Creating patterns

In Reveal, a pattern is an expression that matches entities that might otherwise be hidden among other information. You can create patterns based on keywords or regular expressions (regex).

For example, a pattern could match an entity such as a credit card number or email address. Assign a pattern to a rule to match entities in unstructured data such as a word processing document, text file, PDF document, or spreadsheet. Reveal provides patterns for several types of sensitive information, such as credit card numbers, social security numbers, and email addresses.

Create a regex pattern

Before you begin

  • Use an online tutorial, such as the RegEx101 Regex Quiz, to learn the Perl Compatible Regular Expressions (PCRE) syntax and style. For more information about PCRE, see PCRE: pcre2pattern.
  • Define the use case for your pattern:
    • Who is the intended user for this pattern?
    • What data does that user need to discover?
    • Why does that user need to discover that data?
  • Research and understand the format of the data that you want to match. For example, you might want to look for a particular ID that has 4-10 alphanumeric characters that are not case sensitive.
  • Define example matches, both expected matches and some examples that are close, but that you do not want to match.
  • Develop, test, and validate your regex using a regex editor, such as https://regex101.com.
  • Optimize your regex:
    • Minimize the use of open-ended terms (such as *) and lookaheads.
    • Use a regex editor that displays the number of steps the engine took to match your test data. Try to minimize the number of steps required for a match.

  1. From the Reveal menu, go to Patterns > Create Pattern > Regex Pattern.
  2. Specify a name for the pattern using only letters, numbers, spaces, dashes and underscores.
  3. (Optional) Update the Pattern ID.

    The Pattern ID is automatically set to the same value as the Name. If you modify the pattern ID, use only lowercase letters [a-z], numbers, and underscores. IDs must be between 5 and 50 characters.

  4. Provide a description for the pattern.
  5. Specify a regular expression (PCRE syntax) to define the pattern for the data that you want to find in files.
  6. (Optional) If you used an online regular expression debugger, such as https://regex101.com, to build your expression, provide the shared URL in the Regex Test URL field for quick reference.

    Test and validate regular expressions in a regular expression debugger before you use them in a pattern. Test all patterns in a lab environment before using them in a production environment.

  7. Click Create.
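
The example-match testing described under Before you begin and in step 6, as an added example that is not part of the Tanium documentation: it checks a regex against expected matches and near misses before the expression is pasted into a pattern, and shows an open-ended expression failing the same checks. The AST- ID format, the sample strings, and the function name are assumptions, and Python's re module stands in for PCRE (the constructs used here behave the same in both).

```python
import re

# Hypothetical ID format (assumed for this example): the prefix "AST-" followed
# by 4-10 alphanumeric characters, not case sensitive.
NAIVE = r"(?i)AST-[A-Z0-9]+"                # open-ended +, no boundaries
CANDIDATE = r"(?i)\bAST-[A-Z0-9]{4,10}\b"   # bounded length, word boundaries

# Constructed samples: text -> the exact substring the pattern should report.
SHOULD_MATCH = {
    "Laptop AST-7F3K assigned to finance": "AST-7F3K",
    "ref: ast-00a9zz41b2, renewed": "ast-00a9zz41b2",
    "(AST-ABCD)": "AST-ABCD",
}
# Constructed near misses that must not produce a match.
SHOULD_NOT_MATCH = [
    "AST-7F3",           # only 3 characters after the prefix
    "AST-00A9ZZ41B2C",   # 11 characters after the prefix
    "BLAST-7F3K9",       # prefix is the tail of a longer word
    "AST-7F3K_backup",   # ID fused to a longer token
    "AST 7F3K",          # separator is not a hyphen
]


def evaluate(pattern):
    """Return (kind, text, matched) tuples; an empty list means the pattern passed."""
    rx = re.compile(pattern)
    failures = []
    for text, expected in SHOULD_MATCH.items():
        m = rx.search(text)
        found = m.group(0) if m else None
        if found != expected:
            failures.append(("missed", text, found))
    for text in SHOULD_NOT_MATCH:
        m = rx.search(text)
        if m:
            failures.append(("false positive", text, m.group(0)))
    return failures


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE), ("candidate", CANDIDATE)):
        failures = evaluate(pattern)
        print(f"{name}: {len(failures)} failure(s)")
        for kind, text, matched in failures:
            print(f"  {kind}: {text!r} -> {matched!r}")
```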

Create a keyword pattern

  1. From the Reveal menu, go to Patterns > Create Pattern > Keyword Pattern.
  2. Enter a name for the pattern.
  3. (Optional) Update the Pattern ID.

    The Pattern ID is automatically set to the same value as the Name. If you modify the pattern ID, use only lowercase letters [a-z], numbers, and underscores. IDs must be between 5 and 50 characters.

  4. (Optional) Provide a description for the pattern.
  5. Specify the keywords for the data that you want to find in files, using one of the following methods:
    1. Add keywords to the Keyword List. Enter one keyword per line, with a maximum of 50 keywords.
    2. Upload keywords from a CSV file. Click Browse and import a single-column CSV file.

      This option replaces any existing keywords in your keyword list for this pattern.

  6. Click Create.

Edit a pattern

  1. From the Reveal menu, click Patterns.
  2. Click View Details next to the pattern name for the pattern that you want to edit.

    You cannot edit patterns created by Tanium.

  3. Click Edit Pattern.
  4. Make the necessary changes and click Save.

Delete a pattern

You can delete only patterns that are not Reserved patterns and are not used in a rule.

  1. From the Reveal menu, click Patterns.
  2. Click View Details next to the pattern name for the pattern that you want to delete.

    You cannot delete patterns created by Tanium.

  3. Click Delete Pattern.