Creating Professional DLP Dictionaries/Patterns

(Omar ) #1

I finished the ZCCA-IA, PA and ZTAC certificates and am currently in the Professional Certificate for IA.

My question is regarding Data Loss Prevention dictionaries: when creating one, is there a guideline for creating a dictionary that won't return false positives?
Anyone can create a dictionary with phrases like "Name", "DOB", "IP", which will return false positives, but how to create professional dictionaries is what I want more depth on.

(Pooja Deshmukh) #2
Always start from the use cases. What type of information would you like to identify and monitor? Identify the data and the constraints that can be imposed on the data.

Dictionaries comprise both phrases (name/DOB/IP in your example) and patterns (regular expressions). More on the syntax and samples here -

(jitumani das) #3

The following are examples of valid custom patterns:
Looks for the word “Confidential” or “CONFIDENTIAL” anywhere
” at the beginning specifies to look anywhere in the stream
Depending on the case-sensitivity requirements of the decoder, this may not match “confidential” (all lower case)
.((Proprietary & Confidential)|(Proprietary and Confidential))
Looks for either “Proprietary & Confidential” or “Proprietary and Confidential”
More precise than looking for “Confidential”
(Press Release).((Draft)|(DRAFT)|(draft))
Looks for “Press Release” followed by various forms of the word draft, which may indicate that the press release isn’t ready to be sent outside the company
Looks for a project code name, such as “Zscaler”

(Omar ) #4

Appreciate your contribution this helps a lot.

(Omar ) #5

Zscaler provides the supported table and some templates, but not how to make it more intelligent.

I want to build more intelligent patterns/dictionaries which will lead to intelligent detection. It would help if we could have a list of sample dictionaries or sample patterns other than the ones in the Help Portal.

I am aware of the Exact Match feature but that is not what we are looking for.

(Pooja Deshmukh) #6

@Omar - The phrases and patterns work based on the format defined by the administrator. One can adjust the violation threshold to define how many occurrences of such phrases/patterns generate an incident. One can also write more restrictive patterns.

Please look into Exact Data Match if you want a secondary level of inspection on specific data like Name/DOB mentioned in your example.
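As an added illustration that is not part of the thread and not Zscaler's own dictionary engine: the script below takes the two points made above, more restrictive patterns (post #3) and a violation threshold (post #6), and shows them working on constructed sample documents. The regexes are my own Python renderings of the phrases quoted in the thread ("Proprietary & Confidential", "Press Release" followed by "draft"); the documents, pattern names and the `evaluate` function are assumptions made for the example, and the threshold is modelled simply as "total occurrences across the dictionary".

```python
import re
from dataclasses import dataclass

# Constructed sample documents (not taken from the thread or any real data).
DOCS = {
    "press_release_draft": "Press Release - DRAFT: Example Corp announces ... do not distribute",
    "legal_memo": "This memo is Proprietary & Confidential. Proprietary and Confidential material follows.",
    "newsletter": "Confidential? No, this is the public newsletter. Confidential is just a word here.",
}


@dataclass(frozen=True)
class Pattern:
    """One dictionary entry: a name, a regex, and whether case matters (see post #3's note)."""
    name: str
    regex: str
    case_sensitive: bool = True


# Loose entry: a single word, the kind of phrase the question warns produces false positives.
LOOSE = Pattern("any-confidential", r"Confidential")

# More restrictive entries, in the spirit of the thread's examples (my regex wording, not Zscaler's).
PRECISE = [
    Pattern("proprietary-confidential", r"Proprietary (?:&|and) Confidential"),
    Pattern("press-release-draft", r"Press Release.*?\b(?:Draft|DRAFT|draft)\b"),
]


def count_hits(text: str, pattern: Pattern) -> int:
    """Number of non-overlapping occurrences of one pattern in the text."""
    flags = 0 if pattern.case_sensitive else re.IGNORECASE
    return len(re.findall(pattern.regex, text, flags))


def evaluate(text: str, patterns: list, threshold: int):
    """Return per-pattern hit counts and whether the violation threshold is reached.

    threshold: minimum total occurrences across the dictionary before an incident is raised
    (an assumed, simplified model of the violation threshold discussed in post #6).
    """
    hits = {p.name: count_hits(text, p) for p in patterns}
    return hits, sum(hits.values()) >= threshold


if __name__ == "__main__":
    for name, text in DOCS.items():
        loose_hits = count_hits(text, LOOSE)
        precise_hits, incident = evaluate(text, PRECISE, threshold=1)
        print(f"{name}: loose={loose_hits} precise={precise_hits} incident={incident}")
```

Running it shows the newsletter tripping the loose entry twice while the restrictive dictionary stays silent, the legal memo hitting the restrictive entry twice (so a threshold of 2 still raises an incident, a threshold of 3 does not), and the draft press release caught only by the two-part pattern. Flipping `case_sensitive` on an entry is the way to make "confidential" in lower case count, as post #3 cautions.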

(Omar ) #7

Thanks for the reply.