Define the match criteria that a data asset policy rule uses when the service scans for
matches.
When you add a new data asset rule or modify a policy rule, you define the match
criteria that the data asset policy rule uses when Data Security scans for matches.
The service compares all of the information it discovers against the enabled data
asset policy rules and identifies incidents and exposures in every asset across all
your monitored SaaS applications. Match criteria are critical for successful discovery
of risks in SaaS application usage across your organization, so when you set the match
criteria, you must carefully consider the thresholds, types of information, and risks
associated with how assets are shared. Use match criteria to enforce compliance with
your corporate acceptable use policy.

| Match Criteria | Description |
| --- | --- |
| Activity | Select the asset access and modification activities within a selected time frame to match. For example, activities can include: Created, Modified, Before, After, Within, Not Within, Calendar Date, Relative Date. |
| Asset | Enter the Asset Name to include or exclude in the match results. Select either Equals to match the asset, or Does not Equal to exclude the asset from matching. |
| Cloud Applications | Select the managed apps to scan and match. Choose one of the following: Any Application, Choose Application(s). |
| Data Pattern | Select the available data patterns to match, including predefined or custom data patterns or a file property you defined when you created a custom data pattern. Specify your include or exclude logic. Enter the number of Occurrences and Confidence (Confidence Level) required to display a data pattern match. |
| Data Profiles | Select the available data profiles to match when you create a custom data profile. Select either Equals to match the profile, or Does not Equal to exclude the profile from matching. You can also use the And / Or option to choose multiple data profiles. |
| Exposure | Select the match conditions for how the asset is exposed (shared). Select from the following as you require: Public, External, Company, Internal. |
| Label | Select the app (Google Drive) and the data label that you fetched for that app. For Microsoft Labels, use custom DLP patterns as match criteria. |
| Extension | Enter the File Extension to include or exclude in the match results. Select either Equals to match the asset file extension, or Does not Equal to exclude the asset file extension from matching. |
| File Hash (SHA256) | Files are scanned using WildFire analysis to detect and protect against malicious portable executables (PEs) and known threats based on file hash. Enter the Hash (SHA256) details of the file to match. Select Equals (include in matching), or Does not Equal (exclude in matching). |
| Owner | Enter the email address for the asset Owner to include (Equals) or exclude (Not Equals) in the match results. You can add one or more Directory groups. |
| Owner Group | To enforce a group-based policy rule using File Owner’s Group, you must first Integrate Cloud Identity Engine with Data Security. Select either Equals, or Does not Equal and the Identity Provider Group to which the file owner must belong. You can also select Not Available if you want to enforce an action for any users who are not identified either because the email address is unavailable or because they belong to an Active Directory group that isn’t being scanned by Data Security. |
| Trust State occurrence | When you Define Untrusted Users and Domains or if you're matching on an asset's trust state, all assets shared with a user in the selected Trusted, Untrusted, or Anyone but Trusted users list are detected as a match. Specify the number of occurrences (such as Any, More than or equal to, Fewer than or equal to, or Between) with whom a file must be shared to trigger a match. |
| Conversation Type | The following conversation types can be enabled as a match criteria when you create a data asset policy rule. Direct Message: Messages shared between two people. Group Message: Messages shared in a group. Public Channel: Messages that are shared in a public channel. Private Channel: Messages that are shared in a private channel. This option is available only for Slack Enterprise. |

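
A local dry run of the Exposure, Extension and Trust State occurrence criteria described above, as an added example that is not Data Security code or part of the original page. The asset model, domains, rule layout and function names are hypothetical, and it assumes that criteria combine with AND, that Any means at least one occurrence, and that Between is inclusive.

```python
from dataclasses import dataclass, field

# Constructed trust lists (hypothetical domains), standing in for the
# trusted and untrusted users and domains defined in the service.
TRUSTED = {"example.com"}
UNTRUSTED = {"rival.example"}

@dataclass
class Asset:  # hypothetical local model of a discovered asset
    name: str
    extension: str
    exposure: str  # Public, External, Company or Internal
    shared_with: list = field(default_factory=list)

def trust_count(asset, state):
    """Count collaborators that fall in the selected trust list."""
    domains = [a.rsplit("@", 1)[-1].lower() for a in asset.shared_with]
    tests = {"Trusted": lambda d: d in TRUSTED,
             "Untrusted": lambda d: d in UNTRUSTED,
             "Anyone but Trusted": lambda d: d not in TRUSTED}
    return sum(map(tests[state], domains))

def occurrences_ok(count, op, low=None, high=None):
    """Apply the occurrence operators listed for Trust State occurrence."""
    checks = {"Any": lambda: count >= 1,  # assumption: at least one
              "More than or equal to": lambda: count >= low,
              "Fewer than or equal to": lambda: count <= high,
              "Between": lambda: low <= count <= high}  # assumption: inclusive
    return checks[op]()

def matches(asset, rule):
    """Assumption: every configured criterion must hold (logical AND)."""
    mode, ext = rule["extension"]
    ext_ok = (asset.extension.lower() == ext.lower()) == (mode == "Equals")
    state, op, low, high = rule["trust"]
    return (asset.exposure in rule["exposure"] and ext_ok
            and occurrences_ok(trust_count(asset, state), op, low, high))

def dry_run(assets, rule):
    return [a.name for a in assets if matches(a, rule)]

# Constructed sample inventory and rule, for illustration only.
ASSETS = [
    Asset("q3-forecast.xlsx", "xlsx", "External",
          ["a@rival.example", "b@rival.example", "c@example.com"]),
    Asset("q3-draft.xlsx", "xlsx", "External", ["a@rival.example"]),
    Asset("handbook.pdf", "pdf", "Public", ["x@partner.example"]),
    Asset("payroll.xlsx", "xlsx", "Internal", ["hr@example.com"]),
]
RULE = {"exposure": {"Public", "External"}, "extension": ("Equals", "xlsx"),
        "trust": ("Untrusted", "More than or equal to", 2, None)}
```

Running `dry_run(ASSETS, RULE)` against an exported asset list before enabling a rule shows how a threshold change widens or narrows the set of flagged assets.
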
If you configure your match criteria correctly, a green color border appears on
those specific match criteria items.
If you configure your match criteria incorrectly or leave it incomplete and try
to proceed with the next step, a red color border appears on those specific
match criteria items along with a specific error message.
Click the reset button if you want to get back to the default setting for that
specific match criteria.
You can also use the Advanced tab to define the match criteria
using expressions. This tab also displays the various advanced
search queries.
The fields policy.name, incident.category, email.sent, and assigned.to in the
Advanced tab are applicable only when you perform an advanced search in the
Data Assets page. They are not applicable when you create a policy rule (using
Match Criteria > Advanced).