Aware - Setting Rule Triggers

Updated

This article contains information on setting up Signal rule triggers, including creating, editing, and deleting custom conditions to detect specific content types, keywords, patterns, and more for effective content monitoring.

 

Aware provides many different options when it comes to triggering con. You have already defined the Rule Scope and are ready to identify what triggers will match the content of your Rule. This article will review the following functionality:

  • General Condition Knowledge.
  • Create a Custom Condition List.
  • Edit a Custom Condition List.
  • Delete a Custom Condition List.

 

General Condition Knowledge

 

  1. Select the content types to scan: Messages and/or Uploaded Files and/or Images.

     

     

  2. Select the AND Condition drop-down and choose the desired Condition Type:

 

 

Keywords: Exact match keywords and phrases (these keywords and phrases can be in any language, including characters).

  • Patterns: A regular expression pattern used to identify a unique combination of numbers, letters or symbols.
  • Has Attachment: Attachments that have been included in a message (files, images, videos, platform documents, OneDrive, Google Drive, Box Files).
  • Contains Language: Identify messages that contain specific languages (English, German, French, Dutch, Spanish, Hindi, Bengali, Chinese, and/or Russian). An additional Language option (“Other”) is available to detect when a language is being spoken that is outside of a specific set of languages their employees are “allowed” to use or within the bounds of what the customer would expect.
  • Code Detection: Identifies messages with any text that looks like code.
  • Sentiment: Identify content that matches a specific category of emotion; use this as an AND statement (very positive, positive, neutral, negative, and/or very negative).

 

 

  • Toxic Speech: Identify inappropriate, offensive, and/or hate speech content.

 

 

  • Credit Card Number: Pattern to identify real credit cards using the Luhn Validation Method.
  • NSFW Image: Image only—trigger images that contain an inappropriate amount of nudity.
  • Screenshot Detection: Image only; identify software screenshots (This model does not identify text or objects within a screenshot, just that the uploaded image was a screenshot.).
  • Time of Day: Listen for messages sent during a specific time period in 15-minute increments. Times are in UTC to accommodate a geographically distributed workforce.
  • File Names & Extensions: It allows users to detect when a file contains a specific string of characters when it is shared.

  • Link Risk:  Link Risk is a new trigger condition in Signal that evaluates URLs shared in messages. It determines the legitimacy of the site being linked and works to identify any sites that could be malicious, e.g., phishing scams, scanner sites, sites hosting Windows exploits, etc. It is configurable with five different risk categories to meet a customer's needs.

    Reach out to your CSM or support@awarehq.com if you are interested in learning more. Currently, this feature is limited to Slack and Workplace by Meta

  • Password Detection: Listen for additional types of secrets, social security numbers, credit card numbers, routing numbers, and account numbers, and incorporate a credit card image detection rule trigger that will identify scans and images of credit cards.

 

Here are a few factors to consider when setting up a Signal Rule using the Password Detection trigger.

 

Confidence/Likelihood: The Password Detection model identifies potential password sharing in messages but cannot confirm if a term is a password. Any string may serve as a password depending on system needs. To address this, we label messages flagged by the model with one of three confidence levels, which are available when setting up rule triggers.

  • Somewhat Likely: This confidence level generates the most events, covering all confidence levels. Choose this when you need Aware to detect potential password messages. It may result in more false positives and fewer false negatives. Users worried about false negatives should use this or “likely,” but may find the high noise-to-signal ratio challenging for automated workflows.
  • Likely: This confidence level will produce fewer events than the Somewhat Likely confidence level, but the events will have a higher likelihood of containing a password.
  • Very Likely: This confidence level yields the fewest events, but those events are most likely to contain a password. Use it for high certainty of password presence. It minimizes false positives but may overlook simpler or contextually irrelevant passwords. Ideal for automated workflows involving actions like tombstone/delete.

 

RegEx Builder (Optional)

Users can refine their results by adding regular expression criteria, regardless of minimum confidence threshold chosen. These criteria are cumulative, so a team is flagged as a potential password only if it meets all selected conditions. This feature is useful when users know the specific password formats they want to target.

  1. If you select Keywords or Patterns, you can create your own templates with keywords and phrases or regular expressions or leverage the ones provided out of the box with Aware.
  2. Once one AND Condition has been created, you will be able to add an OR, AND or a NOT Condition, Choose Actions or Save and Close (This will strengthen your Rule and narrow the scope for content triggering).

 

Examples on how to use OR, AND, or NOT Condition

  • If you want to identify address information, you will want to use our Zip or Postal Code Pattern AND Street Suffix Keywords (using additional AND statements will help strengthen your rule and reduce false positives)
  • If you want to identify the keyword surgical, you will want to use a NOT condition that contains "surgical center, surgical centers, surgical company, and/or surgical facility"
  • If you want to identify inappropriate conversations, you may want to use Handicap Insults OR Swear/Insulting keywords
  1. Validate your Rule Triggers in the scope panel on the right-hand side. If you don't see a Condition you would like to use, you can create or edit a condition.

 

Create a Custom Condition

  1. Select Signal and choose a Policy
  2. Once you are in your Policy, click Rules and choose the Rule you would like to create a Condition for OR create a new Rule and then create a Condition
  3. Click Choose Triggers at the bottom of the page OR select Triggers from the Edit Rule toolbar on the left

 

 

  1. Select Keywords or Patterns from the Condition dropdown

 

 

  1. Select Create Keyword Template, located above the search box

 

 

  1. Name the customer template, enter the desired Keywords, Phrases or enter the regular expression (ensure that you press enter or select add after each keyword or phrase)
  2. Once your template is finished, click Create Template at the bottom

 

Edit a Custom Condition List

  1. Choose the Condition you would like to edit and click Edit Template
  2. You can edit the template by adding or removing items in the box below

 

 

  1. Once finished, save the edited Condition list

 

Delete a Custom Condition List

  1. Select the Condition you would like to delete and click Delete Template in the upper right-hand corner

 

 

  1. Type "delete" and then click Delete Template

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.