Skip to main content

Content Sharing Rules: What Contents Trigger the Rules?

  • Updated

Help Topics

 

Content Sharing rules are used to detect content or text inside an object. The object can be a file, an email or IM chat, data in the clipboard or even any text displayed on the screen. You can use these powerful rules to prevent data exfiltration attempts, such as: block transferring of a file when it contains credit card numbers; warn a user when they attempt to send emails containing sensitive keywords etc.

You can specify the detection criteria for the Content Sharing rules in two places:

  • On the special Content Tab: This tab allows you to define what makes the content sensitive and specify the data values to look for. This tab is automatically added when you select the Content Sharing rule type (in the General tab).
  • On the selected Content Type Tabs: For example, if you selected Clipboard and Emails from the Type of Content section (in the General tab), you will have two tabs called ‘Clipboard’ and ‘Emails’ where you can add the rule conditions and values.
i
 The basic premise of the Content Sharing rule is: you describe the data in the Content tab and then you tell Teramind where to look for that data in the Content Type Tabs. You need to use both of them for creating a Content Sharing rule.

The Content Tab

This tab allows you to define what makes the content sensitive and specify the values to look for. You need to select at least one Types of Content, such as: Clipboard, File etc. to be able to use the Content tab.

image-89__1_.png

You can select from different data definitions depending on what Types of Content you have selected in the General tab (i.e. Clipboard, Files, Emails, IM).

For example, if you have selected the Clipboard content type, then you will see the ‘Clipboard Origin’ in the data definition list.

The table below shows what criteria the Content definition supports and what conditions you can use with them.

Data Content

content-tab-768x1225.png

Data Content is a generic criterion that can be used to look for any text or binary data. For example, by using it with the Clipboard, you can detect anything copied on the clipboard.

You can select TEXT, BINARY or BOTH as the CONTENT TYPE.

For SELECT MATCH TYPE, you can choose ‘Contains’, ‘Equals’ or ‘RegExp’ and specify the text or binary values in the bottom field. Use the + button to add multiple values. Or, you can choose ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Text-based or Regular Expressions-based) from the SELECT SHARED LIST drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

i

The Data Content criterion can be used with any content types (i.e. Files, Email etc.).

Clipboard Origin

clipboard.png

Clipboard Origin detects data pasted into the clipboard from a specific webpage or application. By using it you can, for example, build a rule that prevents copy pasting of customer data from your CRM site.

You can select WEBPAGE or APPLICATION as the source of the clipboard copy operation.

For SELECT MATCH TYPE, you can choose ‘Contains’, ‘Equals’ or ‘RegExp’ and specify the text values in the bottom field. Use the + button to add multiple values. Or, you can choose ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Text-based or Regular Expressions-based) from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

i

The Clipboard Origin criterion can only be used with the Clipboard content type.

File Origin

file-origin-526x1024.png

File Origin detects file sharing based on its origin or source. It supports local, Cloud and web sharing. By using it you can, for example, build a rule that prevents sharing of files to Cloud drives.

You can select from several sharing options under the SELECT FILE ORIGIN section. SHARE = any type of network shares, CLOUD = sharing over Cloud services, such as, Dropbox and URL = sharing over any websites.

Depending on which origin (SHARE / CLOUD / URL) you selected, you can choose from ‘All Share’, ‘Contains’, ‘Equals’ or ‘RegExp’ in the SELECT MATCH TYPE field and specify the text values in the bottom field. Use the + button to add multiple values. Or, if available, you can choose the ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List (Network-based) from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

i

The File Origin criterion can only be used with the Files content type.

File Properties

mceclip3.png

File Properties detect files based on their meta-tags (also know as ‘file property’ or ‘field’). By using it you can, for example, build a rule that prevents sharing of any documents outside your company that has has a specific property/field containing a specific value. For example, a 'Restricted' field/property with the string value 'Yes'.

i

The File Properties criterion can only be used with MS Office or Office 365 files (e.g. doc, docx, xls, xlsx etc.).

 To use this criterion, first create the rule:

  1. Select a FIELD TYPE such as: ANY, STRING, INTEGER or DATE.
  2. Select MATCH TYPE for the condition. If you have selected the STRING field type, you can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ options. Use the + button to add multiple values. Or, you can choose the ‘Match List Member’ or ‘Equals List Member’ as a match type and then select a Shared List from the SELECT URL or SELECT NAME drop-down menu. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists. If you chose INTEGER or DATE field type, you can choose one of the ‘=’, ‘>’, ‘<’ logics.
  3. Enter the name of the file property the rule will detect in the FIELD NAME field.
  4. Specify the value the file property should contain in the SPECIFY VALUE field.

After you have created the rule, you can now add Custom tag(s) in the file(s) you want the rule to detect.  You can create a custom tag from the Office apps such as Word, Excel, PowerPoint etc. Here's an example showing how to create a custom tag in Microsoft Word:

  1. Click File > Info
  2. Click on Properties on the right-panel and select Advanced Properties:

mceclip2.png

  1. Click the Custom tab and enter a Name, Type and Value for the property. Click the Add button when done:

mceclip4.png

  1. Save the document.
i

The File Properties criterion can only be used with the Files content type.

Predefined Classified Data

classified-768x1186.png

Predefined Classified Data detects content based on predefined data categories.

There are several types of data categories you can choose from: Financial Data, Health Data, Personally Identifiable Data etc.

The SENSITIVE DATA TO DETECT field will have different menu options depending on what you choose in the SELECT SENSITIVE DATA CATEGORY field. For example, if you choose Financial Data in the previous field, you can choose from ‘All credit card numbers’, ‘SWIFT code’ etc. Or, if you choose the Health Data, you can choose from ‘Common drug names’, ’DNA profile’ etc. Check out the List of Predefined Classified Data article for a list of all the predefined classified data supported in Teramind.

Finally, specify how often a data pattern can appear in the content before the rule is triggered in the TRIGGER ON PATTERN… field.

Clipboard

The Clipboard content type detects text copied to the clipboard from any applications or websites.

Rule Examples

  • Prevent sharing of customer data  outside of your CRM site.
  • Warn users when they copy social security numbers from an Excel spreadsheet and paste it on an email client like Outlook.
  • Prevent data marked as sensitive in the Predefined Classified Data list to be pasted on an image application. So that the user cannot later upload the image to bypass your document upload rules.

Rule Criteria

The table below shows what criteria the Clipboard supports and what conditions you can use with them.

Any

image-93__1_.png

Lets you detect the clipboard text in any applications or websites.

i

If you use this option without any other criteria, Teramind will trigger the rule anytime a clipboard paste operation is performed in any applications or websites where the content is detected.

Application Name

image-94__1_.png

Used to specify the applications in which the Clipboard action will be detected.

You can choose from ‘Contains’, ‘Equals’ or ‘Equals List’ with any text as conditions. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Equals List’ or ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any applications you do not want to track in the EXCEPT field.

i

The Application Name and the Webpage URL criteria cannot be used together in the same condition block.

Webpage URL

image-95__1_.png

Used to specify the webpage URL (website address) in which the Clipboard action will be detect.

You can enter any text in the CONDITION field and choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs in the EXCEPT field.

i

The Webpage URL and the Application Name criteria cannot be used together in the same condition block.

Files

Files content type works in the same way as it does in the Files Activity rules. However, there are certain file operations that you cannot use in the Content Sharing rules. For example, the Download operation isn’t supported.

Note that not all criteria are available for all file operations. Teramind will automatically show or hide the criteria based on which file operation you select. So, if you select the Access or the Delete operation, you will only see the Program criterion. Some file operation may have additional detection criteria. For example, the Upload operation lets you specify the Upload URL.

image-96__1_.png

Select a file operation by clicking the CONDITION filed.

Click the Plus (+) button to add a criterion to the operation.

If you choose the ‘Any’ file operation without any other criteria, Teramind will trigger the rule for any file operation where the content is detected.

i

If you choose the ‘Any’ file operation without any other criteria, Teramind will trigger the rule for any file operation where the content is detected.

Files Rule Examples

  • Prevent sharing of files that contain sensitive information, such as: Credit Card Numbers, Social Security Numbers, Health Records or your own custom data type.
  • Prevent sharing of a file based on certain properties, such as, when a document contains a ‘confidential’ watermark.
  • Create rules based on file origin, such as, stop all network sharing from certain applications.
i

These are some examples of Content Sharing rules for Files. For other examples of the Files rules, check out the Files Activity rule examples.

Files Rule Criteria

The table below describes the criteria you can use for the Files sharing rules, and which file operations are supported for each criterion.

Program

image-97__1_.png

Lets you specify in which program/app the file operation took place.

You can choose from ‘Contains’, ‘Equals’ or ‘Match RegExp’.

Similarly, you can exclude any programs you do not want to track in the EXCEPT field.

Network Host

image-98__1_.png

Used for network-based file operations. Detects the host name of the file operation. For example: http://sharepoint.com, ftp://filevault.net etc.

You can choose from ‘Contains’, ‘Equals’, ‘All Shares’. Or, you can select a Shared List (Network-based) and specify a ‘Match List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any hosts you do not want to track in the EXCEPT field.

i

This criterion is only supported in the Write and Copy operations.

Cloud Provider

image-99.png

Used to detect cloud providers.

You can choose from ‘All Cloud Providers’, ‘Dropbox’, ‘Google Drive’, ‘OneDrive’ or ‘Box’.

Similarly, you can exclude any provider you do not want to track in the EXCEPT field.

i

This criterion is only supported in the Write and Copy operations.

RDP File Transfer

image-100__1_.png

Detects if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.

You can select either YES or NO.

i

This criterion is only supported in Copy operations.

Upload URL

image-101__1_.png

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’. Or, you can select a Shared List and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any URLs you do not want to track in the EXCEPT field.

i

This criterion is only supported in Upload operations.

External Drive

image-102__1_.png

You do not need to specify any conditions in this criterion.

i

This criterion is only supported in the Write and Copy operations.

Emails

Files content type works in the same way as it does in the Email Activity rules. Except, the Mail Body criterion is not supported.

Emails lets you detect content sharing over outgoing and incoming emails including any email attachments.

Emails Rule Examples

  • Detect sensitive information like Credit Card Numbers, Social Security Numbers, Health Records or your own custom data types inside attachments and act based on what’s detected.
  • Detect if an internal memo is shared outside the company.
  • For example, warn the user when sending out an email that contains a document containing contacts to prevent data exfiltration or comply with privacy laws.
i

These are some examples of Content Sharing rules for Emails. For other examples of the Emails rules, check out the Emails Activity rule examples.

Emails Rule Criteria

The table below shows what criteria the Emails sharing supports and what conditions you can use with them.

Any

image-103__1_.png

Lets you detect if an email is sent or received.

i

If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received and the content is detected in any of the supported mail parts (i.e. Mail Subject, Mail Attachments etc.).

Mail Subject

image-104__1_.png

Used for detecting text inside the mail subject.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail CC

image-105__2_.png

Detects the CC addresses in an email.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can select a Shared List (Text-based or Regular Expressions-based) and specify a ‘Match List’ or ‘Equals List’ condition. Check out the Shared List section on the Teramind User Guide to learn how to create shared lists.

Similarly, you can exclude any text/list you do not want to track in the EXCEPT field.

Mail To

image-106__2_.png

Similar to Mail CC criterion but used to detect the Mail To addresses instead.

Mail From

image-107.png

Similar to Mail CC and Mail To criterion but used to detect the Mail From addresses instead.

Mail Direction

image-108__1_.png

Lets you detect if the mail is being sent or received.

Select either the INCOMING or OUTGOING option.

Mail Client

image-109__1_.png

Used to specify the mail client you want to detect.

You can choose from ‘Gmail’, ‘Outlook Client’, ‘Outlook Web Client’, ‘Live.com’, ‘Yahoo Mail’, and ‘Yandex Mail’. Teramind keeps adding support for new clients so you might see more clients than mentioned here.

Similarly, you can exclude any client(s) you do not want to track in the EXCEPT field.

Has Attachments

image-110__1_.png

Used to detect if the mail has any attachment.

Select either the YES or NO option.

Attachment Name

image-111__1_.png

Used to detect the names or extensions for the attached files. File extension are used to identify a file type and usually starts with a ‘. (dot)’. For example: .doc, .pdf etc. Note: you do not need to specify the ‘.’ when entering the extension.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text. Or, you can check for file extensions using one of the ‘Extension Contains’, ‘Extension Equals’, ‘Extension Does Not Contain’ options.

i

The Attachment Name criterion is only shown when you have already selected YES for the Has Attachment criterion.

Mail Size

image-112__1_.png

Used to detect the size (in bytes) of the mail.

You can enter a byte value in the CONDITION field and use the ‘=’, ‘>’, ‘<’, ‘>=’ logics.

Similarly, you can use the EXCEPT field to specify an exception.

IM – Instant Messaging

IM content type works in the same way as it does in the IM Activity rules. Except, the Message Body criterion is not supported.

IM lets you detect content sharing over instant messaging conversations and group chats for popular IMs such as: Facebook, Skype, Slack etc. You can detect both incoming and outgoing messages, detect the participants and search in the message body for keywords or text.

IM Rule Examples

  • Improve productivity and data security. For example, detect if customer service agents are not responding to complaints or queries coming through your Instant Messaging channels.
  • Create rules that warn the HR about angry exchanges, harassment or other potential negative sentiments in chat conversations.
  • Detect if a user is targeted for phishing or social engineering online.
i

These are some examples of Content Sharing rules for IM. For other examples of the IM rules, check out the IM Activity rule examples.

IM Rule Criteria

The table below shows what criteria the IM sharing supports and what conditions you can use with them.

Any

image-113__1_.png

Lets you detect if an IM is sent or received.

i

If you use this option without any other criteria, Teramind will trigger the rule anytime an IM is sent or received where the content is detected.

Message Direction

image-114__1_.png

Lets you detect if the message is being sent or received.

Select either the INCOMING or OUTGOING option.

Messaging App

image-115__1_.png

Used to specify the messaging app you want to detect.

You can choose from ‘Facebook, ‘Skype Web’, ‘Skype for Business’, ‘LinkedIn’, ‘Google Hangouts’, ‘WhatsApp Web’, ‘Slack Web’, ‘Slack’, ‘Microsoft Team Web’ and ‘Microsoft Team’. Teramind keeps adding support for new apps so you might see more clients than mentioned here.

Similarly, you can exclude any app(s) you do not want to track in the EXCEPT field.

Contact Name

image-116__1_.png

Used to detect the contacts/participants of the IM conversation.

You can choose from ‘Contains’, ‘Equals’ or ‘RegExp’ with any text as conditions.

Similarly, you can exclude any contacts you do not want to track in the EXCEPT field.

Related articles

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk