Getting started with Endpoint Data Discovery rules
Endpoint Data Discovery (EDD) policies contain rules that detect confidential and at-risk file content stored on the hard drives of your devices. EDD policies scan the hard drives of your managed Windows and Mac devices for confidential file content, such as personal health information, credit card numbers, and SSNs. Scan results are reported in EDD reports to help you identify at-risk devices.
You can use the Rules area to create custom rules to identify at-risk file content that is unique and is of particular interest to your organization. After you have created and tested your rule, you can publish it to the Policies area so you can include it in an EDD scan.
IMPORTANT Rules is an advanced feature that Administrators use to build custom Endpoint Data Discovery rules that address the specific policy needs of their organization. Rules use an easy-to-understand syntax; however, before you use this feature it's best practice to thoroughly review and understand the information provided in this topic and familiarize yourself with the syntax guidelines.
If you have any questions about using the Rules feature, or you require assistance, contact Absolute Technical Support.

Expression sets are the largest building blocks of EDD rules. Each rule needs to include at least one expression set, which contains one or more expressions that define a specific type of content. An expression can be a single word or phrase, such as "account number", or it can include a combination of words, variables, operators, and special characters. When you add an expression to an expression set, you need to use correct syntax.

The Rules area includes many expression set templates to help you get started building your own custom EDD rules. Each template contains expressions to detect a particular type of content.
| Template | Description |
|---|---|
| Social Security Number (USA) | Includes expressions to detect United States Social Security Numbers. The template's expressions use the @Mask_After operator to redact some of the content. |
| Social Insurance Number (Canada) | Includes expressions to detect Canadian Social Insurance Numbers. The template's expressions use the @Mask_After operator to redact some of the content. |
| | Includes expressions to detect valid Japanese My Numbers (also known as Individual Numbers). The template's expressions use the @JPIDnumber operator to ensure that only valid numbers are detected. It also uses the @Mask_After operator to redact some of the content. |
| | Includes sample expressions to detect the following types of content: You can use this template as a starting point to match identifiers that are unique to your organization. NOTE If you use this expression set template in your rule, you will most likely need to remove the expressions that are not relevant and edit the remaining expressions to best suit your needs. |
| | Includes expressions to detect personal identifiers of the countries of the European Economic Area (EEA). The EEA includes all European Union (EU) countries and also Iceland, Liechtenstein, and Norway; it defines the countries that participate in the European Single Market. The template is specifically designed to help you comply with the General Data Protection Regulation (GDPR), which defines a set of data protection rules that apply to all organizations that process data related to individuals residing in the EEA. The following 40 personal identifiers are detected by this template: |
| Credit Card Samples | Includes expressions to detect valid credit card numbers. The following credit card types are included in this template: The template's expressions use the @Luhn operator to ensure that only valid numbers are detected. It also uses the @Mask_After operator to redact some of the content. |
| Health Terms | Includes a list of over 5500 health conditions, diagnoses, and medications, which are contained within almost 500 expressions. The health terms are synonymous with those used by the predefined Personal Health Information rule to detect at-risk file content. You can edit this expression set template to meet the specific needs of your organization. |
| Financial Terms | Includes a list of 130 terms related to financial information, which is used by the predefined Personal Financial Information rule to detect at-risk file content. You can edit this expression set template to meet the specific needs of your organization. |
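The Credit Card Samples template gates its expressions with the @Luhn operator so that a 16-digit order number is not reported as a card. The following is an added example, not code from the EDD product or this page, showing what that check does: a Luhn validator applied to candidate digit strings found in constructed sample text. The candidate pattern, the sample text and the function names are assumptions; the @Mask_After redaction is not modelled.

```python
import re
from typing import List

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # 10..18 become 1..9 (digit sum)
                d -= 9
        total += d
    return total % 10 == 0

# Assumed candidate pattern: 13 to 19 digits, optionally separated by
# single spaces or hyphens, on word boundaries.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def find_card_numbers(text: str) -> List[str]:
    """Return the digit strings in text that look like card numbers AND
    pass the Luhn check, i.e. what a @Luhn-gated expression would keep."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found

# Constructed sample text: two well-known test card numbers and one
# 16-digit order reference that a digits-only expression would also hit.
SAMPLE = ("Invoice 4111 1111 1111 1111 paid; reference 1234567812345678 is an "
          "order id, not a card; backup card 5555-5555-5555-4444.")

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
```

Without the Luhn gate, the order reference would be a third match and a false positive in the scan results.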
After you've added an expression set template to your rule, you can edit expressions, delete expressions, and add new expressions to the expression set.
NOTE You may find that you need to edit an expression set to detect all possible instances of the content you're interested in.
For example, the US Social Security Number template contains expressions to detect numbers in the format ###-##-####, but not in the format ######### (hyphens are omitted). You may want to add expressions to detect this number format, but keep in mind that it may result in an unacceptable number of false positives (a false positive is a result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data).

When a rule includes one expression set, a match is generated when any one of the set's expressions is matched by content in a file. If you write the rule definition as an expression, the expressions within the expression set are joined by OR operators.
Example
The Engineering team in an organization is working on a new project named Phoenix. The goal of the project is to design a SuperWidget and an UltraWidget. Files related to this project should not be distributed outside of the Engineering team. The organization wants to detect any project-related files that are stored on non-Engineering team devices, so they create an EDD rule with a single expression set that contains the following expressions:
Phoenix project expression set
When any one of these terms is detected in file content on a device, a match is generated. If all four terms are detected in a file, four matches are generated.

When a rule includes multiple expression sets, a match is generated only when an expression in each and every expression set is matched by content in a file. If you write the rule definition as an expression, the expression sets are joined by AND operators and the expressions within each expression set are joined by OR operators.
Example
General Hospital works with files that contain patients' personal health information (PHI). These files should not be distributed to unauthorized employees. The hospital wants to detect any files that contain PHI stored on unauthorized devices. To qualify as PHI, the EDD rule should only find instances where both a patient identifier, such as a Patient ID, and a diagnosis are present. If only one item is found in a file, such as the word "asthma", the content should be ignored because "asthma" on its own does not constitute an information breach.
To create a rule that finds files with both a patient identifier and a diagnosis, you need to add two expression sets to the rule.
Patient identifier expression set
- Patient ID W/1??=====
- Patient record W/1??=====
- Patient number W/1??=====
Health term expression set
- anemia
- apnea
- asthma
- atrophy
- etc.
If patient identifier expressions and health term expressions were added to the same expression set, the rule would be considered matched if only one of the expressions was matched.
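The AND-across-sets, OR-within-set behaviour described above, as an added example that is not part of the original page or the EDD product: a small evaluator run over the General Hospital rule and constructed file contents. Expressions are treated as plain case-insensitive phrases; the product's W/1??===== proximity and wildcard syntax is not modelled, and the function and sample names are assumptions.

```python
import re
from typing import Dict, List

# A rule is a list of expression sets; each set is a list of expressions.
# Assumed plain-phrase form of the page's two expression sets.
HOSPITAL_RULE: List[List[str]] = [
    ["Patient ID", "Patient record", "Patient number"],  # patient identifier set
    ["anemia", "apnea", "asthma", "atrophy"],             # health term set
]

def count_expression_matches(expression: str, text: str) -> int:
    """Count whole-word, case-insensitive occurrences of a phrase."""
    pattern = r"\b" + re.escape(expression) + r"\b"
    return len(re.findall(pattern, text, flags=re.IGNORECASE))

def evaluate_rule(rule: List[List[str]], text: str) -> Dict[str, object]:
    """Apply a rule to file text.

    Within a set, any matched expression satisfies the set (OR).
    The rule matches only if every set is satisfied (AND).
    'hits' records, per set, each matched expression and its count."""
    hits: List[Dict[str, int]] = []
    for expr_set in rule:
        counts = {e: count_expression_matches(e, text) for e in expr_set}
        hits.append({e: n for e, n in counts.items() if n})
    return {"matched": all(hits), "hits": hits}

# Constructed sample file contents.
PHI_FILE = "Patient ID 12345 was admitted with asthma and mild anemia."
DIAGNOSIS_ONLY = "Clinic newsletter: managing asthma during spring."

# The page's warning case: both kinds of expression in ONE set.
MERGED_RULE = [HOSPITAL_RULE[0] + HOSPITAL_RULE[1]]

if __name__ == "__main__":
    for label, rule in (("two sets", HOSPITAL_RULE), ("one merged set", MERGED_RULE)):
        for name, text in (("PHI_FILE", PHI_FILE), ("DIAGNOSIS_ONLY", DIAGNOSIS_ONLY)):
            print(label, name, evaluate_rule(rule, text))
```

With two sets, the newsletter that only mentions "asthma" is ignored; with the merged single set it is reported as a match.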

As you work in the Rules area your changes are auto-saved. The date and time of the last auto-save shows near the top of the Rules page next to Saved. The auto-save time corresponds to the time zone set in your browser.
If you are editing an existing rule and you want to undo your changes, you can revert to the last published version of the rule.

After you've added expression sets and expressions to your rule, you'll want to validate the rule definition to ensure that it detects the file content you're interested in. You can enter sample text in the Test Rule section of your rule and then check to see that the expected matches are found.

After you've thoroughly tested your rule, you can publish it to the Policies area by clicking Publish to Device Policies on the Rules page. This action makes your rule available for selection on the Configure EDD dialog.
After your new rule is associated with an EDD scan and devices are scanned for content, the scan results show on the following reports and pages:
- Data Risk Assessment report
- Devices with At-Risk Files in Cloud report
- History report
- Match Score Summary report
- Reporting Data report
- GDPR Summary report
- Endpoint Data Discovery pages for a device