Prevention Rules Filters and Fields

Depending on the target, you can filter by the fields described in the table.

Field (listed as Target > Field), followed by additional information and links

Detector > Indicator/Detector Name

User > User Name

Username as seen by the observed system, for example a local endpoint username, “samAccountName”, or an “email”.

Rule configuration is based on the user name. Prevention rules based on this field are sensitive to name changes: modifying the user name will cause the rule not to match.

Use this field to target based on pattern matching using wildcard operators (e.g., 'contains').

User > User from Catalog and Group from Catalog

Available from Windows 3.5 and Mac 4.2.

These fields refer to the IDs only, and the IDs originate from the Users Catalog only.

Use these fields when you want to create rules that target explicit IDs. Since the rule is based solely on the ID, rules remain valid even if you change the User/Group Name.

Rules with these fields are limited to the In and Not In operators.

When you create a rule using these fields, the name is displayed for clarity only.

User > Group Names

Group name from the observed system containing User Names.

Rule configuration is based on the group name. Prevention rules based on this field are sensitive to name changes: modifying the group name will cause the rule not to match.

Use this field to target based on pattern matching using wildcard operators (e.g., 'contains').

Process/Application > Executable Name

Name of the executable file of the application.

Files/Resources > Classification Labels

MIP File Label

Classification Accounts (MIP Labels for ITM / Endpoint DLP)

Files/Resources > File Name

The file name you want, without the extension.

Characters not supported by Windows OS are not supported and cannot be used (‘/’, ‘\’, ‘?’, ‘%’, ‘*’, ‘:’, ‘|’, ‘”’, ‘<’, ‘>’).

You can also set a rule to intercept a specific pattern of characters in a file name. Each character in a pattern is represented by the ? character, and the pattern can contain other characters and spaces. Use this for a file name that contains a defined pattern of characters. For example, ??_??_???? represents a date format in the file name, such as myfile 21_02_2023. An example with spaces, ?? ?? ???, would include myfile 21 02 2023.

Prevention by file name is currently supported for Windows Agents only.

The “?” wildcard in the Files/Resources > File Name field is available only in Prevention Rules. It cannot be used in Detection Rules or Exploration, neither directly nor indirectly via Conditions.
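As an added example (not part of this documentation and not the product's own matching engine), the following Python sketch shows how a File Name rule using the ? wildcard could be evaluated: the extension is stripped first, each ? stands for exactly one character, every other character in the pattern is literal, the pattern is looked for anywhere in the name (as the myfile 21_02_2023 example implies), and the Windows-reserved characters listed above are rejected at rule creation time. The exact matching semantics, the function names and the sample file names are assumptions made for the illustration.

```python
import os
import re

# Characters the File Name field rejects (the Windows-reserved set from the table).
# '?' is deliberately left out of this set because it is the wildcard character.
UNSUPPORTED_CHARS = frozenset('/\\%*:|"<>')


def validate_pattern(pattern: str) -> None:
    """Raise ValueError if the pattern uses a character the field does not accept."""
    if not pattern:
        raise ValueError("file name pattern must not be empty")
    bad = sorted({c for c in pattern if c in UNSUPPORTED_CHARS})
    if bad:
        raise ValueError(f"unsupported character(s) in file name pattern: {bad}")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate a ? pattern into a regex: ? -> any single character, rest literal.

    Assumption: the pattern may occur anywhere in the name, so callers search
    with it rather than anchoring it at the start or end.
    """
    validate_pattern(pattern)
    return re.compile("".join("." if c == "?" else re.escape(c) for c in pattern))


def strip_extension(file_name: str) -> str:
    """The File Name field is compared without the extension (and without any path)."""
    return os.path.splitext(os.path.basename(file_name))[0]


def file_name_matches(pattern: str, file_name: str) -> bool:
    """True if the extension-less file name contains the ? pattern."""
    return pattern_to_regex(pattern).search(strip_extension(file_name)) is not None


def evaluate_rule(pattern: str, file_names: list[str]) -> list[str]:
    """Return the file names a prevention rule with this pattern would intercept."""
    regex = pattern_to_regex(pattern)  # validate once, reuse for every name
    return [f for f in file_names if regex.search(strip_extension(f))]


if __name__ == "__main__":
    # Constructed sample upload names, not real data.
    sample = [
        "myfile 21_02_2023.docx",
        "myfile 21 02 2023.xlsx",
        "budget_q1.xlsx",
        "21_02_2023",
    ]
    print(evaluate_rule("??_??_????", sample))
    print(evaluate_rule("?? ?? ???", sample))
```

Note that a pattern containing an extension (for example ??_??_????.docx) never matches, because the comparison is made against the name with the extension already removed; the Extension field is the place to constrain that.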

Files/Resources > Content Type

Internally registered data type.

True File Type Detection - Agent Realm

Files/Resources > Extension

File Extension

Files/Resources > Size

File Size

Files/Resources > Resource URL

Target URL the file is being uploaded to.

Tracking > Origin Resource URL

URL of the physical file, which can be located on a different domain than the web page from which the download activity was triggered.

Tracking > Resource URL Domain

For File Web Upload, represents the hostname of the URL. (From 4.3)

Devices > USB Vendor Name, USB Vendor ID, USB Product Name, USB Product ID, USB Serial Number, Device ID, Device Name, Device URL (from 4.3), Device Scheme (from 4.3)

Group Name and Group from Catalog

The Group Name field is retrieved from the Identity Catalog, in addition to the already supported Group from Catalog field.

  • Group From Catalog is based on the group's record ID, which remains consistent even if the group's name or other properties are changed.

  • Group Name from Identity Catalog is based on the record's property Group Name, which may change if the name is modified in the source system (e.g., Microsoft Entra ID/Azure AD).

Group Name from the Identity Catalog supports operators such as Starts With and Contains.

Rules based on Group Name in the Identity Catalog may stop working if the Group Name is changed in the Identity Service (e.g., Microsoft Entra ID/Azure AD).
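Added example (not from this documentation) illustrating the difference between the ID-based and name-based group fields described here and in the User from Catalog / Group from Catalog entry above: a small rule evaluator in which Group from Catalog compares catalog record IDs and accepts only In / Not In, while Group Name compares the name property and additionally accepts Starts With / Contains. Renaming the group in the source directory is then simulated to show which rule keeps matching. The record shape, operator spellings, function names and the group values are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class CatalogGroup:
    """A group record as an identity catalog might hold it (constructed shape)."""
    record_id: str   # stable identifier, survives renames in the source system
    name: str        # display name, may change in the source system


@dataclass(frozen=True)
class Rule:
    field: str              # "group_from_catalog" (ID-based) or "group_name" (name-based)
    operator: str           # "in", "not_in", "starts_with", "contains"
    values: tuple[str, ...]


# Operators each field supports, following the documentation: the ID-based field
# allows only In / Not In, the name-based field additionally Starts With / Contains.
ALLOWED_OPERATORS = {
    "group_from_catalog": frozenset({"in", "not_in"}),
    "group_name": frozenset({"in", "not_in", "starts_with", "contains"}),
}


def validate_rule(rule: Rule) -> None:
    """Reject rules that combine a field with an operator it does not support."""
    allowed = ALLOWED_OPERATORS.get(rule.field)
    if allowed is None:
        raise ValueError(f"unknown field {rule.field!r}")
    if rule.operator not in allowed:
        raise ValueError(f"operator {rule.operator!r} is not allowed on {rule.field}")


def _subject(rule: Rule, group: CatalogGroup) -> str:
    """The group property the rule compares: the record ID or the display name."""
    return group.record_id if rule.field == "group_from_catalog" else group.name


def rule_matches(rule: Rule, groups: Iterable[CatalogGroup]) -> bool:
    """Evaluate the rule against the groups a user belongs to."""
    validate_rule(rule)
    subjects = [_subject(rule, g) for g in groups]
    if rule.operator == "in":
        return any(s in rule.values for s in subjects)
    if rule.operator == "not_in":
        return all(s not in rule.values for s in subjects)
    if rule.operator == "starts_with":
        return any(s.startswith(v) for s in subjects for v in rule.values)
    if rule.operator == "contains":
        return any(v in s for s in subjects for v in rule.values)
    raise AssertionError("unreachable: validate_rule already checked the operator")


def rename_group(group: CatalogGroup, new_name: str) -> CatalogGroup:
    """Simulate a rename in the source system: same record ID, new name."""
    return CatalogGroup(group.record_id, new_name)


def demo() -> tuple[tuple[bool, bool], tuple[bool, bool]]:
    """Return (ID rule, name rule) match results before and after a rename."""
    finance = CatalogGroup("grp-0001", "Finance-Users")  # constructed group
    by_id = Rule("group_from_catalog", "in", ("grp-0001",))
    by_name = Rule("group_name", "starts_with", ("Finance",))
    before = (rule_matches(by_id, [finance]), rule_matches(by_name, [finance]))
    renamed = rename_group(finance, "Accounting-Users")
    after = (rule_matches(by_id, [renamed]), rule_matches(by_name, [renamed]))
    return before, after


if __name__ == "__main__":
    print(demo())  # the ID-based rule still matches after the rename, the name-based one does not
```

The trade-off this makes visible is the one the documentation states: the ID-based field is stable across renames but only supports exact membership tests, while the name-based field allows prefix and substring matching at the cost of silently stopping to match once the name changes in the identity service.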

Related Topic:

ITM / Endpoint DLP Prevention Rules