opened on Sep 4, 2024
Description
This existing page documents the rules for escaping \, *, and ? for rule exceptions with this text:
Some characters must be escaped with a backslash, such as \ for a literal backslash, * for an asterisk, and ? for a question mark. Windows paths must be divided with double backslashes (for example, C:\\Windows\\explorer.exe), and paths that already include double backslashes might require four backslashes for each divider.
That text is not relevant for Endpoint alert exceptions, trusted apps, and event filters. Those three types of artifacts should not have \, *, or ? escaped.
Ideally we'd close this gap within Kibana. But doing that would be hard and not backwards compatible so at the very least we should document it.
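To make the two conventions concrete, here is a small added illustration (not Kibana's or Endpoint's real matcher) that tokenizes a "matches" value under each rule set and turns it into a regex. The rule-exception tokenizer treats a backslash as the escape character exactly as the quoted documentation describes; the endpoint-artifact tokenizer takes the value as-is. All sample paths and patterns below are constructed, and whether real matching is case-sensitive is not stated on this page, so the helper matches case-sensitively.

```python
import re

# Added illustration of the two documented conventions for wildcard path
# values; this is not Kibana's or Endpoint's actual implementation.


def unescape_rule_exception_value(value: str) -> list:
    """Tokenize a rule-exception 'matches' value.

    Per the docs quoted above: '\\\\' is a literal backslash, '\\*' a literal
    asterisk, '\\?' a literal question mark; unescaped '*' and '?' are wildcards.
    Returns ('lit', ch) or ('wild', ch) tokens.
    """
    tokens = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\":
            # A backslash must be followed by one of the three escapable characters.
            if i + 1 < len(value) and value[i + 1] in "\\*?":
                tokens.append(("lit", value[i + 1]))
                i += 2
                continue
            raise ValueError(f"dangling backslash at position {i} in {value!r}")
        if ch in "*?":
            tokens.append(("wild", ch))
        else:
            tokens.append(("lit", ch))
        i += 1
    return tokens


def tokenize_endpoint_value(value: str) -> list:
    """Endpoint alert exceptions, trusted apps and event filters take the value
    as-is: backslash is a literal path separator, '*' and '?' are wildcards."""
    return [("wild", ch) if ch in "*?" else ("lit", ch) for ch in value]


def tokens_to_regex(tokens) -> str:
    """'*' matches zero or more characters, '?' exactly one; literals are escaped."""
    parts = []
    for kind, ch in tokens:
        if kind == "wild":
            parts.append(".*" if ch == "*" else ".")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def matches(path: str, tokens) -> bool:
    """Case-sensitive full match of a path against a token list (assumption)."""
    return re.fullmatch(tokens_to_regex(tokens), path) is not None


if __name__ == "__main__":
    sample_path = r"C:\path\sub\app.exe"  # constructed sample
    # Same intent, two spellings: escaped for rule exceptions, raw for endpoint artifacts.
    rule_value = r"C:\\path\\*\\app.exe"
    endpoint_value = r"C:\path\*\app.exe"
    print(matches(sample_path, unescape_rule_exception_value(rule_value)))   # True
    print(matches(sample_path, tokenize_endpoint_value(endpoint_value)))     # True
    # Using the rule-exception spelling in an endpoint artifact looks for two
    # literal backslashes per separator and silently fails to match.
    print(matches(sample_path, tokenize_endpoint_value(rule_value)))         # False
```

The last case is the practical consequence of the undocumented distinction: a value copied from a rule exception into a trusted app does not error, it just never matches, so the exception or filter appears to be ignored.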
Related links / assets
#5766 made a similar request, involving the app's inconsistency between trusted apps and rule exceptions, so I closed that issue in favor of this one for tracking. Here's the original description from that ticket:
There seems to be an inconsistency between the sections of the documentation related to the use of the "matches" operator and the escape characters.
Trusted Applications Documentation
The documentation states: "matches: Can include wildcards in Value, such as C:\path\*\app.exe. This option is only available for the Path field type. Available wildcards are ? (match one character) and * (match zero or more characters)."
Detection Rule Exception Documentation
The documentation states: "matches | does not match — Allows you to use wildcards in Value, such as C:\\path\\*\\app.exe. Available wildcards are ? (match one character) and * (match zero or more characters). The selected Field data type must be keyword, text, or wildcard."
The primary inconsistency lies in the use of the escape character. The "Trusted Applications" documentation does not seem to require double backslashes for paths, while the "Detection Rule Exception" documentation does.
Could we please clarify whether the escape character (double backslashes) is necessary in both contexts or if the single backslash is fine? If so, it would be helpful to have the documentation updated for consistency to avoid any confusion.
Which documentation set needs improvement?
ESS and serverless
Software version
This is applicable to all Kibana and Endpoint versions.
Collaborators
PM: @caitlinbetz
Developer: @gabriellandau @marshallmain
Timeline / deliverables
This is an enhancement request because this undocumented distinction is confusing to users.