Response Rules options:
This is a list of options for response rules.
Detailed information regarding the rules can be found in rules.
These options are saved inside the rules configuration file, which contains both request and response rules. The filename depends on the name of the rule list → nameOfRuleList.conf.
They are stored in the following format under responseRules:
```json
"responseRules": [
  {
    "enabled": true,
    "type": "c",
    "patterns": [
      "columnsEndsWith:name"
    ],
    "rowPatterns": [
      "k"
    ],
    "operator": "AND",
    "columnNameOperator": "AND",
    "intrans": false,
    "properties": {
      "honeyTokenAlert": "true"
    }
  }
]
```
Each rule might have:
- enabled - Boolean to indicate if the rule is active.
- type - Action of the rule inside the configuration file, such as Q → Allow.
- patterns - The Java regex for columns to match on. This is the Column Name Regex from the GUI.
- rowPatterns - The Java regex for rows to match on.
- intrans - Determines whether the rule matches in transactions or only in auto-commit mode. Always false for response rules.
- properties - Parameters and their values for given rule.
- notes - Extra notes that can be left, their presence is marked by message icon next to enabled option. Editable after clicking edit button.
| Key | Type | Description |
|---|---|---|
| Alert Row | c | Raise an alert if the response data conditions are met (there is a match for Column Name Regex and Column Row Regex) |
| Delete Row | a | Deletes the matching rows from result set (might be used on metadata as well). |
| Mask Row | b | Masks matching rows of data in the result set. |
| Tokenize Row | d | Tokenizes result set data. Tokens generated during tokenization are stored within the designated database indicated by the specified datasource. The maximum supported length for string data is limited to Varchar(255). Please read Tokenizing for more information. |
Rule Specific Parameters
For each response rule:
sendNotification: An option that can be added to each response rule to send a notification when the rule is triggered. Please read Response Rule Action Details for more information.
For Alert Row:
| Key | Description |
|---|---|
| honeyTokenAlert | Raise alert if queried for a "honey token" (if all conditions were met) |
| rowCountsAlert | Raise alert if more than a certain number of rows are returned as a result of a single query. The ColumnRowRegex field should be left blank; otherwise the alert is raised when at least one match is made in a row and the other conditions are met, so the rule is effectively looking for a "token" that will trigger alerts. |
For Mask Row and Tokenize Row:
| Key | Description |
|---|---|
| replaceWith | Specifies the string with which data should be replaced. (This field is mandatory) |
| replaceType | Specifies the type of replacement: whether to replace Each string/character or All with the value provided by the replaceWith field. |
| replaceFirst | Specifies how many first characters to replace with the given string provided in the replaceWith field. |
| replaceExceptFirst | Specifies how many of the first characters are left unchanged and the rest will be replaced. |
| replaceLast | Specifies how many of the last characters should be replaced with the given string specified in the replaceWith field. |
| replaceExceptLast | Specifies how many of the last characters are left unchanged and the rest will be replaced. |
| replaceAll | Specifies whether the whole row of data should be replaced. Should not be combined with other masking actions (as the result will be returned immediately). |
| replaceBeforeString | Specifies delimiter and number of characters (in that order) to replace before the given delimiter. Can be useful for email masking. |
| replaceExceptFirstBeforeString | Specifies delimiter and number of characters (in that order) that should remain unchanged (counting from the beginning of the delimiter); the rest of the string up to the specified delimiter will be masked. |
| replaceAfterString | Specifies delimiter and number of characters (in that order) to replace after the given delimiter. |
| replaceExceptLastAfterString | Specifies delimiter and number of characters (in that order) that should remain unchanged (counting from the end of the delimiter); the rest of the string up to the specified delimiter will be masked. |
| replaceFirstRegex | Specifies the regex that selects what in the field should be replaced; only the first match of the pattern is replaced. The replaceType field has no effect on regular expression processing. |
| replaceAllRegex | Specifies the regex that selects what in the field should be replaced; all matches of the pattern are replaced. The replaceType field has no effect on regular expression processing. |
| excludedChars | Specifies which characters should not be tokenized or masked. Multiple excluded characters can be specified by typing them all in the String field, e.g. if '-' and '@' need to be excluded, the user should define them as '-@' in one String. (If no other replacement is specified, replaceAll will be taken as the default.) To specify a space " " as an excluded character, the user should, due to a trimming policy, define it in the middle of the string or as the Unicode value "\u0020". |
| ssn | Enables masking of Social Security Numbers. All digits in the value are replaced character-by-character with the string chosen in replaceWith, while separator characters such as dashes and spaces remain unchanged (for example, 111 22-3333 becomes *** **-****). When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- ", replaceType = EACH. |
| credit card | Enables masking of credit card numbers. All digits and letters are replaced character-by-character with the string chosen in replaceWith, while formatting characters such as spaces and dashes remain unchanged (for example, 1111 1111 1111 1111 becomes **** **** **** ****). When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- ", replaceType = EACH. |
| iban | Enables masking of IBAN account numbers. All digits and letters in the IBAN are replaced character-by-character with the string chosen in replaceWith, while separator characters such as spaces and dashes remain unchanged (for example, DE89 3704 0044 0532 0130 0000 becomes **** **** **** **** **** ****). When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- ", replaceType = EACH. |
| phone number | Enables masking of phone numbers. All digits and letters are replaced character-by-character with the string chosen in replaceWith, while formatting symbols such as spaces, dashes, plus signs, and parentheses remain unchanged (for example, +1 (212) 555-8877 becomes +* (***) ***-****). When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- +()", replaceType = EACH. |
| | Enables masking of email addresses. All characters except the @ symbol are replaced character-by-character with the string chosen in replaceWith, preserving only the position of the @ (for example, erik@heimdalldata.com becomes ****@****************). When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "@", replaceType = EACH. |
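
The preset rows above all reduce to one operation: replaceAll = true, a fixed excludedChars set, replaceType = EACH. The Python model below is an added illustration, not Heimdall's code; it assumes a single-character replaceWith, and `unmasked_positions` is a hypothetical helper for checking a rule's output against the original value.

```python
# Model of the documented preset equivalence:
#   replaceAll = true, excludedChars = <set>, replaceType = EACH
# Added illustration; not Heimdall's implementation.

# excludedChars each preset row is documented as equivalent to.
PRESET_EXCLUDED = {
    "ssn": "- ",
    "credit card": "- ",
    "iban": "- ",
    "phone number": "- +()",
}
EMAIL_EXCLUDED = "@"  # excludedChars given in the email-address row


def mask_each(value, replace_with="*", excluded_chars=""):
    """Replace every character not listed in excluded_chars with replace_with."""
    return "".join(c if c in excluded_chars else replace_with for c in value)


def apply_preset(name, value, replace_with="*"):
    """Mask value the way the named preset is described to behave."""
    return mask_each(value, replace_with, PRESET_EXCLUDED[name])


def unmasked_positions(original, masked, excluded_chars, replace_with="*"):
    """Indices where an original character survived although it is not an
    excluded character. An empty list means no data character leaked."""
    if len(original) != len(masked):
        raise ValueError("character-by-character masking preserves length")
    return [i for i, (o, m) in enumerate(zip(original, masked))
            if o == m and o not in excluded_chars and o != replace_with]


if __name__ == "__main__":
    # Values taken from the examples in the table above.
    print(apply_preset("ssn", "111 22-3333"))
    print(apply_preset("phone number", "+1 (212) 555-8877"))
    print(mask_each("erik@heimdalldata.com", "*", EMAIL_EXCLUDED))
    # Constructed case: a phone number handled by the ssn preset also loses
    # its '+' and parentheses, because they are not in that excluded set.
    print(apply_preset("ssn", "+1 (212) 555-8877"))
    # Constructed case: output of a partial mask that kept the last 4 digits.
    print(unmasked_positions("111-22-3333", "***-**-3333", "- "))
```
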
For Tokenize Row:
Tokenize Row has all parameters from Mask Row. If nothing is specified, the default ReplaceAll action will be performed. For the parameters that appear in both, the description is slightly changed to reflect the difference between masking and tokenizing.
| Key | Description |
|---|---|
| source | The data source used to store generated tokens. By default, it matches the data source used for the query. Only one data source can be selected per query. If multiple tokenization rules specify different data sources, the last applicable rule takes precedence, and all tokens for that query are stored in the same data source. The data source must be created beforehand on the datasource tab; it will then be available for selection. The table for storing tokens is created via the create-token-table.sql script, by clicking 'Execute scripts'. The tokens are stored in the 'tokens' table of the 'heimdall' schema, which contains the 'token' and 'mapped_value' columns. After applying this option, a token datasource will appear on the status tab of the GUI, for checking the state of that source. |
| ssn | Enables tokenization of Social Security Numbers. All digits in the value are replaced by a generated token, while separator characters such as dashes and spaces remain unchanged (for example, 111-22-3333 may be tokenized to 423-48-1249). The token represents the original value and can be used for consistent referential usage without exposing the actual SSN. When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- ". |
| credit card | Enables tokenization of credit card numbers. All digits are replaced by a generated token, while formatting characters such as spaces and dashes remain unchanged (for example, 1111 1111 1111 1111 may be tokenized to 2352 5743 6789 0632). The tokenized number preserves the layout but no longer reveals the original card number. When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- ". |
| iban | Enables tokenization of IBAN account numbers. All digits and letters are replaced by a generated token, while separator characters such as spaces and dashes remain unchanged (for example, DE89 3704 0044 0532 0130 0000 may be tokenized to KF60 1123 1426 3326 1422 7223). The structure is retained for readability, but the underlying account information is protected. When enabled, this option forces full‑value masking and overrides the replacement type to operate on each character. This is the equivalent of: replaceAll = true, excludedChars = "- ". |
| phone number | Enables tokenization of phone numbers. All digits are replaced by a generated token, while formatting characters such as spaces, dashes, plus signs, and parentheses remain unchanged (for example, +1 (212) 555-8877 may be tokenized to +3 (164) 236-1035). This allows preserving the phone number format without exposing the real value. This is the equivalent of: replaceAll = true, excludedChars = "- +()". |
| | Enables tokenization of email addresses. All characters except the @ symbol are replaced by a generated token (for example, erik@heimdalldata.com may be tokenized to skfl@jufjlakwperv%pau). The position of @ is preserved so that the token still resembles a valid email-like string while protecting the original address. This is the equivalent of: replaceAll = true, excludedChars = "@". |
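
A misconfigured masking rule can fail to protect the data it targets, so the constraints stated on this page can be checked before a rule list is deployed. The linter below is an added example, not part of the product; it assumes the .conf file is a JSON object with a top-level responseRules array, and the property values in the sample ("4", "1000") and the patterns "ssn" and ".*" are constructed.

```python
import json

# Type codes from the action table on this page.
RESPONSE_TYPES = {"a": "Delete Row", "b": "Mask Row", "c": "Alert Row", "d": "Tokenize Row"}
# Masking actions that replaceAll "should not be combined with".
PARTIAL_KEYS = {
    "replaceFirst", "replaceExceptFirst", "replaceLast", "replaceExceptLast",
    "replaceBeforeString", "replaceExceptFirstBeforeString", "replaceAfterString",
    "replaceExceptLastAfterString", "replaceFirstRegex", "replaceAllRegex",
}

def is_true(value):
    # The page's sample stores booleans inside properties as strings ("true").
    return value is True or str(value).lower() == "true"

def lint_rule(rule):
    """Return a list of findings for one responseRules entry."""
    findings = []
    rtype, props = rule.get("type"), rule.get("properties", {})
    if rtype not in RESPONSE_TYPES:
        findings.append(f"type {rtype!r} is not a response rule type")
    if is_true(rule.get("intrans")):
        findings.append("intrans should be false for response rules")
    # Checked for Mask Row only: Tokenize Row defaults to ReplaceAll when empty.
    if rtype == "b" and not props.get("replaceWith"):
        findings.append("Mask Row without replaceWith (mandatory)")
    if is_true(props.get("replaceAll")) and PARTIAL_KEYS & props.keys():
        findings.append("replaceAll combined with a partial masking action")
    if "rowCountsAlert" in props and any(rule.get("rowPatterns", [])):
        findings.append("rowCountsAlert with a row pattern: alerts on a match, not a count")
    return findings

def lint_conf(text):
    """Map rule index -> findings, for every rule that has at least one."""
    rules = json.loads(text).get("responseRules", [])
    report = {i: lint_rule(r) for i, r in enumerate(rules)}
    return {i: f for i, f in report.items() if f}

# Constructed sample: rule 0 is the page's honey-token rule, 1 and 2 are flawed.
SAMPLE_CONF = json.dumps({"responseRules": [
    {"enabled": True, "type": "c", "patterns": ["columnsEndsWith:name"], "rowPatterns": ["k"],
     "operator": "AND", "columnNameOperator": "AND", "intrans": False,
     "properties": {"honeyTokenAlert": "true"}},
    {"enabled": True, "type": "b", "patterns": ["ssn"], "rowPatterns": [], "intrans": False,
     "properties": {"replaceAll": "true", "replaceLast": "4"}},
    {"enabled": True, "type": "c", "patterns": [".*"], "rowPatterns": ["k"], "intrans": False,
     "properties": {"rowCountsAlert": "1000"}},
]})

if __name__ == "__main__":
    for index, findings in lint_conf(SAMPLE_CONF).items():
        print(index, findings)
```
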