GAT Shield provides a real-time DLP solution for user browsing activities.
In GAT Shield the Admins can set up multiple different Alert rules. The Alert rules are a set of rules when triggered the Admin will get notified.
There are a few different types of alerts:
- File download
- Page content inspection
- Google docs inspection
- Visit
- Search
- Device usage
- Location
- IP Address
- ActiveID
- Denoted User/Last User mismatch
To set up an alert rule in GAT Shield for Social Security Number (SSN) detection
Within GAT Shield you will find a template rule for detecting Social Security Numbers on any website you users visit or if they themselves type it into a webpage.
Navigate to GAT Shield > Configuration > Alert Rules
Click on ‘Add a template rule’ and choose US SSN entered.
When you click on US SSN Entered a new window will be displayed to fill in the required details.
- Alert rule name – the name for the rule
- Activate – enable or disable the rule by using the checkmark
- Page content inspection regex – regex for US SSN number (the United States Social Security Number)
- Distinct upper and lower case letters – When enabled regex will distinct upper and lower case letters.
- Scan and alert on entire page – enable to trigger the scan on the entire page (uploaded, visited pages). By default, this option is disabled and triggers scanning only on user input (typing behavior).
- Regex word exclusions – Keywords for which no alert will be generated, even if the alert regex criteria are met, e.g. “gat;google” means this alert would never trigger when text matched by regex that contains at least one of a keyword.
- Page keywords – Words that appear on a page. Each of these keywords can have weight. Use for more accurate alert triggering. The weight for each keyword is counted only once, even if the keyword occurs many times on the page
- Alert trigger threshold – enter minimum weight to trigger an alert
- Report matched text
- Monitor on the following sites only – Enter websites for which an alert will be generated, e.g. “www.generalaudittool.com/test” or “generalaudittool.com/test/” means this alert would trigger on that site and all derivative sites. Add URL in the following format “(www.)yyy.zzz/path(/)”. No http:// or https:// is required.
- Site exclusions – Enter websites for which an alert will not be generated
- Scope – select the users for whom the alert will be set for
- (Optional) End-user action – set up the action for the end-user
- Display warning message
- Display warning message and close the browsing tab
- Display warning message and redirect
- Close the browser tab without message
- Redirect without message
- None
- Alert recipients – by default will be the Admin who creates the rule, additional recipients can be added
- (Optional) Screen capture – Report and take action, or do not report.
- (Optional) Webcam capture – Report and take action, or do not report.
- Note: Webcam capture must be enabled separately from the Admin console
When ready click on the Save button
The default example, all is needed is to select the Scope – which users are to be affected by this rule and change any of the additional settings according to your use-case. Inside of this template matches any valid SSN and by default, it has a weight of 1. If other keywords occur on the same page they each have their own weight. If the total weight is equal to or above 3 the rule will be fired.
You can also add your own keyword, or edit the regex, to exclude numbers like local area codes as an example (345,214,526,732).
The regex option we have is:
\b(?!000)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b
We can edit this to exclude your local code:
\b(?!00)(?!000)(?!345)(?!214)(?!526)(?!732)(?!666)([0-6]\d{2}|7([0-356]\d|7[012]))[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b
Example of an email received by a super admin.
