Enterprise Recon 2.11.0

Global Filters

This section covers the following topics:

Overview

Global Filters allow you to set up filters to automatically exclude or ignore matches based on the set filter rules.

You can do this by adding a filter from the Scans > Global Filters page or through Remediation by marking matches as False Positive or Test Data when remediating matches.

Permissions and Global Filters

Resource Permissions and Global Permissions that are assigned to a user grants access to perform specific operations for global filters.

Operation Definition Users with Access
Import or export global filter Import or export global filter definitions in supported files formats.

  1. Global Admin.
  2. System Manager.

Add, edit or delete global filters Users can add, modify or remove global filters that apply to all or specific Targets / Target Groups.

  1. Global Admin.
  2. System Manager.
  3. Users without Global Permissions but have Scan or Remediate - Mark Location for Report privileges assigned through Resource Permissions.

See User Permissions for more information.

View Global Filters

The Global Filters page displays a list of filters and the Targets they apply to. Filters created by marking exclusions when taking remedial action will also be displayed here (see Remediation).

Filter the list of global filters displayed using the options in the Filter by… section:

  • False Positives > Locations: Locations marked as False Positives.
  • False Positives > Matches: Match data marked as False Positives.
  • Test Data > Matches: Match data marked as test data.

Global Filter Manager page to add, export and import global filters.

Add a Global Filter

  1. Log in to the ER2 Web Console.
  2. Go to the Scans > Global Filters page.
  3. On the top-right corner of the Global Filters page, click +Add.
  4. Select New Global Filter or Global Filter Template.
  5. From the drop-down list, select a filter template to start with, or a filter type:

    Filter Type Description
    Exclude location by prefix

    Exclude search locations and nested locations with paths that begin with a given string. Can be used to exclude entire directory trees.

    Example 1

    Filter value: C:\Windows\System32

    Excludes all files and folders in the "C:\Windows\System32" folder.

    Example 2

    Filter value: C:\Users\A\Documents\file.zip

    Excludes all files and folders nested in the "C:\Users\A\Documents\file.zip" archive.

    Exclude location by suffix

    Exclude search locations and nested locations with paths that end with a given string.

    Example

    Filter value: led.jnl

    Excludes all files and folders that end with "led.jnl", e.g. "canceled.jnl" and "totaled.jnl".

    Exclude locations by expression

    Exclude search locations and nested locations that match the given expression. The syntax of the expressions you can use are as follows:

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters.

    *: A wildcard character that matches zero or more characters in a search string.

    Example 1

    Filter value: C:\V???

    All locations where the path starts with "C:\V" followed by any three characters will be excluded during scans. For example, the expressions will exclude "C:\V123", but does not exclude "C:\V1" or "C:\V1234".

    Example 2

    Filter value: /var/*

    All locations in the "/var" directory will be excluded during scans.

    Example 3

    Filter value: /var/*.txt

    All text files with the ".txt" extension in the "/var" directory will be excluded during scans.

    Example 4

    Filter value: C:\Users\A\Documents\*.zip

    All archived files with the ".zip" extension in the "C:\Users\A\Documents" folder will be excluded during scans.

    Example 5

    Filter value: *.txt

    All text files with the ".txt" extension in all locations will be excluded during scans.

    You can inverse this filter with a logical NOT operation to only include search locations and nested locations that match the given expression.

    !<expression>

    Example 1

    Filter value: !*.pdf

    Only locations with the ".pdf" suffix will be included during scans.

    Example 2

    Filter value: !C:\Users\*

    Only locations where the path starts with "C:\Users\" will be included during scans.

    Example 3

    Filter value: !C:\Users\A\Documents\*.zip

    Only archived files within the "C:\Users\A\Documents" folder will be included during scans.

    Example 4

    Filter value: !*.txt

    Only text files with the ".txt" extension in locations will be included during scans.

    Include locations within modification date

    Include search locations modified within a given range of dates.

    Prompts you to select a start date and an end date. Files and folders that fall outside of the range set by the selected start and end date are not scanned.

    Include locations modified recently

    Include search locations modified within N number of days from the current date, where the value of N is from 1 - 99 days.

    Example

    Filter value: 14

    Only scan files and folders that have been modified not more than 14 days before the current date.

    Exclude locations greater than file size (MB) Exclude files that are larger than a given file size (in MB).
    Ignore exact match

    Ignore matches that match a given string exactly.

    Example

    Filter value: 4419123456781234

    All exact matches of the pattern "4419123456781234" will be ignored as matches during scans.

    Ignore match by prefix

    Ignore matches that begin with a given string.

    Example

    Filter value: 4419

    Search ignores matches found during scans that begin with "4419", such as "4419123456781234".

    Ignore match by expression

    Ignore matches found during scans if they match a given expression.

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters.

    *: A wildcard character that matches zero or more characters in a search string.

    Example 1

    Filter value: *123

    All data patterns that end with "123" will be ignored as matches during scans.

    Example 2

    Filter value: 123*

    All data patterns that begin with "123" will be ignored as matches during scans.

    PCRE

    To enter a Perl Compatible Regular Expression (PCRE), select Enable full regular expressions support.

    Add test data

    Report match as test data if it matches a given string exactly.

    Example

    Filter value: 4419123456781234

    All exact matches of "4419123456781234" found during scans will be reported as test data.

    Add test data prefix

    Report matches that begin with a given string as test data.

    Example

    Filter value: 4419

    Report matches that begin with "4419" as test data, such as "4419123456781234".

    Add test data expression

    Report matches as test data if they match a given expression. The syntax the of the expressions you can use:

    ?: A wildcard character that matches exactly one character; ??? matches 3 characters.

    *: A wildcard character that matches zero or more characters in a search string.

    Example 1

    Filter value: *123

    All data patterns that end with "123" found during scans will be reported as test data.

    Example 2

    Filter value: 123*

    All data patterns that begin with "123" found during scans will be reported as test data.

  6. Complete the following fields:

    Field Description
    Filter name (optional) Enter the Global Filter name.
    Expression / Suffix / Prefix / Date range / Days / Maximum file size / Exact match Enter the expression / suffix / prefix / date range / days / file size / match to be excluded or included in the scan.
    Press the Enter key to add multiple expressions or paths for filter types that accept multiple values.
    Description (optional) Enter the Global Filter description.
    Targets to be filtered Select the Target Group and Target the filter applies to. "All Groups" and "All Targets" are selected by default.
    Status upon adding Toggle off to disable the Global Filter upon adding. Enabled by default.
    Adding the filter with the toggle on will only affect upcoming scans that have not started.
  7. Click Add Global Filter.

Manage Global Filters

You can edit, delete, and enable or disable existing global filters in the Global Filters page.

To edit an existing Global Filter, click the Edit button Edit button to modify existing global filter..

To remove an existing global filter, click the Delete button Delete button to remove existing Global Filter..

To enable or disable a global filter, under the On/Off column, select the toggle button Enable/disable button to on/off existing Global Filter..

Sort Global Filters

To sort the list of existing global filters, click the ˄ and ˅ arrow at each column header:

Column Headers Toggle Function
On/Off
  • ˄ sorts global filters by status from disabled (off) to enabled (on).
  • ˅ sorts global filters by status from enabled (on) to disabled (off).
Last Modified
  • ˄ sorts global filters by last modified date from the earliest to the latest date and time.
  • ˅ sorts global filters by last modified date from the latest to the earliest date and time.
Name & ID
  • ˄ sorts global filters by name alphabetically from A to Z; filters without names are arranged by ID in descending order and are listed after filters with names.
  • ˅ sorts global filters by name alphabetically from Z to A; filters without names are arranged by ID in ascending order and are listed before filters with names.
Filter Details
  • ˄ sorts global filters by details alphabetically from A to Z.
  • ˅ sorts global filters by details alphabetically from Z to A.
Description
  • ˄ sorts global filters by description alphabetically from A to Z; filters without descriptions are listed before filters with descriptions.
  • ˅ sorts global filters by description alphabetically from Z to A; filters without descriptions are listed after filters with descriptions.
Filter Types
  • ˄ sorts global filters by type alphabetically from A to Z.
  • ˅ sorts global filters by type alphabetically from Z to A.
Targets
  • ˄ sorts global filters by Target alphabetically from A to Z.
  • ˅ sorts global filters by Target alphabetically from Z to A.

Import and Export Filters

Importing and exporting filters allows you to move filters from one ER2 installation to another. This is also useful if you are upgrading from Card Recon, or are moving from an older installation of ER2.

You can import from or export to the following file formats:

  • Portable XML file.
  • Spreadsheet (CSV).
  • Text File.
  • Card Recon Configuration File.

Portable XML File

This section shows how filters are described in XML files.

These XML files follow the following basic rules:

  • XML tags are case sensitive.
  • Each tag must include the closing tag. For example, <filter>...</filter>.
  • The following ASCII characters have a special meaning in XML and have to be replaced by their corresponding XML character entity reference:

    ASCII Character Description XML Character Entity Reference
    < Less-than sign &lt;
    > More-than sign &gt;
    & Ampersand &amp;
    ' Apostrophe &apos;
    " Double quotation mark &quot;

The following tags are used in the XML file for global filters:

XML Tags Description
<filter> This is the root element that is required in XML files that describe global filters. All defined global filters must be within the filter tag.
<level> This tag defines the realm that the filter is applied to.
  1. global : Filter applies to all Targets.
  2. group : Filter is only applied to a specific Group.
  3. target : Filter is only applied to a specific Target.
<name> Name of the Group or Target that the filter is applied. Only required when level is group or target.
<filter type> This tag defines the filter type and expression. Refer to Filter Types table to understand how to set up different filters.

Filter Types

Filter Type Description and Syntax
Exclude location by prefix

Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees.

Syntax: <location-exclude>prefix*</location-exclude>

Exclude location by suffix

Exclude search locations with paths that end with a given string.

Syntax: <location-exclude>*suffix</location-exclude>

Exclude locations by expression

Excludes search locations by expression.

Syntax: <location-exclude>expression</location-exclude>

Include locations within modification date

Include search locations modified within a given range of date by specifying a start date and an end date.

Syntax: <modified-between>YYYY-MM-DD - YYYY-MM-DD</modified-between>

Include locations modified recently

Include search locations modified within N number of days from the current date, where the value of N is from 1 - 99 days.

Syntax: <modified-within>N number of days</modified-within>

Exclude locations greater than file size (MB)

Exclude files that are larger than a given file size (in MB).

Syntax: <modified-maxsize>file size in MB</modified-maxsize>

Ignore exact match

Ignore matches that match a given string exactly.

Syntax: <match-exclude>string</match-exclude>

Ignore match by prefix

Ignore matches that contain a given prefix.

Syntax: <match-exclude>string*</match-exclude>

Ignore match by expression

Ignore matches found during scans if they match a given expression.

Syntax: <match-exclude>expression</match-exclude>


PCRE

To enable full regular expression support, include @~ before a given expression.

Syntax: <match-exclude>@~expression</match-exclude>
Add test data

Report match as test data if it matches a given string exactly.

Syntax: <match-test>string</match-test>

Add test data prefix

Report matches that begin with a given string as test data.

Syntax: <match-test>string*</match-test>

Add test data expression

Report matches as test data if they match a given expression.

Syntax: <match-test>expression</match-test>

Example

<filter> <!-- These filters apply to all Targets --> <global> <location-exclude>*.gzip</location-exclude> <location-exclude>*FOOBAR*</location-exclude> <match-test>*@example.com</match-test> <modified-maxsize>2048</modified-maxsize> </global> <!-- These filters apply only to the Group My-Default-Group --> <target> <name>My-Default-Group</name> <modified-between>2018-1-1 - 2018-1-15</modified-between> </target> <!-- These filters apply only to the Target host My-Windows-Machine --> <target> <name>My-Windows-Machine</name> <match-exclude>1234567890</match-exclude> <modified-within>3</modified-within> </target>
</filter>

Filter Columns in Databases

Filter out columns in databases by using the "Exclude location by suffix" filter to specify the columns or tables to exclude from the scan.

Description Syntax
Exclude specific column across all tables in a database. <column name>
Exclude specific column from in a particular table. <table name>/<column name>

Database Index or Primary Keys

Certain tables or columns, such as a database index or primary key, cannot be excluded from a scan. If a filter applied to the scan excludes these tables or columns, the scan will ignore the filter.