Documentation Version: er2.0.28-docs-1.1

Advanced Filters

There are situations where a certain combination of data types can provide a more meaningful insight for matches found during the scans. Specifically, during analysis of scan results, such combinations can be helpful when attempting to eliminate false positive matches while at the same time homing in on positive matches with greater confidence.

For example, consider a situation where a scanned location A has matches for phone numbers, scanned location B has matches for email addresses, while scanned location C has matches for both email addresses, and phone numbers.

In the example above, it is more likely that location C would actually have Personally Identifiable Information (PII) targeted at an individual compared to locations A and B alone. This is because location C contains two items of data that can be related to an individual. We can use Advanced Filters to display such locations.

This section covers the following topics:

Displaying Matches While Using Advanced Filters

To view match locations that fulfil the conditions defined in an Advanced Filter:

  1. On the Targets page, click a Target to display its list of matches.
  2. At the top-right hand of the Target details page, click Filter to display the Filter sidebar.
  3. Select one or more Advanced Filter rules to display specific match locations.

Using The Advanced Filter Manager

Use the Advanced Filter Manager to:

  1. Add an Advanced Filter.
  2. Update an Advanced Filter.
  3. Delete an Advanced Filter.

Add an Advanced Filter

  1. On the Targets page, click a Target to display its list of matches.
  2. At the top-right hand of the Target details page, click Filter to display the Filter sidebar.
  3. Click the icon to open the Advanced Filter Manager.
  4. In the Filter name field, provide a meaningful label for the Advanced Filter.
  5. In the Filter expression panel, define expressions for the Advanced Filter. See Writing Expressions for more information.
  6. Click Save Changes. The newly created filter will be added to the list on the left.

Update an Advanced Filter

  1. On the Targets page, click a Target to display its list of matches.
  2. At the top-right hand of the Target details page, click Filter to display the Filter sidebar.
  3. Click the icon to open the Advanced Filter Manager.

  4. Select an Advanced Filter from the left panel.
  5. Edit the filter name or expression for the Advanced Filter. See Writing Expressions for more information.
  6. Click Save Changes.

Delete an Advanced Filter

  1. On the Targets page, click a Target to display its list of matches.

  2. At the top-right hand of the Target details page, click Filter to display the Filter sidebar.
  3. Click the icon to open the Advanced Filter Manager.
  4. Select an Advanced Filter from the left panel.
  5. Click the trash bin icon next to the filter name.
  6. Click Yes to delete the Advanced Filter.

Writing Expressions

Each Advanced Filter is defined using one or more expressions which are entered in the editor panel of the Advanced Filter Manager. There are a few basic rules to follow when writing expressions:

Expressions That Check For Data Types

The simplest Advanced Filter expression is one that checks for the presence of a specific data type match in a scanned location. This is called a Data Type Presence Check.

You can find a full list of built-in data types and their names when you Add a Data Type Profile. These data type names:

The Advanced Filter editor has an AutoComplete feature that helps you with data type names. To use AutoComplete, press the [ key and start typing the data type name to include in your expression.

The AutoComplete feature only lists the data types that have matches for your Target, but you can still define data type names that have not matched in your Advanced Filter expressions.

Data Type Presence Check

Description

Checks for the presence of a data type in a match location.

Syntax

[<Data Type>]

Example 1

1 [Personal Names (English)]

Example 1 lists match locations that contain at least one Personal Names (English) match.

Example 2

1 NOT[Visa]

Example 2 lists match locations that are not [Visa] data type matches.

Data Type Count Comparison Operators

Description

Use comparison operators to determine if the match count for a data type meets a specific criteria.

Syntax

[<Data Type>] <operator> n

n is any positive integer, e.g. 0, 1, 2, ..., n.

Operators

Comparison Operator Description
[<Data Type>] < n Evaluates to TRUE if the match count for the Data Type is less than n for the match location.
[<Data Type>] > n Evaluates to TRUE if the match count for the Data Type is greater than n for the match location.
[<Data Type>] <= n Evaluates to TRUE if the match count for the Data Type is less than or equal to n for the match location.
[<Data Type>] >= n Evaluates to TRUE if the match count for the Data Type is greater than or equal to n for the match location.
[<Data Type>] = n Evaluates to TRUE if the match count for the Data Type is exactly n for the match location.
[<Data Type>] != n Evaluates to TRUE if the match count for the Data Type is anything except n for the match location.

Example 3

1
[Personal Names (English)] >= 2

Example 3 lists match locations that contain at least two Personal Names (English) matches.

Example 4

1
2
[Login credentials] < 3
[Email addresses] = 0

Example 4 lists match locations that contain less than three Login credentials matches or contains no Email addresses.

Data Type Function Check

Description

MATCH function checks for the presence of n unique data types from a list of provided data types, where the number of provided data types has to be greater or equal to n.

Syntax

MATCH(n, [<Data Type 1>], [<Data Type 2>], ..., [<Data Type N>] )

n is any positive integer, e.g. 1, 2, ..., n.

Example 5

1
MATCH(2, [Visa], [Mastercard], [Troy], [Discover])

Example 5 checks match locations for Visa, Mastercard, Troy, and Discover matches, and only lists a match location if it contains at least two (n=2) of the four data types specified. In this example:

Data Type Sets

Description

Use SET to define a collection of data types that can be referenced from the MATCH function.

Syntax

SET <set identifier> ( [<Data Type 1>], [<Data Type 2>], ..., [<Data Type N>] )

When defining a SET, follow these rules:

Example 6

1
2
SET CHD_Data ([Visa], [Mastercard], [Troy], [Discover])
MATCH (2, CHD_Data)

Example 6 defines a set of data types named CHD_Data in line 1. It then uses a MATCH function call to check scanned locations for the presence of matches for the data types specified in the CHD_Data set. Any scanned location that contains at least two of the data types specified in the CHD_Data set will be returned as a matched location. The following locations will be returned by the filter in Example 6:

Logical and Grouping Operators

Use logical and grouping operators to write more complex expressions. Operator precedence and order of evaluation for these operators is similar to operator precedence in most other programming languages. When there are several operators of equal precedence on the same level, the expression is then evaluated based on operator associativity.

Logical Operators

Description

You can use the logical operators AND, OR and NOT in Advanced Filter expressions. Logical operators are not case sensitive.

Operators

Precedence Operator Syntax Description Associativity
1 NOT NOT a Negates the result of any term it is applied to. Right-to-left
2 AND a AND b Evaluates to TRUE if both a and b are TRUE. Left-to-right
3 OR a OR b Evaluates to TRUE if either a or b are TRUE. Left-to-right

Example 7

1
2
NOT [Visa]
[Login credentials] AND [Email addresses]

In Example 7, line 1 lists match locations that do not contain Visa matches.
Line 2 lists match locations that contain at least one Login credentials match and at least one Email addresses match.

Example 8

1 [Australian Mailing Address] OR [Australian Telephone Number]

In Example 8, line 1 lists match locations that contain at least one Australian Mailing Address match or at least one Australian Telephone Number match.

Instead of writing a chain of OR operators, you can write a series of data type presence checks to keep your expression readable. For example, Example 8 can be rewritten as:

1
2
[Australian Mailing Address]
[Australian Telephone Number]

Example 9

1
[Email addresses] > 1 AND [IP Address] AND NOT [Passport Number]

Example 9 lists match locations that contain more than one Email addresses match and at least one IP Address match, but only if those match locations do not contain any Passport Number matches.

Grouping Operators

Description

Grouping operators can be used to combine a number of statements into a single logical statement, or to alter the precedence of operations. Group statements by surrounding them with parentheses ( ).

Syntax

( )

Example 10

1
NOT ([SWIFT Code] AND [International Bank Account Number (IBAN)])

For Example 10, the filter displays match locations that do not contain both SWIFT Code and International Bank Account Number (IBAN) matches. Match locations that meet any of the following conditions will be displayed for this filter:

Example 11

1
[License Number] OR [Personal Names (English)] AND [Date Of Birth]

In Example 11, scanned locations are checked if they contain:

Because the AND operator has a higher precedence than the OR operator, the AND operation in [Personal Names (English)] AND [ Date Of Birth ] is evaluated first.

The below expression is equivalent to Example 11. While Example 11 uses implicit operator precedence, this example uses it explicitly:

1
[License Number] OR ([Personal Names (English)] AND [Date Of Birth])

Example 12

1
([License Number] OR [Personal Names (English)]) AND [Date Of Birth]

Example 12 shows how the operator precedence from Example 11 can be modified with grouping operators. Match locations that meet any of the following conditions will be displayed for this filter:

Remediating Matches While Using Advanced Filters

When performing remediation on selected matches, Advanced Filters are ignored. To change the scope of remedial action, use a Match Filter or restrict the number of match locations selected instead.

See Match Filter for more information.