How to properly place wildcard (*) in a 'regexp' or 'Regular Expression' when 'Creating a Recorder policy'

book

Article ID: 222148

calendar_today

Updated On:

Products

Endpoint Detection and Response

Issue/Introduction

An additional wildcard or asterisk (*) may be required to create a working Endpoint Activity Recorder rule.

See #8, #9 on the "Creating a Recorder policy " page in the EDR documentation.

 

 

Cause

The syntax of the asterisk (*) if not placed correctly may cause the matching engine not to match the entire string, which is necessary to trigger the rule.

See footnote 1 and event log items 8 and 9 in "Creating a Recorder policy " page in the EDR documentation.

Environment

All versions of EDR that support recorder rule.

Resolution

To use 'regexp' syntax, you must use a / (slash) at the beginning and end of the regexp.

To wildcard text at the beginning and ending of the line, add a ".*"  (dot asterisk) to the beginning and end of the 'Actor Command Line'.

Example: Stop recording "ETW 8015 Activity" events from a trusted script.

Description:  the EDR is recording excessive "ETW 8015 Activity" events due to a trusted CSCRIPT command that inventories user information.  Hence, the objective is create a recorder rule that stops recording the specifically the trusted program without eliminating recording of malicious CSCRIPT programs.

Fill out the form as follows (See image):

1) Selected option to stop recording trusted Events

2)  Select only the 8015 - ETW Event

3)  Enter full path of the cscript actor

4)  "event_actor.cmd_line" field in Event Log Details

5)            /.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/

6)  Comment details:

/ (slash) at front/end to start PCRE regexp matching engine
.* (dot asterisk) at front/end to accept any character before/after
\ (backslashes), parentheses () must be escaped with backslash
[0-9] single character position numeric match

 

Additional Information

  • Additional PCRE syntax rules are available online
  • Online PCRE regex rule debuggers can help testing syntax

Attachments