Creating and publishing a custom EDD rule

You can create your own custom Endpoint Data Discovery Endpoint Data Discovery policies scan the hard drives of your managed Windows and Mac devices for confidential file content, such as personal health information, credit card numbers, and SSNs. Scan results are reported in EDD reports to help you identify at-risk devices. (EDD) rules to find confidential or at-risk file content that is unique and is of particular interest to your organization.

IMPORTANT    Rules is an advanced feature that Administrators can use to build custom Endpoint Data Discovery rules that address the specific policy needs of their organization. Rules use an easy to understand syntax; however, before you use this feature it's best practice to thoroughly review and understand the information provided in Getting started with EDD Rules and familiarize yourself with the syntax guidelines.

If you have any questions about using this feature, or you require assistance, contact Absolute Technical Support.

To create, test, and publish a new EDD rule you need to perform the following tasks:

A rule contains sets of expressions that define the file content you want to detect during an EDD scan.

To create a new rule that you can add expression sets to:

  1. On the footer of the Rules sidebar, click .
  2. On the menu, click Add.

    3. A rule is added to the sidebar with the name, New Rule <#>. The <#> ensures that the rule name is unique. Your new rule shows in the work area.

    NOTE  You can also create a new rule by duplicating an existing one.

It's best practice to change the default rule name to a unique name that describes the scope or purpose of the rule.

To rename the new rule:

  1. Do one of the following:
    • Click the name of the rule at the top of the page.
    • Click EDD Rule Options > Rename.

      • The rule name is now editable.

  2. Edit the name of the rule.
  3. Click anywhere on the page. The Saved date and time update to the current date and time.

You need to add an expression set to your new rule. Each rule needs to contain at least one expression set. You will add and edit expressions in a later task.

To add an expression set, do one of the following:

  • To add an empty expression set, click Add Expression Set and select New.
  • To add an expression set that is prepopulated with expressions that you can edit, click Add Expression Set and select a template.

If you added an empty expression set, you need to add expressions to define the file content you want detected. If you added an expression set that is based on a template, you can add more expressions, if required.

An expression can be a word or phrase, such as a health term, or it can contain a combination of words, variables, operators, and special characters in a supported syntax.

To add expressions:

  1. If the expression set is not expanded, click the icon next to the name of the expression set that you want to edit. The expression set expands.
  2. Click Add Expression. A new row is added to the expression set.
  3. Enter the expression using supported syntax. If Syntax error shows after you click away from the expression field, the syntax is not supported. You need to correct the expression's syntax before you can publish your rule.
  4. In the field below the expression, enter additional information to describe the expression, if desired.
  5. Repeat steps 2 to 4 to add more expressions.
  6. To edit an existing expression:
    1. Click the expression that you want to edit. The expression is now editable.
    2. Update the expression text using supported syntax. If Syntax error shows after you click away from the expression field, the syntax is not supported. You need to correct the expression's syntax before you can publish your rule.
    3. In the field below the expression, update the comment associated with the expression, if applicable.
  7. To ensure that the expressions are yielding the desired results, test your expression.

We recommend that you change the name of the expression set to a unique name that describes the scope of the expressions contained within it.

To rename the expression set:

  1. Do one of the following:
    • Click the name of the expression set.
    • To the right of the expression set name, click Expression Set Options > Rename.

      • The expression set name is now editable.

  2. Edit the name of the expression set.
  3. Click anywhere on the page. The Saved date and time near the top of the page update to the current date and time.

Complete the following tasks for each expression set you want to add:

  1. Add an expression set
  2. Add expressions to the expression set
  3. Rename the expression set

If you want to exclude an expression set from the rule's Match Score calculation, to the right of the expression set name, click Expression Set Options > Exclude from Match Score. The expression set is excluded.

To test your rule:

  1. If the Test Rule section is collapsed, click Test Rule to expand it.
  2. In the text box, enter or paste text that contains content that you want your rule to find. For example, if the rule is intended to find instances of your country's health insurance numbers, enter a sentence that includes a valid number, such as "The patient's identifier is 123 567 988."

    3. NOTE  If the rule includes expressions that define content that should not be matched, such as an invalid health insurance number, you may also want to test for this. For example, if an expression defines that the health insurance number can never start with "11", enter sample text that contains "113 567 988". No match should be found.

  3. Click Test.

    If ...

    Then ...

    Matches are found

    • The matched text is highlighted in the Test Rule text box
    • Each matched expression set is expanded and the line number of the matched expression is highlighted
    • The total number of matches shows next to the Test button

      • NOTE  Total matches is not synonymous with Match Score. The Test tool shows a simple count of matched words whereas Match Score is a calculation.

    Matches are not found

    • 0 matches found shows next to the Test button

      • NOTE  If a result of 0 matches found is unexpected, keep in mind that if the rule includes more than one expression set, the rule needs to match at least one expression in each and every expression set for any matches to be found.

  4. To ensure that the expressions in your rule produce the expected results, we recommend that you repeat steps 2 and 3 to test each and every expression in your rule. This step is particularly important if the rule includes complex expressions with multiple operators, such as the Mask operator.
  5. If the test results are not as expected, edit the applicable expressions.

Depending on the custom rule you are creating, you may want to include its matches in the GDPR Summary report. To do so, you need to enable its Include in GDPR Report option.

After you're finished creating your rule and are ready to use it in EDD scans, you can publish it.

To publish your new rule:

  1. Click Publish to Device Policies.
  2. In the Publish to Device Policies dialog, click Publish. Your rule is published to the Policies area.

    3. NOTE  If the Unable to publish rule message shows, the rule contains errors and you can't publish it. To publish your rule, you first need to review expression requirements and limitations and then edit the expressions that do not comply.

  3. To apply your new rule to an EDD scan, update the applicable EDD policy's configuration in the Configure EDD dialog.
Related Topics Link IconRelated Topics