How to properly place an asterisk (*) or wildcard in a 'regexp' or 'Regular Expression' for a Recorder Rule "8015 - ETW Activity"

Article ID: 222148

Products

Endpoint Detection and Response

Issue/Introduction

In the documentation for "Creating a Recorder policy", an additional asterisk (*), or wildcard, may be required to create a working rule.

See notes 8 and 9 and footnote 1 about regexp.

Cause

If the asterisk (*) is not placed correctly, the matching engine may fail to match the entire string, which is required to trigger the rule.

Environment

All versions of EDR that support recorder rules.

Resolution

Add a ".*" (dot asterisk) to the beginning and end of the 'Actor Command Line'.

Example: "Do not record" the "ETW 8015 Activity" that uses the cscript command to run another program that inventories user information.

Note 1: Select the option to stop recording trusted events

Note 2: Select only the 8015 - ETW event

Note 3: Enter the full path of the cscript actor

Note 4: The "event_actor.cmd_line" field in Event Log Details

Note 5: The regexp entered for the Actor Command Line

/.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/

Note 6 Comment:

  • / (slash) at the front and end invokes the PCRE regexp matching engine
  • .* (dot asterisk) at the front and end accepts any characters before and after the path
  • \ (backslashes) and parentheses () must be escaped with a backslash
  • [0-9] matches a single numeric character at that position
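To show why the leading and trailing ".*" matter, the following is an added Python example (not from this article or the EDR product) that applies the Note 5 pattern to constructed command lines. It assumes the recorder's engine must match the whole event_actor.cmd_line string, and uses Python's re module as a stand-in for PCRE; this particular pattern behaves the same in both.

```python
import re

# Note 5 pattern with the surrounding "/" delimiters removed: in the rule UI they
# select the PCRE engine and are not part of the expression itself.
# Assumption for this example: the engine requires the entire cmd_line to match,
# which is what the leading and trailing ".*" provide.
PATTERN_WITH_WILDCARDS = r".*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*"
PATTERN_WITHOUT_WILDCARDS = r"C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs"

# Constructed sample command lines (not real telemetry), in the form seen in
# event_actor.cmd_line: the cscript actor path, options, and the script path.
SAMPLE_CMD_LINES = [
    # Expected hit: three-digit run folder under the Test directory
    r'"C:\Windows\System32\cscript.exe" //nologo "C:\Program Files (x86)\Test\Run_042\Info.vbs"',
    # Miss: only one digit after Run_, so [0-9][0-9][0-9] does not match
    r'"C:\Windows\System32\cscript.exe" "C:\Program Files (x86)\Test\Run_7\Info.vbs"',
    # Miss: different parent folder
    r'"C:\Windows\System32\cscript.exe" "C:\Program Files (x86)\Other\Run_123\Info.vbs"',
]


def rule_matches(pattern: str, cmd_line: str) -> bool:
    """Whole-string match, mirroring an engine that must consume the entire cmd_line."""
    return re.fullmatch(pattern, cmd_line) is not None


def evaluate(pattern: str) -> list:
    """Apply one pattern to every sample and return the per-sample match results."""
    return [rule_matches(pattern, cmd_line) for cmd_line in SAMPLE_CMD_LINES]


if __name__ == "__main__":
    # With ".*" on both ends only the intended command line is excluded from
    # recording; without them nothing matches, because the quoting, the actor
    # path and the options around the script path are never consumed.
    print("with .*   :", evaluate(PATTERN_WITH_WILDCARDS))     # [True, False, False]
    print("without .*:", evaluate(PATTERN_WITHOUT_WILDCARDS))  # [False, False, False]
```

The "." in "Info.vbs" is left unescaped as in the article; it matches any single character, which is harmless here but would be written "\." for a strict literal match.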

Additional Information

  • Additional PCRE syntax rules are available online
  • Online PCRE regex debuggers can help test the syntax