Enterprise Recon 2.11.1
Global Filters
This section covers the following topics:
- Overview
- Permissions and Global Filters
- View Global Filters
- Add a Global Filter
- Manage Global Filters
- Sort Global Filters
- Import and Export Filters
- Filter Columns in Databases
Overview
Global Filters allow you to set up filters to automatically exclude or ignore matches based on the set filter rules.
You can do this by adding a filter from the Scans > Global Filters page or through Remediation by marking matches as False Positive or Test Data when remediating matches.
Permissions and Global Filters
Resource Permissions and Global Permissions that are assigned to a user grants access to perform specific operations for global filters.
Operation | Definition | Users with Access |
---|---|---|
Import or export global filter | Import or export global filter definitions in supported files formats. |
|
Add, edit or delete global filters | Users can add, modify or remove global filters that apply to all or specific Targets / Target Groups. |
|
See User Permissions for more information.
View Global Filters
The Global Filters page displays a list of filters and the Targets they apply to. Filters created by marking exclusions when taking remedial action will also be displayed here (see Remediation).
Filter the list of global filters displayed using the options in the Filter by… section:
- False Positives > Locations: Locations marked as False Positives.
- False Positives > Matches: Match data marked as False Positives.
- Test Data > Matches: Match data marked as test data.
Add a Global Filter
- Log in to the ER2 Web Console.
- Go to the Scans > Global Filters page.
- On the top-right corner of the Global Filters page, click +Add.
- Select New Global Filter or Global Filter Template.
-
From the drop-down list, select a filter template to start with, or a filter type:
Filter Type Description Exclude location by prefix Exclude search locations and nested locations with paths that begin with a given string. Can be used to exclude entire directory trees.
Example 1
Filter value: C:\Windows\System32
Excludes all files and folders in the "C:\Windows\System32" folder.
Example 2
Filter value: C:\Users\A\Documents\file.zip
Excludes all files and folders nested in the "C:\Users\A\Documents\file.zip" archive.
Exclude location by suffix Exclude search locations and nested locations with paths that end with a given string.
Example
Filter value: led.jnl
Excludes all files and folders that end with "led.jnl", e.g. "canceled.jnl" and "totaled.jnl".
Exclude locations by expression Exclude search locations and nested locations that match the given expression. The syntax of the expressions you can use are as follows:
?: A wildcard character that matches exactly one character; ??? matches 3 characters.
*: A wildcard character that matches zero or more characters in a search string.
Example 1
Filter value: C:\V???
All locations where the path starts with "C:\V" followed by any three characters will be excluded during scans. For example, the expressions will exclude "C:\V123", but does not exclude "C:\V1" or "C:\V1234".
Example 2
Filter value: /var/*
All locations in the "/var" directory will be excluded during scans.
Example 3
Filter value: /var/*.txt
All text files with the ".txt" extension in the "/var" directory will be excluded during scans.
Example 4
Filter value: C:\Users\A\Documents\*.zip
All archived files with the ".zip" extension in the "C:\Users\A\Documents" folder will be excluded during scans.
Example 5
Filter value: *.txt
All text files with the ".txt" extension in all locations will be excluded during scans.
You can inverse this filter with a logical NOT operation to only include search locations and nested locations that match the given expression.
!<expression>
Example 1
Filter value: !*.pdf
Only locations with the ".pdf" suffix will be included during scans.
Example 2
Filter value: !C:\Users\*
Only locations where the path starts with "C:\Users\" will be included during scans.
Example 3
Filter value: !C:\Users\A\Documents\*.zip
Only archived files within the "C:\Users\A\Documents" folder will be included during scans.
Example 4
Filter value: !*.txt
Only text files with the ".txt" extension in locations will be included during scans.
Include locations within modification date Include search locations modified within a given range of dates.
Prompts you to select a start date and an end date. Files and folders that fall outside of the range set by the selected start and end date are not scanned.
Include locations modified recently Include search locations modified within N number of days from the current date, where the value of N is from 1 - 99 days.
Example
Filter value: 14
Only scan files and folders that have been modified not more than 14 days before the current date.
Exclude locations greater than file size (MB) Exclude files that are larger than a given file size (in MB). Ignore exact match Ignore matches that match a given string exactly.
Example
Filter value: 4419123456781234
All exact matches of the pattern "4419123456781234" will be ignored as matches during scans.
Ignore match by prefix Ignore matches that begin with a given string.
Example
Filter value: 4419
Search ignores matches found during scans that begin with "4419", such as "4419123456781234".
Ignore match by expression Ignore matches found during scans if they match a given expression.
?: A wildcard character that matches exactly one character; ??? matches 3 characters.
*: A wildcard character that matches zero or more characters in a search string.
Example 1
Filter value: *123
All data patterns that end with "123" will be ignored as matches during scans.
Example 2
Filter value: 123*
All data patterns that begin with "123" will be ignored as matches during scans.
PCRE
To enter a Perl Compatible Regular Expression (PCRE), select Enable full regular expressions support.
Add test data Report match as test data if it matches a given string exactly.
Example
Filter value: 4419123456781234
All exact matches of "4419123456781234" found during scans will be reported as test data.
Add test data prefix Report matches that begin with a given string as test data.
Example
Filter value: 4419
Report matches that begin with "4419" as test data, such as "4419123456781234".
Add test data expression Report matches as test data if they match a given expression. The syntax the of the expressions you can use:
?: A wildcard character that matches exactly one character; ??? matches 3 characters.
*: A wildcard character that matches zero or more characters in a search string.
Example 1
Filter value: *123
All data patterns that end with "123" found during scans will be reported as test data.
Example 2
Filter value: 123*
All data patterns that begin with "123" found during scans will be reported as test data.
-
Complete the following fields:
Field Description Filter name (optional) Enter the Global Filter name. Expression / Suffix / Prefix / Date range / Days / Maximum file size / Exact match Enter the expression / suffix / prefix / date range / days / file size / match to be excluded or included in the scan. Press the Enter key to add multiple expressions or paths for filter types that accept multiple values.Description (optional) Enter the Global Filter description. Targets to be filtered Select the Target Group and Target the filter applies to. "All Groups" and "All Targets" are selected by default. Status upon adding Toggle off to disable the Global Filter upon adding. Enabled by default. Adding the filter with the toggle on will only affect upcoming scans that have not started. - Click Add Global Filter.
Manage Global Filters
You can edit, delete, and enable or disable existing global filters in the Global Filters page.
To edit an existing Global Filter, click the Edit button .
To remove an existing global filter, click the Delete button .
To enable or disable a global filter, under the On/Off column, select the toggle button .
Sort Global Filters
To sort the list of existing global filters, click the ˄ and ˅ arrow at each column header:
Column Headers | Toggle Function |
---|---|
On/Off |
|
Last Modified |
|
Name & ID |
|
Filter Details |
|
Description |
|
Filter Types |
|
Targets |
|
Import and Export Filters
Importing and exporting filters allows you to move filters from one ER2 installation to another. This is also useful if you are upgrading from Card Recon, or are moving from an older installation of ER2.
You can import from or export to the following file formats:
- Portable XML file.
- Spreadsheet (CSV).
- Text File.
- Card Recon Configuration File.
Portable XML File
This section shows how filters are described in XML files.
These XML files follow the following basic rules:
- XML tags are case sensitive.
- Each tag must include the closing tag. For example, <filter>...</filter>.
-
The following ASCII characters have a special meaning in XML and have to be replaced by their corresponding XML character entity reference:
ASCII Character Description XML Character Entity Reference < Less-than sign < > More-than sign > & Ampersand & ' Apostrophe ' " Double quotation mark " The XML representation of "<User's Email & Login Name>" is written as "<User's Email & Login Name>".
The following tags are used in the XML file for global filters:
XML Tags | Description |
---|---|
<filter> | This is the root element that is required in XML files that describe global filters. All defined global filters must be within the filter tag. |
<level> | This tag defines the realm that the filter is applied to.
|
<name> | Name of the Group or Target that the filter is applied. Only required when level is group or target. |
<filter type> | This tag defines the filter type and expression. Refer to Filter Types table to understand how to set up different filters. |
Filter Types
Filter Type | Description and Syntax |
---|---|
Exclude location by prefix | Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees. Syntax: <location-exclude>prefix*</location-exclude> <location-exclude>/root*</location-exclude>
This excludes all files and folders in the "/root" folder. |
Exclude location by suffix | Exclude search locations with paths that end with a given string. Syntax: <location-exclude>*suffix</location-exclude> <location-exclude>*.gzip</location-exclude>
This excludes all files and folders such as "example.gzip", "files.gzip". |
Exclude locations by expression | Excludes search locations by expression. Syntax: <location-exclude>expression</location-exclude> <location-exclude>C:\W??????</location-exclude>
This excludes locations like "C:\Windows", but not "C:\Win" and "C:\Windows1234". |
Include locations within modification date | Include search locations modified within a given range of date by specifying a start date and an end date. Syntax: <modified-between>YYYY-MM-DD - YYYY-MM-DD</modified-between> <modified-between>2018-1-1 - 2018-1-31</modified-between>
This includes only locations that have been modified between 1 January 2018 to 31 January 2018. |
Include locations modified recently | Include search locations modified within N number of days from the current date, where the value of N is from 1 - 99 days. Syntax: <modified-within>N number of days</modified-within> <modified-within>10</modified-within>
This includes locations that have been modified within 10 days from the current date. |
Exclude locations greater than file size (MB) | Exclude files that are larger than a given file size (in MB). Syntax: <modified-maxsize>file size in MB</modified-maxsize> <modified-maxsize>1024</modified-maxsize>
This excludes files that are larger than 1024 MB. |
Ignore exact match | Ignore matches that match a given string exactly. Syntax: <match-exclude>string</match-exclude> <match-exclude><<<DataType>>></match-exclude>
This ignores matches that match the literal string "<<<DataType>>>". |
Ignore match by prefix | Ignore matches that contain a given prefix. Syntax: <match-exclude>string*</match-exclude> <match-exclude>MyDT*</match-exclude>
This ignores matches that begin with "MyDT", such as "MyDT123". |
Ignore match by expression | Ignore matches found during scans if they match a given expression. Syntax: <match-exclude>expression</match-exclude> <match-exclude>*DataType?</match-exclude>
This ignores matches that contain the string "DataType" followed by exactly one character, such as "MyDataType0" and "DataType1". PCRE To enable full regular expression support, include @~ before a given expression. Syntax: <match-exclude>@~expression</match-exclude><match-exclude>@~DataType[0-9]</match-exclude>
This ignores matches that contain the string "DataType" followed by a single digit number "0" to "9", such as "DataType8". |
Add test data | Report match as test data if it matches a given string exactly. Syntax: <match-test>string</match-test> <match-test>TestData</match-test>
This reports matches as test data if they match the literal string "TestData". |
Add test data prefix | Report matches that begin with a given string as test data. Syntax: <match-test>string*</match-test> <match-test>TestData*</match-test>
This reports matches as test data if they begin with "TestData", such as "TestData123". |
Add test data expression | Report matches as test data if they match a given expression. Syntax: <match-test>expression</match-test> <match-test>*TestData?</match-test>
This reports matches as test data if they contain the string "TestData" followed by exactly one character, such as "MyTestData0" and "TestData1". |
Example
<filter>
<!-- These filters apply to all Targets -->
<global>
<location-exclude>*.gzip</location-exclude>
<location-exclude>*FOOBAR*</location-exclude>
<match-test>*@example.com</match-test>
<modified-maxsize>2048</modified-maxsize>
</global>
<!-- These filters apply only to the Group My-Default-Group -->
<target>
<name>My-Default-Group</name>
<modified-between>2018-1-1 - 2018-1-15</modified-between>
</target>
<!-- These filters apply only to the Target host My-Windows-Machine -->
<target>
<name>My-Windows-Machine</name>
<match-exclude>1234567890</match-exclude>
<modified-within>3</modified-within>
</target>
</filter>
Filter Columns in Databases
Filter out columns in databases by using the "Exclude location by suffix" filter to specify the columns or tables to exclude from the scan.
Description | Syntax |
---|---|
Exclude specific column across all tables in a database. | <column name>
To filter out "columnB" for all tables in a database, enter columnB.
|
Exclude specific column from in a particular table. | <table name>/<column name>
To filter out "columnB" only for "tableA" in a database, enter tableA/columnB.
|
Use the Apply to field if the global filter only needs to be applied to a specific Target Group or Target.
Database Index or Primary Keys
Certain tables or columns, such as a database index or primary key, cannot be excluded from a scan. If a filter applied to the scan excludes these tables or columns, the scan will ignore the filter.