Is it possible to use regexp or wildcard when adding exception to detection rules?

buzzdeee · April 15, 2021, 8:52am

Hi,

when adding exceptions to detection rules, is it possible to use regular expressions or wildcards?

sometimes executable are started in directories created with random names, or have parameters with other variable parts, i.e. /home//some/path/to/file

Is it possible to for example match kind of:
/home/[a-z]/some/path/to/file
or even only
/home/./some/path/to/file ?

just want to ensure I don't accidentely miss what I'm looking for.

cheers,
Sebastian

ferullo · April 15, 2021, 4:35pm

Exceptions do not allow wildcarding or regular expressions. Only extract string matching is supported.

buzzdeee · April 15, 2021, 8:22pm

thank you @ferullo
at least I didn't overlooked anything obvious.

system · May 13, 2021, 8:22pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Event Filters & Wildcards Endpoint Security	7	439	November 7, 2023
Is one of Exceptions Elastic Security detection-rules	2	439	June 30, 2023
Security Detection exception MATCHES not working properly Elastic Security detection-rules	3	288	April 23, 2024
Clarification On escaping characters witch MATCHES operator in Rule Exclusions Kibana elastic-stack-security	0	25	September 10, 2024
Regexp parsing_exception for \[mytag\]. Why do regexp escapes for [, ], (, ), break the parser? Elasticsearch	3	876	April 20, 2017

Is it possible to use regexp or wildcard when adding exception to detection rules?

Related topics