Creating rules

A rule is a combination of conditions that you define and an action to perform when the conditions are met. Rules are evaluated every hour on all files that have been hashed by Tanium™ Index. When all of the conditions of a rule are matched, an action is triggered. For example, you can label files that contain matches to social security number patterns as confidential. You can apply multiple rules to target the same files so you can discover many types of sensitive information in the same file set.

Reveal provides default rules that feature commonly used configurations as examples. While you cannot edit default rules, you can duplicate them and create a version that you can customize.

Depending on the role and permissions you have been assigned, you can view rules or create and edit rules. For more information, see User role requirements. For example, if you have write permissions for rules, you can edit the content of rules. Conversely, if you do not have write permissions for rules, you can view the rule information but not make edits and save changes. Regardless of permissions, you cannot edit or save rules that are designated as Tanium Managed.

Criteria for rule evaluation

For rules to evaluate on a file, the file must match the following criteria:

  • The file must be hashed by Tanium Index using hash type MIME.
  • The file must be in a format that Tanium Reveal can read. For more information, see Reference: Supported file types for rule evaluation.
  • Binary files must be less than 32 MB. To increase the default size limit, edit the setting CX.index.ExtractorMaxSourceMB.
  • The file must not be filtered by the Reveal Parse Exclusions by Regular Expression or Reveal Parse Exclusions by File Path settings, which you can configure using a profile. For more information, see Creating profiles.

The contents of zip archives are extracted into memory, and Reveal evaluates rules against those contents if the archive's uncompressed size is within the configured maximum file size. By default this limit is 32 MB; you can change it with the CX.index.MaxZipSizeMB setting. If the uncompressed size is larger than the MaxZipSizeMB value, the archive is not extracted into memory or indexed.

For example, if you use the default setting value (32 MB):

  • A zip file that is 1 MB (compressed) and 20 MB (uncompressed) would have its contents indexed.

  • A zip file that is 5 MB (compressed) and 40 MB (uncompressed) would not have its contents indexed.

A zip archive is identified by the magic number 504b0304. Many file types are actually zip archives with this magic number, for example ZIP, JAR, WAR, EAR, XLSX, and PPTX. Use the CX.index.ZipRecursionLimit setting (default 10) to configure how deep to extract and index within nested zip files. For more information, see Tanium Client Index Extension User Guide: Indexing file systems.
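The magic-number check, the MaxZipSizeMB limit and the recursion limit described above, shown as an added example that is not Reveal's own code: the constants mirror the documented defaults, while the function names, the in-memory fixture builder and the assumption that the top-level archive counts as depth 0 are this example's own.

```python
import io
import zipfile

ZIP_MAGIC = bytes.fromhex("504b0304")  # "PK\x03\x04": zip local file header signature
DEFAULT_MAX_ZIP_MB = 32                # documented CX.index.MaxZipSizeMB default
DEFAULT_RECURSION_LIMIT = 10           # documented CX.index.ZipRecursionLimit default


def make_zip(members: dict) -> bytes:
    """Build a constructed in-memory zip from {name: bytes} (fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

def is_zip_archive(data: bytes) -> bool:
    """Identify a zip container by its magic number, regardless of extension."""
    return data[:4] == ZIP_MAGIC

def uncompressed_size(data: bytes) -> int:
    """Sum the declared uncompressed member sizes from the central directory,
    so the limit can be enforced before anything is inflated into memory."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return sum(info.file_size for info in zf.infolist())

def should_extract(data: bytes, max_zip_mb: int = DEFAULT_MAX_ZIP_MB) -> bool:
    """Extract only when the uncompressed size is within the configured limit."""
    return is_zip_archive(data) and uncompressed_size(data) <= max_zip_mb * 1024 * 1024

def indexable_members(data: bytes, max_zip_mb: int = DEFAULT_MAX_ZIP_MB,
                      recursion_limit: int = DEFAULT_RECURSION_LIMIT,
                      depth: int = 0, prefix: str = "") -> list:
    """Paths of non-archive members exposed to rule evaluation. Nested zips are
    descended while depth < recursion_limit (assumption: top level is depth 0)."""
    if depth >= recursion_limit or not should_extract(data, max_zip_mb):
        return []  # oversized or too deeply nested: nothing is indexed
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            member = zf.read(info)
            if is_zip_archive(member):
                found += indexable_members(member, max_zip_mb, recursion_limit, depth + 1, path + "/")
            else:
                found.append(path)
    return found
```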

Rule conditions

Rule conditions are criteria that determine if a file matches the rule. The following are the types of conditions that you can apply to a rule:

Filter

Use filters to limit the rule to files that match. Filters include file type, file location, file modification date, and file size. If you do not specify any filters, the rule applies to all eligible files on the endpoints from the computer groups specified in the rule set.

Pattern

Use patterns to find sensitive data in files that match the filters. Patterns include credit cards, social security numbers, email addresses, passwords, and phone numbers.

Pattern proximity group

Use pattern proximity groups to find combinations of patterns that are in close proximity to each other within a file.

Multiple patterns and patterns in a pattern proximity group are joined with an AND operator.

Create a rule

  1. From the Reveal menu, click Rules. Click Create Rule.
  2. Enter a name and description for the rule.
  3. Select one or more rule sets to contain the rule. Click Add Rule Sets and select the rule sets you want to associate with the rule. Click Assign.
  4. [Optional] Add filters to limit the files to target. Under Rule Filters, click Add Filter and select the criteria that you want the rule to cover. Repeat to add another filter. For a list of file types, see Reference: Supported file types for rule evaluation.
  5. Under Rule Patterns, add one or more rule patterns. Rules must contain at least one condition.
    • To match a pattern, click Add Pattern and select the pattern to match. Enter the minimum number of matches to the pattern that must occur for the rule to match. Repeat to add another pattern.
    • To add a proximal pattern match, click Add Pattern Proximity Group. A rule can contain one pattern proximity group.
      1. For Proximity, select the maximum number of characters that the patterns can be from each other.
      2. In the pattern proximity group, click Add Pattern and select a pattern to include in the match. Repeat to add a second pattern. A pattern proximity group must contain at least two patterns. Patterns are joined with an AND operator.

      Each instance that matches the pattern proximity group results in a rule match. For example, you can create a pattern proximity group that searches for email addresses and password text that appear within 100 characters of each other. If there are four email addresses that appear within 100 characters of the word "password", Reveal creates a rule match that includes all the matching search criteria.

  6. Under Rule Actions, click Add to select the action to perform when all the conditions match. To add a label to files that match the conditions of the rule, select Tag the affected files, and select one or more labels.
  7. Click Save.
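To illustrate how the conditions above combine (per-pattern minimum counts ANDed with one pattern proximity group), here is an added example that is not Reveal's code: the regular expressions are constructed stand-ins for Reveal's built-in patterns, and treating the group's first pattern as the anchor that the others must sit within the proximity distance of is an assumption.

```python
import re

# Constructed stand-in patterns; Reveal ships its own pattern library.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "password": re.compile(r"\bpassword\b", re.IGNORECASE),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def spans(text: str, name: str) -> list:
    """All (start, end) offsets where the named pattern occurs."""
    return [m.span() for m in PATTERNS[name].finditer(text)]

def gap(a: tuple, b: tuple) -> int:
    """Characters separating two spans (0 if they touch or overlap)."""
    return max(0, max(a[0], b[0]) - min(a[1], b[1]))

def proximity_group(text: str, names: list, proximity: int) -> list:
    """One group match per occurrence of the first (anchor) pattern that has at
    least one hit of every other pattern within `proximity` characters (AND).
    Assumption: each result lists every nearby hit, as in the four-address case."""
    results = []
    for anchor in spans(text, names[0]):
        group = {names[0]: [anchor]}
        for other in names[1:]:
            near = [s for s in spans(text, other) if gap(anchor, s) <= proximity]
            if not near:
                break
            group[other] = near
        else:
            results.append(group)
    return results

def rule_matches(text: str, minimums: dict = None, group: tuple = None) -> bool:
    """Rule conditions are ANDed: every listed pattern must reach its minimum
    count, and the proximity group (names, proximity), if given, must match."""
    for name, minimum in (minimums or {}).items():
        if len(spans(text, name)) < minimum:
            return False
    if group is not None:
        names, proximity = group
        if not proximity_group(text, names, proximity):
            return False
    return True

# Constructed sample text: several e-mail addresses near the word "password".
SAMPLE = ("Reset password for the team: alice@example.com, bob@example.com, "
          "carol@example.com, dave@example.com")
```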

Deploy rules

Reveal deploys rules to endpoints through a rules package. Rules packages also contain information that maps rules to rule sets and determines how endpoints in specific computer groups monitor for rules. Multiple rule sets can apply to an endpoint, and all rules in all of the applicable rule sets are evaluated.

Rules are automatically included in the next scheduled deployment when you update existing rules or create new rules. To immediately deploy updated rules, go to the Rules page, click Deploy All Rule Sets, enter your credentials, and click OK.

Test and verify rules before deploying to endpoints.

You can also deploy rules from the Rule Sets page.