How to create a rule set
To create a new rule set, follow these steps:
Click on Create New Rule Set at the top right corner.
Rule Set Name and Policy Type:
Select a policy type (Detection, External Users, Internal Users, Labeling or Retention).
Enter a name for the new rule set.
Enter a description.
The Rule Set Criteria screen allows you to define the conditions under which alerts are triggered. This is the first step in creating a rule set and supports combining multiple conditions with logical operators like OR or AND. You can configure conditions based on document classification, sensitive attributes, sensitivity levels, or labels.
The following steps explain how to configure Rule Set Criteria, referencing the diagram for better visualization.
Logical Operator Selection (Marker 1):
Choose between Any (OR) to trigger alerts if any condition matches or All (AND) to trigger alerts only if all conditions match.
Condition Type (Marker 2):
Select the type of condition you want to configure. Options include:
Document Classification: Filter based on categories like Financial or Medical.
Other types like Attribute Sensitivity or Labels can also be chosen (not shown here).
Logical Operator for Condition (Marker 3):
Define how the selected condition is evaluated. For Document Classification, options include:
Any of these (OR): Alerts trigger if a document matches any selected category.
All of these (AND): Alerts trigger only if a document matches all selected categories.
Category Selection (Marker 4):
Expand categories (e.g., Financial, Legal) to view specific subcategories.
Subcategory Options (Marker 5):
Select subcategories like Tax Forms or Insurance to refine your rule.
Add More Conditions (Marker 6):
Use the Add More Condition button to include additional filters, combining them with the primary logical operator (OR/AND).
Choose a Condition Type: Select a type like Document Classification, Attribute Type, Attribute Sensitivity, or Labels.
Configure the Selected Condition: Specify subcategories, instance counts, sensitivity thresholds, or labels.
Add More Conditions (Optional): Combine additional conditions to refine your rule set.
Save and Proceed: Finalize the rule set and move to the next step in the workflow.
At the top of the screen:
Any (OR): Triggers alerts if at least one condition is met.
All (AND): Triggers alerts only if all conditions are met.
This operator applies to all conditions in the rule set.
Example:
Use OR for broader policies, such as detecting Financial OR Legal documents.
Use AND for stricter policies, such as detecting Financial AND Medical documents.
Choose a Condition Type (refer to Marker 2 in the diagram):
Document Classification: Apply rules to document categories like Financial or Medical.
Attribute Type: Filter by sensitive data, such as Credit Card or SSN.
Attribute Sensitivity: Set thresholds based on sensitivity levels (High, Medium, Low).
Labels: Apply rules to documents with specific labels like Confidential or Restricted.
Set Logical Operators for Conditions (refer to Marker 3 in the diagram):
Any of these (OR): Alerts trigger if any selected criteria match.
All of these (AND): Alerts trigger only if all criteria match.
Not any of these (NOR): Alerts trigger only if none of the selected criteria match.
Not all of these (NAND): Alerts trigger if not all criteria match.
3.1 Document Classification
Create rules based on document types or categories. Select specific document types to include in or exclude from the rule:
Broad document categories (e.g., Financial, Legal, Human Resource, Medical, Identity, Unclassified).
Specific document types within the selected category (e.g., Invoices/Receipts, Tax Forms, SEC filings).
Adding Logical Conditions
Use the second dropdown to select the logical operator for this condition. For document classifications, you can choose:
Any of these (OR): Alerts trigger if any selected category matches.
All of these (AND): Alerts trigger only if all selected categories match.
Tip: Use buttons like "Select All" or "Clear All" to manage your selections quickly.
3.2 Attribute Type
Select Attributes:
Choose from predefined sets like US Essentials or Privacy Essentials.
Examples include SSN, Credit Card, or Driver’s License.
Set Instance Counts:
Specify Minimum (Min) and Maximum (Max) counts for each attribute.
Example: Trigger alerts for documents containing 3–10 Credit Card numbers.
3.3 Attribute Sensitivity
Group by Sensitivity:
Configure rules based on High, Medium, or Low sensitivity levels.
Set Thresholds:
Example: Trigger an alert for documents with more than 1 High-Sensitivity attribute and 3 Medium-Sensitivity attributes.
3.4 Labels
Select Labels:
Expand the label group (e.g., Lightbeam Sensitivity Labels) to view available labels.
Use checkboxes to select one or more labels (e.g., Classified, Sensitive, Restricted).
Use the Select All or Clear All options for bulk actions.
Combine with Other Conditions:
Example: Trigger alerts for Confidential documents containing High-Sensitivity attributes.
Click Add More Criteria to include additional conditions.
Combine these conditions with the logical operator (OR/AND) selected in Step 1.
Example:
Combine Document Classification with Attribute Sensitivity:
Condition 1: Document Classification > Financial > Tax Forms.
Condition 2: Attribute Sensitivity > High > 3 Instances.
Click Save Criteria to finalize the rule set.
Continue to the next steps:
Step 2: Select Data Sources: Specify where the rule applies (e.g., Gmail, SharePoint, or S3 buckets).
Step 3: Configure Alerts and Notifications: Define alert severity and notification preferences.
Step 4: Automation: Set automated actions for triggered alerts (optional).
Example 1: Financial Documents with High-Sensitivity Data
Rule: Alert for Financial documents with 5 or more instances of Credit Card numbers.
Configuration:
Condition 1: Document Classification > Financial.
Condition 2: Attribute Type > Credit Card > Min 5.
Example 2: Confidential Documents with Attribute Sensitivity
Rule: Alert for Confidential documents containing High-Sensitivity data.
Configuration:
Condition 1: Labels > Confidential.
Condition 2: Attribute Sensitivity > High > Min 2.
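The criteria logic above can be checked offline before a rule set goes live. The following Python model is an added example, not LightBeam code or a LightBeam API: it evaluates Example 1 and Example 2 against constructed sample documents. The dictionary layout, the function names `hits` and `matching`, and the choice of All (AND) as the top-level operator for both examples are assumptions of this sketch.

```python
# Added illustration: a local model of the criteria semantics, not LightBeam code.
INF = float("inf")

# Constructed sample scan results: categories, labels, per-attribute instance
# counts, and number of attribute instances per sensitivity level.
DOCS = {
    "q3-card-export.xlsx": {"classes": {"Financial"}, "labels": set(),
                            "attrs": {"Credit Card": 7}, "sens": {"High": 7}},
    "invoice-0412.pdf":    {"classes": {"Financial"}, "labels": set(),
                            "attrs": {"Credit Card": 1}, "sens": {"High": 1}},
    "support-chat.txt":    {"classes": {"Unclassified"}, "labels": set(),
                            "attrs": {"Credit Card": 6}, "sens": {"High": 6}},
    "merger-memo.docx":    {"classes": {"Legal"}, "labels": {"Confidential"},
                            "attrs": {"SSN": 2}, "sens": {"High": 2}},
    "lunch-menu.docx":     {"classes": {"Unclassified"}, "labels": {"Confidential"},
                            "attrs": {}, "sens": {}},
}

# Per-condition operators from the page: Any / All / Not any (NOR) / Not all (NAND).
OPS = {"any": any, "all": all,
       "nor": lambda h: not any(h), "nand": lambda h: not all(h)}

def hits(doc, cond):
    """Return one boolean per item selected in a condition."""
    kind, items = cond["type"], cond["items"]
    if kind == "classification":
        return [c in doc["classes"] for c in items]
    if kind == "label":
        return [name in doc["labels"] for name in items]
    # Attribute Type / Attribute Sensitivity: items map name -> (min, max) count.
    counts = doc["attrs"] if kind == "attribute" else doc["sens"]
    return [lo <= counts.get(n, 0) <= hi for n, (lo, hi) in items.items()]

def matching(rule, docs=DOCS):
    """Names of documents that would raise an alert under the rule set."""
    top = any if rule["match"] == "any" else all   # top-level Any (OR) / All (AND)
    return sorted(name for name, d in docs.items()
                  if top(OPS[c["op"]](hits(d, c)) for c in rule["conditions"]))

EXAMPLE_1 = {"match": "all", "conditions": [
    {"type": "classification", "op": "any", "items": ["Financial"]},
    {"type": "attribute", "op": "any", "items": {"Credit Card": (5, INF)}}]}
EXAMPLE_2 = {"match": "all", "conditions": [
    {"type": "label", "op": "any", "items": ["Confidential"]},
    {"type": "sensitivity", "op": "any", "items": {"High": (2, INF)}}]}

if __name__ == "__main__":
    print("Example 1 (AND):", matching(EXAMPLE_1))
    print("Example 1 (OR): ", matching({**EXAMPLE_1, "match": "any"}))
    print("Example 2 (AND):", matching(EXAMPLE_2))
```

Switching Example 1 from All (AND) to Any (OR) widens the result from one document to three, which is the difference to check before assigning a Critical severity to a rule set.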
Click Next to move to the next step.
Users can connect various data sources to the LightBeam application, and these data sources are continuously monitored for attributes and entities.
In the new update, the data source selection process has been enhanced with new policy scan conditions. Here's how it works:
a. Choose the scope of your policy:
All data sources: This option will automatically include any future data sources in the scanning process. Ideal for policies that should apply universally across your organization's data.
Specific Data Source Selection:
If you don’t want to scan all data sources, deselect the "Select all data sources" option and choose specific ones. For each selected data source, you can now configure more granular scanning conditions.
b. Configure Granular Controls for Selected Data Sources
i. SharePoint:
Scan all Sites: Include all SharePoint sites but specify an exclusion list to omit specific sites from scanning.
Scan selected Sites: Target specific sites for scanning by specifying an inclusion list.
ii. Google Drive and OneDrive:
Include or exclude specific drives (e.g., personal drives, shared drives).
iii. Gmail and Outlook:
Include or exclude specific members or groups to target relevant email accounts for scanning.
iv. Amazon S3:
Include or exclude specific buckets to focus on relevant data repositories.
New Features in Alerts 2.1.2:
The ability to configure exclusion lists for broader data sources such as SharePoint sites, Gmail accounts, and Google Drives.
The option to automatically include future data sources using the All Data Sources setting.
c. Create Inclusion and Exclusion Lists
For each supported construct (sites, drives, mailboxes, buckets), you can define detailed inclusion or exclusion lists to fine-tune the scanning process.
Example Configuration for SharePoint:
If scanning selected sites, navigate to the "Inclusion List for Scanning" section.
Input the names of the sites to include in the provided text box.
Click the Add button to include them in the scanning scope.
If needed, remove sites by selecting their checkboxes and clicking "Remove from Inclusion List".
If scanning all sites, navigate to the "Exclusion List for Scanning" section.
Input the names of the sites to exclude in the provided text box.
Click the Add button, and ensure their checkboxes are ticked.
Save your configuration by clicking Save.
d. Example Scenarios
Scenario 1: Apply a Policy to HR Documents in Google Drive
Configuration:
Select Google Drive as the data source.
Include the HR team’s shared drive.
Exclude folders marked External Collaboration.
Save the configuration.
Scenario 2: Monitor Specific Members/Groups in Gmail
Configuration:
Select Gmail as the data source.
Include groups for HR and Legal teams.
Exclude other groups from the scanning scope.
Save the configuration.
For example, consider this SharePoint data source:
Choose between the "Scan all Sites" or "Scan selected Sites" option:
If you selected "Scan selected Sites", navigate to the "INCLUSION LIST FOR SCANNING" section.
Input the names of the sites you want to include in scanning in the provided text box.
Click on the Add button.
If needed, you can remove sites from the inclusion list by selecting the checkboxes next to them and clicking the "Remove from inclusion list" button.
If you select "Scan all Sites", you can specify an exclusion list to exclude specific sites from scanning.
If you selected "Scan all Sites", navigate to the "EXCLUSION LIST FOR SCANNING" section.
Input the names of the sites you want to exclude from scanning in the provided text box and click on Add.
To proceed with the selected sites, make sure their checkboxes are ticked and then click on Save.
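A scope configured with inclusion and exclusion lists can leave containers unscanned without anyone noticing, so it helps to compare the scope against an inventory. The Python sketch below is an added example, not LightBeam code: it models the options described above and lists what a policy does not cover. The dictionary layout, the function names, exact-name matching, and the treatment of a site created later under "Scan all Sites" are assumptions of this model, and the inventory is constructed.

```python
# Added illustration: models the scoping options described above; not LightBeam code.

def in_scope(scope, source, container):
    """True if a container (site, drive, mailbox, bucket) of a source is scanned."""
    if scope.get("all_data_sources"):
        return True                        # also covers sources connected later
    cfg = scope["sources"].get(source)
    if cfg is None:
        return False                       # source not selected for this policy
    if cfg["mode"] == "all":               # "Scan all Sites" with an exclusion list
        return container not in cfg["exclude"]
    return container in cfg["include"]     # "Scan selected Sites" with an inclusion list

def unscanned(scope, inventory):
    """Sorted (source, container) pairs that the policy does not cover."""
    return sorted((s, c) for s, names in inventory.items()
                  for c in names if not in_scope(scope, s, c))

# Constructed inventory, and the same inventory after a new site is created.
INVENTORY = {"SharePoint": ["Finance", "HR", "Marketing"], "Amazon S3": ["backups"]}
LATER = {**INVENTORY, "SharePoint": INVENTORY["SharePoint"] + ["Mergers"]}

# Two policies that cover the same sites today but diverge once "Mergers" exists.
SCAN_ALL = {"all_data_sources": False, "sources": {
    "SharePoint": {"mode": "all", "exclude": {"Marketing"}}}}
SCAN_SELECTED = {"all_data_sources": False, "sources": {
    "SharePoint": {"mode": "selected", "include": {"Finance", "HR"}}}}
EVERYTHING = {"all_data_sources": True}

if __name__ == "__main__":
    for name, scope in [("scan all", SCAN_ALL), ("scan selected", SCAN_SELECTED),
                        ("all data sources", EVERYTHING)]:
        print(name, "->", unscanned(scope, LATER))
```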
LightBeam Spectra scans the selected data source(s) for specified attribute sets and raises an alert for each instance of data violation. In this step, you'll configure how these alerts are generated, managed, and prioritized. Here's how to set up each option:
Select the Enabled option to receive alerts for this rule set.
Choose Disabled if you don't want to generate alerts.
When enabled, an alert is triggered for each data privacy violation detected.
By default, alerts are assigned to the Datasource Owner(s).
To assign alerts to the Object Owner(s) instead, select that option.
To include more team members in alert notifications:
Locate the field labeled "Hit enter to add another member".
Type in the email address of each additional recipient.
Press Enter after each email to add it to the list.
Choose the severity level for alerts generated by this rule set.
Click the Select Severity Level dropdown menu and choose one of:
Info: For low-priority notifications
Warning: For moderate-priority issues
Critical: For high-priority alerts requiring immediate attention
Selecting the appropriate severity helps prioritize responses to alerts.
If the rule set relates to specific data privacy regulations:
Click the Select Regulations dropdown.
Choose the relevant regulations from the list.
This optional field allows you to associate alerts with specific data privacy regulations that may be breached.
Linking regulations aids in compliance tracking and reporting.
By carefully configuring these settings, you ensure that the right people are promptly notified of potential data privacy violations, can prioritize their responses effectively, and maintain regulatory compliance as needed.
The option to automate actions on alerts that highlight instances of data breaches will be made available in the future.
This feature will allow the system to automatically act on the alert and prevent the violation through actions such as:
Redaction
Deletion
Revoking access
Archiving
LightBeam Playbooks Alerts 2.1.1 introduces file classification-based policies, which allow you to apply labels and generate alerts based on the specific file classification of documents. These policies leverage the categorization of files determined by LightBeam Spectra's machine-learning algorithms, enabling more granular control over labeling and alerting based on the file classification hierarchy.
Navigate to the Policies section within the LightBeam Spectra console.
Click on the "Create New" button to start creating a new Labeling Policy.
Provide a name for the policy in the "Rule Set Name" field.
Select the file classification-based label set that you want to use from the available options. (Refer to the Label Management document for instructions on creating file classification-based label sets.) Click on Next.
Choose the data sources to which the policy should be applied, such as SharePoint, OneDrive, or Google Drive.
Click on the "Save & Close" button to save the Labeling Policy.