Detection failures for pipe-separated content using default DLP Data Identifiers



Article ID: 277956


Products

Data Loss Prevention Cloud Detection Service for REST

Issue/Introduction

You are using DLP default "system" Data Identifier (e.g., the defaults that come with your install, such as for SSN or CCN detection, etc.).

You find that DLP detects test content in most cases, but you have seen that numbers prefaced or followed by the pipe character ("|") are not being picked up by your DLP detection.

Environment

Current DLP platforms, using either on-premises or Cloud Services detection servers

Cause

Every Data Identifier (aka "DI") carries a default list of "pre-validators" and "post-validators": the characters that are allowed to immediately precede or follow a pattern match for it to count as a detection. The pipe character ("|") is not one of the validator characters in the default list, so a number bounded by pipes fails the boundary check even though the number itself matches the pattern.
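The following is an added illustration of the boundary check described above, not the DLP product's own code; the SSN regex and the default validator set are constructed assumptions for the example, and `find_matches` shows why a pipe-delimited value is skipped until "|" is added to the set.

```python
import re

# Simplified SSN-shaped pattern (constructed; not the product's actual DI pattern).
SSN_PATTERN = re.compile(r"\d{3}-\d{2}-\d{4}")

# Assumed default pre-/post-validator characters (constructed for this example;
# the real list is documented in the product's online help, not here).
DEFAULT_VALIDATORS = set(" \t\r\n,.;:()[]\"'")


def find_matches(text, validators=DEFAULT_VALIDATORS):
    """Return pattern matches whose neighbouring characters pass the
    pre-validator (char before) and post-validator (char after) check.
    Start or end of text counts as a valid boundary."""
    hits = []
    for m in SSN_PATTERN.finditer(text):
        before = text[m.start() - 1] if m.start() > 0 else None
        after = text[m.end()] if m.end() < len(text) else None
        pre_ok = before is None or before in validators
        post_ok = after is None or after in validators
        if pre_ok and post_ok:
            hits.append(m.group())
    return hits


def custom_validators():
    """Validator set of a 'Custom' DI copied from the system one, with the
    pipe character added as described in the Resolution section."""
    return DEFAULT_VALIDATORS | {"|"}


# Constructed test content: comma-, pipe- and parenthesis-bounded values.
SAMPLE = "name,123-45-6789,ok\nuser|987-65-4321|active\n(555-12-3456)\n"

if __name__ == "__main__":
    print("default validators :", find_matches(SAMPLE))
    print("custom (+ pipe)    :", find_matches(SAMPLE, custom_validators()))
```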

Resolution

The validator characters are not revealed in the UI for system Data Identifiers, and you cannot add characters to a system Data Identifier, but the list of validator characters is available at the online help topic below (see Additional Information).

To add a character to the list of these pre- & post-validators, follow the steps below to first copy an existing system Data Identifier, thereby creating a "Custom" Data Identifier.

Note: By creating a Custom DI, you will have the option to add the pipe to the list of validators. A Custom Data Identifier only allows for one breadth of pattern, however, named "Wide" by default. To create a Custom DI that detects on a Medium or Narrow breadth, copy the appropriate pattern into your new Custom DI configuration.

  1. In the Enforce UI, go to "Manage > Policies > Data Identifiers".
  2. Copy the existing configuration elements from the Data Identifier you want into a text file for later use, e.g.:
    • The Masking Configuration.
    • The Patterns of regular expressions - be sure to copy the one from the breadth you want (such as Medium, or Narrow).
    • Data Normalizer type (usually "Digits").
    • Take note of the "Active Validators" - such as "Randomized US Social Security Number Validation Check" or "Find keywords".
  3. Click on "Add Data Identifier" at the top of the list of Data Identifiers.
  4. Add a name and description as needed, and enter the data captured in the preceding steps.
  5. In the Pre- and Post-Validators section, add the characters required (for this issue, the pipe character), as per the below screenshot:
  6. Save the Data Identifier as created.
    • Note that the new category of your Data Identifier is "Custom" - and it will also have a "pencil" added to the target icon to the left of the name.
  7. After assigning the new Data Identifier to your policy, test that detection is working for the new validator character you have added.

Additional Information

See this topic for the list in 16.0.1: Configuring pre- and post-validators (broadcom.com).

There is also a Feature Request for having these validator characters exposed in the UI for system Data Identifiers: PM-3714, "Detection -- Pre- and Post-Validators for Default Data Identifiers".