Prevention Rules Filters and Fields

Depending on the target, you can filter by the fields described in the table.

| Target | Field | Additional Information and Links |
|---|---|---|
| User | User Name | Username as seen by the observed system, for example a local endpoint username, “samAccountName” or an “email”. Rule configuration is based on the user name. Prevention rules based on these fields are sensitive to name change. Modifying the user name will cause the rule not to match. Use this field to target based on pattern matching using wildcard operators (e.g., 'contains'). |
| | Group Names | Group name from the observed system containing User Names. Rule configuration is based on the group name. Prevention rules based on these fields are sensitive to name change. Modifying the group name will cause the rule not to match. Use this field to target based on pattern matching using wildcard operators (e.g., 'contains'). |
| Process/Application | Executable Name | Name of the executable file of the application |
| Files/Resources | Classification Labels | MIP File Label. See Classification Accounts (MIP Labels for ITM / Endpoint DLP). |
| | File Name | File name you want without the extension. Characters not supported by Windows OS are not supported and cannot be used (‘/’, ‘\’, ‘?’, ‘%’, ‘*’, ‘:’, ‘\|’, ‘”’, ‘<’, ‘>’). You can also set a rule to intercept a specific pattern of characters in a file name. Characters in a pattern are represented by the ? character, and the pattern can contain other characters and spaces. Use this for a file name that contains a defined pattern of characters. For example, ??_??_???? represents a date format in the file name, such as myfile 21_02_2023. An example with spaces, ?? ?? ???, would include myfile 21 02 2023. Prevention by filename is currently supported for Windows Agents only. |
| | Content Type | Internally registered data type. See True File Type Detection - Agent Realm. |
| | Extension | File Extension |
| | Size | File Size |
| Resource | URL | Target URL the file is being uploaded to. |
| | Tracking Origin Resource URL | URL of the physical file that can be located on a different domain than the web page from which the download activity was triggered. |
| Devices | USB Vendor Name | |
| | USB Vendor ID | |
| | USB Product Name | |
| | USB Product ID | |
| | USB Serial Number | |
| | Device ID | |
| | Device Name | |

Group Name and Group from Catalog

The Group Name field is retrieved from the Identity Catalog, in addition to the already supported field Group from Catalog.

  • Group from Catalog is based on the group's record ID, which remains consistent even if the group's name or other properties are changed.

  • Group Name from Identity Catalog is based on the record's property Group Name, which may change if the name is modified in the source system (e.g., Microsoft Entra ID/Azure AD).

Group Name from Identity Catalog allows users to use operators such as Starts With and Contains.

Rules based on Group Name in the Identity Catalog may stop working if the Group Name is changed in the Identity Service (e.g., Microsoft Entra ID/Azure AD).
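
The difference between the two group fields, shown as an added example that is not part of the product or of this documentation: it compares which Identity Catalog records each rule type covers before and after a group is renamed in the source directory. The rule model, the field and operator identifiers, the record IDs and the group names are all constructed for illustration.

```python
from dataclasses import dataclass

# Constructed Identity Catalog snapshots: record ID -> Group Name.
# Record "g-002" was renamed in the source directory between the two snapshots.
BEFORE = {"g-001": "Finance-Payroll", "g-002": "Finance-Contractors", "g-003": "Engineering"}
AFTER = {"g-001": "Finance-Payroll", "g-002": "External-Contractors", "g-003": "Engineering"}

@dataclass(frozen=True)
class Rule:
    name: str
    field: str     # hypothetical ids: "group_from_catalog" (record ID) or "group_name"
    operator: str  # "is", "starts_with" or "contains"
    value: str

# Constructed rules: two keyed on the Group Name property, one on the record ID.
RULES = [
    Rule("block-usb-finance", "group_name", "starts_with", "Finance-"),
    Rule("block-upload-contractors", "group_name", "contains", "Finance-Contractors"),
    Rule("block-upload-contractors-by-id", "group_from_catalog", "is", "g-002"),
]

def matched_ids(rule, catalog):
    """Return the set of record IDs the rule targets in this catalog snapshot."""
    if rule.field == "group_from_catalog":
        # ID-based targeting: the name plays no part in the match.
        return {rule.value} & set(catalog)
    tests = {
        "is": lambda n: n == rule.value,
        "starts_with": lambda n: n.startswith(rule.value),
        "contains": lambda n: rule.value in n,
    }
    test = tests[rule.operator]
    return {rid for rid, name in catalog.items() if test(name)}

def coverage_lost(rules, before, after):
    """Map rule name -> record IDs it covered before the change but not after."""
    report = {}
    for rule in rules:
        lost = matched_ids(rule, before) - matched_ids(rule, after)
        if lost:
            report[rule.name] = sorted(lost)
    return report

if __name__ == "__main__":
    for rule_name, ids in coverage_lost(RULES, BEFORE, AFTER).items():
        print(f"{rule_name}: no longer matches {ids}")
```

Both name-based rules lose the renamed group while the ID-based rule keeps it, which is why a comparison like this is worth running whenever groups are renamed in the identity service.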

Related Topic:

ITM / Endpoint DLP Prevention Rules