
Discovery

Smart Filter Bundles

Description

PK Protect Discovery automates the critical task of securing sensitive content throughout the enterprise. It uses a combination of predefined dictionaries and other patterns that you can customize for your unique needs.

Use this page to set up what Discovery should look for, then set Policies to tell PK Protect what to do with the discovered data.

Discovery Terms: Patterns and Smart Filter Bundles

Discovery looks for sensitive data by analyzing files and outgoing email messages to identify common patterns, such as credit card numbers, names of prescription drugs (indicating health information), home addresses and the like.

PK Protect provides some predefined patterns to help discover sensitive data throughout the PK Protect ecosystem. View some of these patterns on the Distributed Dictionaries page. Define custom patterns by either adding a custom list of search terms, or a custom regular expression (Regex) to help identify what you are looking for in files and Microsoft Outlook email messages.

You can include multiple patterns in one Smart Filter Bundle to identify the data you're seeking to protect in one pass. For example, if you want to protect personally identifiable information, use these existing patterns:

A Smart Filter Bundle is a combination of patterns and threshold quantities. The threshold is the quantity of the pattern where PK Protect takes notice. Assign one or more patterns to a Smart Filter Bundle. You can define a Smart Filter Bundle to search for different quantities of each pattern assigned as well.

Continue reading to learn how to create your own customized patterns and bundles.

When you define when and where to use the Smart Filter Bundle, you also tell PK Protect what to do with files and emails that meet the threshold. These action steps are called remediation. Smart Filter Bundles only define what the PK Protect Discovery agents search for; the agents still have to be told to do the work. File scanning on File Servers or Workstations is set up and deployed through Assignments or Lockers. Scanning of email bodies and attachments by the Microsoft Outlook Plugin is controlled through Policies.

Add Discovery

Let's look at how to build that Personally Identifiable Information filter bundle.

  1. Click Add Discovery.
  2. Name the bundle Personally Identifiable Information.
  3. Use the drop-down menu to choose Address US.
  4. The threshold is the quantity of the pattern where PK Protect takes notice. Set a threshold of 10 for this pattern.
  5. Click Add to add these patterns: National Insurance Number UK, Social Security Number US and Tax ID US. Give each of them a Threshold of 1.

In this example, if a file is scanned and contains 5 US Addresses, no remediation action will be taken because the threshold of 10 is not met. A mailing list with 10 or more US addresses would be flagged for remediation. If a US Social Security Number is found 3 times, a remediation will take place, because that pattern's threshold is 1.

In the Add Smart Filter Bundle screen, you may also add Exclusion and Inclusion Filters.

Save the bundle when complete.

Add Redaction

The steps to create a bundle where remediation means redacting text are similar to the Discovery Smart Filter Bundle. You do not have to set a threshold in the Redaction bundle.

  1. Click Add Redaction.
  2. Name the bundle.
  3. Use the drop-down menu to choose one or more Patterns.
  4. (Optional) Add Exclusion and Inclusion Filters.
  5. Save the new bundle.

File Filters

File filters are used to create file and folder bundles that discover files based on last accessed date, file extension, residing folder name, etc.

Item - Description
Name - Unique name that is referenced from assignment and locker pages
Comments - Specify any additional information for the filter in this field.
Platform

Windows

  • Ability to exclude hidden files and system files
  • Define relative and absolute dates based on:
    • Created Date - WIN32_FILE_ATTRIBUTE_DATA.ftCreationTime
    • Last Modified Date - WIN32_FILE_ATTRIBUTE_DATA.ftLastWriteTime
    • Last Accessed Date - WIN32_FILE_ATTRIBUTE_DATA.ftLastAccessTime


macOS and Unix

  • Ability to exclude system files
  • Define relative and absolute dates based on:
    • Last Modified Date - stat.st_mtime
    • Last Accessed Date - stat.st_atime

Whitelist Extensions & Blacklist Extensions

Define file names and their extensions.

PK Protect will process every file in a directory it is configured to discover. With the Whitelist and Blacklist, you can restrict the number and type of files processed in the folder. For example, if you only want to process spreadsheets in this assignment, type *.xls* in the whitelist and leave the blacklist blank. All other files placed in this assignment will remain unprocessed. Files/extensions are separated by semicolons.

Notes

  • Use one at a time or together
  • The blacklist defaults to *.dropbox, desktop.ini, thumbs.db, ~.*
  • If there is a conflict of the same extension in both rule sets, only the conflicting whitelist item will be processed
  • Both extension lists can be used at the same time in use cases such as
    • Whitelist Extension: "*.doc"
    • Blacklist Extension: "foo*"
    • Result: Discovery will trigger on files with a .doc file type and not pick up files that start with a file name of foo

Whitelist Paths & Blacklist Paths

Define whitelists and blacklists of the residing folder path a file could be discovered in:

  • Use one at a time or together
  • If there is a conflict of the same path in both rule sets, only the conflicting whitelist item will be processed
  • Both path lists can be used at the same time in use cases such as
    • Whitelist Paths: "*\Desktop\*"
    • Blacklist Paths: "*\Personal\*"
    • Result: Discovery will only trigger on files that reside in a folder path containing "Desktop" and does not include a parent folder called "Personal"
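
How the extension and path rules above combine, as an added sketch for pre-checking a filter before deploying it (not PK Protect code). It assumes glob matching as in Python's fnmatch, case-insensitive comparison, extension lists applied to the file name and path lists applied to the containing folder; `will_scan`, `allowed`, `parse_list` and the sample paths are hypothetical.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# Default blacklist entries from the notes, written as one
# semicolon-separated field.
DEFAULT_BLACKLIST = "*.dropbox;desktop.ini;thumbs.db;~.*"


def parse_list(field):
    """Split a semicolon-separated filter field into lowercase globs."""
    return [p.strip().lower() for p in field.split(";") if p.strip()]


def allowed(value, whitelist, blacklist):
    """Apply one whitelist/blacklist pair to a file name or folder path."""
    value = value.lower()  # assumption: matching ignores case
    # Conflict rule from the notes: an entry present in both lists is
    # processed as whitelisted, so it is dropped from the blacklist.
    blacklist = [p for p in blacklist if p not in whitelist]
    if whitelist and not any(fnmatchcase(value, p) for p in whitelist):
        return False
    return not any(fnmatchcase(value, p) for p in blacklist)


def will_scan(path, wl_ext="", bl_ext=DEFAULT_BLACKLIST, wl_path="", bl_path=""):
    """Return True if a file passes both the extension and path filters."""
    p = PureWindowsPath(path)
    folder = str(p.parent) + "\\"  # trailing separator so *\Desktop\* matches
    return (allowed(p.name, parse_list(wl_ext), parse_list(bl_ext))
            and allowed(folder, parse_list(wl_path), parse_list(bl_path)))


if __name__ == "__main__":
    # Constructed sample paths, checked against the two use cases above.
    samples = [
        r"C:\Users\ann\Desktop\report.doc",
        r"C:\Users\ann\Desktop\foo_notes.doc",
        r"C:\Users\ann\Desktop\Personal\taxes.doc",
        r"C:\Users\ann\Documents\report.doc",
    ]
    for s in samples:
        ok = will_scan(s, wl_ext="*.doc", bl_ext="foo*",
                       wl_path=r"*\Desktop\*", bl_path=r"*\Personal\*")
        print(f"{'scan' if ok else 'skip'}  {s}")
```

Note that under glob matching `*.doc` does not cover `.docx`, which is why the spreadsheet example above uses `*.xls*`.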





Discovery Patterns

Custom Discovery Dictionary

You can identify your own patterns for Discovery to flag. Choose keywords, define a regular expression, or create a Dictionary file to upload.

  1. Click Patterns from the main Discovery page. A list of any existing custom patterns appears.
  2. Click Add Custom Dictionary
  3. Name this dictionary
  4. Type each word to flag in the Keywords field.

    You can also create a list of words and/or phrases to include as a pattern in a spreadsheet or text editor. Save that list as a CSV file.  Each entry should be enclosed in quotation marks (such as “My Entry”). Do not use commas inside the entry. To include this list as a pattern dictionary, click Browse to identify the file, then load the dictionary file into PK Protect. File-based import will allow for 200k+ line delimited entries.

  5. Use the checkboxes to Match Whole Phrase and/or Match Case for the defined keywords
  6. Click Save when all the keywords and phrases are included

Custom Regex (Regular Expressions)

Use regular expressions (regex) for more flexibility in defining a custom discovery pattern.

Adding regular expressions follows the same workflow as adding keywords, with wildcards. PK Protect Discovery will flag any text matching the named regex.

Filters

(Optional) Add exclusion and inclusion filters to reduce false positive results from your bundle. These filters are applied after the primary patterns are identified, but before any remediation takes place.

Exclusion filters work like a blacklist; data matching a set of digits, words, phrases or a regular expression added to an exclusion filter is separated and processed differently from other data in this bundle.

Inclusion filters work like a whitelist; data matching the filter will be treated like any other matching data.

Exclusion Filter

To add an exclusion filter:

  1. Open an existing bundle with the Edit link, or add a new bundle.
  2. Click Add under Exclusions.
  3. Use the drop-down menu to choose a data pattern to exclude.
  4. Continue adding patterns to exclude by clicking Add.

Notes

Exclusion filters must relate to the patterns in the current Smart Filter Bundle. For example, don't exclude US Credit Cards from the Personally Identifiable Information bundle we created earlier.

Use Exclusion filters with patterns, regular expressions or custom dictionaries.
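
The threshold rule from the Add Discovery walkthrough combined with an exclusion filter, as an added sketch that is not PK Protect code. It assumes a file is flagged when any one pattern reaches its threshold and that excluded matches are simply not counted; the regexes are simplified stand-ins for the predefined patterns, and `evaluate` is a hypothetical helper.

```python
import re

# Simplified stand-in regexes (assumptions); the product's predefined
# patterns are not shown on this page.
PATTERNS = {
    "Address US": re.compile(r"\b\d{1,5} [A-Z][a-z]+ (?:St|Ave|Rd|Blvd)\b"),
    "National Insurance Number UK": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
    "Social Security Number US": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "Tax ID US": re.compile(r"\b\d{2}-\d{7}\b"),
}

# The Personally Identifiable Information bundle: pattern -> threshold.
PII_BUNDLE = {
    "Address US": 10,
    "National Insurance Number UK": 1,
    "Social Security Number US": 1,
    "Tax ID US": 1,
}


def evaluate(text, bundle, exclusions=()):
    """Return (flagged, counts, triggered) for one document's text."""
    counts = {}
    for name in bundle:
        hits = PATTERNS[name].findall(text)
        # Exclusions apply after the primary match, before remediation.
        counts[name] = sum(
            1 for h in hits if not any(e.fullmatch(h) for e in exclusions)
        )
    triggered = [n for n, t in bundle.items() if counts[n] >= t]
    return bool(triggered), counts, triggered


if __name__ == "__main__":
    # Constructed sample documents.
    docs = {
        "5 addresses": "\n".join(f"{100 + i} Maple St" for i in range(5)),
        "10 addresses": "\n".join(f"{100 + i} Maple St" for i in range(10)),
        "3 SSNs": "123-45-6789 234-56-7890 345-67-8901",
        "form placeholder": "Enter SSN in the format 000-00-0000",
    }
    placeholder = [re.compile(r"000-00-0000")]  # constructed exclusion
    for label, text in docs.items():
        flagged, counts, triggered = evaluate(text, PII_BUNDLE, placeholder)
        print(f"{label:17} flagged={flagged} triggered={triggered}")
```

Running sample files through a check like this before saving a bundle shows whether a threshold is too low for routine documents or whether an exclusion hides matches you still want counted.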

Inclusion Filter

To add an inclusion filter:

  1. Open an existing bundle with the Edit link, or add a new bundle.
  2. Click Add under Inclusions.
  3. Add a keyword, regular expression or dictionary.
  4. Continue adding patterns to include by clicking Add.

Note: Inclusion filters must relate to the patterns in the current Smart Filter Bundle. For example, don't try to identify US Credit Cards for remediation when you are searching for Personally Identifiable Information.

Importing and Exporting Bundle Packs

You can move existing Smart Filter Bundles, including custom bundles, from one instance of PK Endpoint Manager to another.

Exporting Discovery Bundle Packs

To export a Smart Filter Bundle:

  1. Click Export Bundle Pack.
  2. Name the file that contains the bundle.
  3. Use the drop-down Filter Bundles menu to select one or more bundles. Ctrl+Click to select multiple bundles.
  4. Click Export. You'll be asked to save the zip archive containing the exported bundle(s).

You'll return to the Export Discovery Bundle Pack screen to create additional bundles. Click Cancel to return to the Discovery page.

PK Protect delivers each selected bundle as a CSV file and packages the exported files in a ZIP archive.

Importing Discovery Bundle Packs

To import a Smart Filter Bundle into an instance of PK Endpoint Manager:

  1. Click Import Bundle Pack on the Discovery page.
  2. Browse to the file that contains the exported bundle.
  3. Click Import.

Before importing a bundle, PK Protect checks whether a bundle with the same name exists on this instance. You'll get an error if that happens. All bundles not already on the system will import.

You'll return to the Import Discovery Bundle Pack screen to import additional bundles. Click Cancel to return to the Discovery page.

