Working with custom EDD rules
Endpoint Data Discovery (EDD) rules define content to detect during an EDD scan. EDD policies scan the hard drives of your managed Windows and Mac devices for confidential file content, such as personal health information, credit card numbers, and SSNs. Scan results are reported in EDD reports to help you identify at-risk devices. You can create your own custom EDD rules to find confidential or at-risk file content that is unique and is of particular interest to your organization. After your rule is created and tested, you can publish it to make it available on the Configure EDD dialog. You can add up to 50 custom EDD rules.
EDD Rules is an advanced feature that Administrators can use to build custom Endpoint Data Discovery rules that address the specific policy needs of their organization. Rules use an easy-to-understand syntax; however, before you use this feature, it's best practice to thoroughly review and understand the information provided in Getting started with EDD Rules and familiarize yourself with the syntax guidelines.
If you have any questions about using this feature, or you require assistance, contact Absolute Technical Support.

To create a new rule and add expression sets:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the footer of the EDD Rules sidebar, click (Add Rule).
If (Add Rule) is disabled, the EDD Rules area contains 50 custom rules, which is the limit. To add another rule, you need to delete one first.
A rule is added to the sidebar with the name, New Rule <yyyy-MM-dd hh:mm:ss.SS>. Adding the date and time to the rule name ensures that the rule name is unique. Your new rule shows in the work area.
- Rename the rule with a unique name that describes its scope and context. Click EDD Rule Options > Rename, edit the name of the rule, and press Enter or click anywhere on the page.
The Saved date and time update to the current date and time.
- Edit the rule by adding expression sets and expressions.
- To ensure that the rule is yielding the desired results, test the expressions in your rule.
When you have finished testing the custom EDD rule and are satisfied that it returns the results you want, you need to publish it to make it available in an EDD policy.

You can create a copy of an existing rule and then edit its expression sets and expressions.
If the rule that you want to duplicate is currently activated (used by an EDD policy to scan devices), the copy of that rule is not activated until you publish it and associate it with an EDD policy.
To duplicate a rule:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, select the rule you want to copy.
- On the footer of the EDD Rules sidebar, click (Duplicate).
If (Duplicate) is disabled, the EDD Rules area contains 50 custom rules, which is the limit. To add another rule, you need to delete one first.
A rule is added to the sidebar with the name Copy of <rule name>. The copied rule shows in the work area.
- Rename the rule with a unique name that describes its scope and context. Click EDD Rule Options > Rename, edit the name of the rule, and press Enter or click anywhere on the page.
The Saved date and time update to the current date and time.
- Edit the rule by adding, editing or deleting expression sets and expressions.
- To ensure that the rule is yielding the desired results, test the expressions in your rule.
When you have finished testing the custom EDD rule and are satisfied that it returns the results you want, you need to publish it to make it available in an EDD policy.

To edit the name of a rule:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule that you want to edit. The rule opens in the work area.
If the work area is grayed out, the rule is currently used in one or more EDD policies. Click Edit Rule to enable the work area.
- Do one of the following:
  - Click the name of the rule at the top of the page.
  - On the work area toolbar, click EDD Rule Options > Rename.
- Edit the name of the rule and press Enter or click anywhere on the page.
The rule name is changed and the Saved date and time update to the current date and time.

As you work in the EDD Rules area your changes are auto-saved. If you edit an existing rule and want to undo your changes, you can revert to the last published version of the rule.
To revert your changes to the last published version of a rule:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule that you want to edit. The rule opens in the work area.
If the work area is grayed out, the rule is currently used in one or more EDD policies. Click Edit Rule to enable the work area.
- Click EDD Rule Options > Revert.
- In the Revert EDD Rule dialog click Revert. A message shows while the system processes the request.
All changes made to the rule since it was last published are undone. The Saved date and time update to the current date and time.

Before you publish a rule and make it available for assignment to EDD scans, you need to test the rule definition, which includes the rule's expressions and expression sets. It is important that you thoroughly test each expression to prevent false positives, where the rule's expressions are detecting more content than expected. (A false positive is a result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data.) If there are an excessive number of detected matches, the EDD scan on a device is stopped.
You cannot test for matches to the @FILENAME and @SHA256 operators using Test Rule.
To test a rule:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule you want to test. The rule opens in the work area.
- If the work area is grayed out, which indicates that the rule is currently used in one or more device policies, click Edit Rule. The work area is enabled.
- If the Test Rule section is collapsed, click Test Rule to expand it.
- In the text box, enter or paste sample text that contains content that you want your rule to find. For example, if the rule is intended to find instances of your country's health insurance numbers, enter a sentence that includes a valid number, such as "The patient's HIN is 123 567 988."
If the rule includes expressions that define content that should not be matched, such as an invalid health insurance number, you may also want to test for this. For example, if an expression defines that the health insurance number can never start with "11", enter sample text such as "113 567 988". No match should be found.
- If one or more matches are found:
  - The matched text is highlighted in the Test Rule text box
  - Each matched expression set is expanded and the line number of the matched expression is highlighted
  - The total number of matches shows next to the Test button
  Total matches is not synonymous with Match Score. The Test tool shows a simple count of matched words whereas Match Score is a calculation.
  If matches are not found:
  - 0 matches found shows under the Test button
  If a result of 0 matches found is unexpected, keep in mind that if the rule includes more than one expression set, at least one expression in each and every expression set needs to be matched for any matches to be found.
- To ensure that the expressions in your rule produce the expected results, we recommend that you repeat the steps to test each and every expression in your rule. This step is particularly important if the rule includes complex expressions with multiple operators, such as the @Mask_After or @Mask_Upto operators.
- If the test results are not as expected, edit the applicable expressions.
When you have finished testing the custom EDD rule and are satisfied that it returns the results you want, you need to publish it to make it available in an EDD policy.
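The following added example is not part of Absolute's documentation and does not use EDD rule syntax. It models in Python the matching behaviour described above, so that positive and negative sample texts can be kept alongside a rule and your expectations checked before you paste them into Test Rule. The two-set rule, the regular expressions, and the way matches are counted are assumptions made for illustration.

```python
import re

# Constructed model of a rule: a list of expression sets, each a list of
# Python regular expressions. This is NOT EDD rule syntax.
HIN_RULE = [
    # Set 1 (assumed): a context keyword must appear somewhere in the text.
    [r"\bHIN\b", r"\bhealth insurance number\b"],
    # Set 2 (assumed): nine digits in 3-3-3 groups, never starting with "11".
    [r"\b(?!11)\d{3} \d{3} \d{3}\b"],
]


def evaluate_rule(rule, text):
    """Return the matched strings, or [] if any expression set has no match."""
    found = []
    for expression_set in rule:
        hits = [m.group(0)
                for pattern in expression_set
                for m in re.finditer(pattern, text, re.IGNORECASE)]
        if not hits:
            # At least one expression in every set must match,
            # otherwise the whole rule reports no matches.
            return []
        found.extend(hits)
    return found


# Constructed sample texts paired with the number of matches expected.
SAMPLES = [
    ("The patient's HIN is 123 567 988.", 2),  # keyword + valid number
    ("The patient's HIN is 113 567 988.", 0),  # number starts with "11"
    ("Call 123 567 988 tomorrow.", 0),         # number only, set 1 unmatched
]


def run_samples(rule, samples):
    """Return (text, expected, got) for every sample that behaves unexpectedly."""
    failures = []
    for text, expected in samples:
        got = len(evaluate_rule(rule, text))
        if got != expected:
            failures.append((text, expected, got))
    return failures


if __name__ == "__main__":
    for failure in run_samples(HIN_RULE, SAMPLES):
        print("unexpected result:", failure)
```

The third sample shows how a valid-looking number can still produce 0 matches when another expression set in the same rule is not satisfied.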

By default, the GDPR Summary report includes Match Scores for the predefined GDPR Personal Data rule only. To include a custom rule in this report, you need to enable the rule's Include in GDPR Report option.
In addition to country-specific personal identifiers, you want to detect employee IDs since these identifiers are also considered personal data. To do so, you create a custom rule called "Employee IDs" that you will enable along with the GDPR Personal Data rule in an EDD policy. To include the Employee IDs rule in the GDPR Summary report, you enable the rule's Include in GDPR Report option.
To control whether a custom rule shows in the GDPR Summary report:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule you want to update. The rule opens in the work area.
- Do one of the following:
  - To include the rule in the report, click EDD Rule Options > Include in GDPR Report.
  - To exclude the rule if it was previously included:
    - Click EDD Rule Options to open the menu. A checkmark shows next to Include in GDPR Report to indicate that the option is enabled.
    - Click Include in GDPR Report to disable the option. The menu closes and the checkmark is removed.

After you have finished creating your rule and you are ready to use it in EDD scans, you can publish it.
To publish a rule and make it available for EDD scans:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule you want to publish. The rule opens in the work area.
- If the work area is grayed out, which indicates that the rule is currently used in one or more device policies, click Edit Rule. The work area is enabled.
- Click Publish to Device Policies.
- In the Publish to Device Policies dialog, click Publish. Your rule is published to the Policies area.
If the Unable to publish rule message shows, the rule contains errors and it can't be published. To publish your rule, you first need to review expression requirements and limitations and then edit the expressions that do not comply.
To apply your new rule to an EDD scan, update the applicable EDD policy's configuration in the Configure EDD dialog.

To see the list of policy groups in which a published EDD rule is actively used:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule. The rule opens in the work area.
- Click Edit Rule. The work area is enabled.
- The indicator, Active in <#> policy groups, shows below the rule name. Hover over the icon to see the list of policy groups associated with the rule.

You can delete any rule that is not associated with an active Endpoint Data Discovery policy.
When you delete a rule that was previously activated on your devices, all historical EDD information associated with the rule is also deleted.
To delete a rule:
- Log in to the Secure Endpoint Console as a user with Manage permissions for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules.
- On the EDD Rules sidebar, click the rule you want to delete. The rule opens in the work area.
- If the work area is grayed out, the rule is currently used by the EDD policy in one or more policy groups. To view the list of policy groups in which the rule is used:
  - Click Edit Rule. The work area is enabled.
  - Hover over the icon below the rule name to see the list of policy groups associated with the rule. Before you can delete the rule, you need to remove it from each EDD policy's configuration.
- If the rule can be deleted, click EDD Rule Options > Delete.
If the Delete option is not available, the rule is currently used by the EDD policy in one or more policy groups.
- In the Delete Custom Rule dialog click Delete.
The rule is deleted.