Teramind’s Rules Engine has some advanced features that let you create sophisticated insider threat detection, data loss prevention, and productivity-related rules. In this article, we will discuss how you can leverage some of these advanced features. For more information about policies and rules, check out the Teramind Rules Guide.
Using Multiple Parameters and Conditions in a Rule
Rule ‘logic’ binds rule parameters and conditions. The logic can be either ‘OR’ or ‘AND’:
Each value in a rule condition is considered as an ‘OR’ logic. In the above example, the rule will trigger if the ‘Application Name’ matches with ‘regedit.exe’ or ‘pseditor.exe’.
Each rule parameter is considered as an ‘AND’ logic. In the above example, the rule will trigger if the ‘Application Name’ and the ‘Launch from CLI’ parameters meet the condition.
If you have multiple conditions under the same parameter, each condition is considered as an ‘OR’ logic. In the above example, if either Condition 1 or Condition 2 (under the Launched from CLI parameter) meets the criterion, the rule will be triggered.
You can see how the rule condition logics relate to each other on the Rules Editor’s Summary panel.
Using Multiple Content Definitions in a Rule
When creating a Content Sharing rule with multiple content definitions, you can use logics to bind the definitions together. You can do so under the Advanced: Setup Logics section of the Content tab. Click on the logic (the dotted underlined text) between two definitions, a pop-up menu will appear where you can select a logic out of four options:
You can see how the content definition logics relate to each other on the Rules Editor's Summary panel:
The table below explains each type of logic and how they are evaluated:
Evaluates true if:
BOTH of the definitions are met.
In the above example, we are using the tags field from the File Properties in the first definition and the title field in the second definition. The logic will return true if file tags match with the text ‘CONFIDENTIAL’ and the title contains ‘PRIVATE’. Basically, it will process the files that are both confidential and private.
EITHER of the definitions is met.
Using the above example, the logic will return true if file tags match with the text ‘CONFIDENTIAL’ or the title contains the text ‘PRIVATE’. Basically, it will process files that are either confidential or private.
the 1st definition is met AND the 2nd definition is NOT met.
Using the above example, the logic will return true if file tags match with the text ‘CONFIDENTIAL’ and the title does not contain the text ‘PRIVATE’. Basically, it will process files that are confidential and not private.
the 1st definition is met OR the 2nd definition is NOT met.
Using the above example, the logic will return true if file tags match with the text ‘CONFIDENTIAL’ or the title does not contain the text ‘PRIVATE’. Basically, it will process all files except the private ones.
Using the Shared Lists in a Rule
Shared Lists allow you to build a list of items that can be shared across rules and configuration settings.
You can create/import and manage Shared Lists from the Configure > Shared Lists screen. You can build lists of text/keywords, regular expressions, and network addresses/IP addresses.
Shared Lists allow you to detect a large amount of data without having to enter them every time you create a rule. For example, to block access to inappropriate websites, you can create a text-based Shared List containing those sites. They also make it easy to update the rule detection criteria without editing the rules.
Note that, not all rule conditions support the Shared Lists. For the rule conditions that support it, you can select either the Match list or Equals list option and then select a Shared List from the list of available Shared Lists. The Match list option will detect any partially matched items while the Equals list will detect only exactly matched items.
Using Regular Expressions in a Rule
A regular expression (also known as regex or regexp) allows you to detect text using a pattern. It’s a powerful tool that allows you to define complex definitions to find sensitive information such as credit card numbers, invoice numbers, social security numbers, and other texts that follow a pattern or expression. Explaining the full scope of the regular expression is beyond this article. However, there are many online resources you can use to learn about regular expressions. Here, we will show you some quick tips and examples so that you can begin to learn and experiment with them.
Teramind supports regex in rule conditions, configuration settings such as monitoring settings, OCR searches, etc. You can also create a list of regular expressions through the Shared Lists.
To use regex in a rule condition, you can do either of the two things:
Start typing the expression in the rule condition and then select Match regexp.
Click on the empty condition field and select Match list regexp. This will only work if you have created a Shared List which contains a list of regex.
Regex Cheat Sheet
The following table lists some of the most commonly used regular expressions including syntax, symbols, range modifiers, special characters, etc.:
Will match a single character. For example,
Will match with any character in the brackets. For example,
Is the opposite of
Means a range. So,
Used to group strings/words together.
Will match any of the words/characters in the brackets. Basically, it’s a ‘or’ statement. For example,
You cannot search for special characters in a regex directly such as the
Matches the preceding character/word zero or more times. For example,
Matches the preceding character/word for at least the min time. For example,
Similar to using
One or more of the characters or expressions to the left. For example,
Example 1: Matching from a List of Words
This regex will detect any sentence that contains one of the following phrases:
Example 2: Finding Invoice/PO Numbers or Other Patterns
This regex will detect invoice numbers such as:
Example 3: Detecting a Range of IP Addresses
This regex will detect any IP (IPv4) addresses within the range of 192.168.0.0 to 192.168.255.255. Note that, while this regex good for simple purposes, it matches invalid IP addresses too. For example, 192.168.300.999. If you need to detect IP addresses more accurately with proper boundary check, special ranges, etc., then you will have to use a more complex regex such as:
Example 4: Finding Different Spellings/Variations of a Word
This regex will detect the word “password” and variations of its spelling that spammers usually use for obfuscations. For example:
Example 5: Detecting an Email Address
This regex will detect email addresses from three different vendors and any domain. For example:
Using the Advanced Mode Actions/Risk Thresholds
The Advanced Mode on the Actions tab allows you to add multiple thresholds and assign a frequency, risk, and action for each threshold. This enables you to take different actions depending on the risk of a rule violation incident. For example, if you detect a user is sharing 1 credit card number in their email, you can just warn them. But if they do it 5 times or more in a day, or there is more than 1 credit card number, then notify an admin. Multiple thresholds also allow you to assign multi-level risks to a rule. It will let you analyze risk on the Risk Report, view risk trends and identify high-risk users and rules.
Under the Choose time period for thresholds, choose the Period of time for the thresholds. You can choose from Hourly, Daily or Monthly.
You can add additional thresholds by clicking the ADD THRESHOLD button.
F1 – F2
Under the Configure action threshold, you will see small Dots. You can drag them left and right to adjust the Frequencies (number of occurrences of a match or how many times the rule is violated) of thresholds.
R1 – R2
You can assign a Risk to a threshold from the Risk field located under the Define action area. You can choose from No risk, Low, Moderate, High, and Critical.
A1 – A2
You can assign an Action to a threshold by clicking the small Plus icon under the Define action area.