How to set a rule

In this example we will create a rule that finds HR-related data at high risk. We will assign ownership and set up a Slack message that alerts a specific channel whenever the rule matches.

Steps

  1. On the Data Controls page, select Create new rule.
  2. Enter the following data to create the rule.
    • Name: To identify the rule amongst many that can be created.
    • Description: Useful for others to understand the intention of the rule.
    • Ownership: The person who is responsible for the rule and its consequences.
    • Based on group: The data asset that this rule is associated with. These are granularly defined in the Data Asset Registry.
    • Select Accept.
  3. This screen allows you to further refine the rule and set the actions.
  4. At the top of the screen the name, description, owner, and creation date are visible, along with the option to assign a rule severity. Because a breach of this rule could incur severe consequences such as legal and financial penalties, we will set the severity to High.
  5. In the select dataset drop-down, choose the entity type the conditions apply to. (In the backend each type maps to a separate database.) The choices are files, trustees, and activities.
    • Files: unstructured data classified during discovery
    • Trustees: the users and groups discovered during IAM scans
    • Activities: the usage statistics of the endpoint agents (FDC)

    We will select files in this example.

    If you selected a Data Asset Group, the condition section is pre-loaded with a GQL condition. Here it is simply path=HR, and we can see that some recent files already match this criterion.

  6. We will refine the search further by adding the condition that the HR files found must be high risk, so the condition becomes path=HR AND risk=2.

    The platform has three levels of risk: low, medium, and high. Their respective values in GQL are: 0, 1, and 2.

    As can be seen, no files currently match the refined condition.

    We can create an action so that high-risk HR files are caught going forward.

  7. Scroll to below the condition and select Create Action. In the Action type drop-down you can choose a plain Webhook or a Slack Webhook. Here we will add a Slack Webhook that notifies a Slack channel when the data control is triggered.

    Multiple actions can be created for the same data control.

  8. Select UPDATE to save the control, and that is it. Once scanning commences, matches are reported in Slack as well as on the Incidents page.