An additional wildcard or asterisk (*) may be required to create a working Endpoint Activity Recorder rule.
See #8, #9 on the "Creating a Recorder policy " page in the EDR documentation.
The syntax of the asterisk (*) if not placed correctly may cause the matching engine not to match the entire string, which is necessary to trigger the rule.
See footnote 1 and event log items 8 and 9 in "Creating a Recorder policy " page in the EDR documentation.
All versions of EDR that support recorder rule.
To use 'regexp' syntax, you must use a / (slash) at the beginning and end of the regexp.
To wildcard text at the beginning and ending of the line, add a ".*" (dot asterisk) to the beginning and end of the 'Actor Command Line'.
Example: Stop recording "ETW 8015 Activity" events from a trusted script.
Description: the EDR is recording excessive "ETW 8015 Activity" events due to a trusted CSCRIPT command that inventories user information. Hence, the objective is create a recorder rule that stops recording the specifically the trusted program without eliminating recording of malicious CSCRIPT programs.
Fill out the form as follows (See image):
1) Selected option to stop recording trusted Events
2) Select only the 8015 - ETW Event
3) Enter full path of the cscript actor
4) "event_actor.cmd_line" field in Event Log Details
5) /.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/
6) Comment details:
/ (slash) at front/end to start PCRE regexp matching engine
.* (dot asterisk) at front/end to accept any character before/after
\ (backslashes), parentheses () must be escaped with backslash
[0-9] single character position numeric match
Important Note: Endpoint Activity Recorder rules can prevent the recording of events. The documentation does not state that creating such a rule will prevent incidents from being created. Events are not incidents. Incident rules govern which incidents are created and under what circumstances.