PII detection rules define the patterns that PII Scanner uses to identify sensitive data in scanned files. Each rule consists of a regex pattern that is applied to file content during a scan; when a match is found, the result is forwarded in real time to LT Auditor MP. Configuring the right detection rules is critical to ensuring your scans are thorough and accurate, minimizing both missed detections and false positives.
Understanding PII detection rules:
PII Scanner ships with a set of built-in detection rules covering the most common categories of sensitive data. These built-in rules can be enabled, disabled, or modified to suit your environment. Custom rules can also be added to detect organization-specific sensitive data types that are not covered by the defaults.
Each detection rule consists of:
- Name: a descriptive label for the PII class (e.g., Social Security Number)
- Regex Pattern: the regular expression used to identify matches in file content
- Enabled Status: whether the rule is active and applied during scans
- Severity Level: the importance of a match (Critical, High, Medium, Low)
Accessing PII detection rules:
Log in to the PII Scanner Server web UI at:
https://<PII_Scanner_Server_IP>:52766
- Navigate to Admin → PII Patterns
- The patterns list displays all configured detection rules with their name, pattern, enabled status, and severity level
Built-in PII detection rules:
PII Scanner includes the following default detection rules:
| PII Class | Description | Example Match |
| --- | --- | --- |
| Social Security Number | US SSN in common formats | 123-45-6789, 123456789 |
| Credit Card Number | Major card formats (Visa, Mastercard, Amex, Discover) | 4111 1111 1111 1111 |
| Email Address | Standard email format | user@domain.com |
| Phone Number | US and international formats | (555) 123-4567 |
| Date of Birth | Common date formats | 01/15/1980, 1980-01-15 |
| Medical Record Number | Common MRN formats | Varies by healthcare system |
| IP Address | IPv4 address format | 192.168.1.100 |
| Passport Number | Common passport formats | Varies by country |
[Your administrator should confirm which built-in rules are appropriate for your environment and compliance requirements, and disable any that generate excessive false positives.]
Enabling and disabling detection rules:
To enable or disable a built-in rule without deleting it:
- Navigate to Admin → PII Patterns
- Locate the rule in the patterns list
- Click the Enabled toggle to turn the rule on or off
- The change takes effect on the next scan job that runs
Disabled rules are not applied during scans but are retained in the system and can be re-enabled at any time. Prefer disabling over deleting built-in rules so they can be recovered if needed.
Editing an existing detection rule:
To modify the regex pattern or severity level of an existing rule:
- Navigate to Admin → PII Patterns
- Click the Edit icon next to the rule
- Modify the relevant fields:
  - Name: update if needed for clarity
  - Regex Pattern: update the pattern to improve accuracy or reduce false positives
  - Severity Level: adjust based on the sensitivity of the data type
- Click Save
Test any modified regex patterns against sample data before activating them in a scan to confirm they match the intended data and do not produce excessive false positives.
Creating a custom detection rule:
Custom rules allow you to detect organization-specific sensitive data types not covered by the built-in patterns, such as employee ID numbers, internal account codes, or proprietary data formats.
- Navigate to Admin → PII Patterns
- Click Add Pattern
- Configure the custom rule:
  - Name: a clear, descriptive name for the data type (e.g., Employee ID Number)
  - Description: a brief explanation of what this pattern detects
  - Regex Pattern: the regular expression to match the data type
  - Severity Level: Critical, High, Medium, or Low based on data sensitivity
- Click Save
Example custom patterns:
| Data Type | Example Regex Pattern |
| --- | --- |
| Employee ID (EMP + 6 digits) | EMP\d{6} |
| Internal account code | ACC-[A-Z]{2}-\d{4} |
| UK National Insurance Number | [A-Z]{2}\d{6}[A-Z] |
| Canadian SIN | \d{3}-\d{3}-\d{3} |
| Australian Tax File Number | \d{3}\s\d{3}\s\d{3} |
[Your administrator should work with your legal and compliance teams to identify any organization-specific data types that require custom detection rules.]
Writing effective regex patterns:
When creating or modifying detection rules, keep the following in mind:
Be specific enough to avoid false positives: A pattern that is too broad will match unintended content and generate noise in your scan results. For example, a simple \d{9} pattern would match any 9-digit number, not just Social Security Numbers.
Be flexible enough to catch real matches: Data is not always formatted consistently. SSNs may appear with or without dashes. Phone numbers may use spaces, dots, or dashes as separators. Build flexibility into patterns where appropriate:
# SSN: matches with or without dashes
\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b
# Phone: matches multiple separator styles
\b(\+1[-\s]?)?\(?\d{3}\)?[-\s.]?\d{3}[-\s.]?\d{4}\b
Use word boundaries: Add \b (word boundary) anchors to prevent partial matches within longer strings:
# Without boundary: matches “123456789” inside “9123456789”
\d{9}
# With boundary: only matches standalone 9-digit numbers
\b\d{9}\b
Test patterns before activating: Use an online regex tester with representative sample data from your environment to validate patterns before adding them to PII Scanner.
[Your administrator should involve your security or data governance team when writing custom regex patterns to ensure accuracy and compliance alignment.]
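The following is an added example, not part of the original page or of PII Scanner: a small offline harness that runs this page's patterns against labelled sample lines and reports missed detections and false positives. It assumes Python's `re` module behaves like the scanner's regex engine for these constructs (the page does not state the engine); the sample lines are constructed, and the `canadian_sin_bounded` rule is a hardened variant added here.

```python
import re

# Patterns marked "page" are copied from this page; "added" is a hardened
# variant written for this example. All sample lines are constructed.
RULES = {
    "ssn_flexible (page)": r"\b\d{3}[-\s]?\d{2}[-\s]?\d{4}\b",
    "nine_digits_unbounded (page)": r"\d{9}",
    "nine_digits_bounded (page)": r"\b\d{9}\b",
    "canadian_sin (page)": r"\d{3}-\d{3}-\d{3}",
    "canadian_sin_bounded (added)": r"\b\d{3}-\d{3}-\d{3}\b",
}

SSN_HITS = ["SSN on file: 123-45-6789", "ssn=123456789;", "SSN 123 45 6789"]
SSN_NOISE = ["Tracking no. 9123456789", "Invoice 2024-000187",
             "Order 123456789 shipped"]
SIN_HITS = ["SIN: 123-456-789"]
SIN_NOISE = ["Call 555-123-4567"]

# rule name -> (lines that must match, lines that must not match)
SAMPLES = {
    "ssn_flexible (page)": (SSN_HITS, SSN_NOISE),
    "nine_digits_unbounded (page)": (SSN_HITS, SSN_NOISE),
    "nine_digits_bounded (page)": (SSN_HITS, SSN_NOISE),
    "canadian_sin (page)": (SIN_HITS, SIN_NOISE),
    "canadian_sin_bounded (added)": (SIN_HITS, SIN_NOISE),
}

def evaluate(pattern, should_match, should_not_match):
    """Return (misses, false_positives) for one rule against labelled lines."""
    rx = re.compile(pattern)
    misses = [s for s in should_match if not rx.search(s)]
    false_positives = [(s, m.group(0)) for s in should_not_match
                       if (m := rx.search(s))]
    return misses, false_positives

def run_all():
    """Evaluate every rule in RULES against its labelled samples."""
    return {name: evaluate(RULES[name], *SAMPLES[name]) for name in RULES}

if __name__ == "__main__":
    for name, (misses, fps) in run_all().items():
        print(f"{name}: {len(misses)} missed, {len(fps)} false positive(s)")
        for text in misses:
            print(f"    missed: {text!r}")
        for text, matched in fps:
            print(f"    false positive: {matched!r} in {text!r}")
```

The run shows two things the pattern text alone does not: the listed Canadian SIN pattern fires inside a US phone number until boundaries are added, and even the bounded SSN pattern still flags a standalone 9-digit order number, which no boundary anchor can rule out.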
Managing detection rule severity levels:
Severity levels help prioritize scan results in LT Auditor MP and can be used to drive alert rules and compliance reporting. Assign severity levels based on the regulatory and business impact of each data type:
| Severity | Examples |
| --- | --- |
| Critical | SSNs, credit card numbers, medical record numbers, passport numbers |
| High | Email addresses combined with other PII, dates of birth, financial account numbers |
| Medium | Phone numbers, IP addresses, employee IDs |
| Low | Internal codes, reference numbers with limited sensitivity |
[Your administrator should define severity levels in alignment with your organization’s data classification policy.]
Reviewing detection rule effectiveness:
After running scan jobs, review the results in LT Auditor MP to assess whether your detection rules are performing as expected:
- Navigate to View in the LT Auditor MP Web UI
- Filter by Source → PII Scanner
- Review the PII classes detected across recent scans
- Identify:
  - High false positive rates: rules generating many matches that are not actually sensitive data. Consider tightening the regex pattern or disabling the rule.
  - Missed detections: known sensitive data that is not being detected. Review and update the relevant regex pattern.
  - Unexpected findings: sensitive data found in unexpected locations. Flag for remediation and access control review.
Best practices:
- Review and validate all built-in detection rules before running your first scan to confirm they are appropriate for your environment
- Disable built-in rules that consistently generate false positives in your environment rather than tolerating the noise
- Test all custom regex patterns thoroughly with real sample data before activating them
- Assign severity levels consistently across all rules to ensure reliable prioritization in LT Auditor MP
- Review detection rules regularly; data types and formats used in your organization may change over time
- Document the purpose and expected output of each custom rule so other administrators can maintain them
- Involve your legal and compliance teams when defining rules for regulated data types to ensure alignment with your compliance obligations
[Your administrator should schedule a periodic review of all active detection rules, at minimum annually, or whenever compliance requirements or data handling practices change in your organization.]