Creating advanced data pattern
Advanced DLP Pattern Objects allow you to form more complicated patterns that use several primitives combined into expressions using boolean logic, including weighted counts of the number of matches found for specified DLP patterns.
Steps
-
Click the green plus icon and select Advanced to create the data pattern.
-
On the General tab, enter the name and description of the data pattern and then click the Match Criteria tab to display the match
criteria.
-
On the Match Criteria tab, enter primitives to build complex data patterns.
You can use Predefined DLP patterns for creating advanced patterns using functions like COUNT, COUNTUNIQUE, and so on.
This example leverages two simple DLP patterns to match on files that contain 5 or more credit card numbers. The count of matches on the Credit-Card-Types DLP pattern must be greater than 0. The count of unique matches on the Credit Card Digits pattern must be greater than 5.
The primitives that may be combined into expressions are:
- Pattern counting functions:
- Count("") counts the number of occurrences of the pattern object in the scanned text. This function uses greedy matching, that is, text that is consumed to find a match does not participate in subsequent matches. Count() returns a maximum of 150, that is, it stops counting past 150 pattern matches. Admins can also write a condition to check if there are no pattern matches using a "Count() == 0" construct.
- CountUnique: CountUnique("") counts the number of unique occurrences of the pattern object in the scanned text. This function uses greedy matching, that is text that is consumed to find a match does not participate in subsequent matches. CountUnique() returns a maximum of 1500 and stops counting past 1500 pattern matches.
- Arithmetic operators: +, -, *
Example: Count("SSN1") * 0.25 + Count("SSN2") * 0.75 > 5
- Relational operators: ==, !=, <, >, <=, >=
Example: Count("SSN1") > 1
- Logical operators: and or, not
Example: (Count("SSN1") > 1) and (Count("SSN2") > 1)
- Conditional operators: if, else
Example: (Count("SSN1") if Count("SSN1") > 5 else Count("SSN2")) > 3
- Other functions: max, min
Example: max(Count("SSN1"), Count("SSN2")) > 3
- FileSize - Admins can also use FileSize construct in advanced patterns to control files based on their size while accessing applications inline. This will allow
admins to ensure that users are not downloading large files or preventing large files from being uploaded to their sanctioned cloud storage application through inline
access.
FileSize("<unit>") accepts FileSize("KB"), FileSize("MB"), and FileSize("GB"), and returns the size of a file in kilobytes, megabytes, and gigabytes respectively.
For example: FileSize("MB")>10
- AssignToGroup and RemoveFromGroup - At times you might want to create a policy that, when violated, will assign users to a risky group to restrict further access and allow admins to review their activity before removing them from the risk group. You can accomplish this using Advanced Patterns and the AssignToGroup construct. Refer to Using advanced pattern to assign users to groups to learn.
- ContentTypeHexRe("<hexlified regex string>") - Use the ContentTypeHexRe("<hexlified regex string>") in advanced pattern to match if the content type (mime type) of the file matches the specified regex. Refer to Creating DLP Advanced Data Pattern by using hexlified value of file Mime type to learn.
- FileNameHexRe("<hexlified regex string>") - Use the FileNameHexRe("<hexlified regex string>") in advanced pattern to match the file name to the specified regex. Refer to Creating DLP Advanced Data Pattern by using hexlified value of file name to learn.
- Pattern counting functions:
-
(Optional) Click on the Test Pattern tab to verify if pattern was configured properly.
