
Digital Guardian 6.2.2 Quick Reference
By Digital Guardian

Basic rules consist of an event operation and a property. The event operation uses a symbolic constant to define the event the rule governs. The rule property defines the event condition that must exist to trigger the rule. For example, CD Burn is an event operation, defined by the symbolic constant constOpCDBurn. A file extension of .doc is a property, defined by the property evtSrcFileExt. Depending on the rule action type, a Control Rule that contained both the CD Burn event and the .doc property could prevent users from burning Word documents to CDs.

The symbolic constants, properties, and operators available in Digital Guardian work for most types of rules, including Classification Rules, Control Rules, and Filter Rules. The effect of the rule is determined by the rule type and action type. The syntax for the rule definitions remains the same, regardless of rule type.

When you have multiple event operations, or multiple rule properties, you can use logical operators to specify the Boolean relationships between those expressions. Logical operators can wrap an entire rule definition and can be nested. For example, most rules are wrapped with the <and> operator to specify that all the conditions within the rule must be true to trigger the rule. Within that <and>, you might also have a nested <or> operator, for example, if you only require some rule properties to be true.

You can use relational operators to perform detailed evaluations of event operations and property values. Relational operators can construct strings to match property values, evaluate lists of property values, or compare multiple expressions to one another.

For a detailed explanation of the concepts outlined on this card, refer to the Digital Guardian Rule Implementation Guide.

Symbolic Constants

Symbolic constants provide predefined values for certain rule properties. For example, an operation can be defined by the symbolic constant constOpFileCopy to be a file copy event. Each table below gives the constant name, the event it describes, and the supported operating systems.

Rule action, tested by evtCurrentRuleAction (use evtCurrentRuleAction with the Continue Rule Evaluation option)

Name | Event Description | Supported OS
constRuleActionBlock | Rule action was Block | Windows
constRuleActionContinue | Rule action was Continue | Windows
constRuleActionEncrypt | Rule action was Encrypt | Windows
constRuleActionNone | Rule action was None. No rule has matched the current event. | Windows
constRuleActionVault | Rule action was Vault | Windows

Operation Type, used in evtOperationType

Name | Event Description | Supported OS
constOpAdeCut | Copy or cut | Windows, OS X
constOpADEInsertFile | Existing OLE insertion | Windows
constOpADEInsertNewObject | Unsaved OLE insertion | Windows
constOpAdePaste | Paste from clipboard | Windows
constOpAdePrintProcess | Print current application window | Windows
constOpAdePrintScreen | Print entire screen | Windows
constOpAdeScreenCapture | Non-native screen capture application | Windows
constOpAppDataExchange | Application data exchange (paste from clipboard) | All
constOpAppScreenBuffer | Scans screen for classifiable content | Windows
constOpAppStart | Application start (used by Control rules to prevent an application from starting) | All
constOpCDBurn | CD/DVD burn | Windows, Linux, OS X
constOpFileArchive | File archive using tar or mkisofs. Also WinZip or WinRAR on Microsoft Windows. Creates an empty archive when used in blocking. | Windows, Linux
constOpFileClose | Close a file | Windows, Linux
constOpFileCopy | File copy | All
constOpFileCreate | File create | Windows, Linux
constOpFileDecrypt | Manual decryption of AFE encrypted file | Windows
constOpFileDelete | File delete | Windows
constOpFileEdit | File edit | Windows
constOpFileMove | File move | All
constOpFileOpen | File open | All
constOpFileRead | File read | All
constOpFileRecycle | File recycle | Windows, Linux, OS X
constOpFileRename | File rename | All
constOpFileRestore | File restore | Windows
constOpFileSaveAs | File save as | All
constOpFileWrite | File write | All
constOpLogon | User logs on to Agent computer | Windows
constOpLogoff | User logs off Agent computer | Windows
constOpMailAttach | Attach to Outlook or Notes message | Windows
constOpNetTransferDownload | Download over network | All
constOpNetTransferUpload | Upload file over network | All
constOpNetwork | All network operations (connect, listen, accept connections, etc.) | All
constOpPrint | Print | All
constOpSendMail | Send email (Apple Mail only on OS X) | All

Device events, used in evtOperationType

Name | Event Description | Supported OS
constOpDeviceAdded | Device inserted into port | Windows
constOpDeviceDetected | Device found during start | Windows
constOpDeviceMissing | USB device not present during start that was present during shutdown | Windows
constOpDeviceOpen | Device opened for use. Primarily for USB or built-in Web cameras | Windows
constOpDeviceRemoved | Device is removed | Windows

Network Adapter Types, used in evtPhysicalMedium

Name | Description | Supported OS
const1394 | Firewire adapter | Windows
constBluetooth | Bluetooth adapter | Windows
constEthernet | Ethernet adapter | Windows
constIrDA | Infrared adapter | Windows
constVPN | Virtual private network adapter | Windows
constWireless | Wireless adapter | Windows

Protocol Type, used in evtProtocolType

Name | Description | Supported OS
constProtocolBluetooth | Bluetooth Protocol | Windows
constProtocolHTTP | HTTP Protocol | Windows, OS X
constProtocolIrDA | IrDA Protocol | Windows
constProtocolTCP | Transport Control Protocol (TCP) | All
constProtocolUDP | User Datagram Protocol (UDP) | All

Application Data Exchange Type, used in evtADEType

Name | Description | Supported OS
constCutPaste | Copy or cut | Linux
constDragDrop | Drag and drop | Linux
constPrintScreen | Print screen | Linux

Bus Type, used in evtDestBusType and evtSrcBusType

Name | Description | Supported OS
constBus1394 | Firewire (1394) bus | Windows, OS X
constBusATA | Advanced Technology Attachment bus | Windows
constBusATAPI | Advanced Technology Attachment Packet Interface bus | Windows
constBusiScsi | Internet Small Computer System Interface bus | Windows
constBusRAID | Redundant Array of Inexpensive Disks | Windows
constBusSAS | Serial Attached SCSI | Windows
constBusSATA | Serial ATA | Windows, Linux
constBusScsi | Small Computer System Interface bus | Windows
constBusSD | Secure Digital | Windows
constBusSSA | Serial Storage Architecture bus | Windows
constBusFibre | Fibre channel host bus | Windows
constBusUnknown | Unknown bus type | Windows
constBusUSB | Universal Serial Bus | Windows, OS X

Wireless Authentication Types, used in evtWirelessAuthenticationMode

Name | Description | Supported OS
constOpen | Open, unsecured access | Windows
constShared | Wi-Fi shared access | Windows
constWPA | Wi-Fi Protected Access | Windows
constWPA2 | Wi-Fi Protected Access 2 | Windows
constWPA2PSK | Wi-Fi Protected Access 2 with Pre-shared key | Windows
constWPANone | Wi-Fi Protected Access with no key | Windows
constWPAPSK | Wi-Fi Protected Access with Pre-shared key | Windows

Wireless Encryption Types, used in evtWirelessEncryption

Name | Description | Supported OS
constAES | Advanced Encryption Standard | Windows
constNone | No encryption applied | Windows
constTKIP | Temporal Key Integrity Protocol | Windows
constWEP | Wired Equivalency Privacy encryption | Windows

Wireless Infrastructure Mode Types, used in evtWirelessInfrastructureMode

Name | Description | Supported OS
constAccessPoint | Wireless access points network | Windows
constAdHoc | Ad hoc wireless network | Windows

Days of the Week, used in agentCurrentDayOfWeek

Name | Description | Supported OS
constSunday | Sunday | Windows
constMonday | Monday | Windows
constTuesday | Tuesday | Windows
constWednesday | Wednesday | Windows
constThursday | Thursday | Windows
constFriday | Friday | Windows
constSaturday | Saturday | Windows

Drive Type, used in evtDestDriveType and evtSrcDriveType

Name | Description | Supported OS
constDriveUnknown | Windows could not determine drive type. | All
constDriveRemovable | Disk is removable from the computer, or the drive is hot swappable. | All
constDriveFixed | Disk or drive cannot be removed | All
constDriveRemote | Disk is a remote/network drive. | All
constDriveCDRom | Drive is a CD-ROM/DVD. | All
constDriveRamDisk | Drive is a RAM disk. | All

Email Recipient Types, used in evtMailRecipientTypes

Name | Description | Supported OS
constMailBCC | Recipients on BCC line of email | All
constMailCC | Recipients on CC line of email | All
constMailTo | Recipients on To line of email | All

Control Rule Examples

The following are common Control rules. For more rule examples, refer to the Digital Guardian Rule Implementation Guide.

Block File Writes to Removable Drives

    <and>
      <in>
        <evtOperationType/>
        <list>
          <constOpFileCopy/>
          <constOpFileMove/>
          <constOpFileWrite/>
        </list>
      </in>
      <equal>
        <evtDestDriveType/>
        <constDriveRemovable/>
      </equal>
    </and>

Block Network Uploads from Specified Directory

    <and>
      <regExp expr="\\sourcecode\\.*">
        <evtSrcFilePath/>
      </regExp>
      <equal>
        <evtOperationType/>
        <constOpNetTransferUpload/>
      </equal>
    </and>

Block App Data Exchange by Pasting from Word into AOL Instant Messenger

    <and>
      <like expr="%america online%">
        <curProcessCompanyName/>
      </like>
      <like expr="%instant messenger%">
        <curProcessProductName/>
      </like>
      <equal>
        <evtSrcFileExt/>
        <string value="doc"/>
      </equal>
      <equal>
        <evtOperationType/>
        <constOpAppDataExchange/>
      </equal>
    </and>

Rule Evaluation Order

Digital Guardian evaluates rules from the bottom to the top. When the DG Agent meets a rule condition during rule evaluation that does not match the current activity, it stops evaluating that rule. Placing the most restrictive rule conditions at the bottom of a rule definition helps Digital Guardian more quickly determine if the current user activity is subject to a particular rule.

The rule examples shown on this card use the recommended bottom-to-top, restrictive-to-general design. For more information on rule evaluation order, refer to "Appendix B: Rule Optimization" in the Digital Guardian Rule Implementation Guide.

Component Rules

Component rules are rules that you can reference from the definitions of other rules, similar to functions in a programming language. By using component rules, you can reduce the time required to write and maintain your rules. Component rules do not contain action, severity, or status information. That information is supplied by the rule that references the component rule.

You use the <userFunction> element to call a component rule from within other rules of the same type (classification, control, filter or trusted process). This example shows the component rule office_file_types being called from a rule that blocks print events:

    <and>
      <userFunction name="office_file_types"/>
      <equal>
        <evtOperationType/>
        <constOpPrint/>
      </equal>
    </and>

Classification Rule Examples

The following are common Classification rules. For more rule examples, refer to the Digital Guardian Rule Implementation Guide.

Classify Downloaded Files from Specific Domain

    <and>
      <regExp expr="sharepoint\.example\.com">
        <evtDomain/>
      </regExp>
      <equal>
        <evtOperationType/>
        <constOpNetTransferDownload/>
      </equal>
    </and>

Classify Files with More Than One Credit Card Number

    <greaterThan>
      <evtSrcFileEntityFrequency name="cc_number"/>
      <int value="1"/>
    </greaterThan>

Microsoft Windows® Environment Variables

Digital Guardian allows you to use Microsoft Windows® environment variables in your rule properties. Windows environment variables can create values based on local settings that change with each user. Use environment variables with regular expression or like operators as shown in this example:

    <regExp expr="^c:\\documents and settings\\##username##\\localsettings\\.*">
      <evtSrcFilePath/>
    </regExp>

Copyright

Digital Guardian and the Digital Guardian logo are registered trademarks of Digital Guardian. All Rights Reserved © 2003 Digital Guardian. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any means electronic or mechanical, including photocopying and recording for any purpose beyond that provided for in the license agreement. The contents of this document are subject to change without notice.

Last updated: October 2, 2014
Rule Properties

Rule properties define the type of computer and event to which the rule applies. Each table below names the operations it applies to, then lists each property with its value type and supported operating systems.

ALL OPERATIONS
Applies to: constOpFileCopy, constOpFileDelete, constOpFileOpen, constOpFileMove, constOpFileRead, constOpFileWrite, constOpAppDataExchange, constOpFileRename, constOpCDBurn, constOpFileRecycle, constOpNetTransferDownload, constOpFileRestore, constOpAppStart, constOpPrint, constOpNetTransferUpload, constOpNetwork, constOpAppScreenBuffer

Property | Type | Supported OS
agentAdapterCount | int | Windows, Linux, OS X
agentCurrentDayOfWeek | constant | Windows
agentCurrentTime | time | All
agentCurrentDateTime | time | Windows
agentFileVersion | string | Windows, Linux
agentGatewayMac | macAddress | All
agentIPAddress | ipAddress | All
agentIPAddress (array) | ipAddress | All
agentIsLaptop | Boolean | All
agentIsRegistered | Boolean | Windows, Linux
agentIsVirtualSession | Boolean | Windows, OS X
agentLastServerComm | int | All
agentType | int | All
curProcessCmdLine | string | Windows, Linux
curProcessCompanyName | string | Windows
curProcessFileDescription | string | Windows
curProcessFilePath | string | All
curProcessFileVersion | string | Windows, Linux
curProcessImageName | string | All
curProcessLegalCopyright | string | Windows
curProcessMD5ContentHash | md5Hash | Windows, Linux
curProcessNoPrompting | Boolean | Windows
curProcessOriginalName | string | Windows
curProcessProductName | string | Windows
curProcessProductVersion | string | Windows
curProcessWindowTitle | string | Windows, Linux
dnsHostAvailable | Boolean | Windows, OS X
driverRunning | Boolean | Windows
evtCurrentUserId | string | Windows
evtDomainName | string | Windows
evtIsDomainUser | Boolean | Windows, OS X
evtIsLocalAdmin | Boolean | Windows, OS X
evtIsOverwrite | Boolean | Windows
evtOperationType | constant | All
evtParentOperationType | constant | All
evtSrcDriveMatchesDest | Boolean | Windows
evtSrcDriveType | constant | All
evtSrcFileClassificationRank | int | All
evtSrcFileEntityFrequency | int | Windows, Linux, OS X
evtSrcFileExt | string | All
evtSrcFileIsClassified | Boolean | All
evtSrcFileIsEncrypted | Boolean | Windows
evtSrcFileIsTemp | Boolean | Windows
evtSrcFileModifiedTime | dateTime | Windows, Linux
evtSrcFilePath | string | All
evtSrcFileOwnerId | string | Windows, Linux
evtSrcFilePolicyTag | string | All
evtSrcFileSize | int | Windows, Linux, OS X
evtSrcFileSupportsADS | Boolean | Windows
evtSrcIsWindowsCdBurnFolder | Boolean | Windows
evtSrcProduct | string | All
evtSrcProductId | string | All
evtSrcSerialNumber | string | All
evtSrcSupportsEncrypt | Boolean | Windows
evtSrcVendor | string | All
evtSrcVendorId | string | All
evtSrcProcessCompanyName | string | Windows
evtSrcProcessFileDescription | string | Windows
evtSrcProcessFilePath | string | Windows, Linux
evtSrcProcessFileVersion | string | Windows
evtSrcProcessImageName | string | Windows, Linux
evtSrcProcessLegalCopyright | string | Windows
evtSrcProcessMD5ContentHash | md5Hash | All
evtSrcProcessProductName | string | Windows
evtSrcProcessProductVersion | string | Windows
evtSrcProcessWindowTitle | string | Windows, Linux
evtUserName | string | Windows, OS X
hostIsAvailable | Boolean | OS X
parentProcessCmdLine | string | Windows, Linux
parentProcessCompanyName | string | Windows
parentProcessFileDescription | string | Windows
parentProcessFilePath | string | Windows, Linux
parentProcessFileVersion | string | Windows
parentProcessImageName | string | All
parentProcessLegalCopyright | string | Windows
parentProcessMD5ContentHash | md5Hash | Windows, Linux
parentProcessProductName | string | Windows
parentProcessProductVersion | string | Windows
parentProcessWindowTitle | string | Windows, Linux
serverAvailable | Boolean | All
similarProcessRunning | Boolean | Windows

DATA VAULT OPERATIONS
Applies to: Any

Property | Type | Supported OS
activeVaultRuleNames | string | Windows
anyProcessVaulted | Boolean | Windows, Linux
clipboardVaultRuleName | string | Windows
curProcessSaveAsActive | Boolean | Windows
curProcessVaulted | Boolean | Windows, Linux
curProcessVaultRuleName | string | Windows, Linux
parentProcessVaulted | Boolean | Windows, Linux
parentProcessVaultRuleName | string | Windows, Linux
prevProcessVaulted | Boolean | Windows
prevProcessVaultRuleName | string | Windows
similarProcessVaulted | Boolean | Windows

EMAIL OPERATIONS
Applies to: constOpSendMail

Property | Type | Supported OS
evtMailAttachmentSize | int | Windows
evtMailRecipients | string | All
evtMailRecipientTypes | constant | All
evtMailSMIMEEncrypted | Boolean | Windows
evtMailSMIMESigned | Boolean | Windows
evtMailSubject | string | Windows
evtMailTotalSize | int | Windows

ADDRESS/URL OPERATIONS
Applies to: constOpNetwork

Property | Type | Supported OS
curProcessAddressBar | string | Windows
curProcessURLList | string | Windows
parentProcessAddressBar | string | Windows
parentProcessURLList | string | Windows
prevProcessAddressBar | string | Windows

NETWORK FILE TRANSFER OPERATIONS
Applies to: constOpNetTransferDownload, constOpNetTransferUpload

Property | Type | Supported OS
evtDomain | string | Windows
evtIsOutboundConn | Boolean | All
evtLocalPort | int | Windows
evtProtocolType | constant | All
evtRemoteAddress | ipAddress | All
evtRemotePort | int | All
evtSrcDriveType | constant | All
evtSrcFileExt | string | All
evtSrcFilePath | string | All
evtUrlPath | string | All

ADE OPERATIONS
Applies to: constOpAdeCut, constOpAdePaste, constOpAdePrintProcess, constOpAdePrintScreen, constOpADEFileClassification, constOpAppDataExchange, constOpAppScreenBuffer

Property | Type | Supported OS
evtADEType | constant | Linux
evtBufferEntityFrequency | int | Windows
evtBufferPolicyTag | string | All
evtDestDocPropertyDate | dateTime | Windows
evtDestDocPropertyInt | int | Windows
evtDestDocPropertyString | string | Windows
evtDestDriveType | constant | All
evtDestFileExt | string | All
evtDestFilePath | string | All
evtSrcDocPropertyDate | dateTime | Windows, Linux
evtSrcDocPropertyInt | int | Windows, Linux
evtSrcDocPropertyString | string | Windows, Linux
evtSrcDriveType | constant | All
evtSrcFileCanContentInspect | Boolean | Windows, OS X
evtSrcFileExt | string | All
evtSrcFilePath | string | All

FILE OPERATIONS
Applies to: constOpFileCopy, constOpFileCreate, constOpFileDelete, constOpFileMove, constOpFileOpen, constOpFileRead, constOpFileRecycle, constOpFileRename, constOpFileRestore, constOpFileWrite

Property | Type | Supported OS
evtDestBusType | constant | Windows, OS X
evtDestCustomId | string | Windows
evtDestDriveType | constant | All
evtDestFileCanContentInspect | Boolean | Windows, OS X
evtDestFileClassificationRank | int | All
evtDestFileEntityFrequency | int | Windows, Linux, OS X
evtDestFileExt | string | All
evtDestFileIsClassified | Boolean | All
evtDestFileIsEncrypted | Boolean | Windows
evtDestFileIsTemp | Boolean | Windows
evtDestFileModifiedTime | dateTime | Windows, Linux
evtDestFilePath | string | All
evtDestFilePolicyTag | string | All
evtDestFileOwnerId | string | Windows, Linux
evtDestFileSize | int | Windows, Linux, OS X
evtDestFileSupportsADS | Boolean | Windows
evtDestIsWindowsCdBurnFolder | Boolean | Windows
evtDestProduct | string | All
evtDestProductId | string | All
evtDestSerialNumber | string | All
evtDestSupportsEncrypt | Boolean | Windows
evtDestVendor | string | All
evtDestVendorId | string | All
evtSrcBusType | constant | Windows, OS X
evtSrcCustomId | string | Windows
evtSrcDocPropertyDate | dateTime | Windows
evtSrcDocPropertyInt | int | Windows
evtSrcDocPropertyString | string | Windows

NETWORK OPERATIONS
Applies to: constOpNetwork

Property | Type | Supported OS
agentType | string | Windows, Linux, OS X
dnsHostAvailable | Boolean | Windows, OS X
evtAdapterName | string | Windows
evtDomain | string | Windows, OS X
evtIsOutboundConn | Boolean | Windows, Linux
evtIsPrivate | Boolean | All
evtLocalPort | int | Windows, Linux
evtPhysicalMedium | constant | Windows
evtProtocolType | constant | All
evtRemoteAddress | ipAddress | All
evtRemotePort | int | All
evtWirelessAccessPoint | macAddress | Windows
evtWirelessAuthenticationMode | constant | Windows
evtWirelessEncryption | constant | Windows
evtWirelessInfrastructureMode | constant | Windows
evtWirelessSSID | string | Windows, Linux

Relational Operators

Relational operators evaluate one or two system properties, symbolic constants, or user defined values.

Relational Operations By Value Type

Value Type | Operators
bluetoothAddress | equal, in
Boolean | equal
constant | equal, in
dateTime | equal, greaterThan, lessThan
int | equal, in, greaterThan, lessThan
ipAddress | equal, in, ipMask
irdaAddress | equal, in
macAddress | equal, in
md5Hash | equal, in
string | equal, in, like, regEx
time | equal, lessThan, greaterThan

Operator examples

equal

    <equal>
      <evtDestDriveType/>
      <constDriveRemovable/>
    </equal>

greater than

    <greaterThan>
      <agentLastServerComm/>
      <int value="1440"/>
    </greaterThan>

in

    <in>
      <evtRemotePort/>
      <list>
        <int value="80"/>
        <int value="443"/>
      </list>
    </in>

ipMask

    <ipMask mask="10.10.10.10/24">
      <evtRemoteAddress/>
    </ipMask>

less than

    <lessThan>
      <agentCurrentTime/>
      <time value="19:00 utc"/>
    </lessThan>

like

    <like expr="%adobe%">
      <curProcessCompanyName/>
    </like>

regular expression

    <regExp expr="^\\\\FileServerName\\ShareName\\.*">
      <evtSrcFilePath/>
    </regExp>

in with op

    <in op="like">
      <some_property />
      <list>
        <string value="%testvalue1%" />
        <string value="%testvalue2%" />
      </list>
    </in>

Regular Expressions

This operator evaluates whether the operand matches a given regular expression.

Character Definitions

Character | Definition
^ | Matches the beginning of a line.
. (period) | Matches any character.
* | Finds 0 or more of a match.
[] | Matches any instance in the bracketed range.
| | Delimits Boolean OR values within a bracketed set. For example, (app1.exe|app2.exe).
() | Groups one or more sequences of characters or matches.
$ | Matches the end of a line.
\ | Indicates that the next character should be treated literally, not as a regular expression character.

Regular Expression Examples

This example shows a regular expression that checks any product version for the string "5.0".

    <regExp expr="5\.0">
      <curProcessProductVersion/>
    </regExp>

This example shows a regular expression that checks the beginning of a file path for the directory c:\docrepository. The regular expression includes the ^ character to indicate that the string appears at the beginning of a line. The expression also includes the \ character to indicate that the slash character in the path is to be taken literally, and not as a regular expression operator.

    <regExp expr="^c:\\docrepository">
      <evtSrcFilePath/>
    </regExp>

Logical Operators

In cases where you have multiple event operations, or multiple rule properties, you can use logical operators to specify the Boolean relationships between those expressions.

and

    <and>
      <expression/>
      <expression/>
    </and>

or

    <or>
      <expression/>
      <expression/>
    </or>

not

    <not>
      <expression/>
    </not>

nested

    <and>
      <expression/>
      <or>
        <expression/>
        <expression/>
      </or>
      <not>
        <expression/>
      </not>
    </and>

Match Attribute

The Like and Regular Expression operators can use the optional match attribute to evaluate string values against one or all of the multiple values in a single multistring property.

The following rule properties support the Match attribute: clipboardVaultRuleName, curProcessURLList, curProcessVaultRuleName, evtBufferPolicyTag, evtDestFilePolicyTag, evtMailRecipients, evtSrcFilePolicyTag, parentProcessURLList, prevProcessVaultRuleName.

Match All

A Like or Regular Expression operator with a Match All attribute evaluates to True if the comparison string matches all of the values contained in the property. For example, the following property evaluates to True only if all of the recipients of a particular email contained the string ".example.com".

    <regExp expr=".*\.example\.com" match="all">
      <evtMailRecipients />
    </regExp>

Match Any

A Like or Regular Expression with a Match Any attribute evaluates to True if the comparison string matches any of the values in the list. If you do not specify a Match attribute, any is the default behavior for all properties. For example, the following property evaluates to True if any classification tags associated with a file match the string "confidential".

    <like expr="confidential" match="any">
      <evtSrcFilePolicyTag />
    </like>
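The bottom-to-top evaluation order, component rules, environment variables, the regular expression examples and the Match attribute described on this card can be exercised together with a small rule evaluator. The following Python is an added example and is not Digital Guardian code: it parses rule definitions copied from this card (the removable-drive Control rule, the office_file_types component call, the ##username## environment-variable pattern, the 5\.0 version check and the Match All recipient check) and evaluates them against constructed events. The body of the office_file_types component rule, the events, paths and recipients, the % wildcard semantics of <like> and case-insensitive matching are all assumptions made for the example.

```python
"""Toy evaluator for Digital Guardian-style rule XML (added example, not DG code).
Models the card's semantics: <and> evaluated bottom to top and abandoned at the first
non-match, <userFunction> calling a component rule, ##name## environment variables, and
<like>/<regExp> with match="any" (default) or match="all". Assumed: % in <like> matches
any run of characters; string matching is case-insensitive."""
import re
import xml.etree.ElementTree as ET

# Constructed component rule: the name is the card's, the body is an assumption.
COMPONENTS = {"office_file_types": """<in><evtSrcFileExt/>
    <list><string value="doc"/><string value="xls"/><string value="ppt"/></list></in>"""}

def expand_env(expr, env, regex=True):
    """Substitute ##name## placeholders; values are regex-escaped inside <regExp>."""
    def sub(m):
        value = env.get(m.group(1).lower(), m.group(0))
        return re.escape(value) if regex else value
    return re.sub(r"##(\w+)##", sub, expr)

def like_to_regex(expr):
    """Assumed <like> semantics: % matches any run of characters, the rest is literal."""
    return "^" + ".*".join(re.escape(part) for part in expr.split("%")) + "$"

def operand(elem, event):
    """Resolve <string>/<int>/<list>, a symbolic constant (by name) or a rule property."""
    if elem.tag == "string":
        return elem.get("value")
    if elem.tag == "int":
        return int(elem.get("value"))
    if elem.tag == "list":
        return [operand(c, event) for c in elem]
    return elem.tag if elem.tag.startswith("const") else event.get(elem.tag)

def evaluate(elem, event, env, trace):
    """Evaluate one element; trace records each relational test actually performed."""
    tag = elem.tag
    if tag in ("and", "or"):  # children bottom to top; <and> stops at the first failure
        fold = all if tag == "and" else any
        return fold(evaluate(c, event, env, trace) for c in reversed(list(elem)))
    if tag == "not":
        return not evaluate(elem[0], event, env, trace)
    if tag == "userFunction":
        return evaluate(ET.fromstring(COMPONENTS[elem.get("name")]), event, env, trace)
    if tag in ("like", "regExp"):
        pattern = expand_env(elem.get("expr"), env, regex=(tag == "regExp"))
        if tag == "like":
            pattern = like_to_regex(pattern)
        values = event.get(elem[0].tag, [])
        values = values if isinstance(values, list) else [values]
        hits = [re.search(pattern, str(v), re.IGNORECASE) is not None for v in values]
        # match="all": every value must match; match="any" (the default): at least one
        result = bool(hits) and (all(hits) if elem.get("match") == "all" else any(hits))
    else:
        left, right = (operand(c, event) for c in elem)
        ops = {"equal": lambda a, b: a == b, "in": lambda a, b: a in b,
               "greaterThan": lambda a, b: a > b, "lessThan": lambda a, b: a < b}
        result = ops[tag](left, right)
    trace.append(f"{tag} {elem[0].tag} -> {result}")
    return result

def run_rule(rule_xml, event, env=None):
    """Return (matched, trace) for one rule definition against one constructed event."""
    trace = []
    return evaluate(ET.fromstring(rule_xml), event, env or {}, trace), trace

# Rule definitions copied from the card; events, paths and recipients are constructed.
BLOCK_REMOVABLE = """<and>
  <in><evtOperationType/><list><constOpFileCopy/><constOpFileMove/><constOpFileWrite/></list></in>
  <equal><evtDestDriveType/><constDriveRemovable/></equal></and>"""
BLOCK_OFFICE_PRINT = """<and><userFunction name="office_file_types"/>
  <equal><evtOperationType/><constOpPrint/></equal></and>"""
LOCAL_SETTINGS_PATH = r"""<regExp expr="^c:\\documents and settings\\##username##\\localsettings\\.*">
  <evtSrcFilePath/></regExp>"""
ALL_EXAMPLE_COM = r"""<regExp expr=".*\.example\.com" match="all"><evtMailRecipients /></regExp>"""
VERSION_5_0 = r"""<regExp expr="5\.0"><curProcessProductVersion/></regExp>"""

def demo():
    """Run the constructed events through each rule; returns results keyed by scenario."""
    fixed = {"evtOperationType": "constOpFileCopy", "evtDestDriveType": "constDriveFixed"}
    printing = {"evtOperationType": "constOpPrint", "evtSrcFileExt": "doc"}
    path = {"evtSrcFilePath": r"c:\documents and settings\jdoe\localsettings\temp\report.doc"}
    mixed = {"evtMailRecipients": ["alice@hr.example.com", "carol@partner.org"]}
    matched, trace = run_rule(BLOCK_REMOVABLE, fixed)
    results = {"copy_to_fixed": (matched, len(trace))}  # <equal> fails first; <in> never runs
    matched, trace = run_rule(BLOCK_REMOVABLE, dict(fixed, evtDestDriveType="constDriveRemovable"))
    results["copy_to_removable"] = (matched, len(trace))
    results["print_doc"] = run_rule(BLOCK_OFFICE_PRINT, printing)[0]
    results["print_txt"] = run_rule(BLOCK_OFFICE_PRINT, dict(printing, evtSrcFileExt="txt"))[0]
    results["own_profile"] = run_rule(LOCAL_SETTINGS_PATH, path, {"username": "jdoe"})[0]
    results["other_profile"] = run_rule(LOCAL_SETTINGS_PATH, path, {"username": "asmith"})[0]
    results["all_internal"] = run_rule(ALL_EXAMPLE_COM,
        {"evtMailRecipients": ["alice@hr.example.com", "bob@mail.example.com"]})[0]
    results["mixed_all"] = run_rule(ALL_EXAMPLE_COM, mixed)[0]
    results["mixed_any"] = run_rule(ALL_EXAMPLE_COM.replace('match="all"', 'match="any"'), mixed)[0]
    # The escaped dot in 5\.0 keeps "1.570.2" from matching; a bare 5.0 would match it.
    results["escaped_dot"] = run_rule(VERSION_5_0, {"curProcessProductVersion": "1.570.2"})[0]
    results["bare_dot"] = run_rule(VERSION_5_0.replace(r"5\.0", "5.0"), {"curProcessProductVersion": "1.570.2"})[0]
    return results

if __name__ == "__main__":
    print(demo())
```

The trace length in the two removable-drive runs is the point of the evaluation-order section: with a fixed destination drive the bottom <equal> fails and the <in> above it is never tested, so the restrictive condition at the bottom does the early filtering the card recommends. The last two results show why the card's examples escape the dot and anchor paths with ^: a bare 5.0 also matches "570", and an unanchored directory pattern would match the same directory name nested anywhere in a path.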
