Scopes covered for use of wildcards:
- Regex or Wildcard support in the Command line and Filepath
- Duplicates aren't allowed
- Maximum limit on the number of exclusions
1—Regex or Wildcard support in the Filepath and Command line:
When you exclude a threat from the threat list, you can now use wildcards in the File Path and Command Line criteria. If the input does not match the defined regex rules, an error message displays for the respective field:
Please enter the correct file path
OR
Please enter the correct command line value
The maximum input lengths for the File path and Command line fields are as follows:
- File path limit - 256 characters.
- Command line limit - 8191 characters.
If the limit is exceeded, an error message displays:
You have reached your maximum limit of characters allowed
Using wildcards when creating exclusions:
Wildcards (?, *, **) are helpful in creating exclusions, but certain rules apply:
- The question mark (?) wildcard is used to represent a single character in the exact position where it is placed in the path or file name.
- The asterisk (*) wildcard is used to represent one or more characters, and does not cross a folder boundary.
- The double asterisk (**) wildcard is used to represent one or more characters, and does cross folder boundaries.
Example:
Given the Ingested Trace from the EndPoint:
C:\Users\systemname\Artemis.exe
| Valid Regex | Remarks | Invalid Regex | Remarks |
|---|---|---|---|
| C:\**\Artemis.??? | Exclude an Artemis file whose extension has exactly 3 characters and that exists anywhere under the 'C' drive. | *** | Consecutive single or double asterisks are not a valid regex. |
| C:\Users\*\?rtemis.* | Exclude a file name that starts with any one character followed by the string 'rtemis.' and ends with zero or more characters, located at zero or one level of subfolder under the 'C:\Users' folder path. | C:\**abc | A double asterisk is allowed in between the file path, not at the end. |
| C:\USERS\SYSTEMNAME\?rtemis.* | Exclude a file name that starts with any one character followed by the string 'rtemis.' and ends with zero or more characters, located only under the 'SYSTEMNAME' (uppercase) subfolder of the 'C:\Users' folder path. | | |
| C:\USERS\systemname\?rtemis.* | Exclude a file name that starts with any one character followed by the string 'rtemis.' and ends with zero or more characters, located only under the 'systemname' (lowercase) subfolder of the 'C:\Users' folder path. By default, Windows supports case sensitivity for folder names; hence this folder name is considered a different value. | | |
Folder names at the end of the filepath/cmdLine are accepted.
Limitations:
- Case-sensitive matching of FilePath and CmdLine is not supported with regex values.
Example: file:paths = 'C:\\RO*\\TROJ??.exe' => 'C:\roTT\trojKK.exe'
- The only restriction on the Command Line field is that the *** regex value is rejected.
- Linux File Paths (example: /home/appsadm/threatD?t?/*.sh) are not supported by the regex.
- *** is not a valid regex to use.
- Windows doesn't support folder names that contain certain special characters (for example: / : < > | ").
- Double asterisk (**) can't be specified as the starting characters of the input regex for the FilePath/CommandLine fields.
- Network paths are also allowed as input for the Filepath/Command line fields.
Example: \\servername\Share\sample.exe
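An added Python model of the wildcard rules above (example code, not the product's own matching engine): ? is one character, * is one or more characters within a folder level, ** is one or more characters across folder levels, *** and a leading ** are rejected, and matching is case-insensitive as in the Limitations example. The requirement that ** sit between backslashes (which is how the C:\**abc rejection is read here) and the field names "filepath"/"cmdline" are assumptions.

```python
import re
from typing import Optional

# Per-field length limits stated on the page.
MAX_LEN = {"filepath": 256, "cmdline": 8191}


def validate_pattern(pattern: str, field: str = "filepath") -> Optional[str]:
    """Return an error string for a pattern the page's rules reject, else None."""
    if len(pattern) > MAX_LEN[field]:
        return "You have reached your maximum limit of characters allowed"
    if "***" in pattern:
        return "Consecutive single asterisk or double asterisk is not a valid regex"
    if pattern.startswith("**"):
        return "Double asterisk can't be specified as the starting characters"
    # Assumption: '**' must sit between folder separators, as in C:\**\Artemis.???,
    # so C:\**abc and a trailing ** are rejected.
    for m in re.finditer(r"\*\*", pattern):
        before = pattern[m.start() - 1 : m.start()]
        after = pattern[m.end() : m.end() + 1]
        if before != "\\" or after != "\\":
            return "Double asterisk is allowed in between file path and not at the end"
    return None


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate ?, * and ** into a regex with the page's folder-boundary semantics."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(r".+")       # one or more chars, may cross a '\' boundary
            i += 2
        elif pattern[i] == "*":
            out.append(r"[^\\]+")   # one or more chars, stays within one folder level
            i += 1
        elif pattern[i] == "?":
            out.append(r"[^\\]")    # exactly one char at this position
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    # Case-insensitive, following the Limitations example (RO* matches roTT).
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


def matches(pattern: str, observed: str, field: str = "filepath") -> bool:
    """True when a valid exclusion pattern matches the ingested trace value."""
    if validate_pattern(pattern, field) is not None:
        return False
    return pattern_to_regex(pattern).match(observed) is not None
```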
2—Duplicates aren't allowed:
Duplicate exclusions aren't allowed. If you attempt to add a duplicate exclusion, an error message displays:
Exclusion with the same criteria already exists
When you attempt to add a duplicate exclusion on a Monitor page, the error message displays.
When you attempt to add a duplicate exclusion on a Configuration page, the error message displays.
Limitation:
- Duplicate exclusions added before this release remain as they are.
3—Maximum limit on the number of exclusions:
The maximum number of exclusions that can be added for a tenant is 1000, and this value is configurable. If this limit is exceeded for a tenant, the SOC Analyst sees the following error message in the UI:
Maximum exclusion limit is reached