_layouts/15/upload.aspx?list=ToUpload | Yes | When a path is specified in the URL definition, DLP checks whether the path starts with the value inserted in the URL list. |
| Protocol: http<br>Host: SharePoint<br>Port: 8080<br>Path: /start/sites/filerepository | https://sharepoint:8080/sites/filerepository/_layouts/15/upload.aspx?list=ToUpload | No | Protocol and path do not match. |
| Host: SharePoint<br>Port: 8080<br>Query String: param1=value1&param2=value2 | https://sharepoint:8080/sites/upload.aspx?param1=value1&param2=value2 | Yes | Host and port match. All parameter and value pairs in the URL list definition are present in the HTTP request. |
| Host: SharePoint<br>Port: 8080<br>Query String: param1=value1&param2=value2 | https://sharepoint:8080/sitesupload.aspx?param1=value1 | No | Only one parameter and value pair defined in the URL list is present in the HTTP request. To match, all pairs present in a URL list must appear in the HTTP request. |
| Host: SharePoint<br>Port: 8080<br>Query String: param1=value1&param2=value2 | https://sharepoint:8080/sites/upload.aspx?param2=value2&param1=value1 | Yes | To match, all parameter and value pairs defined in a URL list must be present in the HTTP request. The order of appearance is not important. |
| Host: SharePoint<br>Port: 8080<br>Query String: param1=value1&param2=value2 | https://sharepoint:8080/sites/upload.aspx?param2=value2&param3=value3&param1=value1 | Yes | To match, all parameter and value pairs defined in a URL list must be present in the HTTP request. If there are more pairs in the HTTP request than defined in the URL list, it still matches. |
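
The matching rules described above (subdomain-inclusive host, optional protocol and port, path prefix, query-pair subset) can be modelled in a few lines to check a planned URL list entry against sample requests before importing it. This is an added example, not code from the DLP product; the function names and dictionary keys are hypothetical, and the case-handling and port assumptions are listed in the first comment.

```python
# Added example, not the DLP agent's code. Assumptions: host and protocol compare
# case-insensitively (the table matches "SharePoint" to "sharepoint"); path and
# query pairs compare as written; a defined port must appear in the request URL.
def split_url(url):
    """Split a URL into sections using the identification rules on this page."""
    protocol, sep, rest = url.partition("://")
    if not sep:                                   # protocol is optional
        protocol, rest = "", url
    rest, _, query = rest.partition("?")          # query: first "?" to the end
    authority, slash, path = rest.partition("/")  # path: first "/" up to the "?"
    host, _, port = authority.partition(":")      # port: after ":" in the authority
    return protocol.lower(), host.lower(), port, slash + path, {p for p in query.split("&") if p}

def url_matches(defn, url):
    """True if url satisfies every section present in defn; only host is mandatory."""
    protocol, host, port, path, pairs = split_url(url)
    want_host = defn["host"].lower()
    # Exact host or one of its subdomains; "123google.com" is neither for "google.com".
    if host != want_host and not host.endswith("." + want_host):
        return False
    for key, got in (("protocol", protocol), ("port", port)):
        if defn.get(key) and str(defn[key]).lower() != got:
            return False
    # Path is a prefix test; an undefined path accepts any request path.
    if defn.get("path") and not path.startswith(defn["path"]):
        return False
    # Every defined key=value pair must be present; order and extra pairs are ignored.
    wanted = {p for p in defn.get("query", "").split("&") if p}
    return wanted <= pairs

SP = {"host": "SharePoint", "port": 8080}
QS = dict(SP, query="param1=value1&param2=value2")
CASES = [  # (definition, request URL) pairs copied from the match table on this page
    ({"host": "google.com"}, "https://mail.google.com/mail/u/0/#inbox?compose=cllgcjzwxv"),
    ({"host": "google.com"}, "https://123google.com/mail/u/0/#inbox?compose=cllgcjzwxv"),
    ({"protocol": "https", "host": "123google.com"}, "https://123google.com/mail/u/0/#inbox?compose=cllgcjzwxv"),
    (dict(SP, protocol="https", path="/sites/filerepository"), "https://sharepoint:8080/sites/filerepository/_layouts/15/upload.aspx?list=ToUpload"),
    (dict(SP, protocol="http", path="/start/sites/filerepository"), "https://sharepoint:8080/sites/filerepository/_layouts/15/upload.aspx?list=ToUpload"),
    (QS, "https://sharepoint:8080/sites/upload.aspx?param1=value1&param2=value2"),
    (QS, "https://sharepoint:8080/sitesupload.aspx?param1=value1"),
    (QS, "https://sharepoint:8080/sites/upload.aspx?param2=value2&param1=value1"),
    (QS, "https://sharepoint:8080/sites/upload.aspx?param2=value2&param3=value3&param1=value1"),
]

def run_cases():
    return [url_matches(defn, url) for defn, url in CASES]
if __name__ == "__main__":
    for (defn, url), ok in zip(CASES, run_cases()):
        print("match   " if ok else "no match", defn, url)
```

The results line up with the Match column of the table, row by row.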