Creating patterns

In Reveal, a pattern is an expression that matches entities that can otherwise be hidden in the context of other information. You can create patterns based on keywords or regular expressions (regex).

For example, a pattern could match an entity such as a credit card number or email address. Assign a pattern to a rule to match entities in unstructured data such as a word processing document, text file, PDF document, or spreadsheet. Reveal provides patterns for several types of sensitive information, such as credit card numbers, social security numbers, and email addresses.

Update patterns created by Tanium

Patterns created by Tanium update automatically through a content feed that is checked once every 24 hours by default. If a deployed rule uses an updated pattern, the update automatically deploys to endpoints, based on the time configured in the Rule Publication On Modify setting. To immediately deploy updated rules, from the Main menu, click Rules, click Deploy All Rule Sets, enter your credentials, and click OK. For more information, see Deploy rules.

  • To adjust the automatic update schedule, go to the Overview page and click Settings . On the Settings tab, update the Content Feed Update Interval Hours setting.
  • To manually check for updates, click Refresh in the Last Modified by Tanium section of the Patterns page.

Update patterns in an air-gapped environment

If you want to manually update content or your Tanium Server is in an air-gapped environment, you can upload the content archive from the Reveal settings.

  1. Download the latest content archive from a computer that can access the internet:https://content.tanium.com/files/published/reveal/reveal-content/stable/reveal2-content-stable.zip

    .
  2. Transfer the file to a computer in the air-gapped environment.

  3. Go to the Reveal Overview page and click Settings .

  4. On the Settings tab, clear the value in the Content Feed Update Interval Hours. Click Save. An Upload Content tab appears

  5. Click the Upload Content tab. Drag and drop the content archive to the tab to upload it.

Create a regex pattern

Before you begin

  • Use the RE2 syntax and style. For more information about RE2, see https://github.com/google/re2/wiki/Syntax
  • Define the use case for your pattern:
    • Who is the intended user for this pattern?
    • What data does that user need to discover?
    • Why does that user need to discover that data?
  • Research and understand the format of the data that you want to match. For example, you might want to look for a particular ID that has 4-10 alphanumeric characters that are not case sensitive.
  • Define example matches, both expected matches and some examples that are close, but that you do not want to match.
  • Develop, test, and validate your regex using a regex editor, such as https://regex101.com.
  • Optimize your regex:
    • Minimize the use of open-ended terms (such as *) and lookaheads.
    • Use a regex editor that displays the number of steps the engine took to match your test data. Try to minimize the number of steps required for a match.
  1. From the Reveal menu, go to Patterns > Create Pattern > Regex Pattern.
  2. Specify a name for the pattern using only letters, numbers, spaces, dashes and underscores.
  3. Provide a description for the pattern.
  4. Specify a regular expression (RE2 syntax) to define the pattern for the data that you want to find in files.
  5. (Optional) If you used an online regular expression debugger, such as https://regex101.com, to build your expression, provide the shared URL in the Regex Test URL field for quick reference.

    Test and validate regular expressions in a regular expression debugger before you use them in a pattern. Test all patterns in a lab environment before using them in a production environment.

  6. Click Create.

Create a keyword list

Create a keyword list to specify keywords for the data that you want to find in files. This keyword list is included as a pattern that you can use in a rule to search for that data.

  1. From the Reveal menu, go to Patterns > Create Pattern > Keyword Pattern.
  2. Enter a name for the pattern.
  3. (Optional) Provide a description for the pattern.
  4. Specify the keywords for the data that you want to find in files, using one of the following methods:
    1. Add keywords to the Keyword List. Enter one keyword per line, with a maximum of 50 keywords.
    2. Upload keywords from a CSV file. Click Browse and import a single-column CSV file.

      This option replaces any existing keywords in your keyword list for this pattern.

  5. Click Create.

Edit a pattern

  1. From the Reveal menu, click Patterns.
  2. Click View Details next to the pattern name for the pattern that you want to edit.

    You cannot edit patterns created by Tanium.

  3. Click Edit Pattern .
  4. Make the necessary changes and click Save.

Delete a pattern

You can delete only patterns that are not Reserved patterns or used in a rule.

  1. From the Reveal menu, click Patterns.
  2. Click View Details next to the pattern name for the pattern that you want to delete.

    You cannot delete patterns created by Tanium.

  3. Click Delete Pattern .