Creating rules

A rule is a combination of conditions that you define and an action to perform when the conditions are met. Rules are evaluated every hour on all files that have been hashed by Tanium™ Index. When all of the conditions of a rule are matched, an action is triggered. For example, you can label files that contain matches to social security number patterns as confidential. You can apply multiple rules to target the same files so you can discover many types of sensitive information in the same file set.

Depending on the role and permissions you have been assigned, you can view rules or create and edit rules. For more information, see User role requirements. For example, if you have write permissions for rules, you can edit the content of rules. Conversely, if you do not have write permissions for rules, you can view the rule information but cannot edit it or save changes. Regardless of permissions, you cannot edit or save rules that are designated as Tanium Managed.

Criteria for rule evaluation

For rules to evaluate on a file, the file must match the following criteria:

  • The file must be hashed by Tanium Index using hash type MIME.
  • The file must be in a format that Tanium Reveal can read.
  • Binary files must be less than 32 MB. To increase the default size limit, create and deploy a custom profile to update the Maximum Size Non-Streamable File Formats setting. Note that text files do not have a size limit. For more information, see Creating profiles.
  • The file must not be filtered by the Reveal Parse Exclusions by Regular Expression or Reveal Parse Exclusions by File Path settings, which you can configure using a profile. For more information, see Creating profiles.

Rule conditions

Rule conditions are criteria that determine if a file matches the rule. The following are the types of conditions that you can apply to a rule:

Filter

Use filters to limit the rule to files that match. Filters include file type, file location, file modification date, and file size. If you do not specify any filters, the rule applies to all eligible files on the endpoints from the computer groups specified in the rule set.

Pattern

Use patterns to find sensitive data in files that match the filters. Patterns include credit cards, social security numbers, email addresses, passwords, and phone numbers.

Pattern proximity group

Use pattern proximity groups to find combinations of patterns that are in close proximity to each other within a file.

Patterns in a pattern proximity group are joined with an AND operator.

Create a rule

  1. From the Reveal menu, click Rules. Click Create Rule.
  2. Enter a name and description for the rule.
  3. Select one or more rule sets to contain the rule. Click Add Rule Sets and select the rule sets you want to associate with the rule. Click Assign.
  4. [Optional] Add filters to limit the files to target. Under Rule Filters, click Add Filter and select the criteria that you want the rule to cover. Repeat to add another filter. For a list of file types, see Reference: Supported file types for rule evaluation.
  5. Under Rule Patterns, add one or more rule patterns. Rules must contain at least one condition.
    • To match a pattern, click Add Pattern and select the pattern to match. Enter the minimum number of matches to the pattern that must occur for the rule to match. Repeat to add another pattern.
    • To add a proximal pattern match, click Add Pattern Proximity Group. A rule can contain one pattern proximity group.
      1. For Proximity, select the maximum number of characters that the patterns can be from each other.
      2. In the pattern proximity group, click Add Pattern and select a pattern to include in the match. Repeat to add a second pattern. A pattern proximity group must contain at least two patterns. Patterns are joined with an AND operator.

      Each instance that matches the pattern proximity group results in a rule match. For example, you can create a pattern proximity group that searches for email addresses and password text that appear within 100 characters of each other. If there are four email addresses that appear within 100 characters of the word "password", Reveal creates five rule matches: four for the email addresses and one for the word "password".

  6. Under Rule Actions, click Add to select the action to perform when all the conditions match. To add a label to files that match the conditions of the rule, select Tag the affected files, and select one or more labels.
  7. Click Save.
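As an added illustration (not Tanium's implementation), the following Python model reproduces the rule semantics described above: filters gate which files are evaluated, every pattern condition must reach its configured minimum number of matches, and a pattern proximity group counts each participating instance as a rule match, so four email addresses near the word "password" yield five matches. The file contents, the regexes, the filter simplification (type and size only) and the distance measure (gap between the nearest edges of two matches) are constructed assumptions.

```python
import re

# Constructed sample files (not real data); the key is the file path, the value its text.
FILES = {
    "/home/alice/contacts.txt": (
        "Contact list: a@example.com, b@example.com, c@example.com, d@example.com. "
        "Shared password: hunter2"
    ),
    "/home/alice/notes.txt": "a@example.com appears here. " + "x" * 150 + " The password is elsewhere.",
    "/opt/app/blob.bin": "a@example.com password",
}

# Two of the pattern kinds named on the page, as simple regexes (illustrative only).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"),
    "password": re.compile(r"\bpassword\b", re.IGNORECASE),
}

def passes_filters(path, text, suffix=".txt", max_bytes=32 * 1024 * 1024):
    """Filter condition: file type (by suffix) and size; an assumed simplification."""
    return path.endswith(suffix) and len(text.encode()) < max_bytes

def pattern_hits(text, name):
    return [(name, m.start(), m.end()) for m in PATTERNS[name].finditer(text)]

def proximity_group_hits(text, names, proximity):
    """Every hit lying within `proximity` characters (gap between nearest edges,
    an assumed distance measure) of a hit from a different pattern in the group."""
    hits = [h for n in names for h in pattern_hits(text, n)]
    keep = set()
    for a in hits:
        for b in hits:
            if a[0] != b[0] and max(a[1], b[1]) - min(a[2], b[2]) <= proximity:
                keep.add(a)
    return sorted(keep, key=lambda h: h[1])

def evaluate_rule(path, text, patterns=None, proximity_group=None):
    """All conditions must hold (AND). Returns (rule_matched, number_of_rule_matches)."""
    if not passes_filters(path, text):
        return False, 0
    count = 0
    for name, minimum in (patterns or {}).items():
        hits = pattern_hits(text, name)
        if len(hits) < minimum:          # below the configured minimum: rule does not match
            return False, 0
        count += len(hits)
    if proximity_group:
        hits = proximity_group_hits(text, *proximity_group)
        if not hits:
            return False, 0
        count += len(hits)               # each participating instance is one rule match
    return True, count
```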

Deploy rules

Reveal deploys rules to endpoints through a rules package. Rules packages also contain information that maps rules to rule sets and determines how endpoints in specific computer groups monitor for rules. Multiple rule sets can apply to an endpoint, and all rules in all of the applicable rule sets are evaluated.

Rules are automatically included in the next scheduled deployment when you update existing rules or create new rules. To immediately deploy updated rules, go to the Rules page, click Deploy All Rule Sets, enter your credentials, and click OK.

Test and verify rules before deploying to endpoints.

You can also deploy rules from the Rule Sets page.