Clarify wildcard escaping rules for Endpoint alert exceptions, trusted apps, and event filters #5773

Open

Description

This existing page documents the rules for escaping \, *, and ? for rule exceptions with this text

Some characters must be escaped with a backslash, such as \ for a literal backslash, * for an asterisk, and ? for a question mark. Windows paths must be divided with double backslashes (for example, C:\Windows\explorer.exe), and paths that already include double backslashes might require four backslashes for each divider

That text is not relevant for Endpoint alert exceptions, trusted apps, and event filters. Those three types of artifacts should not have \, *, or ? escaped.

Ideally we'd close this gap within Kibana. But doing that would be hard and not backwards compatible so at the very least we should document it.

Related links / assets

#5766 made a similar request, involving the app's inconsistency between trusted apps and rule exceptions, so I closed that issue in favor of this one for tracking. Here's the original description from that ticket:

There seems to be an inconsistency between the sections of the documentation related to the use of the "matches" operator and the escape characters.

  • Trusted Applications Documentation
    The documentation states: "matches: Can include wildcards in Value, such as C:\path\*\app.exe. This option is only available for the Path field type. Available wildcards are ? (match one character) and * (match zero or more characters)."

  • Detection Rule Exception Documentation
    The documentation states: "matches | does not match — Allows you to use wildcards in Value, such as C:\\path\\*\\app.exe. Available wildcards are ? (match one character) and * (match zero or more characters). The selected Field data type must be keyword, text, or wildcard."

The primary inconsistency lies in the use of the escape character. The "Trusted Applications" documentation does not seem to require double backslashes for paths, while the "Detection Rule Exception" documentation does.

Could we please clarify whether the escape character (double backslashes) is necessary in both contexts or if the single backslash is fine? If so, it would be helpful to have the documentation updated for consistency to avoid any confusion.
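To make the gap concrete, here is an added example (not code from the issue, from Kibana or from Endpoint) that models the two conventions described above as regular expressions and checks the two documented sample values against one constructed Windows path. It assumes that, under the rule exception convention, a backslash before any character other than `\`, `*` or `?` also yields that character literally; the page only states the three escaped cases.

```python
import re

# Added example, not code from the issue or from Kibana: models the two
# escaping conventions the issue describes, so a value can be checked
# against a concrete path under each one.

WILDCARDS = {"*": ".*", "?": "."}  # the two wildcards both conventions share


def rule_exception_to_regex(value: str) -> re.Pattern:
    """Detection rule exception convention: a backslash escapes the next
    character, so a literal backslash is written as two backslashes and a
    literal * or ? as \\* or \\?.  Unescaped * and ? are wildcards.
    Assumption (not stated on the page): a backslash before any other
    character also just yields that character."""
    out, i = [], 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            if i + 1 >= len(value):
                raise ValueError("value ends with a lone backslash")
            out.append(re.escape(value[i + 1]))  # escaped char is literal
            i += 2
            continue
        out.append(WILDCARDS.get(ch, re.escape(ch)))
        i += 1
    return re.compile("".join(out) + r"\Z")


def endpoint_artifact_to_regex(value: str) -> re.Pattern:
    """Endpoint alert exception / trusted app / event filter convention:
    nothing is escaped.  A backslash is a literal backslash, so Windows
    paths use single backslashes, and * / ? are always wildcards."""
    body = "".join(WILDCARDS.get(ch, re.escape(ch)) for ch in value)
    return re.compile(body + r"\Z")


def compare(value: str, path: str) -> dict:
    """Return whether `value` matches `path` under each convention."""
    return {
        "rule_exception": rule_exception_to_regex(value).match(path) is not None,
        "endpoint_artifact": endpoint_artifact_to_regex(value).match(path) is not None,
    }


if __name__ == "__main__":
    # Constructed sample path; the two values are the docs' own examples.
    path = r"C:\path\build\app.exe"
    for value in (r"C:\\path\\*\\app.exe", r"C:\path\*\app.exe"):
        print(value, "->", compare(value, path))
```

Each documented sample value matches the path only under the convention it was written for, which is exactly the mismatch a user hits when copying a value from a trusted app into a rule exception or the other way round.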

Which documentation set needs improvement?

ESS and serverless

Software version

This is applicable to all Kibana and Endpoint versions.

Collaborators

PM: @caitlinbetz
Developer: @gabriellandau @marshallmain

Timeline / deliverables

This is an enhancement request because this undocumented distinction is confusing to users.
