Expressions | Trend Micro Service Central

Views:

Expressions are data with certain structures. For example, credit card numbers typically have 16 digits and appear in the format "nnnn-nnnn-nnnn-nnnn", making them suitable for expression-based detections.

Predefined expressions

Trend Micro provides a set of predefined expressions. Data Loss Prevention verifies these expressions using pattern matching and mathematical equations. After Data Loss Prevention matches potentially sensitive data with an expression, the data may also undergo additional verification checks. You cannot modify or delete predefined expressions.

Learn about Data Loss Prevention predefined expressions.

Custom expressions

Create custom expressions if none of the predefined expressions meet your requirements. Expressions are a powerful string-matching tool. Ensure that you are comfortable with expression syntax before creating expressions. Poorly written expressions can dramatically impact performance.

When creating expressions:

Refer to the predefined expressions for guidance on how to define valid expressions. For example, if you are creating an expression that includes a date, you can refer to the expressions prefixed with "Date".
Note that Data Loss Prevention follows the expression formats defined in Perl Compatible Regular Expressions (PCRE). For more information on PCRE, visit the following website: http://www.pcre.org/.
Start with simple expressions. Modify the expressions if they are causing false alarms or fine tune them to improve detections.
Use parentheses to group a series of pattern elements into a subexpression to match the string you want to capture in an expression, for example, (\d+) or ([A-Z]+).

Note

If there is more than one grouped subexpression with parentheses, for example, (\d+)([a-z]+)(\d+), only the first subexpression takes effect.

Custom expression criteria

Criteria	Rule	Example
None	None	All - Names from US Census Bureau Expression: [^\w]([A-Z][a-z]{1,12}(\s?,\s?\|[\s]\|\s([A-Z])\.\s)[A-Z][a-z]{1,12})[^\w]
Specific characters	An expression must include the characters you have specified. In addition, the number of characters in the expression must be within the minimum and maximum limits.	US - ABA Routing Number Expression: [^\d]([0123678]\d{8})[^\d] Characters: 0123456789 Minimum characters: 9 Maximum characters: 9
Suffix	Suffix refers to the last segment of an expression. A suffix must include the characters you have specified and contain a certain number of characters. In addition, the number of characters in the expression must be within the minimum and maximum limits.	All - Home Address Expression: \D(\d+\s[a-z.]+\s([a-z]+\s){0,2} (lane\|ln\|street\|st\|avenue\|ave\| road\|rd\|place\|pl\|drive\|dr\|circle\| cr\|court\|ct\|boulevard\|blvd)\.? [0-9a-z,#\s\.]{0,30}[\s\|,][a-z]{2}\ s\d{5}(-\d{4})?)[^\d-] Suffix characters: 0123456789- Number of characters: 5 Minimum characters in the expression: 25 Maximum characters in the expression: 80
Single- character separator	An expression must have two segments separated by a character. The character must be 1 byte in length. In addition, the number of characters left of the separator must be within the minimum and maximum limits. The number of characters right of the separator must not exceed the maximum limit.	All - Email Address Expression: [^\w.]([\w\.]{1,20}@[a-z0-9]{2,20}[\.][a-z]{2,5}[a-z\.]{0,10})[^\w.] Separator: @ Minimum characters to the left: 3 Maximum characters to the left: 15 Maximum characters to the right: 30

Adding custom expressions

Add custom expressions if no predefined expressions meet your requirements.

Procedure

Go to Data Loss Prevention → Data Identifiers → Expressions.
Click Add.

Specify custom expression settings.

Option

Description

Basic Properties

Name: Type a name that does not exceed 512 bytes in length.
Description: Type a description that does not exceed 2048 bytes in length.
Criteria: Select the criteria and then specify the additional settings.
Expression: Type the expression and specify whether it is case-sensitive.
Displayed data: Type the format that represents this custom expression. The data is for reference purposes only and will not appear elsewhere in the product. For example, if you are creating an expression for email addresses, type xxxx@xxxx.xxxx.
Example: Type an example that represents this custom expression. The example is for reference purposes only and will not appear elsewhere in the product. For example, if you are creating an expression for ID numbers, type a sample ID number.
Validation: Select an additional validation method if necessary. These additional validators were specifically designed to detect highly specialized digital assets.

Test Area

Specify actual data to test the expression.

For example, if the expression is for a national ID, type a valid ID number in the Test data text box, click Test, and then check the result.

Note

Save the settings only if the testing was successful. An expression that cannot detect any data wastes system resources and may impact performance.

Click Save.

Cloud Email and Collaboration Protection performs a matching performance check to ensure the expression is properly configured. The process takes up to 20 seconds to complete. If the expression took too long to complete the check, the check fails, with a warning advising you to review and update the expression.

Importing custom expressions

Importing custom expressions requires a properly-formatted .xml file containing the expressions.

Note

Each expression contains a unique ID value. If an expression with the same ID already exists, Cloud Email and Collaboration Protection overwrites the existing expression. If an expression with the same display name already exists, Cloud Email and Collaboration Protection appends a time stamp suffix to the new expression before adding it to the list.

Procedure

Go to Data Loss Prevention → Data Identifiers → Expressions.
Click Import, and then click Choose File to locate the .xml file to import.
Click Open.
Click Import.