Rules Reference
Detailed reference information for the Rules API.
Rule Actions
| Action | Behavior | Use Case | Requires Obfuscations |
|---|---|---|---|
detect |
Log detection without modifying content | Audit trails, compliance monitoring | No |
obfuscate |
Mask sensitive data with specified pattern | Data masking in logs, APIs | Yes |
block |
Reject entire request/response if sensitive data found | Prevent data leakage | No |
ICAP Modes
Rules can apply to different traffic directions based on the icapMode field:
| Mode | Description | Common Use Cases |
|---|---|---|
"REQMOD" |
Apply to outbound requests | Prevent sensitive data from leaving your network |
"RESPMOD" |
Apply to inbound responses | Mask sensitive data coming into your network |
"BOTH" |
Apply to both directions | Universal data protection policies |
"" (empty string) or omitted |
Apply to both directions | Alternative to "BOTH" |
Filter Conditions
Both user and group filters support the following conditions:
| Condition | Behavior | Example |
|---|---|---|
equal |
Exact match | "filter": "john.doe" matches only "john.doe" |
notequal |
Inverse match | "filter": "admin" matches all users except "admin" |
contains |
Substring match | "filter": "eng" matches "engineering", "engineer", etc. |
doesnotcontain |
Inverse substring | "filter": "test" excludes users with "test" in username |
Time Filter Reference
Time Windows
Time windows use 24-hour format (HH:MM):
{
"timeWindows": [
{
"startTime": "09:00",
"endTime": "17:00"
},
{
"startTime": "19:00",
"endTime": "23:00"
}
]
}
Notes: - Multiple windows can be defined - Times are in the specified timezone - Crossing midnight requires two entries (e.g., "22:00-23:59" and "00:00-02:00")
Days of Week
Days are represented as integers (0-6):
| Value | Day |
|---|---|
0 |
Sunday |
1 |
Monday |
2 |
Tuesday |
3 |
Wednesday |
4 |
Thursday |
5 |
Friday |
6 |
Saturday |
Example - Weekdays only:
Timezones
Uses IANA timezone database names:
| Region | Example Timezones |
|---|---|
| North America | America/New_York, America/Chicago, America/Los_Angeles |
| Europe | Europe/London, Europe/Paris, Europe/Berlin |
| Asia | Asia/Tokyo, Asia/Shanghai, Asia/Dubai |
| Australia | Australia/Sydney, Australia/Melbourne |
Full list: IANA Time Zone Database
Behavior Types
| Behavior | Description | Use Case |
|---|---|---|
match |
Apply rule during specified times | "Block PII during business hours" |
bypass |
Apply rule outside specified times | "Allow unrestricted access during off-hours" |
Field Validation
Name and Description
| Field | Min Length | Max Length | Required |
|---|---|---|---|
name |
1 | 64 | Yes |
description |
0 | 128 | No |
Arrays
| Field | Minimum Items | Notes |
|---|---|---|
apps |
1 | At least one application required |
obfuscations |
1 (if action is obfuscate) |
Required for obfuscation rules, ignored for detect/block |
Best Practices
- Order rules strategically - Most specific rules first, general rules last
- Use descriptive names - Include action, data type, and scope (e.g., "Block SSNs to External APIs")
- Test with
enable: false- Create rules disabled, test thoroughly, then enable - Document complex filters - Use the
descriptionfield to explain user/group/time filters - Minimize filter complexity - Too many filters make rules hard to troubleshoot
- Use time filters sparingly - Time-based rules can be confusing during troubleshooting
- Review rule order regularly - Rule priorities may need adjustment as policies evolve
Related Topics
- Rules Overview - Core concepts and use cases
- Create Rule - Create a new rule
- Reorder Rules - Adjust rule evaluation priority
- Applications API - Create applications for rules
- Obfuscations API - Create obfuscations for masking