Creating rules

Overview

A rule is a combination of conditions that you define and an action to perform when the conditions are met. Rules are evaluated every hour on all files that have been hashed by Tanium™ Index. When all of the conditions of a rule are matched, an action is triggered. For example, you can label files that contain matches to social security number patterns as confidential. You can apply multiple rules to target the same files so you can discover many types of sensitive information in the same file set.

Criteria for rule evaluation

For rules to evaluate, a file must match the following criteria:

  • Be included in an inventory by Tanium Index.
  • Be less than 32MB in size. To increase this default size limit, update both config.json for Reveal and config.ini for Tanium Index. For more information on updating config.ini, see Indexing file systems. To reduce this default size limit, it is only necessary to update config.json.
  • Be one of the following file types: .doc, .ppt, .log, .rtf, .txt, .csv, .xml, .xls, .html, .dev
  • Be compressible.

Create a rule

  1. From the Reveal menu, click Rules. Click New Rule.
  2. Enter a name and description for the rule.
  3. Select one or more rule sets to contain the rule. Click Add Rule Set and select the rule sets you want to associate with the rule. Click Save.
  4. Add conditions. Conditions include file types and patterns. Click Add Condition and select either File Type or Pattern.
    1. For file type conditions, select the types of files that you want the rule to cover. If you do not select at least one file type, rules do not evaluate.
    2. For Patterns, select the pattern to match.
  5. Select the Actions that the rule performs when the conditions have been matched. You can select to apply a label to the files that contain the match.
  6. Click Save.
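The following Python model, added here as an illustration and not Reveal's own code, shows how the evaluation criteria above and the rule structure (file type conditions, pattern conditions, a label action) fit together. The size limit and file type list come from this page; the rule names, the regular expressions, the file inventory and the SSN-looking value are constructed for the example, and the behaviour of a rule with no file type condition follows step 4.1.

```python
import re
from dataclasses import dataclass
from pathlib import PurePosixPath

# Defaults taken from the page: 32 MB size limit and the supported file types.
MAX_FILE_SIZE = 32 * 1024 * 1024
SUPPORTED_TYPES = {".doc", ".ppt", ".log", ".rtf", ".txt", ".csv",
                   ".xml", ".xls", ".html", ".dev"}

# Hypothetical patterns; Reveal's own pattern definitions are not shown on the page.
SSN_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
INTERNAL_PATTERN = re.compile(r"INTERNAL USE ONLY")


@dataclass
class IndexedFile:
    """A file as it would appear in the Index inventory (constructed for this example)."""
    path: str
    size: int      # bytes
    content: str   # text the pattern conditions are matched against


@dataclass
class Rule:
    name: str
    file_types: frozenset   # condition: the file extension must be one of these
    patterns: tuple         # condition: every regex here must match
    label: str              # action: label applied when all conditions match


def extension(path):
    return PurePosixPath(path).suffix.lower()


def is_eligible(f):
    """Criteria for rule evaluation: under the size limit and a supported type."""
    return f.size < MAX_FILE_SIZE and extension(f.path) in SUPPORTED_TYPES


def evaluate_rule(rule, f):
    # A rule with no file type condition never evaluates (step 4.1 above).
    if not rule.file_types or extension(f.path) not in rule.file_types:
        return False
    return all(p.search(f.content) for p in rule.patterns)


def evaluate(rules, files):
    """Return {path: set(labels)} for eligible files; several rules may label one file."""
    labels = {}
    for f in files:
        if not is_eligible(f):
            continue
        for rule in rules:
            if evaluate_rule(rule, f):
                labels.setdefault(f.path, set()).add(rule.label)
    return labels


RULES = [
    Rule("SSN in documents", frozenset({".txt", ".doc", ".csv"}), (SSN_PATTERN,), "confidential"),
    Rule("Internal marking", frozenset({".txt", ".doc"}), (INTERNAL_PATTERN,), "internal"),
]

# Constructed sample inventory; the SSN-looking value is a fabricated test string.
SAMPLE_FILES = [
    IndexedFile("/data/hr/roster.csv", 2_048, "name,ssn\nj.doe,123-45-6789\n"),
    IndexedFile("/data/memo.txt", 512, "INTERNAL USE ONLY\nemployee 123-45-6789\n"),
    IndexedFile("/data/archive.log", 1_024, "login 123-45-6789"),   # .log not covered by either rule
    IndexedFile("/data/big.txt", 64 * 1024 * 1024, "123-45-6789"),  # over the 32 MB limit
    IndexedFile("/data/tool.exe", 4_096, "123-45-6789"),            # unsupported file type
]


if __name__ == "__main__":
    for path, labels in sorted(evaluate(RULES, SAMPLE_FILES).items()):
        print(path, sorted(labels))
```

Running it labels roster.csv as confidential and memo.txt as both confidential and internal, while the oversized file and the .exe are skipped before any rule runs and the .log file is eligible but matched by no rule. The same file receiving two labels is the "multiple rules on the same file set" case described in the overview.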

Deploy rules

Reveal deploys rules to endpoints through a rules package. Rules packages also contain information that maps rules to rule sets and determines how endpoints in specific computer groups monitor for rules. Multiple rule sets can apply to an endpoint, and all rules in all of the applicable rule sets are evaluated.

Rules are automatically included in the next scheduled deployment when you update existing rules or create new ones. Click Deploy Rules to deploy the updated rules immediately.

Last updated: 12/3/2018 3:51 PM