CB Response: How to Use Regex Wildcard on Ingress Filters

Article ID: 287912

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to use Regex wildcard on Ingress Filters

Environment

  • Carbon Black Response API: All Versions

Resolution

  • Regular expression prefix: rx|
  • Case-insensitive regular expression prefix: rxi|
  • In this example we filter out Google Chrome processes with the path_filters parameter, matching case-insensitively and regardless of the install drive:
    curl -XPOST -H "X-AUTH-Token: <API TOKEN HERE>" -H "Content-Type: application/json" "https://localhost/api/v1/ingress_whitelist" -k -d '
    [
     {
       "id": "ChromeExample",
       "global": true,
       "path_filters":["rxi|.*\\\\Program Files \\(x86\\)\\\\Google\\\\Chrome\\\\Application\\\\.*"]
     }
    ]'

Additional Information

  • Each backslash in a path needs to be written as four backslashes, e.g. "\\\\Application"
  • Wildcards are written as a dot followed by an asterisk, e.g. "\\\\.*"
  • Parentheses in a path need to be escaped with two backslashes each, e.g. "\\(x86\\)"
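
The escaping rules above come from two layers: the regex escapes a backslash or parenthesis once, and JSON encoding then doubles every backslash. The following is an added example, not part of the original article or the product's code; it builds the path_filters value from a plain Windows path fragment and sanity-checks it locally. The helper names and sample paths are hypothetical, and Python's re module is assumed as a stand-in for the server's regex engine, which the article does not specify.

```python
import json
import re

# Characters with special meaning in a regex; each gets one backslash.
REGEX_META = set("\\.^$*+?()[]{}|")

def escape_literal(fragment):
    """Regex-escape a literal path fragment (spaces are left as they are)."""
    return "".join("\\" + ch if ch in REGEX_META else ch for ch in fragment)

def build_path_filter(fragment, case_insensitive=True):
    """Return 'rxi|.*<escaped fragment>.*' (or 'rx|...'), before JSON encoding."""
    prefix = "rxi|" if case_insensitive else "rx|"
    return prefix + ".*" + escape_literal(fragment) + ".*"

def build_payload(filter_id, fragments, case_insensitive=True):
    """Request body text; json.dumps doubles every backslash a second time."""
    filters = [build_path_filter(f, case_insensitive) for f in fragments]
    return json.dumps([{"id": filter_id, "global": True, "path_filters": filters}])

def filter_matches(path_filter, process_path):
    """Local sanity check with Python's re, standing in for the server's engine."""
    prefix, _, pattern = path_filter.partition("|")
    flags = re.IGNORECASE if prefix == "rxi" else 0
    return re.fullmatch(pattern, process_path, flags) is not None

# Constructed sample inputs.
CHROME_DIR = "\\Program Files (x86)\\Google\\Chrome\\Application\\"
SAMPLE_PATHS = [
    "D:\\PROGRAM FILES (X86)\\google\\chrome\\application\\chrome.exe",
    "C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe",
]

if __name__ == "__main__":
    print(build_payload("ChromeExample", [CHROME_DIR]))
    chrome_filter = build_path_filter(CHROME_DIR)
    for path in SAMPLE_PATHS:
        print(filter_matches(chrome_filter, path), path)
    # Parentheses left unescaped form a group, so the filter silently misses.
    print(filter_matches("rxi|.*Program Files (x86)\\\\Google.*", SAMPLE_PATHS[0]))
```

Checking a filter against a few known process paths before posting it helps catch a pattern that is too broad and would drop events from unrelated binaries, or one that never matches at all.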