Working with expression sets

Expressions sets are the largest building blocks of EDD rules. Each rule needs to include at least one expression set, which contains expressions that define a specific type of content. The expressions within a set are joined by OR operators meaning that a match is generated if any individual expression is matched by content in a file.

There is no limit to the number of expression sets that a rule can include, but it's best practice to keep your rule as simple as possible while still meeting the needs of your organization. If you need to add multiple expression sets to a rule, be aware that a match is generated only when an expression in each and every expression set is matched by content in a file.

To protect confidential data, use the @Mask_After and the @Mask_Upto operators to redact personal information.

You can perform the following actions on expression sets:

To view a rule's expression sets, your user role needs to be granted the View permission for Endpoint Data Discovery. To manage a rule's expression sets, your user role needs to be granted the Manage permission for Endpoint Data Discovery. All Administrator roles are granted these permissions.

To add an empty expression set:

  1. On the navigation bar, click Policies > EDD Rules.

  2. After searching for the rule, click its name, or hover over its row and click . The rule opens.

  3. Click Add Expression Set > New. A new expression set is added.
  4. Click the name of the expression set and rename it to a unique name that describes its scope and context. Click anywhere on the page to close edit mode.
  5. Add one or more expressions to the set.

To add an expression set that is prepopulated with content specific expressions:

  1. On the navigation bar, click Policies > EDD Rules.

  2. After searching for the rule, click its name, or hover over its row and click . The rule opens.

  3. Click Add Expression Set and select a template. A new expression set is added.
  4. Optionally, rename the expression set.
  5. Edit or delete existing expressions, as required.
  6. Add expressions to the set, as required.

To duplicate an existing expression set:

  1. On the navigation bar, click Policies > EDD Rules.

  2. After searching for the rule, click its name, or hover over its row and click . The rule opens.

  3. To the right of the expression set name, click > Duplicate.

    A new expression set named Copy of <original expression set name> is added.

  4. Edit the expression set name and its expressions, as required.

By default, every time unique content in a file matches an expression, a match score of 1 is added to the total match score for a rule. If your rule includes multiple expression sets, meaning that an expression in each and every expression set must be matched for a match score to be generated, a match score of 1 is generated for each unique match in each expression set. As a result, the match score may become inflated, hindering your ability to determine the actual risk associated with a file.

Example
You want to find personal financial information residing on your devices. You create a rule and add two expression set templates: Tax Code ID (Italy) and Financial Terms. An EDD scan runs on a device and finds a file that contains 15 unique Tax Code IDs and 60 unique financial terms. If both expression sets are included in the match score calculation, the match score for the file is 75, but if you exclude the Financial Terms expression set, the match score is 15. This match score corresponds to the number of individuals whose financial information may be at risk, which is a more accurate reflection of the risk associated with the file.

At least one expression set's match score must be included in a rule's total match score.

To exclude an expression set's match score from the total match score:

  1. On the navigation bar, click Policies > EDD Rules.

  2. After searching for the rule, click its name, or hover over its row and click . The rule opens.

  3. To the right of the expression set name, click > Exclude from Match Score.

    The expression set's match score will be excluded from the rule's total match score.

  4. To include an expression set's match score that was previously excluded:

    1. Click . A check mark shows next to Exclude from Match Score.
    2. Click Exclude from Match Score to clear the check mark.

The expression set's match score will be included in the rule's total match score.

To edit an expression set:

  1. On the navigation bar, click Policies > EDD Rules.

  2. After searching for the rule, click its name, or hover over its row and click . The rule opens.

  3. Do one or more of the following:
    • Edit the name of the expression set or its description.
    • Edit or delete existing expressions, as required.
    • Add expressions to the set, as required.
  4. Click Save , or if the rule is unpublished and you want to publish it, click Publish.

To delete an expression set:

  1. On the navigation bar, click Policies > EDD Rules.

  2. On the EDD Rules sidebar, click the rule that you want to edit. The rule opens in the work area.

    If the work area is grayed out, the rule is currently used in one or more EDD policies. Click Edit Rule to enable the work area.

  3. To the right of the expression set name you want to delete, click .

The expression set is deleted.