Working with custom EDD rules
Endpoint Data Discovery (EDD) rules define content to detect during an EDD scan. EDD policies scan the hard drives of your managed Windows and Mac devices for confidential or at-risk file content, such as personal health information, credit card numbers, and SSNs. Scan results are reported in EDD reports to help you identify at-risk devices. You can create your own custom EDD rules to find confidential or at-risk file content that is unique and is of particular interest to your organization. After your rule is created and tested, you can publish it to make it available for selection in your Endpoint Data Discovery policy configurations. You can add up to 50 custom EDD rules.
EDD Rules is an advanced feature that Administrators can use to build custom Endpoint Data Discovery rules that address the specific policy needs of their organization. Rules use an easy-to-understand syntax; however, before you use this feature, it's best practice to thoroughly review and understand the information provided in Getting started with EDD Rules and familiarize yourself with the syntax guidelines.
If you have any questions about using this feature, or you require assistance, contact Absolute Technical Support.
To view EDD rules, your user role needs to be granted the View permission for Endpoint Data Discovery. To manage EDD rules, your user role needs to be granted the Manage permission for Endpoint Data Discovery. All Administrator roles are granted these permissions.
To access the EDD Rules area:
- Log in to the Secure Endpoint Console as a user with the View or Manage permission for Endpoint Data Discovery.
- On the navigation bar, click Policies > EDD Rules. The Rules area opens to show the Endpoint Data Discovery Rules page, which lists all existing EDD rules.
  The following information shows for each rule:
  - Rule name
  - Description (if provided)
  - Status (Published or Unpublished)
  - An icon, which shows the number of policy groups associated with the rule. Hover over the icon to view the list of policy groups in a tooltip.
  - Date and time of the most recent rule update and the user who performed it
  All predefined (Absolute) rules are indicated by an icon.
- [Optional] To filter the page by rule status, click the Rule status filter and select one of the following options: Published or Unpublished.
- [Optional] To filter the page by rule type, click the Rule type filter and select one of the following options: Absolute or Custom.
- To search for an EDD rule, enter all or part of the rule name or description in the Search field.
To create a new rule and add expression sets:
- On the navigation bar, click Policies > EDD Rules.
- Click .
  The EDD Rules area can contain up to 50 custom rules. If that limit has been reached, an error message is displayed when you click . To add another rule, you need to delete one first.
  A dialog opens showing the auto-generated name for the rule in the following format: New Rule - <yyyy-mm-dd hh:mm:ss>.
- Click the name and update it to a unique name that describes the rule's scope and context.
- [Optional] Add a description.
- To include the results of this custom rule in the GDPR Summary report, click the Include in GDPR Summary report checkbox to select it. By default, the GDPR Summary report includes match scores for the predefined GDPR Personal Data rule only.
  Example: In addition to country-specific personal identifiers, you want to detect employee IDs since these identifiers are also considered personal data. To do so, you create a custom rule called "Employee IDs" that you will enable along with the GDPR Personal Data rule in an EDD policy. To include the Employee IDs rule in the GDPR Summary report, you enable the rule's Include in GDPR Summary report option.
- Edit the rule by adding expression sets and expressions.
- To ensure that the rule is yielding the desired results, test the expressions in your rule.
- When you're done, do one of the following:
  - To save the new custom rule and make it available for selection in Endpoint Data Discovery policy configurations, click .
  - To save the rule without publishing it, click .
Before you publish a rule and make it available for assignment to EDD scans, you need to test the rule definition, which includes the rule's expressions and expression sets. It is important that you thoroughly test each expression to prevent false positives, where the rules' expressions are detecting more content than expected. A false positive is a result on an EDD-related report or page in which a match is detected in a file, but upon further investigation, you do not consider the matched content to be at-risk data. If there are an excessive number of detected matches, the EDD scan on a device is stopped.
You cannot test for matches to the @FILENAME and @SHA256 operators using Test Rule.
To test a rule:
- On the navigation bar, click Policies > EDD Rules.
- After searching for the rule, click its name, or hover over its row and click . The rule opens.
- Click Test Rule.
- In the text box, enter or paste sample text that contains content that you want your rule to find. For example, if the rule is intended to find instances of your country's health insurance numbers, enter a sentence that includes a valid number, such as "The patient's HIN is 123 567 988."
  If the rule includes expressions that define content that should not be matched, such as an invalid health insurance number, you may also want to test for this. For example, if an expression defines that the health insurance number can never start with "11", enter sample text such as "113 567 988". No match should be found.
- If one or more matches are found, then:
  - The matched text is highlighted in the Test Rule text box
  - Each matched expression set is expanded and the line number of the matched expression is highlighted
  - The total number of matches shows next to the Test button
  Total matches is not synonymous with match score. The Test tool shows a simple count of matched words whereas match score is a calculation.
- If matches are not found, then:
  - 0 matches found shows under the Test button
  If a result of 0 matches found is unexpected, keep in mind that if the rule includes more than one expression set, at least one expression in each and every expression set needs to be matched for any matches to be found.
- To ensure that the expressions in your rule produce the expected results, we recommend that you repeat the steps to test each and every expression in your rule. This step is particularly important if the rule includes complex expressions with multiple operators, such as the @Mask_After or @Mask_Upto operators.
- If the test results are not as expected, edit the applicable expressions.
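The following is an added example, not part of the product or its documentation: a small Python model of the behavior described above (every expression set must have at least one matching expression, and excluded values must not match) that you can use to assemble positive and negative sample text before pasting it into Test Rule. It assumes Python regular expressions as stand-ins for EDD expressions; the rule, the set names, and the sample sentences are constructed for illustration.

```python
import re

# Assumption: Python regexes stand in for EDD expressions (EDD syntax is not
# reproduced here). Constructed rule: a 9-digit number in three groups that
# never starts with "11", plus a context keyword in a second expression set.
RULE = {
    "identifier": [r"\b(?!11)\d{3} \d{3} \d{3}\b"],
    "context": [r"\bHIN\b", r"\bhealth insurance\b"],
}

# Constructed sample corpus: (sample text, should the rule match?)
SAMPLES = [
    ("The patient's HIN is 123 567 988.", True),
    ("The patient's HIN is 113 567 988.", False),  # excluded "11" prefix
    ("Order 123 567 988 has shipped.", False),     # identifier, no context
]

def evaluate_rule(rule, text):
    """Return {set name: matched strings}; {} unless every set has a match."""
    found = {}
    for name, expressions in rule.items():
        hits = [m.group(0) for expr in expressions
                for m in re.finditer(expr, text, re.IGNORECASE)]
        if not hits:
            return {}  # one empty expression set means no matches at all
        found[name] = hits
    return found

def total_matches(rule, text):
    """Simple count of matched strings in this model, not a match score."""
    return sum(len(hits) for hits in evaluate_rule(rule, text).values())

def unexpected_results(rule, samples):
    """Samples whose outcome differs from expectation (false +/-)."""
    return [text for text, expected in samples
            if bool(evaluate_rule(rule, text)) != expected]

if __name__ == "__main__":
    for text, _ in SAMPLES:
        print(f"{total_matches(RULE, text)} matches: {text}")
    print("unexpected:", unexpected_results(RULE, SAMPLES))
```

Any sample returned by `unexpected_results` is a candidate false positive or missed match to investigate before publishing the rule.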
When you have finished testing the custom EDD rule and are satisfied that it returns the results you want, you need to publish it to make it available in an EDD policy.
After you have finished creating your rule and you are ready to make it available for EDD scans, you can publish it. Rules that have not yet been published show the following label on the EDD Rules page:
Unpublished
After a rule is published, it can't be unpublished. If you want to stop using the rule, delete it, or remove it from each Endpoint Data Discovery policy configuration where it's being used.
To publish a rule and make it available for EDD scans:
- On the navigation bar, click Policies > EDD Rules.
- After searching for the rule, click its name, or hover over its row and click . The rule opens.
- Click .
  If the button is grayed out, the rule contains errors and it can't be published. To publish your rule, you first need to review expression requirements and limitations and then edit the expressions that do not comply.
To apply your new published rule to an EDD scan, update the applicable EDD policy's configuration in each policy group.
To view more information about an existing rule, click anywhere on its row background. The rule overview opens to the right of the work area.
The following information about the rule is shown:
- Rule name
- Description (if provided)
- Status (Published or Unpublished)
- Date and time of the most recent rule update
- User that last updated the rule
- Associated policy groups: the name of each policy group where the rule is being used in the Endpoint Data Discovery policy
- Options: indication of whether the Include in GDPR Summary report option was selected in the rule configuration
If your user role is granted the Manage permission for Endpoint Data Discovery, you can click Edit to update the rule configurations.
To close the rule overview dialog, click .
To edit the name of a rule:
- On the navigation bar, click Policies > EDD Rules.
- After searching for the rule, click its name, or hover over its row and click . The rule opens.
- Edit the rule's name, description, and Include in GDPR Summary report option, as required.
- Add, edit, or remove expression sets and expressions, as required.
- If you edited any expression sets or expressions, test your rule to ensure it produces the desired results.
- When you're done, do one of the following:
  - If the rule is unpublished, click . to save your changes and make the rule available for selection in Endpoint Data Discovery policy configurations.
  - To save your changes, click .
You can delete any rule that is not associated with an active Endpoint Data Discovery policy.
When you delete a rule that was previously activated on your devices, all historical EDD information associated with the rule is also deleted.
To delete a rule:
- On the navigation bar, click Policies > EDD Rules.
- After searching for the rule, hover over its row and click .
  If the icon is grayed out, the rule is currently in use by the Endpoint Data Discovery policy in one or more policy groups and the rule can't be deleted. To view the policy groups, hover over the icon or the icon. You can also view the rule's associated policy group in the rule overview area. To delete the rule, first remove the rule from each policy group's Endpoint Data Discovery policy.
- In the Delete EDD Rule dialog, click Delete.
The rule is deleted.




