Administrators and analysts can create search patterns to find sensitive data on their networks. These rules use keywords to identify patterns and they are matched based on an exact keyword string. Once a pattern is applied to a matched policy with services (Decoders), it will search for that pattern in the network traffic. Upon successful detection of a match, two important metadata will be generated (found and match). Analysts can use this metadata to investigate further and determine if the sensitive data is being used maliciously.

What do you want to do?

User Role I want to ... Show me how

Administrators / Analysts

Create Search Pattern

Analyze Events in the Events View

Related Topics

Quick Look - Create Search Pattern Dialog

This is an example of the Create Search Pattern Dialog


The following table describes the fields in the Create Search Pattern view.

Feature Description
Search Pattern Name Specify a descriptive Name to identify the search pattern or leave the default name automatically populated using Search Pattern Rule format.

Allows you to add one or more keywords. Keywords are matched based on an exact string only. Regular expressions (Regex) are not supported. Use semicolons (;) to separate multiple keywords. For example, CreditCard;VISA;US.

Service Port

Allows you to add one or more ports. Use semicolons (;) to separate multiple port numbers. For example, 20;21;23.

The port numbers must be between 1 and 65535.

Select Policy Displays a drop-down list of available policies for selection.


Creates the search pattern and closes the dialog. A message confirms that the search pattern was created successfully.

Create and Publish Creates the search pattern and deploys the search pattern rule to a available policy containing Decoder services.
Cancel Closes the dialog without applying changes.