# Document Marking

{% hint style="info" %}
**\[Document watermarking]** We are working on this functionality. We will announce its deployment in the changelog as soon as it becomes available.
{% endhint %}

Document watermarking using **Fingerprint** is a process of automatically assigning invisible markers to files according to predefined rules. These markers do not interfere with the file structure or its integrity – they follow the file in the NTFS data stream, which makes them resistant to moving, copying, or editing.

## Introduction

### Key features of Fingerprint

1. **No impact on file structure:**
   * The marker does not change the file checksum.
   * A file bearing a digital signature remains intact.
2. **Invisible to the end user:**
   * The marker is a string of characters in the NTFS data stream.
   * Visible only to the eAgent system and to the administrator in the eAuditor console.
   * A single file can have multiple markers.
3. **Identification in system logs:**
   * The administrator sees the marker name that they previously defined in the system.
   * The number of markers in the system is unlimited.

{% hint style="warning" %}
**Note:** A file-classification policy should be accompanied by restrictions on which file systems may be used within the organization (for example, allowing only NTFS). If a marked file is moved to an environment with a different file system (e.g., FAT32), the marker will be lost.

This is particularly important when files are copied between devices using, for instance, USB flash drives rather than, for example, network locations.

* If the USB flash drive uses the **NTFS file system, the file will be moved along with the marker.**
* If the USB flash drive uses the **FAT32 file system, the moved file will lose the marker.**
  {% endhint %}

### Examples of use

#### 1. Marking based on file content

* **Example:** The administrator creates a DLP policy that assigns a marker to every file containing the surname “Nowak” (case-insensitive).
* **Configuration:**
  * Criterion: File content contains “Nowak”.
  * Marker name: “File containing the boss’s surname”.
* **Behavior:** Every file meeting the condition will be automatically tagged with a string in the NTFS stream, e.g. `67asudhasd7a8s9diajsdhua7sd8aisddjausd8a`. The administrator will see in the logs: “File ABCD.doc met the criteria and received the marker: File containing the boss’s surname”.

#### 2. Marking based on location

* **Example:** The administrator assigns a marker to files saved in the “Downloads” folder.
* **Configuration:**
  * Criterion: File location `C:\Users\Downloads`.
  * Marker name: “Downloaded file”.
* **Behavior:** Every file saved in the “Downloads” folder automatically receives the marker.

#### 3. Marking based on process

* **Example:** Files created by the process `aplikacjatest.exe` are to receive a marker.
* **Configuration:**
  * Criterion: Process `aplikacjatest.exe`.
  * Marker name: “File from test application”.
* **Behavior:** Every file created by the specified process, regardless of extension and location, receives the marker.

#### 4. Combining rules and markers

Rules can be applied concurrently and overlap; for example, files containing “Nowak” saved in the “Downloads” folder may receive an additional marker.

### Benefits and advanced uses

#### 1. **Log filtering and reporting**

Markers enable easy filtering of logs in the system, allowing the administrator to find all files meeting specified criteria (e.g., content, location, process) by searching the marker name. Reports can also be generated with information about:

* File locations.
* Author (who created the file).
* File creation date.

#### 2. **Monitoring operations on marked files**

**Example:** The “File Operations” policy monitors rename operations on a file marked as “File containing the boss’s surname”.

* Configuration: Define monitoring of rename operations for files with a given marker.
* Effect: Every attempt to rename the file is logged in the system, and the operation can also be blocked.

#### 3. **Blocking file edits**

**Example:** Blocking editing of files marked as “File from test application”.

* Configuration: The policy blocks writing to files with a given marker.
* Effect: The user cannot edit or save changes to the file.

## Configuration

The **eAuditor** system allows **Fingerprint** markers to be assigned in two ways:

1. **Using a schedule:**
   * Files are classified cyclically, at defined time intervals.
   * The system, via the agent, scans specified locations and marks files that meet defined criteria.
   * Configuration is performed in the second step (skip the first).
2. **Using the File Operation rule:**
   * Files are classified dynamically at the moment of save or creation.
   * Any file meeting specified parameters will be automatically marked during the operation.

***

### Configuration using a schedule

Configuration steps

{% stepper %}
{% step %}

#### Create a policy or add a rule

* Go to the main DLP policies view.
* Create a new policy or edit an existing one.

<div align="left"><figure><img src="/files/9c137f46c2e3f1a0c2ed4e2d081e2aa5ad4dc6b1" alt="" width="188"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Add an action

Select the **Add marker** or **Remove marker** action:

* **Add marker:** Tagging files.
* **Remove marker:** Removing existing markers – this is the only way for an administrator to remove a marker.

<div align="left"><figure><img src="/files/e1bcac03a28caed30ea46e7de3bac4adad7a6c31" alt="" width="131"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Configure locations and files

Specify a location mask, e.g.:

* `C:\Users\Documents` – monitoring the “Documents” folder.
* Ability to specify exclusions for certain subfolders.

[How to add/edit a mask?](/eacloud-docs-en/features/data-loss-prevention/dlp-policies-and-rules/triggers/file-operations/masks.md)

Specify a file mask, e.g.:

* `*.docx` – monitoring Word documents.
* Ability to specify exclusions (e.g. `test.docx`).

[How to add/edit a mask?](/eacloud-docs-en/features/data-loss-prevention/dlp-policies-and-rules/triggers/file-operations/masks.md)
{% endstep %}

{% step %}

#### Enter credentials

* Provide credentials required by the agent to access the scanned location (e.g., a dedicated domain account with appropriate permissions).
* Select the **Read-only files** option (if applicable).

<div align="left"><figure><img src="/files/e9f0929089c7b242ba69b095b558667365d11f4b" alt="" width="188"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Scan interval

Define the interval at which the specified locations will be scanned to classify files that meet the defined parameters.

<div align="left"><figure><img src="/files/dec41c27617e2a17880138ed86f5da3052cee40e" alt="" width="237"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Select marker

Select a marker from the available list:

* Adding new markers is described in the section [**Adding a new marker**](#dodawanie-nowego-znacznika).

<div align="left"><figure><img src="/files/3e3e2b4184f25e014fdc7329b1b2b1591495ac8a" alt="" width="188"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Add a content search pattern (optional)

* Select criteria for searching content within files:
  * **Content contains:** Search for files containing specified text.
  * **Content does not contain:** Search for files without the specified text.
* Supported file masks: `*.docx`, `*.xlsx`, `*.pptx`, `*.txt`.
* Adding new patterns is described in the section [**Adding a content search pattern**](#dodawanie-wzorca-przeszukiwania-tresci).

<div align="left"><figure><img src="/files/94e45a03e001c1f1b87e49e001aad20190a971cb" alt="" width="188"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Save configuration

{% endstep %}

{% step %}

#### Add notifications (optional)

Possible notification options:

* **Admin log.**
* **E-mail for the administrator.**
* **Message for the user.**
  {% endstep %}
  {% endstepper %}

{% hint style="info" %}
**INFO:** Notifications for markers are not recommended due to the high volume of operations, which may lead to excessive logs and messages.
{% endhint %}

### Configuration using the File Operation rule

Configuration steps

{% stepper %}
{% step %}

#### Create a policy or add a rule

* Go to the main DLP policies view.
* Create a new policy or edit an existing one.

<div align="left"><figure><img src="/files/9c137f46c2e3f1a0c2ed4e2d081e2aa5ad4dc6b1" alt="" width="188"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Add a trigger

* In **"When this happens..."**, add a new step and select the **File Operation** trigger.

<div align="left"><figure><img src="/files/17e4bfe0b419e78ca8d8771d689c3be518eb1a8d" alt="" width="188"><figcaption></figcaption></figure></div>

* Adding or removing a marker is available for the following operation types:
  * **Save.**
  * **Create.**

<div align="left"><figure><img src="/files/6b8bb782be2db95f959092431e99d575b8e5ceee" alt="" width="188"><figcaption></figcaption></figure></div>

{% hint style="warning" %}
**NOTE!** If you select other types of operations, the file classification option will be unavailable.
{% endhint %}
{% endstep %}

{% step %}

#### Define file parameters

Specify classification criteria:

* File location.
* File extension.
* More information about parameters in the section [**File operations**](/eacloud-docs-en/features/data-loss-prevention/dlp-policies-and-rules/triggers/file-operations.md).
  {% endstep %}

{% step %}

#### Add an action

Select the **Add marker** or **Remove marker** action.

<div align="left"><figure><img src="/files/dbda03aa4cb80a49987d3c346c98076f0c3381d2" alt="" width="188"><figcaption></figcaption></figure></div>
{% endstep %}

{% step %}

#### Select marker

Select a marker from the available list:

* Initially the list contains two example markers.

<div align="left"><figure><img src="/files/4db38163dc01b501e95df8b59bcc2b834106fdba" alt="" width="188"><figcaption></figcaption></figure></div>

"Why don’t I see markers?" - [**Adding a new marker**](#dodawanie-nowego-znacznika).
{% endstep %}

{% step %}

#### Add a content search pattern (optional)

* Select criteria for searching content within files:
  * **Content contains:** Search for files containing specified text.
  * **Content does not contain:** Search for files without the specified text.
* Supported file masks: `*.docx`, `*.xlsx`, `*.pptx`, `*.txt`.

<div align="left"><figure><img src="/files/60cfa6893bb71ecc0dce394da92507367f2f6e2c" alt="" width="188"><figcaption></figcaption></figure></div>

"Why don’t I see content search patterns?" - [**Adding a content search pattern**](#dodawanie-wzorca-przeszukiwania-tresci).
{% endstep %}

{% step %}

#### Save configuration

{% endstep %}

{% step %}

#### Add notifications (optional)

Possible notification options:

* **Alert for the administrator.**
* **E-mail for the administrator.**
* **Message for the user.**
* **Alert for the user.**
  {% endstep %}
  {% endstepper %}

{% hint style="info" %}
**INFO:** Notifications for markers are not recommended due to the high volume of operations.
{% endhint %}

### Adding a new marker

Below you will find instructions that will be useful if you have reached step 7 [of configuration using the schedule](#konfiguracja-za-pomoca-harmonogramu) or 6 [of the File Operation rule](#konfiguracja-za-pomoca-reguly-operacja-na-plikach).

{% stepper %}
{% step %}

#### Click **+ Add new marker**.

{% endstep %}

{% step %}

#### Enter

* Marker name.
* Description (optional).
  {% endstep %}

{% step %}

#### Save the marker.

{% endstep %}
{% endstepper %}

The new marker will be added to the list and will be available when creating classification rules.

### Adding a content search pattern

Below you will find instructions that will be useful if you have reached step 6 [of configuration using the schedule](#konfiguracja-za-pomoca-harmonogramu) or 5 [of the File Operation rule](#konfiguracja-za-pomoca-reguly-operacja-na-plikach).

{% hint style="warning" %}
**NOTE!** The file content search parameter is supported only for file masks: \*.docx, \*.xlsx, \*.pptx, \*.txt.
{% endhint %}

{% stepper %}
{% step %}

#### Click **Define a new marker pattern**.

{% endstep %}

{% step %}

#### Enter

* Pattern name.
* Description (optional).
  {% endstep %}

{% step %}

#### Select pattern type

**Text (string):**

* Plain text that the system will search for in the file.
* Example:
  * `“Kowalski”` – if the word “Kowalski” appears in the file content, the file will be marked as meeting the conditions.
* Enter each text on its own line, without commas; separate entries using ENTER.

[**Regular expression (RegEx)**](/eacloud-docs-en/features/data-loss-prevention/dlp-policies-and-rules/actions/document-marking/regular-expressions.md)**:**

* An advanced way to define a pattern that allows searching for more complex data structures in files.
* Examples:
  * **PESEL**: `\b[0-9]{11}\b` – searches for an 11-digit PESEL number.
  * **E-mail**: `[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}` – searches for e-mail addresses.
  * **Phone number**: `\b\d{3}[-.\s]?\d{3}[-.\s]?\d{3}\b` – searches for phone numbers in the format 123-456-789.
  * **IP address (IPv4):** `\b((25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[0-1]?[0-9][0-9]?)\b` – searches for IPv4 addresses, e.g. `192.168.1.1`.
  * **Credit card number (16 digits):** `\b(?:\d[ -]*?){13,16}\b` – searches for credit card numbers, e.g. `1234-5678-1234-5678`.
  * **Postal code in Polish format (XX-XXX):** `\b\d{2}-\d{3}\b` – searches for postal codes in Poland, e.g. `01-234`.
    {% endstep %}
    {% endstepper %}

A pattern added this way will appear in the list available when creating classification rules.

{% hint style="warning" %}
**NOTE!**

* The provided pattern examples are for demonstration purposes only and are not validated.
* The administrator should test and adapt patterns to the requirements of their organization.
  {% endhint %}
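
One way to test two of the example patterns offline before deploying them, shown as an added example that is not part of eAuditor or its documentation. It goes beyond the regex itself: the PESEL and Luhn checksum functions are a second validation stage that the page does not describe, and the sample text and function names are constructed for illustration.

```python
import re

# Patterns copied from the examples on this page.
PESEL_RE = re.compile(r"\b[0-9]{11}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]*?){13,16}\b")

def pesel_checksum_ok(num: str) -> bool:
    """PESEL check digit: weights 1,3,7,9 repeated over the first 10 digits."""
    weights = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
    total = sum(int(d) * w for d, w in zip(num, weights))
    return (10 - total % 10) % 10 == int(num[10])

def luhn_ok(num: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(num)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text: str):
    """Return (kind, matched text, checksum passed) for every regex hit."""
    hits = []
    for m in PESEL_RE.finditer(text):
        hits.append(("pesel", m.group(), pesel_checksum_ok(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        hits.append(("card", m.group(), luhn_ok(digits)))
    return hits

# Constructed sample document text (not real data).
SAMPLE = (
    "Employee PESEL: 44051401359\n"
    "Ticket ref: 12345678901\n"
    "Card on file: 4111 1111 1111 1111\n"
    "Doc example: 1234-5678-1234-5678\n"
)

if __name__ == "__main__":
    for kind, value, ok in classify(SAMPLE):
        print(f"{kind:5} {value!r:24} checksum={'pass' if ok else 'FAIL'}")
```

Hits that fail the checksum are strings the regex alone would still treat as a match, which gives a rough measure of how many files a pattern would mark by coincidence.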

### Summary

Document watermarking using **Fingerprint** is an advanced and flexible tool supporting the enforcement of security policies in the organization. Through precise file tagging, the administrator gains full control over monitoring and managing documents, regardless of their location, content, or source. Practical applications can be found in the section **Case Study**, which discusses use-case scenarios of this feature in detail.
