Keyword Rules
NOTE: From the SSE 6.6.2 release, the Keywords rule is available to users who have already defined DLP policies using this rule. It will not be available to other users. Skyhigh recommends using classifications to define rules with keywords in your DLP policies. For details, see About Classifications.
In DLP policies, keywords allow you to specify a comma-separated list of search terms or expressions that are compared to words in files.
For information about using custom keywords with Data Identifiers, see Data Identifier Rules.
Keyword-based Search
To use keyword-based searches, you can enter keywords in a DLP policy. Skyhigh CASB then matches documents that contain the keywords. You can set a policy to search on just a word, or on a phrase. (Make sure to put a phrase within "quotation marks".)
You can also set a proximity match, which allows you to define how many words can separate keywords and still trigger a match. If two keywords are found within the number of words (set with ~n where n is the number of words), it's a match.
When the Keyword box is activated, the rule also looks for one of the keywords within 200 characters (about 30 words) before and after the identified data as another validation to reduce false positives.
As of the Skyhigh CASB 3.9 release, the keyword proximity is variable and can be between 1 and 10000 characters. You can specify this value through the custom Proximity Distance value when keyword validation is enabled. Existing policies remain fixed at 200 characters, but for any policy you create as of release 3.9 you can specify a variable proximity value between 1 and 10000.
Keyword 2 is used as a secondary set of keywords as an AND condition, where keywords from both lists must be present.
For example, say a document contains the following sentence:
This company confidential document was written in San Francisco and contains secret details.
The following table includes examples of how keyword-based searches in a DLP policy would work on the example sentence.
Query | Result | Notes |
---|---|---|
Secret | Match | Keyword-based searches are case insensitive. |
cisco | No Match | "cisco" is not seen as an exact match to "San Francisco". |
secret info | Match | The query tells Skyhigh CASB to find documents that contain either "secret" or "info," and because the document contains "secret", it is a match. |
"secret details" | Match | This is an exact phrase match. To define a phrase query, put the terms inside quotation marks to match exactly. For example, "secret details" matches secret details. |
"document secret"~10 | Match | The proximity defined at ~10 means the policy matches if the words in the phrase are found within 10 words of each other. Because it is a phrase, both words must be found. |
"company secret"~3 | No Match | The proximity, defined as ~3, means that there are too many words between "company" and "secret" for this to be identified as a match. |
Limitation: A keyword rule cannot be used to identify comma-separated numbers in documents. For instance, if the document contains "123,456" and you try to match "123" using a keyword rule, the attempt will fail. To work around this limitation, use a classification rule, which is not constrained in this way.
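The matching behaviour in the table and the limitation above, modelled as an added Python example; it is not Skyhigh's implementation and does not come from the product. The tokenizer, the unordered reading of ~n as the number of words separating the keywords, and all function names are assumptions made for illustration.

```python
import re
from itertools import product

SENTENCE = ("This company confidential document was written in "
            "San Francisco and contains secret details.")  # sentence from the page

# Assumed tokenizer: comma-joined digit groups stay one token, which models
# the documented "123,456" limitation; everything else splits on non-word chars.
TOKEN = re.compile(r"\d+(?:,\d+)+|\w+")
# Query grammar: "quoted phrase" with optional ~n, or a bare word.
QUERY = re.compile(r'"([^"]+)"(?:~(\d+))?|(\S+)')

def tokenize(text, case_sensitive=False):
    tokens = TOKEN.findall(text)
    return tokens if case_sensitive else [t.lower() for t in tokens]

def term_matches(words, tokens, slop):
    """Whole-word match. slop=None means adjacent and in order; otherwise all
    words must occur with at most `slop` other words separating them."""
    if slop is None:
        n = len(words)
        return any(tokens[i:i + n] == words for i in range(len(tokens) - n + 1))
    positions = [[i for i, t in enumerate(tokens) if t == w] for w in words]
    return any(
        len(set(combo)) == len(combo)
        and max(combo) - min(combo) - (len(words) - 1) <= slop
        for combo in product(*positions)
    )

def evaluate(query, text, case_sensitive=False):
    """True if any term of the query matches (bare terms are OR-ed)."""
    tokens = tokenize(text, case_sensitive)
    for phrase, slop, word in QUERY.findall(query):
        words = tokenize(phrase or word, case_sensitive)
        if words and term_matches(words, tokens, int(slop) if slop else None):
            return True
    return False

def run_table():
    """Evaluate the six queries from the table against the example sentence."""
    queries = ["Secret", "cisco", "secret info", '"secret details"',
               '"document secret"~10', '"company secret"~3']
    return {q: evaluate(q, SENTENCE) for q in queries}

if __name__ == "__main__":
    for q, hit in run_table().items():
        print(f"{q:24} {'Match' if hit else 'No Match'}")
```

Running a candidate keyword list through a model like this against sample documents before deploying a policy shows where whole-word matching misses substrings such as "cisco" or "123".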
Create a Sanctioned DLP Policy for Keywords
To add a keyword to a DLP policy:
- Choose Policy > DLP Policies.
- Click Actions > Sanctioned Policy > Create New Policy to create a policy. (See Create a DLP Policy from a Template for information about templates.)
- Name. Enter a descriptive name to identify the policy from the policy selection screen in later steps.
- Description. Enter an optional description.
- Deployment Type. Select an integration method: API, Lightning Link, or Reverse Proxy. Some user actions and response actions depend on the Type you choose.
- Services. Click Select Service Instances and select your instance from the list. Click Done.
- Users. Select the users to apply the policy to.
- All Users. Click to apply the policy to all users.
- Use a predefined dictionary. Click to select a predefined dictionary from the menu.
- Manually enter users. Click to manually enter user emails using a comma to separate items. There is a limit of 1,000 characters.
- Click Save.
- Add Exclusions. Click to add users to exclude from the policy, if needed.
- None.
- Use a predefined dictionary. Click to select a predefined dictionary from the menu.
- Manually enter users. Click to manually enter user emails using a comma to separate items. There is a limit of 1,000 characters.
- User Groups. If your tenant has User Data (Active Directory) configured, click Edit to select the User Groups to include in the policy.
- Click Done.
- Add Exclusions. Click to add user groups to exclude from the policy, if needed. Select user groups from the list and click Done.
- Click Done.
- Click Next.
- For Rules, choose Keywords. Select one of the following options:
- Use a predefined dictionary. Choose it from the Select a Dictionary list.
- Manually enter Select Keywords. Enter keywords in a comma-separated list.
- Click Done.
- Match Criteria.
- Match Any. Creates a match when any keyword is found in a file.
- Match All. Creates a match only when all keywords are found in a file.
- Match Count. Specify the number of unique matches and perform additional keyword validation.
- Count each match only one time. Activate or deactivate the checkbox to count the matches only one time or multiple times.
- Case Sensitive: Select No or Yes to consider case sensitivity.
- Match Special Characters. When this option is set to Yes, then the keywords in the dictionary are matched exactly, as is. If keywords are enclosed in quotes, a match occurs only if the document includes that keyword enclosed in quotes too. We recommend that you don't enclose keywords in quotes when this option is selected, unless you are trying to match exactly.
- If Yes is selected, only the exact special characters trigger a match, including quotation marks.
- If No is selected, any special character triggers a match.
- For example, when matching "M&A":
- Yes. Only "M&A" (including quotes) triggers a match.
- No. M&A, M-A, and M#A all trigger a match.
- Location. Specify if the match should be located in:
- All
- Email Subject and File Metadata
- Email Subject, Body, Attachments, and File Content
- Click AND to add another rule, if needed.
- Click THEN to add a severity: Critical, Major, Minor, Warning, or Info.
- Click New Rule Group to add more, if needed.
- Click Add Exception. Add one or more exceptions, if needed. A DLP policy ignores any exception group within the policy. An exception group is ignored when ALL exceptions within the group match.
- Click Add Exception Group to add more.
- Click Next.
- Response. Select one or more response actions that are triggered when the policy rules are matched. By default, all DLP policies create an incident.
- Click Done.
- Click Next.
- Click Save.
Keyword Validation for UK Driving License
For UK driving license data identifiers, there are two lists of keywords: the Country Specific Keywords list and the Identifier Specific Keywords list. When keyword validation is enabled, to reduce false positives, you must use one keyword from each list. For details, see European Personal Identity.