CB Response: How to Use Regex Wildcard on Ingress Filters
search cancel

CB Response: How to Use Regex Wildcard on Ingress Filters

book

Article ID: 287912

calendar_today

Updated On:

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

How to use Regex wildcard on Ingress Filters

Environment

  • Carbon Black Response API: All Versions

Resolution

  • Regular Expression: rx|
  • Case Insensitive Regular Expression: rxi|.
  • In this example we will filter out Google Chrome processes based on the path_filters parameter, ignoring the install drives and case insensitive
    curl -XPOST -H "X-AUTH-Token: <API TOKEN HERE> -H "Content-Type: application/json" "https://localhost/api/v1/ingress_whitelist" -k -d '
    [
     {
       "id": "ChromeExample",
       "global": true,
       "path_filters":[rxi|.*\\\\Program Files\\(x86\\)\\\\Google\\\\Chrome\\\\Application\\\\.*]
     }
    ]'

Additional Information

  • Path backslashes need to be converted to four backslashes "\\\\Application"
  • Wildcards need to be preceded with a dot asterisks¬†"\\\\.*"
  • Paths containing parentheses need to¬†be cancelled out with two backslashes "\\(x86\\)"