Teramind’s Rules Engine has some advanced features that let you create sophisticated insider threat detection, data loss prevention, and productivity-related rules. In this article, we will discuss how you can leverage some of these advanced features. For more information about policies and rules, check out the Teramind Rules Guide.

Using Rule Logic to Bind Multiple Activities/Content Types, Criteria and Conditions in a Rule

Rule logic binds two or more Condition Blocks, Condition Fields, Criteria or Content Definitions together.

Condition Logic

Rule conditions can either have an “OR” logic or an “AND” logic.

1. Each value in a rule condition is considered as an “OR” logic. In the above example, the rule will trigger in Condition 1 if the “Application caption' matches with value “Excel” or the value “Notepad'.

2. Each rule criterion is considered as an “AND” logic. In the above example, the rule will trigger if in Condition 1, the criterion “Application caption” matches 'Excel' and the criterion “Application name” matches 'excel.exe'.

3. If you have multiple condition blocks, each new condition block is considered as an “OR” logic. In the above example, if either Condition 1 or Condition 2 meets the criterion, the rule will be triggered.

4. If you use multiple rule types (e.g., Applications, Files, etc.), then each rule type is considered an OR condition. Each rule type is evaluated independently. Meaning the rule will trigger if any of the rule types’ conditions are met. You can see how the rule type condition logic relates to each other in the Rule Summary section.

Content Logic

When creating a Content Sharing rule and you have multiple content definitions, you can use logic to bind the definitions together. You can do so under the Advanced logics section of the Content tab.

Click on the logic between two conditions, and a pop-up menu will appear where you can select a logic out of four options:

You can see how the content definition logic relates to each other in the Rule Summary section.

The table below explains each type of logic and how they are evaluated:

Logic	Evaluates true if:	Example
AND	BOTH definitions are met.	In the above example, we are using the tags field from the File Properties in Definition 1 and the title field in Definition 2. The logic will return true if file tags equal the text “CONFIDENTIAL” and the title contains “PRIVATE”. As a result, the rule will detect files that are both confidential and private.
OR	EITHER of the definitions is met.	Using the above example, the logic will return true if file tags equal the text “CONFIDENTIAL” or the title contains the text “PRIVATE”. As a result, the rule will detect files that are either confidential or private.
AND NOT	The first definition is met AND the second definition is NOT met.	Using the above example, the logic will return true if file tags equal the text “CONFIDENTIAL” and the title does not contain the text “PRIVATE”. As a result, the rule will detect files that are both confidential and not private.
OR NOT	The first definition is met OR the second definition is NOT met.	Using the above example, the logic will return true if file tags equal the text “CONFIDENTIAL” or the title does not contain the text “PRIVATE”. As a result, the rule will detect all files except the private ones.

Using the Shared Lists in a Rule

Shared Lists allow you to build a list of items that can be shared across rules and configuration settings.

You can create/import and manage Shared Lists from the Configurations > Shared Lists screen. You can build lists of text/keywords, regular expressions, and network addresses/IP addresses.

Shared Lists allow you to detect a large amount of data without having to enter them every time you create a rule. For example, to block access to inappropriate websites, you can create a text-based Shared List containing those sites. They also make it easy to update the rule detection criteria without editing the rules.

Note that, not all rule conditions support the Shared Lists. For the rule conditions that support it, you can select either the matches list or equals list option and then select a Shared List from the list of available Shared Lists. The matches list option will detect any partially matched items while the equals list will detect only exactly matched items.

Using Regular Expressions in a Rule

A regular expression (also known as regex or regexp) allows you to detect text using a pattern. It’s a powerful tool that allows you to define complex definitions to find sensitive information such as credit card numbers, invoice numbers, social security numbers, and other texts that follow a pattern or expression. Explaining the full scope of the regular expression is beyond this article. However, there are many online resources you can use to learn about regular expressions. Here, we will show you some quick tips and examples so that you can begin to learn and experiment with them.

Teramind supports regex in rule conditions, configuration settings such as monitoring settings, OCR searches, etc. You can also create a list of regular expressions through the Shared Lists.

In all the places where the regular expressions can be used (e.g., monitoring settings, shared lists, rules), Teramind supports the standard С++ regex based on the ECMA-262v3 standard. ECMAScript's regular expression grammar does not include the use of modifiers in the form of the (?) syntax, so, by extension, neither does C++ or Teramind.

However, for the OCR rules and OCR report, Teramind supports the Elasticsearch (which uses Apache Lucene) regular expression syntax. More information can be found about it in Elastic documentation.

Poorly constructed regular expressions or too much use of them can have performance impact. For example, a regex based on the * (asterisk) and the + (plus sign) is usually slower.

You can use regular expressions in a rule in two ways:

Directly type the regular expression in the rule condition field and then select matches regex option from the drop-down list.
Select Matches list condition and select a Shared List which contains a list of regular expressions.

Regex Cheat Sheet

The following table lists some of the most commonly used regular expressions including syntax, symbols, range modifiers, special characters, etc.:

`.`	Will match a single character. For example, `.at` will match “cat”, “bat”, ”fat”, etc.
`[]`	Will match with any character in the brackets. For example, `[abc]` will match either “a”, “b”, or “c”.
`[^]`	Is the opposite of `[]`. So, `[^abc]` will find any character which is NOT “a”, “b”, or “c”.
`-`	Means a range. So, `[a-z]` will match any character in the alphabet. Similarly, `[0-9]` will find any digit.
`()`	Used to group strings/words together.
`\|`	Will match any of the words/characters in the brackets. Basically, it’s a ‘or’ statement. For example, `(john\|rick\|mark)` will find any of the three names listed.
`\`	You cannot search for special characters in a regex directly such as the `-+\/#.` characters. You will need to use `\` before using such a character. For example, use `\.` to find an actual dot/full-stop character. Basically, `\` is used to ‘escape’ the character following it.
`\d \w \s`	`\d` matches any digit, `\w` matches any digit or alphabet, `\s` is used for space. The uppercase version of these does the opposite. For example, `\D` will match anything which is NOT a digit.
*``**	Matches the preceding character/word zero or more times. For example, `abc` will match “ac”, “abc”, “abbbc”. You can use brackets with this modifier too. For example, `[abc]`, `(abc)*`, etc.
`{min,<max>}`	Matches the preceding character/word for at least the min time. For example, `a{4}` will find “aaaaa”, “aaaacbdd” but not “aaa”. You can also optionally use the <max> parameter to give it a range. For example, `a{2,4}` will match 'aa', 'aaa', or 'aaaa' but will not match “a” or “aaaaa”.
`?`	Similar to using `{0,1}`. It will match 1 time or none – making it optional. For example, `a?` will find an “a” or an empty string (“”).
`+`	One or more of the characters or expressions to the left. For example, `ab+c` will find "abc", "abbc", "abbbc", and so on, but not "ac".
`^` and `$`	`^` will find a match at the beginning while `$` will find a match at the end. For example, `^abc` will only match strings that start with the string “abc” while `abc$` will only match a string that ends with “abc”.

Regex Examples

Example 1: Matching from a List of Words

Regex	`.will be hearing from my (attorney\|lawyer\|counsel).`
Result	This regex will detect any sentence that contains one of the following phrases: will be hearing from my attorney will be hearing from my lawyer will be hearing from my counsel
Explanation	`.*` means, it will match any character (except for line terminators), any number of times. Having these two characters at the beginning and end means the system will look for the match inside a complete sentence/line. `will be hearing from my` is the fixed part of the text. It can be anything you want. `(attorney\|lawyer\|counsel)` will check to see if there is a match with any of the 3 options in the brackets.

Example 2: Finding Invoice/PO Numbers or Other Patterns

Regex	`INV[#\|\-\|\s]{0,1}[0-9]{6}[\-\|\s]{0,1}[0-9]{3}`
Result	This regex will detect invoice numbers such as: INV 123456 123 INV-123456-123 INV#123456123 INV123456123
Explanation	`INV` is the fixed part of the pattern. You can put any text here, e.g., PO, ID, etc. `[#\|\-\|\s]{0,1}` will match the pound sign, hyphen, and space (`\s`). `{0,1}` means these characters can appear once or never. `[0-9]{6}` will look for a six digit number. `[\-\|\s]{0,1}` will match the hyphen or space symbol for once or none. `[0-9]{3}` means, any 3-digit number.

Example 3: Detecting a Range of IP Addresses

Regex	`192\.168\.\d{1,3}\.\d{1,3}`
Result	This regex will detect any IP (IPv4) addresses within the range of 192.168.0.0 to 192.168.255.255. Note that, while this regex is good for simple purposes, it matches invalid IP addresses too. For example, 192.168.300.999. If you need to detect IP addresses more accurately with proper boundary checks, special ranges, etc., then you will have to use a more complex regex such as: `((25[0-5]\|(2[0-4]\|1[0-9]\|[1-9]\|)[0-9])(\.(?!$)\|$)){4}`.
Explanation	`\d{1,3}` will search for any 3 digit numbers since IP addresses consist of four sets of 3 digit numbers.

Example 4: Finding Different Spellings/Variations of a Word

Regex	`[pP][aA@][sS5$][sS5$]w[oO0]{0,1}[rR][dD]`
Result	This regex will detect the word “password” and variations of its spelling that spammers usually use for obfuscations. For example: p@ssword pa55word pa$$word Passw0rd passwrd
Explanation	The characters in the brackets mean either of them can match. So, `[pP]` will detect both an uppercase “P” or a lowercase “p”. `[aA@]` will match uppercase “A”, lowercase “a” and the at “@” symbol. `[oO0]{0,1}` means, the 6th character can be an uppercase “O”, a lowercase “o”, or a zero. The `0` in the `{0,1}` means it can be omitted too. This allows us to detect spellings like “passwrd”.

Example 5: Detecting an Email Address

Regex	`[\w\.\-]{0,25}@(yahoo\|hotmail\|gmail)\.[\w]{0,3}`
Result	This regex will detect email addresses from three different vendors and any domain. For example: [email protected] [email protected] [email protected] [email protected]
Explanation	`[\w\.\-]{1,25}` means, any character, digit or underscore (`\w`), dot (`\.`), or hyphen (`\-`) can be in the first part of the email address. `{1,25}` means, this is limited to minimum one character and up to 25 characters. `(yahoo\|hotmail\|gmail)` means, find from any of the 3 email types specified in the brackets. `[\w]{0,3}` means, the domain can be 0 to 3 characters long consisting of any characters or digits.

Using the Advanced Mode Actions/Risk Thresholds

In the Advanced mode on a rule's Action tab, you can set up risk thresholds and severity levels for a rule. This allows you to add multiple thresholds, assign different risk levels, and trigger various actions based on how often a rule is violated.

For example, you could create a Files rule that:

Sets a Low-risk severity and triggers a Warn action if a user uploads more than 5 files in a day.
Escalates to a High-risk severity and triggers both Block and Notify actions if the user uploads more than 50 files in a day.

The risk levels you define in this mode are used to calculate the overall risk score, which is reflected in places like the Risk column on the Behavior Alerts dashboard.

1. From the Choose time period for threshold list, select the desired time period for your thresholds (e.g., Hourly, Daily, Monthly).

2. In the Choose maximum numbers of saved alerts per day field, enter the maximum number of alerts that can be triggered for this rule in a single day. If the number of alerts exceeds this limit, Teramind will not save any further alerts, and they will not appear on the Behavior Alerts dashboard. Leaving the field empty means there is no daily limit. Setting it to 0 will prevent any alerts from being generated for the rule, though the rule will still trigger. Note that you can also set a global daily maximum for alerts in the Settings > Alerts screen.

3. Click the New Threshold button to add a new threshold. For each threshold you add, you can set the following:

a. Enter a number in the Frequency field to define how many times the rule can be violated before an action is triggered.

b. Select a risk severity from the Severity drop-down list. Your options are None, Low, Moderate, High, or Critical.

c. Click the Add button to add one or more actions.

Configurations > Shared Lists

Configurations > Behavior Policies

Understanding Common Rule Elements

Activity Rules: What Activities Can You Detect (Windows & Mac)?

Content Sharing Rules: What Contents Trigger the Rules (Windows)?

How to use advanced rules techniques: multiple conditions, shared lists, regex, risk thresholds