Content Sharing Rules: What Contents Trigger the Rules (Windows)?

Updated this week

Content Sharing rules are used to detect content or text inside an object. The object can be a file, an email, an instant messaging conversation, data in the clipboard, or even any text displayed on the screen. You can use these powerful rules to prevent data exfiltration attempts: for example, block the transfer of a file when it contains credit card numbers, or warn a user when they attempt to send an email containing sensitive keywords.

You can specify the detection criteria for the Content Sharing rules in two places:

  • On the Content tab: This tab allows you to define what makes the content sensitive and specify the data values to look for. This tab is automatically added when you select the Content Sharing rule type (in the General Settings tab).

  • On the Select the type of contents tabs: For example, if you selected Clipboard and Emails from the Select the type of contents section (in the General Settings tab), you will have two tabs called “Clipboard” and “Emails” where you can add the rule conditions and values.

The basic premise of a Content Sharing rule is this:

  1. Describe the data in the Content tab.

  2. Then, specify where to look for that data in the Select the type of contents tab.

The only exception to this is the Emails rule, where you can also detect content via the Subject criterion. In any case, you need to use both of them for creating a Content Sharing rule.

Teramind Agent will allow a maximum of 1 second to scan a file for content. If it cannot scan the file within that time (e.g., file too large, slow disk, etc.), it will discard that file. This may prevent content from being detected for larger files.

Note that Content-Sharing rules don't support the .xls and .doc files. However, .xlsx and .docx files are supported.

Teramind supports integration with Microsoft Purview Information Protection, allowing you to classify content such as email, files, etc. in Purview and then detect the labels inside Teramind Content Sharing rules.

For more information, please check out the How to integrate with Microsoft Purview Information Protection/MIP article in the Knowledge Base.

Content (Windows & Mac)

The Content tab allows you to define what makes the content sensitive and specify the values to look for. You need to select at least one type of content from the Select the type of contents section, such as: Clipboard, Emails, Files, etc., to be able to use the Content tab.

On Mac, only the Data Content under Type of sensitive data and the Text option under Sensitive data are supported.

Type of Sensitive Data

You can select from different Type of sensitive data definitions depending on what type of content (e.g., Clipboard, Emails, Files, etc.) you have selected (from the Select the type of contents section in the General Settings tab).

For example, if you have selected the Files content type, then you will see the “File Origin” and “File Properties” in the list.

Advanced Logics

When you add multiple definitions, you can set the logic for matching those definitions. See the Content Logic section to learn more.

The following sections describe what criteria each sensitive data type supports and what conditions you can use with them.

Data Content

Data Content is a generic criterion that can be used to look for any text or binary data. For example, by using it with the Clipboard, you can detect anything copied to the clipboard.

You can select either Text, Binary, or Both under the Sensitive data to detect section.

You can enter some text in the field at the bottom and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expression type) and specify a “matches list”, or “equals list” condition.

The Data Content criterion can be used if you have selected a content type (e.g., Files, Emails, etc.) from the Select the type of contents section in the General Settings tab.

Clipboard Origin

Clipboard Origin detects data copied to the clipboard from a specific webpage or application. By using it, you can, for example, build a rule that prevents copying and pasting of customer data from your CRM site.

You can select Webpage URL or Application as the source of the clipboard copy operation.

You can then enter some text in the field at the bottom and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expression type) and specify a “matches list” or “equals list” condition.

The Clipboard Origin criterion can only be used if you have selected the Clipboard content type from the Select the type of contents section in the General Settings tab.

File Origin

File Origin detects file sharing based on its origin or source. It supports local, Cloud, and web sharing. By using it, you can, for example, build a rule that prevents the sharing of files to Cloud drives.

You can select from several sharing options under the Sensitive data to detect section:

Network:

Use this option if you want to detect network shares. In the bottom field, you can specify a network address and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expression type) and specify a “matches list” or “equals list” condition.

Cloud:

Use this option to detect sharing over Cloud services. You can choose from supported Cloud providers such as “Dropbox”, “Google Drive”, etc.

You can optionally specify a File path and choose from “contains”, “equals”, or “matches regex” conditions.

When you select a Cloud provider, it will detect content from the Cloud app (not the web version of the Cloud service).

URL:

Use this option to detect content sharing over any website URLs. In the bottom field, you can specify a URL address and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List (Text or Regular Expression type) and specify a “matches list” or “equals list” condition.

The File Origin criterion can only be used if you have selected the Files content type from the Select the type of contents section in the General Settings tab.

File Properties

File Properties detects files based on their properties (also known as 'labels', 'meta-tags', or 'fields'). By using it, you can, for example, build a rule that prevents the sharing of any documents outside your company that have a Tags property containing the string value of “internal only”. You can create such tags/fields/properties from an application (such as Microsoft Word) or the Windows Explorer.

You can select Any, Integer, String, or Date for the Field type.

Then, enter the name of the field/property in Field name.

If you select the String field type, you can enter any text in the Specify value field and choose from “contains”, “equals”, or “matches regex” conditions. Or, you can choose a Shared List and use the “matches list” or “equals list” condition.

If you choose an Integer field type, you can choose from one of the “=”, “>”, and “<” logic in the Specify value field.

If you choose a Date field type, you can choose from “equals”, “greater than”, or “less than” logic in the Specify value field.

The File Properties criterion can only be used if you have selected the Files content type from the Select the type of contents section in the General Settings tab.

Predefined Classified Data

Predefined Classified Data detects content based on predefined data categories.

From the Sensitive data category, you can choose from: Financial Data, Health Data, Personally Identifiable Information, Code Snippet, etc.

The Sensitive data to detect list will show different options depending on what you choose in the Sensitive data category field. For example, if you choose Financial Data in the previous field, you can choose from “Credit Card Number”, “SWIFT Code”, etc. Similarly, if you choose the Health Data, you can choose from “Disease Name”, “DNA Profile”, etc.

If you choose the Financial Data, you will see an additional option: Detection Mode. This option will let you select the sensitivity of the algorithm to detect credit card numbers. For more information, see the notes under Adjust the Sensitivity of Credit Card Detection below.

Finally, you can specify how often a data pattern can appear in the content before the rule is triggered in the Pattern frequency trigger field.

Check out the Appendix section for a list of all the predefined classified data.

Adjusting the Sensitivity of Credit Card Detection

You can detect credit card numbers using the built-in Predefined Classified Data. However, because of the way the algorithm works, it might incorrectly detect specially formatted strings as credit card numbers. For example, it might detect this URL string, “4.574%201.252.695%202”, as a credit card number (e.g., “4574201252695202”).

To avoid such false positives, if you select Financial Data from the Sensitive data category list, an additional list called Detection mode will appear. This list will help you adjust the sensitivity of the detection algorithm. The list lets you choose from three detection modes:

Loose

This is how the algorithm works currently and is the default mode. In this mode, Teramind will detect credit card numbers in text sequences, even if the number is broken up by other characters.

For example:

4* 4*4*4-44&4% %4-44%44- 4&444
ABcdef44*444*444 444_444&44Xyz
abcdef4%4*4%4#4*4!!4##4_ 4#44_4%4%4&44Xyz

Medium

In this mode, Teramind will check sequences with the same delimiter/separator character. Any spaces will be ignored, and several consecutive delimiters will be included in the detection.

For example:

4%444%%44%44%4444%44%44
ABcdef4 %%4444%444%4444%%444%4Xyz
abcdef4_4444_44_44_4_4_4_4444Xyz

Strict

Only standalone credit card expressions will be included. Delimiters must be the same within each expression, and only one of the NONE/SPACES/HYPHENS delimiters will be allowed. Several consecutive delimiters will not be allowed.

For example:

4444444444444444
44-44-4444-444-4-44-44
44 44 4444 444 4 44 44
ABcde 4444444444444444 Xyz
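
The sketch below is an added example, not Teramind's code: it approximates the three detection modes described above so you can check which mode would flag a given string before choosing one for a rule. The 13 to 19 digit length range, the treatment of letters as sequence boundaries, and the function names are assumptions made for illustration; the sample strings are the ones shown in this article.

```python
import re

# Assumption: a candidate card number has 13 to 19 digits.
MIN_LEN, MAX_LEN = 13, 19

# Digits joined by any non-alphanumeric characters; a letter ends the run.
_RUN = re.compile(r"[0-9](?:[^0-9A-Za-z\r\n]*[0-9])*")

# Standalone token: digits joined by nothing, or by single spaces, or by
# single hyphens (same delimiter throughout), bounded by whitespace/edges.
_STRICT = re.compile(r"(?<!\S)[0-9]+(?:([ -])[0-9]+(?:\1[0-9]+)*)?(?!\S)")


def _digits(s):
    """Keep only the ASCII digits of a candidate sequence."""
    return re.sub(r"[^0-9]", "", s)


def detect(text, mode):
    """Return digit strings flagged in text under 'loose', 'medium' or 'strict'."""
    if mode == "strict":
        runs = [m.group(0) for m in _STRICT.finditer(text)]
    elif mode in ("loose", "medium"):
        runs = [m.group(0) for m in _RUN.finditer(text)]
        if mode == "medium":
            # Spaces are ignored; at most one distinct delimiter character
            # may remain, and it may repeat consecutively.
            runs = [r for r in runs if len(set(r) - set("0123456789 ")) <= 1]
    else:
        raise ValueError("unknown mode: " + mode)
    return [_digits(r) for r in runs if MIN_LEN <= len(_digits(r)) <= MAX_LEN]


def flagged_modes(text):
    """List the modes under which text would be flagged."""
    return [m for m in ("loose", "medium", "strict") if detect(text, m)]


# Strings taken from this article.
SAMPLES = [
    "4.574%201.252.695%202",              # URL false positive
    "4* 4*4*4-44&4% %4-44%44- 4&444",     # Loose example
    "abcdef4_4444_44_44_4_4_4_4444Xyz",   # Medium example
    "ABcde 4444444444444444 Xyz",         # Strict example
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {flagged_modes(sample)}")
```

Under this approximation the URL string is flagged only in Loose mode, because its digits are separated by two different characters ('.' and '%').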

Clipboard

Clipboard Content Sharing rules may not work properly if you have other software installed that also tracks clipboard operations.

The Clipboard Content Sharing rules detect content copied to/pasted from the clipboard by any applications or websites.

Clipboard Rule Examples

  • Prevent the sharing of customer data outside of your CRM site.

  • Warn users when they copy social security numbers from an Excel spreadsheet and paste them into an email.

  • Prevent data marked as sensitive in the Predefined Classified Data list from being pasted into an image application, so that the user cannot later upload the image to bypass your document upload rules.

Clipboard Rule Criteria

The table below shows what criteria the Clipboard Content Sharing rules support and what conditions you can use with them.

Capture Any Events

This criterion lets you detect clipboard text in any applications or websites.

If you use this option without any other criteria, Teramind will trigger the rule anytime a clipboard paste operation is performed in any applications or websites where the content is detected (specified in the Content tab).

Application Name

Use this criterion to specify in which application(s) the clipboard action should be detected.

You can choose from “contains”, “equals”, or “matches regex” with any text as conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify an “equals list” or “matches list” condition.

Similarly, you can exclude any applications you do not want to track in the Except field.

The Application Name and the Webpage URL criteria cannot be used together in the same condition block. However, you can use them in separate condition blocks (you can click the New Condition button to add a condition block).

Webpage URL

Use this criterion to specify the webpage URLs (website addresses) in which the clipboard action will be detected.

You can choose from “contains”, “equals”, or “matches regex” with any text as conditions. Or, you can select a Shared List (Text or Regular Expressions type) and specify an “equals list” or “matches list” condition.

Similarly, you can exclude any webpage URLs you do not want to track in the Except field.

The Webpage URL and the Application Name criteria cannot be used together in the same condition block. However, you can use them in separate condition blocks (you can click the New Condition button to add a condition block).

Files (Windows & Mac)

Note that Content Sharing rules don't support the .xls and .doc files. However, .xlsx and .docx files are supported. You can select which files the Files Content Sharing rule will scan for content from the Files monitoring settings (under the File types section).

Files Content Sharing rules help you detect content inside files.

Most of the criteria in the Files Content Sharing rules work in the same way as they do in the Files Activity rules. However, there are certain file operations that you cannot use in Content Sharing rules. See the Files Rule Criteria section below to learn more.

Files Rule Examples

  • Prevent sharing of files that contain sensitive information, such as: Credit Card Numbers, Social Security Numbers, Health Records, or your own custom data type.

  • Prevent the sharing of a file based on certain properties, such as when a document contains a “confidential” watermark.

  • Create rules based on file origin. For example, stop all network sharing from certain applications.

The above list shows some examples of the Files Content Sharing rules. For other examples of the Files rules, check out the Files Activity rule examples.

Files Rule Criteria

The table below shows what criteria the Files Content Sharing rules support and what conditions you can use with them.

File Operation

The first criterion you must select when creating a Files rule is the File Operation criterion. You can select from a list of operations such as Access, Access Folder, Copy, Create Folder, Delete, Rename, Write, Upload, etc.

The conditions you specify in this criterion will determine which other criteria are available to you. Teramind will automatically show or hide criteria based on your selection.

For example, if you select the Access or the Delete operation, you will only see the Program, Drive, and File Path criteria. Some file operations may have additional detection criteria. For example, the Upload operation lets you specify the Upload URL.

If you choose the “Any” file operation without any other criteria, Teramind will trigger the rule for any file operation where the content is detected (specified in the Content tab).

There are certain file operations that you cannot use in the Content Sharing rules. For example, neither the Download operation nor any of the folder operations are supported.

Network Host

This criterion is used for network-based file operations. It detects the hostname of the file operation. For example: "http://sharepoint.com", "ftp://filevault.net", etc.

You can choose from “contains” or “equals” conditions. Or, you can select a Shared List (Network type) and specify a “matches list” condition.

Similarly, you can exclude any hosts you do not want to track in the Except field.

This criterion is not supported in the Delete and Upload operations.

Drive

This criterion can be used to detect the location of the file operation, such as local, network, or external drives.

You can enter a drive name (e.g., “C”) and select that particular drive or choose from “All drives” or “All external drives” conditions.

You can exclude any drive you do not want to track in the Except field.

File Path

This criterion can be used to detect a file path. For example: “\windows\system32\”.

You can only choose the “Starts with” condition for any path you enter.

You can exclude any path(s) you do not want to track in the Except field.

The path is treated as relative if the root is defined; otherwise, it's treated as absolute.

Cloud Provider

This criterion can be used to detect the cloud provider(s).

You can choose from “Any”, “Dropbox”, “Google Drive”, “OneDrive”, “Box”, etc.

Similarly, you can exclude any providers you do not want to track in the Except field.

This criterion is only supported in the Any, Copy, and Write operations.

RDP File Transfer

This criterion detects if the file copy operation is done over an RDP (Remote Desktop Protocol) session. This happens when you connect to a remote computer and copy files to/from it.

Select either Yes or No under the RDP transfer section to define if RDP transfers will be detected.

This criterion is only supported in the Copy operation.

Upload URL

Use this criterion to specify the URLs for upload destinations.

You can choose from “contains”, “equals”, or “matches regex” conditions. Or, you can select a Shared List and specify a “matches list” or “equals list” condition.

Similarly, you can exclude any URLs you do not want to track in the Except field.

This criterion is only available with the Upload operation.

Emails

Emails Content Sharing rules let you detect content sharing over outgoing and incoming emails, draft emails*, and email attachments.

Most of the criteria in the Emails Content Sharing rules work in the same way as they do in the Emails Activity rules. However, the Mail Body criterion is not supported, and the Mail Direction criterion only supports the outgoing emails.

*Rules for a draft email are triggered when the draft is saved. For example, if you create a rule to prevent sharing sensitive attachments, the rule will be triggered as soon as the attachment is added to the draft email and the email is autosaved by the email client.

Emails Rule Examples

  • Detect sensitive information like Credit Card Numbers, Social Security Numbers, Health Records, or your own custom data types inside attachments and act based on what's detected.

  • Detect if an internal memo is shared outside the company.

  • For example, warn the user when sending out an email that contains a document containing contacts to prevent data exfiltration or comply with privacy laws.

The above list shows some examples of the Emails Content Sharing rules. For other examples of the Emails rules, check out the Emails Activity rule examples.

Emails Rule Criteria

The table below shows what criteria the Emails Content Sharing rules support and what conditions you can use with them.

Capture Any Events

This criterion can be used to detect if any email is sent or received.

If you use this option without any other criteria, Teramind will trigger the rule anytime an email is sent or received, and the content is detected (specified in the Content tab).

Mail Subject

This criterion can be used for detecting text inside the mail subject.

You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.

Similarly, you can exclude any text/list you do not want to track in the Except field.

Mail CC

This criterion detects the CC addresses in an email.

You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.

Similarly, you can exclude any text/list you do not want to track in the Except field.

Mail To

This criterion is similar to the Mail CC criterion, but used to detect the Mail To addresses instead.

Mail From

This criterion is similar to Mail CC and Mail To criteria, but used to detect the Mail From addresses instead.

Mail Direction

Email Content Sharing rules only support the “Outgoing” option for the Mail Direction criterion.

This criterion lets you detect outgoing emails.

Mail Client

Use this criterion to specify the mail client(s) you want to detect.

You can choose from “Gmail”, “Live”, “Outlook”, etc. Teramind keeps adding support for new clients, so you might see more clients in the future.

Similarly, you can exclude any client(s) you do not want to track in the Except field.

Has Attachments

This criterion can be used to detect if the mail has any attachments.

Select either the Yes or No option under the Has attachments section to define if emails with attachments will be detected.

Mail Size

This criterion can be used to detect the size (in bytes) of the mail.

You can enter a byte value in the condition field and use the “=”, “>”, “<”, and “>=” logic.

You can use the Except field to specify an exception or use it to define a range. For example, you can specify ">=2048" in the Mail Size field and "<=5120" in the Except field to detect emails between 2 MB and 5 MB in size.

Instant Messaging

Instant Messaging Content Sharing rules let you detect content sharing over instant messaging conversations and group chats for popular IMs such as Skype, Slack, etc. You can detect both incoming and outgoing messages, detect the participants, and search in the message body for keywords or text.

Instant Messaging Rule Examples

  • Improve productivity and data security. For example, detect if customer service agents are not responding to complaints or queries coming through your Instant Messaging channels.

  • Create rules that warn the HR about angry exchanges, harassment, or other toxic sentiments in chat conversations.

  • Detect if a user is targeted for phishing or social engineering online.

The above list shows some examples of the Instant Messaging Content Sharing rules. For other examples of the Instant Messaging rules, check out the Instant Messaging Activity rule examples.

Instant Messaging Rule Criteria

The table below shows what criteria the Instant Messaging Content Sharing rules support and what conditions you can use with them.

Capture Any Events

This criterion lets you detect if any IM is sent or received.

If you use this option without any other criteria, Teramind will trigger the rule anytime an instant message is sent or received where the content is detected (specified in the Content tab).

Message Direction

Instant Messaging Content Sharing rules only support the “Outgoing” option for the Message Direction criterion.

This criterion lets you detect outgoing messages.

Messaging App

Use this criterion to specify the messaging app(s) you want to detect.

You can choose from “Facebook”, “Google Chat”, “LinkedIn”, etc. Teramind keeps adding support for new apps, so you might see more apps in the future.

Similarly, you can exclude any app(s) you do not want to track in the Except field.

Messaging Contact

This criterion can be used to detect the contacts/participants of an instant messaging conversation.

You can choose from “contains”, “equals”, or “matches regex” with any text. Or, you can select a Shared List (Text or Regular Expressions type) and specify a “matches list” or “equals list” condition.

Similarly, you can exclude any text/list you do not want to track in the Except field.
