How to use advanced rules techniques: multiple conditions, shared lists, regex, risk thresholds
Written by Arick Disilva
Updated over 2 months ago

Teramind’s Rules Engine has some advanced features that let you create sophisticated insider threat detection, data loss prevention, and productivity-related rules. In this article, we will discuss how you can leverage some of these advanced features. For more information about policies and rules, check out the Teramind Rules Guide.

Using Multiple Parameters and Conditions in a Rule

You can add multiple 'parameters' and 'conditions' to an Activity rule or Agent Schedule rule. To add a parameter, click the small Plus icon. To add a condition, click the ADD CONDITION button.

[Screenshot: mceclip0.png]

Rule ‘logic’ determines how the rule's parameters and conditions are combined. Two operators are used, ‘OR’ and ‘AND’:

  1. The values listed inside one condition are combined with ‘OR’. In the above example, the rule triggers if the ‘Application Name’ matches either ‘regedit.exe’ or ‘pseditor.exe’.

  2. Separate parameters are combined with ‘AND’. In the above example, the rule triggers only if both the ‘Application Name’ parameter and the ‘Launched from CLI’ parameter are satisfied.

  3. Multiple conditions under the same parameter are combined with ‘OR’. In the above example, the rule triggers if either Condition 1 or Condition 2 under the ‘Launched from CLI’ parameter is met (and the ‘Application Name’ parameter is met as well).

You can check how the rule's parameters and conditions combine on the Rules Editor’s Summary panel.
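The combination rules above, written out as a small evaluator. This is an added example, not Teramind's code: the field names (application_name, launched_from_cli, parent_process) and the events are constructed for illustration, and the second condition under the ‘Launched from CLI’ parameter is a hypothetical one.

```python
# Added example (not Teramind code): evaluates the rule logic described above.
# A rule is a list of parameters (combined with AND); each parameter has one
# or more conditions (combined with OR); each condition lists one or more
# accepted values (combined with OR).

def match_condition(event, condition):
    """A condition is satisfied if the event's field equals ANY listed value."""
    return event.get(condition["field"]) in condition["values"]

def match_parameter(event, parameter):
    """A parameter is satisfied if ANY of its conditions is satisfied."""
    return any(match_condition(event, c) for c in parameter["conditions"])

def rule_triggers(event, rule):
    """The rule triggers only if ALL of its parameters are satisfied."""
    return all(match_parameter(event, p) for p in rule["parameters"])

# Rule modelled on the article's example: application name regedit.exe or
# pseditor.exe, AND launched from the command line (detected by either of two
# hypothetical conditions: a CLI flag, or a shell as the parent process).
RULE = {
    "parameters": [
        {"conditions": [
            {"field": "application_name", "values": ["regedit.exe", "pseditor.exe"]},
        ]},
        {"conditions": [
            {"field": "launched_from_cli", "values": [True]},
            {"field": "parent_process", "values": ["cmd.exe", "powershell.exe"]},
        ]},
    ]
}

# Constructed events, one per outcome worth checking.
EVENTS = {
    "cli_regedit": {"application_name": "regedit.exe", "launched_from_cli": True,  "parent_process": "explorer.exe"},
    "gui_regedit": {"application_name": "regedit.exe", "launched_from_cli": False, "parent_process": "explorer.exe"},
    "cli_notepad": {"application_name": "notepad.exe", "launched_from_cli": True,  "parent_process": "cmd.exe"},
    "ps_pseditor": {"application_name": "pseditor.exe", "launched_from_cli": False, "parent_process": "powershell.exe"},
}

def evaluate_all(rule=RULE, events=EVENTS):
    """Map each event name to whether the rule triggers on it."""
    return {name: rule_triggers(ev, rule) for name, ev in events.items()}

if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name}: {'TRIGGER' if hit else 'no match'}")
```

gui_regedit does not trigger because the second parameter fails even though the first matches, and cli_notepad does not trigger because the first parameter fails; ps_pseditor triggers through the second (OR) condition of the CLI parameter.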

Using Multiple Content Definitions in a Rule

When creating a Content Sharing rule with multiple content definitions, you choose a logic operator that binds each pair of adjacent definitions. You can do so under the Advanced: Setup Logics section of the Content tab. Click the logic (the dotted, underlined text) between two definitions and a pop-up menu will appear where you can select one of four options:

[Screenshot: mceclip1.png]

You can check how the content definition logic combines the definitions on the Rules Editor's Summary panel:

[Screenshot: mceclip2.png]

The table below explains each logic and how it is evaluated. The examples use the tags field (from File Properties) in the first definition and the title field in the second: the first definition is met when the file tags match the text ‘CONFIDENTIAL’, the second when the title contains the text ‘PRIVATE’.

AND

Evaluates true if BOTH definitions are met: the file tags match ‘CONFIDENTIAL’ and the title contains ‘PRIVATE’. It processes the files that are both confidential and private.

OR

Evaluates true if EITHER definition is met: the file tags match ‘CONFIDENTIAL’ or the title contains ‘PRIVATE’ (or both). It processes every file that is confidential, private, or both.

AND NOT

Evaluates true if the 1st definition is met AND the 2nd definition is NOT met: the file tags match ‘CONFIDENTIAL’ and the title does not contain ‘PRIVATE’. It processes the files that are confidential but not private.

OR NOT

Evaluates true if the 1st definition is met OR the 2nd definition is NOT met: the file tags match ‘CONFIDENTIAL’ or the title does not contain ‘PRIVATE’. The only files this excludes are those that are private and not tagged confidential; a file that is both confidential and private still matches, because the first definition is met. Use AND NOT if you want to leave out every private file.
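The four logics applied to the four possible combinations of the two definitions, as an added example (not Teramind's code). The file records are constructed; "tags" is modelled as a list and "title" as a string, and "contains" is taken to be a case-sensitive substring test, which the article does not specify.

```python
# Added example (not Teramind code): the four content-definition logics
# evaluated over constructed file metadata. Definition 1: the tags contain
# "CONFIDENTIAL"; definition 2: the title contains "PRIVATE".

def def_tags_confidential(f):
    return "CONFIDENTIAL" in f["tags"]

def def_title_private(f):
    return "PRIVATE" in f["title"]

LOGICS = {
    "AND":     lambda a, b: a and b,
    "OR":      lambda a, b: a or b,
    "AND NOT": lambda a, b: a and not b,
    "OR NOT":  lambda a, b: a or not b,
}

def evaluate(logic, f, d1=def_tags_confidential, d2=def_title_private):
    """Apply one binding logic to the results of two definitions on file f."""
    return LOGICS[logic](d1(f), d2(f))

# Constructed files: one for each combination of the two definitions.
FILES = {
    "conf_priv": {"tags": ["CONFIDENTIAL"], "title": "PRIVATE board minutes"},
    "conf_only": {"tags": ["CONFIDENTIAL"], "title": "Q3 forecast"},
    "priv_only": {"tags": [],               "title": "PRIVATE diary"},
    "neither":   {"tags": [],               "title": "Lunch menu"},
}

def matches(logic, files=FILES):
    """Sorted names of the files the content rule would process under `logic`."""
    return sorted(name for name, f in files.items() if evaluate(logic, f))

if __name__ == "__main__":
    for logic in LOGICS:
        print(f"{logic:8} -> {matches(logic)}")
```

The OR NOT row is the one worth checking before you rely on it: it keeps conf_priv, because the first definition is met, and drops only priv_only.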

Using the Shared Lists in a Rule

Shared Lists allow you to build a list of items that can be shared across rules and configuration settings.

You can create/import and manage Shared Lists from the Configure > Shared Lists screen. You can build lists of text/keywords, regular expressions, and network addresses/IP addresses.

Shared Lists let you match a large set of items without entering them every time you create a rule. For example, to block access to inappropriate websites, you can create a text-based Shared List containing those sites and reference it from the rule. They also make it easy to update the detection criteria without editing the rules themselves.

[Screenshot: mceclip3.png]

Note that not all rule conditions support Shared Lists. For the conditions that do, select either the Match list or the Equals list option and then pick a Shared List from the available lists. Match list detects partial matches, i.e. a value that contains a list item anywhere, while Equals list detects only values that exactly equal a list item. Partial matching is convenient for domain lists, but it also matches longer values that merely contain a list entry, so check a Match list for over-matching before enforcing a block on it.

Using Regular Expressions in a Rule

A regular expression (also known as regex or regexp) lets you detect text using a pattern. It’s a powerful tool for defining complex definitions that find sensitive information such as credit card numbers, invoice numbers, social security numbers, and other text that follows a pattern. Explaining the full scope of regular expressions is beyond this article; there are many online resources you can use to learn them. Here, we show some quick tips and examples so that you can begin to learn and experiment with them.

Teramind supports regex in rule conditions, configuration settings such as monitoring settings, OCR searches, etc. You can also create a list of regular expressions through the Shared Lists.

Everywhere regular expressions can be used (e.g., monitoring settings, shared lists, rules), Teramind supports standard C++ regex following the ECMA-262v3 (ECMAScript) grammar. That grammar has no inline modifiers of the (?) form (for example (?i) for case-insensitive matching), so neither C++ nor Teramind accepts them; spell the alternatives out instead, e.g. [pP]assword. Lookahead groups such as (?!...) are part of ECMAScript and are accepted.

However, for OCR rules and the OCR report, Teramind supports the Elasticsearch (Apache Lucene) regular expression syntax, which differs in places from ECMAScript. More information is available in the Elastic documentation.

Poorly constructed regular expressions, or very many of them, can have a performance impact. Patterns built on unbounded repetition with * (asterisk) and + (plus sign) are usually the slowest, especially a leading or trailing .* or nested repetition such as (a+)+, because the engine has to backtrack through many candidate matches before it gives up on a non-matching line.

To use regex in a rule condition, you can do either of these two things:

[Screenshot: mceclip4.png]
  1. Start typing the expression in the rule condition and then select Match regexp.

  2. Click on the empty condition field and select Match list regexp. This will only work if you have created a Shared List which contains a list of regex.
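A condition evaluator covering the list and regex options described in the two sections above (Equals list, Match list, Match regexp, Match list regexp), as an added example that is not Teramind's code. Python's re module stands in for the ECMAScript engine Teramind uses; the patterns stay within the syntax both share. The shared lists, the host names and the messages are constructed, and the reading of Match list as "value contains a list item" and Equals list as "value equals a list item" is an assumption about how Teramind compares them.

```python
import re

# Added example (not Teramind code): the four text matching modes a rule
# condition can use, evaluated against constructed values.

SHARED_LISTS = {
    # a text list, as you might use for a Websites condition
    "blocked_sites": ["facebook.com", "bet365.com"],
    # a regex list, as you might use for a content condition
    "order_numbers": [r"INV[#\-\s]?[0-9]{6}[\-\s]?[0-9]{3}", r"PO-[0-9]{5}"],
}

def evaluate_condition(mode, operand, value):
    """operand is a shared-list name (list modes) or a regex (Match regexp).

    Assumption: 'match list' means the value contains a list item anywhere
    (partial match); 'equals list' means the whole value equals an item.
    """
    if mode == "equals list":
        return value in SHARED_LISTS[operand]
    if mode == "match list":
        return any(item in value for item in SHARED_LISTS[operand])
    if mode == "match regexp":
        return re.search(operand, value) is not None
    if mode == "match list regexp":
        return any(re.search(p, value) for p in SHARED_LISTS[operand])
    raise ValueError(f"unknown mode {mode!r}")

# Constructed sample values.
HOSTS = ["facebook.com", "m.facebook.com", "bet365.com.example.net", "beta.example.org"]
MESSAGES = ["please pay INV#123456123 today", "ref PO-98765 attached", "nothing to see"]

def hits(mode, operand, values):
    """Return the values that satisfy the condition, in their original order."""
    return [v for v in values if evaluate_condition(mode, operand, v)]

if __name__ == "__main__":
    print("equals list:      ", hits("equals list", "blocked_sites", HOSTS))
    print("match list:       ", hits("match list", "blocked_sites", HOSTS))
    print("match regexp:     ", hits("match regexp", r"PO-[0-9]{5}", MESSAGES))
    print("match list regexp:", hits("match list regexp", "order_numbers", MESSAGES))
```

Note the two sides of partial matching: Match list catches m.facebook.com, which Equals list misses, but it also catches bet365.com.example.net because that host contains a list entry.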

Regex Cheat Sheet

The following table lists the most commonly used regular expression constructs: syntax, symbols, quantifiers, special characters, etc.:

.

Matches any single character except a line terminator. For example, .at will match “cat”, “bat”, “fat”, and also “9at” or “ at”.

[]

Matches any one of the characters in the brackets. For example, [abc] will match “a”, “b”, or “c”. Note that | inside the brackets is a literal pipe character, not an “or”.

[^]

The opposite of []. [^abc] matches any single character that is NOT “a”, “b”, or “c”.

-

Inside brackets, a range. [a-z] matches any lowercase letter, [A-Z] any uppercase letter, and [0-9] any digit; ranges can be combined, as in [a-zA-Z0-9]. Outside brackets a hyphen is an ordinary character.

()

Groups characters or words together so that a quantifier or an “or” applies to the whole group. For example, (abc)+ matches “abc”, “abcabc”, and so on.

|

An “or”: matches either what is on its left or what is on its right, usually inside a group. For example, (john|rick|mark) will find any of the three names.

\

Escapes the character that follows it. The metacharacters . * + ? ^ $ | ( ) [ ] { } and \ itself have special meanings, so to match one literally put \ before it. For example, \. finds an actual dot/full stop and \\ finds a backslash.

\d \w \s

\d matches any digit, \w matches any letter, digit or underscore, and \s matches any whitespace character (space, tab, line break). The uppercase versions do the opposite: \D matches anything that is NOT a digit, \W anything that is not a word character, and \S anything that is not whitespace.

*

Matches the preceding character, class or group zero or more times. For example, ab*c will match “ac”, “abc”, “abbbc”. It works on brackets too: [abc]*, (abc)*, etc.

{n}, {n,}, {n,m}

A counted repetition of the preceding item. a{4} matches exactly four consecutive “a”s, so it finds a match in “aaaaa” and “aaaacbdd” but not in “aaa”. a{2,} matches two or more. a{2,4} matches “aa”, “aaa”, or “aaaa” but not “a”; note that it still finds “aaaa” inside “aaaaa”, because a pattern matches anywhere in the text unless you anchor it (see ^ and $ below).

?

Makes the preceding item optional, the same as {0,1}. For example, colou?r matches both “color” and “colour”.

+

Matches the preceding item one or more times. For example, ab+c will find "abc", "abbc", "abbbc", and so on, but not "ac".

^ and $

Anchors. ^ matches at the beginning of the text and $ at the end. For example, ^abc only matches text that starts with “abc”, abc$ only matches text that ends with “abc”, and ^abc$ only matches the exact text “abc”.

Regex Examples

Example 1: Matching from a List of Words

Regex

.*will be hearing from my (attorney|lawyer|counsel).*

Result

This regex will detect any sentence that contains one of the following phrases:

  • will be hearing from my attorney

  • will be hearing from my lawyer

  • will be hearing from my counsel

Explanation

  • .* matches any character (except line terminators) any number of times. Having it at the beginning and the end means the pattern matches the complete sentence/line that contains the phrase, not just the phrase itself.

  • will be hearing from my is the fixed part of the text. Replace it with whatever literal text you need.

  • (attorney|lawyer|counsel) matches any one of the three options in the brackets.

Example 2: Finding Invoice/PO Numbers or Other Patterns

Regex

INV[#\-\s]?[0-9]{6}[\-\s]?[0-9]{3}

Result

This regex will detect invoice numbers such as:

  • INV 123456 123

  • INV-123456-123

  • INV#123456123

  • INV123456123

Explanation

  • INV is the fixed part of the pattern. You can put any text here, e.g., PO, ID, etc.

  • [#\-\s]? matches one pound sign, hyphen, or whitespace character (\s), or nothing at all: ? means the preceding item may appear once or not at all. The hyphen is escaped so that it is not read as a range. Do not write this class as [#|\-|\s]: inside square brackets | is a literal pipe, not an “or”, so that version would also accept “INV|123456|123”.

  • [0-9]{6} matches exactly six digits.

  • [\-\s]? matches one hyphen or whitespace character, or nothing.

  • [0-9]{3} matches exactly three digits.

Example 3: Detecting a Range of IP Addresses

Regex

192\.168\.\d{1,3}\.\d{1,3}

Result

This regex will detect IPv4 addresses in the range 192.168.0.0 to 192.168.255.255. Note that, while it is good enough for simple purposes, it matches invalid addresses too, such as 192.168.300.999, because \d{1,3} accepts any one- to three-digit number. If you need to detect addresses more accurately, with each octet limited to 0 to 255, you will need a more complex regex such as: ((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\.(?!$)|$)){4}. That pattern uses a lookahead group, (?!$), which ECMAScript supports; because it ends with $, it only matches an address that sits at the end of the text being scanned.

Explanation

  • \d{1,3} matches one to three digits, which is what each of the four dot-separated parts (octets) of an IPv4 address consists of.

  • \. matches a literal dot. An unescaped . would match any character, so 192x168... would also be accepted.

Example 4: Finding Different Spellings/Variations of a Word

Regex

[pP][aA@][sS5$][sS5$]w[oO0]{0,1}[rR][dD]

Result

This regex will detect the word “password” and the spelling variations commonly used to slip past keyword filters. For example:

  • p@ssword

  • pa55word

  • pa$$word

  • Passw0rd

  • passwrd

Explanation

  • The characters in the brackets mean either of them can match. So, [pP] will detect both an uppercase “P” or a lowercase “p”. [aA@] will match uppercase “A”, lowercase “a” and the at “@” symbol.

  • [oO0]{0,1} means the 6th character can be an uppercase “O”, a lowercase “o”, or a zero, and the 0 in {0,1} means it can be omitted too (? would do the same). This allows us to detect spellings like “passwrd”.

  • The w is fixed, so “PASSWORD” in capitals would not match; use [wW] in its place if you need that.

Example 5: Detecting an Email Address

Regex

[\w\.\-]{1,25}@(yahoo|hotmail|gmail)\.[\w]{2,3}

Result

This regex will detect email addresses at three different providers, with any top-level domain of two or three characters. For example, john.doe@gmail.com or jane_smith@yahoo.co.

Explanation

  • [\w\.\-]{1,25} means any letter, digit or underscore (\w), dot (\.), or hyphen (\-) can appear in the first part of the email address. {1,25} limits this part to a minimum of one and a maximum of 25 characters; with a minimum of 0, the pattern would also accept an address with nothing before the @.

  • (yahoo|hotmail|gmail) means, find from any of the 3 email types specified in the brackets.

  • [\w]{2,3} means the top-level domain is two or three letters or digits, e.g. com, net, uk. With a minimum of 0, an address ending in a bare dot, such as user@gmail., would also match.
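The five example patterns run against constructed sample text, as an added example that is not part of the article. Python's re module is used because it accepts the same syntax as the ECMAScript engine for these patterns. Two of the article's original patterns are included alongside their corrected forms so the difference is visible; all sample strings are constructed for this test.

```python
import re

# Added example (not from the article): the article's example patterns checked
# against constructed text. Patterns ending in _orig are the forms with the
# pitfalls discussed above; _fixed are the corrected forms.

PATTERNS = {
    "phrase":        r".*will be hearing from my (attorney|lawyer|counsel).*",
    "invoice_orig":  r"INV[#|\-|\s]{0,1}[0-9]{6}[\-|\s]{0,1}[0-9]{3}",   # '|' in [] is literal
    "invoice_fixed": r"INV[#\-\s]?[0-9]{6}[\-\s]?[0-9]{3}",
    "ip_simple":     r"192\.168\.\d{1,3}\.\d{1,3}",
    "ip_strict":     r"((25[0-5]|(2[0-4]|1[0-9]|[1-9]|)[0-9])(\.(?!$)|$)){4}",
    "password":      r"[pP][aA@][sS5$][sS5$]w[oO0]{0,1}[rR][dD]",
    "email_orig":    r"[\w\.\-]{0,25}@(yahoo|hotmail|gmail)\.[\w]{0,3}",   # accepts "@gmail."
    "email_fixed":   r"[\w\.\-]{1,25}@(yahoo|hotmail|gmail)\.[\w]{2,3}",
}

def found(name, text):
    """True if the named pattern occurs anywhere in text (search semantics)."""
    return re.search(PATTERNS[name], text) is not None

def matched_text(name, text):
    """The text the named pattern matched, or None."""
    m = re.search(PATTERNS[name], text)
    return m.group(0) if m else None

# Constructed samples: (pattern name, text, expected result)
SAMPLES = [
    ("phrase",        "You will be hearing from my lawyer soon.", True),
    ("phrase",        "You will be hearing from my boss.",        False),
    ("invoice_orig",  "INV|123456|123",                           True),   # pitfall
    ("invoice_fixed", "INV|123456|123",                           False),
    ("invoice_fixed", "INV 123456 123",                           True),
    ("ip_simple",     "192.168.300.999",                          True),   # invalid octets accepted
    ("ip_strict",     "192.168.300.999",                          False),
    ("ip_strict",     "192.168.1.1 is up",                        False),  # '$' needs end of text
    ("password",      "Passw0rd",                                 True),
    ("password",      "PASSWORD",                                 False),  # 'w' is not [wW]
    ("email_orig",    "@gmail.",                                  True),   # pitfall
    ("email_fixed",   "@gmail.",                                  False),
]

def run_samples(samples=SAMPLES):
    """Return the samples whose result differs from the expectation (ideally none)."""
    return [(n, t) for n, t, exp in samples if found(n, t) != exp]

if __name__ == "__main__":
    for name, text, exp in SAMPLES:
        print(f"{name:14} {text!r:40} -> {found(name, text)} (expected {exp})")
    print("mismatches:", run_samples())
```

The strict IP pattern finds 192.168.1.1 in "host 192.168.1.1" but not in "192.168.1.1 is up", which is the $ anchor at work; drop the anchor or add your own boundary if the address may appear mid-text.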

Using the Advanced Mode Actions/Risk Thresholds

The Advanced Mode on the Actions tab lets you add multiple thresholds and assign a frequency, risk, and action to each one. This enables you to take different actions depending on the severity of a rule violation. For example, if a user shares one credit card number in an email, you can just warn them; if they do it five times or more in a day, or an email contains more than one credit card number, you can notify an admin instead. Multiple thresholds also let you assign multi-level risk to a rule, so that you can analyze risk on the Risk Report, view risk trends, and identify high-risk users and rules.

[Screenshot: advanced_behavior_rule.png]

P (Period)

Under Choose time period for thresholds, choose the Period of time over which occurrences are counted: Hourly, Daily or Monthly.

T (Thresholds)

Add further thresholds by clicking the ADD THRESHOLD button.

F1 – F2 (Frequencies)

Under Configure action threshold, you will see small dots. Drag them left and right to adjust the Frequency of each threshold, i.e. the number of occurrences of a match (how many times the rule is violated) within the period before that threshold applies.

You can also type the value into the Frequency field located under the Define action area.

R1 – R2 (Risks)

Assign a Risk to each threshold from the Risk field located under the Define action area. You can choose from No risk, Low, Moderate, High, and Critical.

A1 – A2 (Actions)

Assign an Action to each threshold by clicking the small Plus icon under the Define action area.
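How a set of thresholds turns a running violation count into a risk level and an action, as an added example that is not Teramind's code. Two things the article does not state are assumed here: that the period is a calendar bucket (the hour, day or month containing the event) counted per user, and that each credit card number found in an email counts as one occurrence. The thresholds follow the article's warn/notify example and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Added example (not Teramind code): multi-threshold evaluation. The highest
# threshold whose frequency the user's count in the current period reaches
# decides the risk and the action.

THRESHOLDS = [
    # (frequency, risk, action), modelled on the article's example
    (1, "Low",  "warn user"),
    (5, "High", "notify admin"),
]

def period_key(ts, period):
    """Bucket a timestamp into the selected threshold period (assumption: calendar buckets)."""
    fmt = {"Hourly": "%Y-%m-%d %H", "Daily": "%Y-%m-%d", "Monthly": "%Y-%m"}[period]
    return ts.strftime(fmt)

def decide(count, thresholds=THRESHOLDS):
    """(risk, action) of the highest threshold reached by count, or None if below all."""
    reached = [t for t in sorted(thresholds) if count >= t[0]]
    return (reached[-1][1], reached[-1][2]) if reached else None

# Constructed events: (user, time, number of credit card numbers found in the email)
EVENTS = [
    ("alice", datetime(2024, 3, 1, 9, 0), 1),
    ("alice", datetime(2024, 3, 1, 9, 30), 1),
    ("alice", datetime(2024, 3, 1, 10, 0), 3),   # brings the daily total to 5
    ("alice", datetime(2024, 3, 2, 8, 0), 1),    # next day: the counter starts over
    ("bob",   datetime(2024, 3, 1, 12, 0), 6),   # a single email with six numbers
]

def process(events=EVENTS, period="Daily", thresholds=THRESHOLDS):
    """Replay events in order; return (user, count so far in period, decision) per event."""
    counts = defaultdict(int)
    out = []
    for user, ts, matches in events:
        key = (user, period_key(ts, period))
        counts[key] += matches
        out.append((user, counts[key], decide(counts[key], thresholds)))
    return out

if __name__ == "__main__":
    for row in process():
        print(row)
```

Switching the period to Hourly with the same events keeps alice below the second threshold, because her three emails fall into two different hours; the period you choose is as much a part of the threshold as the frequency.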
