A rule is a combination of conditions that you define and an action to perform when the conditions are met. Rules are evaluated every hour on all files that have been hashed by Tanium™ Index. When all of the conditions of a rule are matched, an action is triggered. For example, you can label files that contain matches to social security number patterns as confidential. You can apply multiple rules to target the same files so you can discover many types of sensitive information in the same file set.
For rules to evaluate on a file, the file must match the following criteria:
- The file must be hashed by Tanium Index using hash type MIME.
- The file must be in a format that Tanium Reveal can read. This include text files (such as text, XML, and CSV) and binary files (such as PDF and Microsoft Office).
- Binary files must be less than 32 MB. To increase this default size limit, update the max_file_size_kb setting in the config.json for Reveal. Note that text files do not have a size limit.
- The file must not be filtered out by the filter_stems or filter_regexes settings in the config.json for Reveal.
- From the Reveal menu, click Rules. Click New Rule.
- Enter a name and description for the rule.
- Select one or more rule sets to contain the rule. Click Add Rule Set and select the rule sets you want to associate with the rule. Click Save.
- Add conditions. Conditions include file types and patterns. Click Add Condition and select either File Type or Pattern.
- For file type conditions, select the types of files that you want the rule to cover. If you do not select at least one file type, rules do not evaluate.
- For Patterns, select the pattern to match.
- Select the Actions that the rule performs when the conditions have been matched, and click Apply. You can select to apply a label to the files that contain the match.
- Click Save.
Reveal deploys rules to endpoints through a rules package. Rules packages also contain information that maps rules to rule sets and determines how endpoints in specific computer groups monitor for rules. Multiple rule sets can apply to an endpoint; and all rules in all of the applicable rule sets are evaluated.
Rules are automatically included in the next scheduled deployment when you update existing rules or create new rules. To immediately deploy updated rules, click Deploy Rules, enter your credentials, and click OK .
Last updated: 4/16/2019 1:55 PM | Feedback