diff --git a/solutions/images/security-exception-item-example.png b/solutions/images/security-exception-item-example.png index 1da080b593..7b0c67a3cf 100644 Binary files a/solutions/images/security-exception-item-example.png and b/solutions/images/security-exception-item-example.png differ diff --git a/solutions/security/detect-and-alert/add-manage-exceptions.md b/solutions/security/detect-and-alert/add-manage-exceptions.md index 4885492526..745ffb8502 100644 --- a/solutions/security/detect-and-alert/add-manage-exceptions.md +++ b/solutions/security/detect-and-alert/add-manage-exceptions.md @@ -103,7 +103,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected **Field** data type must be [keyword](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md#keyword-field-type), [text](elasticsearch://reference/elasticsearch/mapping-reference/text.md#text-field-type), or [wildcard](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md#wildcard-field-type). ::::{note} - Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. + For detection rule exceptions, some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider. :::: 
@@ -208,6 +208,7 @@ Additionally, to add an Endpoint exception to an endpoint protection rule, there ::::{note} * Fields with conflicts are marked with a warning icon (![Field conflict warning icon](/solutions/images/security-field-warning-icon.png "title =20x20")). Using these fields might cause unexpected exceptions behavior. For more information, refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts). * The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. + * Unlike detection rule exceptions, Elastic Endpoint exceptions do not require escaping special characters. :::: diff --git a/solutions/security/manage-elastic-defend/event-filters.md b/solutions/security/manage-elastic-defend/event-filters.md index 2012f612c3..45aad0b97a 100644 --- a/solutions/security/manage-elastic-defend/event-filters.md +++ b/solutions/security/manage-elastic-defend/event-filters.md @@ -75,6 +75,10 @@ Create event filters from the **Hosts** page or the **Event filters** page. * `is not one of` * `matches` | `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + ::::{note} + Unlike detection rule exceptions, event filters do not require escaping special characters. + :::: + ::::{important} Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. :::: 
diff --git a/solutions/security/manage-elastic-defend/trusted-applications.md b/solutions/security/manage-elastic-defend/trusted-applications.md index 76b20e810f..6eda15959b 100644 --- a/solutions/security/manage-elastic-defend/trusted-applications.md +++ b/solutions/security/manage-elastic-defend/trusted-applications.md @@ -65,6 +65,10 @@ To add a trusted application: * `is`: Must be *exactly* equal to `Value`; wildcards are not supported. This operator is required for the `Hash` and `Signature` field types. * `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This option is only available for the `Path` field type. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + ::::{note} + Unlike detection rule exceptions, trusted applications do not require escaping special characters. + :::: + 4. `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**. ::::{note} @@ -88,6 +92,10 @@ To add a trusted application: * `is not one of` * `matches` | `does not match`: Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). + ::::{note} + Unlike detection rule exceptions, trusted applications do not require escaping special characters. + :::: + ::::{important} Using wildcards can impact performance. To create a more efficient trusted application using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching. ::::
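Review bot: the replaced screenshot `solutions/images/security-exception-item-example.png` is the one change in this diff with no accompanying markdown edit, so a reviewer cannot see what the new image shows or which of the three edited pages it illustrates; add a sentence to the PR description saying what changed in the screenshot (for example, whether the **Value** shown now uses the escaped or the unescaped backslash form), so the image can be checked against the escaping guidance this patch adds.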
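Review bot: the new qualifier "For detection rule exceptions" in the `add-manage-exceptions.md` hunk at `@@ -103` scopes the escaping rule correctly, but the `matches` bullet directly above the note still gives the escaped example `C:\\path\\*\\app.exe` with no indication of which exception type it is for, while the same bullet in `event-filters.md` and `trusted-applications.md` shows `C:\path\*\app.exe`; state in that bullet too that the doubled-backslash form is for detection rule exceptions, so a reader does not carry the escaped value into an Endpoint exception, where the note added at `@@ -208` says escaping is not used.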
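Review bot: the wording "do not require escaping special characters" in the `add-manage-exceptions.md` hunk at `@@ -208` leaves open whether escaping is merely optional (both `C:\\Windows\\explorer.exe` and `C:\Windows\explorer.exe` match) or whether a backslash is taken literally, and since the same page tells detection-rule users that `\*` and `\?` escape the wildcard characters, a reader needs to know what those sequences mean in an Endpoint exception **Value**; spell out the actual behaviour in one sentence, for example "Backslashes are matched literally; enter Windows paths with single backslashes", or say that escaped values are also accepted, whichever is true. An exception whose escaping is misread either fails to suppress the alerts it was meant for or, with a stray unescaped `*`, suppresses more than intended, so the precise rule is worth stating.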
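Review bot: the note added in the `event-filters.md` hunk at `@@ -75` compares event filters to "detection rule exceptions" without linking to them, and this page does not otherwise mention escaping, so the comparison has no anchor for a reader who lands here directly; link the phrase to the escaping note in `solutions/security/detect-and-alert/add-manage-exceptions.md` using the relative-link style the repo already uses (compare the `../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts` link in the `@@ -208` hunk), and say explicitly whether a backslash in `Value` is matched literally rather than only that escaping is "not required".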
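Review bot: the note added in the `trusted-applications.md` hunk at `@@ -65` follows an operator list that says `matches` (the only operator where wildcards, and hence escaping, matter) is available only for the `Path` field type and that `is` is required for `Hash` and `Signature`; scope the note to path values (for example, "trusted application paths do not require escaping ...") so a reader is not left wondering whether it says anything about hash or signer values.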
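Review bot: the note added in the `trusted-applications.md` hunk at `@@ -92` is word-for-word the same as the one added at `@@ -65` in the same file, so the two copies will drift apart if the escaping behaviour or the wording changes later; keep one of them, or move the sentence into a shared snippet or substitution and include it in both places, and link "detection rule exceptions" to `solutions/security/detect-and-alert/add-manage-exceptions.md`, which neither copy currently does.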