How to properly place wildcard (*) in a 'regexp' or 'Regular Expression' when 'Creating a Recorder policy'

Article ID: 222148

Products

Endpoint Detection and Response

Issue/Introduction

An additional wildcard or asterisk (*) may be required to create a working Endpoint Activity Recorder rule.

See #8 and #9 on the "Creating a Recorder policy" page in the EDR documentation.

Environment

All versions of EDR that support recorder rule.

Cause

If the asterisk (*) is not placed correctly, the matching engine may not match the entire string, and a whole-string match is required to trigger the rule.

See footnote 1 and event log items 8 and 9 on the "Creating a Recorder policy" page in the EDR documentation.

Resolution

To use 'regexp' syntax, you must use a / (slash) at the beginning and end of the regexp.

To wildcard text at the beginning and end of the line, add a ".*" (dot asterisk) to the beginning and end of the 'Actor Command Line'.

Example: Stop recording "ETW 8015 Activity" events from a trusted script.

Description: EDR is recording excessive "ETW 8015 Activity" events due to a trusted CSCRIPT command that inventories user information. The objective is to create a recorder rule that stops recording specifically the trusted program without eliminating recording of malicious CSCRIPT programs.

Fill out the form as follows (See image):

1) Select the option to stop recording trusted events

2) Select only the 8015 - ETW Event

3) Enter the full path of the cscript actor

4) Use the "event_actor.cmd_line" field in Event Log Details

5) /.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/

6)  Comment details:

/ (slash) at front/end switches the field to the PCRE regexp matching engine
.* (dot asterisk) at front/end accepts any characters before/after the path
\ (backslashes) and parentheses () in the path must be escaped with a backslash
[0-9] matches a single numeric character at that position
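The following script is an added illustration, not code from the article or from the EDR product: it takes the rule text exactly as it would be typed into the "event_actor.cmd_line" field, strips the surrounding slashes, and checks it against a few constructed cscript command lines. Python's re module stands in for the PCRE engine the recorder uses (the syntax in this rule is common to both), and the command lines are sample values made up for the demonstration. It also shows the failure described in the Cause section: without the leading and trailing ".*" the pattern is still found inside the command line, but it no longer matches the entire string, which is what the rule needs.

```python
import re

# Rule body as written in the article, with the / ... / wrapper that turns the
# EDR field into regexp mode. Raw string: \\ is a regex escape for one literal
# backslash, \( and \) are escaped parentheses.
RULE = r"/.*C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs.*/"

# Same path pattern without the .* wildcards at either end (the mistake the
# article warns about).
RULE_NO_WILDCARD = r"/C:\\Program Files \(x86\)\\Test\\Run_[0-9][0-9][0-9]\\Info.vbs/"

# Constructed sample command lines; not taken from any real host.
TRUSTED = r'cscript.exe "C:\Program Files (x86)\Test\Run_042\Info.vbs" //nologo'
OTHER_BUILD = r'cscript.exe "C:\Program Files (x86)\Test\Run_42\Info.vbs"'   # only two digits
SUSPECT = r'cscript.exe C:\Users\Public\Info.vbs'                          # different path


def compile_rule(rule: str) -> re.Pattern:
    """Strip the leading/trailing slashes and compile the remainder.

    The slashes are the recorder's signal to use the regexp engine; they are
    not part of the pattern itself. Python's re is used as a stand-in for PCRE.
    """
    if len(rule) < 2 or not (rule.startswith("/") and rule.endswith("/")):
        raise ValueError("regexp rules must be wrapped in / ... /")
    return re.compile(rule[1:-1])


def rule_matches(rule: str, cmd_line: str) -> bool:
    """Whole-string match, which is what is needed to trigger a recorder rule."""
    return compile_rule(rule).fullmatch(cmd_line) is not None


def pattern_found(rule: str, cmd_line: str) -> bool:
    """Substring search; true even when fullmatch fails. Used only to show why
    a rule that lacks the .* wildcards looks right but never fires."""
    return compile_rule(rule).search(cmd_line) is not None


if __name__ == "__main__":
    for label, cmd in (("trusted", TRUSTED), ("other build", OTHER_BUILD), ("suspect", SUSPECT)):
        print(f"{label:12s} with .*: {rule_matches(RULE, cmd)}  "
              f"without .*: {rule_matches(RULE_NO_WILDCARD, cmd)}  "
              f"(substring found: {pattern_found(RULE_NO_WILDCARD, cmd)})")
```

Only the trusted command line matches the rule with the wildcards; the two-digit build number and the script in a different directory do not, so recording of other cscript activity is unaffected. The wildcard-free rule never achieves a whole-string match on the trusted command line even though a plain search finds the path inside it.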


Additional Information

  • Additional PCRE syntax rules are available online
  • Online PCRE regex rule debuggers can help testing syntax


Important Note: Endpoint Activity Recorder rules can prevent the recording of events. The documentation does not state that creating such a rule will prevent incidents from being created. Events are not incidents. Incident rules govern which incidents are created and under what circumstances.