Data Loss Prevention

  • 1.  Exclude Prefix

    Posted Nov 06, 2012 10:37 AM

    I would like to use an Exclude Prefix to not trigger incidents with the
    US Social Security Number Data Identifier when it is prefixed by a
    date and time and the string "520".  Below is a sample of data.

    What is the best way to accomplish this?


    "520"0"2008-10-14 08:31:53.000"xxx-xx-xxxx

    TIA,

    Bob



  • 2.  RE: Exclude Prefix

    Trusted Advisor
    Posted Nov 06, 2012 12:55 PM

    Unfortunately, there is no way to do proximity matching when it comes to using a REGEX also.

    What you can do is to write a new Data Identifier or a new REGEX that will identify both the DATE & TIME & SSN as a single entity and then have that as an exception to the policy.

    This is going to take a little experimentation, but you need to MAKE SURE that the incidents that you are trying to EXCLUDE are always going to be the same format.

    So off the top of my head...

    To match..

    2008-10-14 08:31:53.000"xxx-xx-xxxx

    \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}\"\d{3}-\d{2}-\d{4}

    Keep in mind that you will need to test this out.

    Also Data Identifiers and the REGEX rules use different syntaxes, so be careful of using " and other non alphabetic matches.

    Hope this helps.. please call it solved if it does!

     



  • 3.  RE: Exclude Prefix

    Posted Nov 06, 2012 02:21 PM

    Thanks, I'll have to play with this in our lab.

     

    Bob.



  • 4.  RE: Exclude Prefix

    Posted Nov 06, 2012 04:43 PM

    Additional question...  I might have a valid SSN in the same message.  I still want to trigger an incident on those.  I just don't want to match when the prefix to a match is the "520" date/time mentioned above.  Won't your solution cause the whole message to be ignored?

    Bob.



  • 5.  RE: Exclude Prefix

    Trusted Advisor
    Posted Nov 07, 2012 02:23 AM

    Hi Bob,

    You can also try to define a regex which explicitly defines that the pattern you are looking for must not contain 520 in front of the rest of your

    [^(520)] \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}.\d{3}\"\d{3}-\d{2}-\d{4}

    (so just use [^(string to reject)] in your regexp; here I just reject it if it contains 520 in front of date time...)

    So like that, if your string starts with 520 it won't be taken into account (check the regexp in your lab, because I am not able now to check the way I really wrote it in the DLP policy, but I already did it on DLP v11.X in order to reject some types of false positives)

    So like that you will still be able to detect real SSN.

     Regards

     



  • 6.  RE: Exclude Prefix

    Posted Nov 07, 2012 07:05 AM

    I used the following regex to do proximity matching of a date before an SSN.

    20\d{2}-\d{2}-\d{2}\W+(\w+\W+){1,10}?\d{3}-\d{2}-\d{4}

    For the sample set:

    2008-10-14 hello 523-17-3336
    2007-10-14 hello 523-17-3336
    2008-10-14   open the door 523-17-3336

    I tried using:

    [^(2007)]20\d{2}-\d{2}-\d{2}\W+(\w+\W+){1,10}?\d{3}-\d{2}-\d{4}

    to exclude the 2007 date, but was not successful.

    I used this as a regex not a data identifier because the + sign is not supported.

     



  • 7.  RE: Exclude Prefix

    Trusted Advisor
    Posted Nov 07, 2012 07:24 AM

    Bob,

    Please try:

    [^(2007)]-\d{2}-\d{2}\W+(\w+\W+){1,10}?\d{3}-\d{2}-\d{4}

     

    Regards



  • 8.  RE: Exclude Prefix

    Posted Nov 07, 2012 07:41 AM

    If you want to detect or highlight the entire date you may want to consider:

    200[^(2007)]-\d{2}-\d{2}\W+(\w+\W+){1,10}?\d{3}-\d{2}-\d{4}

     

     



  • 9.  RE: Exclude Prefix

    Posted Nov 07, 2012 08:17 AM

    Please ignore my previous recommendation as it has very limited use...  

    The exclusion portion of the regex is not being interpreted correctly. 

    [^(2007)]

    is the same as

    [^2007]

     

    which means it is not excluding 2007, it is excluding 2 or 0 or 7.

     

    Stephane, back to you...
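
An added example, not posted by anyone in the thread: it uses Python's `re` to show which characters `[^(2007)]` actually rejects, and how negative lookbehind and lookahead exclude the whole "520"/timestamp prefix or the year 2007 while other SSNs in the same message still match. Whether the DLP regex engine accepts lookarounds is an assumption to check in a lab; the function names and the sample message are constructed.

```python
import re

SSN = r"\d{3}-\d{2}-\d{4}"
# Prefix shape taken from the single sample in post 1 (assumed to be stable):
# "520", one digit, then a quoted timestamp. The dot is escaped here.
PREFIX = r'"520"\d"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"'

# Negative lookbehind: keep an SSN only if the 520/timestamp prefix is not
# immediately in front of it. Python's re requires a fixed-width lookbehind.
SSN_NOT_PREFIXED = re.compile(rf"(?<!{PREFIX})(?<!\d){SSN}(?!\d)")

# Negative lookahead applied to the regex from post 6: reject the year 2007
# as a whole string instead of as a set of characters.
DATE_NOT_2007_THEN_SSN = re.compile(
    r"(?!2007)20\d{2}-\d{2}-\d{2}\W+(\w+\W+){1,10}?" + SSN
)

def rejected_chars(char_class, candidates):
    """Characters from `candidates` that a one-character class refuses to match."""
    return [c for c in candidates if not re.fullmatch(char_class, c)]

def reportable_ssns(text):
    """SSNs that are not directly preceded by the 520/timestamp prefix."""
    return [m.group(0) for m in SSN_NOT_PREFIXED.finditer(text)]

def dated_ssn_lines(lines):
    """Lines where a non-2007 date is followed by an SSN within ten words."""
    return [ln for ln in lines if DATE_NOT_2007_THEN_SSN.search(ln)]

# Constructed sample: the excluded record plus an unrelated SSN in one message.
MESSAGE = (
    '"520"0"2008-10-14 08:31:53.000"523-17-3336\n'
    "Applicant SSN on file: 123-45-6789\n"
)
# Sample set from post 6.
POST6_LINES = [
    "2008-10-14 hello 523-17-3336",
    "2007-10-14 hello 523-17-3336",
    "2008-10-14   open the door 523-17-3336",
]

if __name__ == "__main__":
    print(rejected_chars(r"[^(2007)]", "0123456789()"))
    print(reportable_ssns(MESSAGE))
    print(dated_ssn_lines(POST6_LINES))
```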