URL patterns
The URL patterns parameter is provided in various policy templates and lets you set specific URL conditions for triggering detections. It can be used to define either an allowlist that matches URLs users are permitted to interact with or a denylist that matches URLs users are prohibited from interacting with.
For example, using the Sensitive file uploaded template, you could use this parameter to create an allowlist that prevents sensitive files from being uploaded to non-corporate websites.
Some templates, such as the Sensitive file uploaded template, let you configure the URL patterns parameter to prohibit uploads, considering both a file's web origin and destination. For more on this, also see URL patterns: origin (Preview).
The URL patterns parameter allows/denies URLs based on their domain name, including subdomains (see example 1 below). To cut policy configuration time, the URL patterns parameter also supports the use of glob-style syntax in both the domain name and the URL path. This means that you can use an asterisk (*) to match 0 or more characters within a domain/path segment (see examples 2 and 3). Similarly, you can use a double asterisk (**) to match 0 or more whole domain/path segments (see examples 4 and 5).
Example | URL pattern | Matched URLs |
---|---|---|
1 | example.com | |
2 | example.* | |
3 | www.nextdlp.com/use-cases/secure* | |
4 | www.nextdlp.com/**/about | |
5 | **.nextdlp.com/about | |
When including a path in a URL pattern—for example, |
Specification
URL patterns can be used to look for specified schemes, port numbers, queries, and fragments.
When comparing a URL with a given URL pattern, any URL sections that are not specified in the pattern will be ignored.
For example, the pattern |
For URL sections that are specified in the pattern, the following syntax applies.
URL section | Example | Syntax/matching rule |
---|---|---|
Scheme | https:// | Literal; an asterisk can be used at one end—for example, http*:// to match both http and https. |
Userinfo | nick@ | Not supported. |
Domain | nextdlp.com | Glob-style with * and **. Note that ** is only permitted at the start. |
Port | :443 | Literal. |
Path | /solutions/insider-risk | Glob-style with * and **. |
Query | ?id=123 | All specified key-value pairs must be present, and additional values are ignored. An asterisk may be provided as a value to require that a given key is present without regard for its value. |
Fragment | #Introduction | Literal. |
Additional guidance on subdomains and paths
Subdomains of specified domains will normally be matched. For example, the pattern example.com will match subdomain.example.com. However, subdomains will not be matched when the pattern contains a scheme or path. For example, the pattern example.com/about will not match subdomain.example.com/about.
In cases where a scheme or path has been specified, the prefix **. can be added to the start of the domain to match all subdomains. Conversely, the scheme pattern *:// can be used to exclude subdomains without choosing a particular scheme or path.
Similarly, if a pattern does not specify a path, then all paths will be matched, except where the pattern specifies a query or fragment. For example, the pattern nextdlp.com?id=123 will not match nextdlp.com/about?id=123.
The suffix /** can be added to match any path if a query or fragment has been specified. Conversely, a forward slash (/) can be added to a domain name to exclude all paths without specifying a query or fragment.
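The following Python sketch is an added example, not the product's own matcher. It models the scheme, subdomain, path, query and fragment rules above so that a candidate allowlist or denylist pattern can be checked against sample URLs before it goes into a policy. The names `url_matches` and `glob_to_regex` are hypothetical; the sketch assumes absolute URLs, assumes a pattern path must match the whole URL path, and leaves out port and userinfo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Sections of a pattern; port and userinfo are not modelled in this sketch.
PATTERN = re.compile(r"(?:(?P<scheme>[^/?#]*)://)?(?P<host>[^/?#]+)"
                     r"(?P<path>/[^?#]*)?(?:\?(?P<query>[^#]*))?(?:#(?P<frag>.*))?")

def glob_to_regex(glob, sep):
    """'*' stays inside one segment; '**' spans zero or more whole segments."""
    rules = {"**" + sep: "(?:[^%s]+%s)*" % (sep, re.escape(sep)),
             "**": ".*", "*": "[^%s]*" % sep}
    tokens = re.split(r"(\*\*%s|\*\*|\*)" % re.escape(sep), glob)
    return "".join(rules.get(t) or re.escape(t) for t in tokens)

def url_matches(pattern, url):
    """Hypothetical helper: does an absolute URL satisfy a URL pattern?"""
    p = PATTERN.fullmatch(pattern).groupdict()
    u = urlsplit(url)
    host, path = (u.hostname or ""), (u.path or "/")
    if p["scheme"] is not None:
        scheme_re = re.escape(p["scheme"]).replace(r"\*", ".*")
        if not re.fullmatch(scheme_re, u.scheme):
            return False
    host_re = glob_to_regex(p["host"].lower(), ".")
    if p["scheme"] is None and p["path"] is None:
        # Bare domain: subdomains are matched implicitly.
        host_re = r"(?:[^.]+\.)*" + host_re
    if not re.fullmatch(host_re, host):
        return False
    if p["path"] is not None:
        # Assumption: the pattern path must match the whole URL path.
        if not re.fullmatch(glob_to_regex(p["path"], "/"), path):
            return False
    elif (p["query"] is not None or p["frag"] is not None) and path != "/":
        # A query or fragment without a path stops implicit path matching.
        return False
    if p["query"] is not None:
        have = parse_qsl(u.query, keep_blank_values=True)
        for key, val in parse_qsl(p["query"], keep_blank_values=True):
            # '*' as a value only requires that the key is present.
            if not any(key == k and val in ("*", v) for k, v in have):
                return False
    return p["frag"] is None or p["frag"] == u.fragment
```

Checking an allowlist entry with and without a scheme or path shows at a glance whether subdomain coverage was dropped by the change.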