Creating Patterns in Inclusion/Exclusion Filters

Inclusion and exclusion filters in the File Integrity Monitoring (FIM) profile let you define which events should be logged by the system. These filters help you:

  • Monitor what is essential:
    By filtering out unnecessary events at the agent level, you can focus on relevant activities and avoid an overflow of false positives. Since irrelevant events never reach the platform, this reduces the load on both the agent and the platform.
    Example: To monitor changes only to database files in the C:\ProgramData directory, you can apply a file type inclusion filter and specify *.db as the relative path. Events unrelated to .db files are discarded and not sent to the platform.
  • Optimize agent performance:
    By minimizing unnecessary event processing, the Qualys Cloud Agent operates more efficiently.
  • Reduce system resource usage:
    The streamlined processing keeps CPU usage low, ensuring the Qualys Cloud Agent performs optimally.

Supported Patterns

The file and directory patterns entered in Advanced Options to include or exclude files or directories from monitoring are validated against the following rules.

Supported Pattern Types for Windows Directory

  • Do not use the following special characters in directory paths: / " < > |
  • Directory paths can include up to 260 characters, including spaces, slashes, and the following special characters: [ ] { } ( ) * ? '
    • The ? character is a single-character wildcard.
    • The * character is a multi-character wildcard.

Supported Pattern Types for Windows File

  • Do not use the following special characters in file paths: / " < > |
  • File paths can include up to 260 characters, including spaces, slashes, and the following special characters: [ ] { } ( ) * ? '
    • The ? character is a single-character wildcard.
    • The * character is a multi-character wildcard.

Supported Pattern Type for Linux Directory

  • Do not use the following special characters in the directory paths: \ " < > : |
  • Directory paths can include up to 4096 characters including spaces, slashes, and the following special characters: [ ] { } ( ) * ? '
    • The ? character is a single-character wildcard.
    • The * character is a multi-character wildcard.

Supported Pattern Type for Linux File

  • Do not use the following special characters in the file paths: \ " < > : |
  • File paths can include up to 255 characters, including spaces, slashes, and the following special characters: [ ] { } ( ) * ? '
    • The ? character is a single-character wildcard.
    • The * character is a multi-character wildcard.

Using Wildcards in Inclusion/Exclusion Filters

When defining patterns in inclusion or exclusion filters, follow these rules to ensure proper wildcard usage and avoid errors.

Character: Usage
  • ? Represents a single-character wildcard.
  • * Represents a multi-character wildcard.
    • Can be used only at the beginning or end of a string literal, or in place of a string literal.
    • Do not use * on both sides of a string literal.
      Example: "*file*" is not supported.
  • *.* This pattern is supported.

The following examples show the usage of the rules above:

Valid Usage of Wildcards
  • *.*
  • Text?.txt
  • *.log
  • Win?ow?.log
  • *host.dat
  • qualys*
  • ?icro?oft

Invalid Usage of Wildcards
  • *microsoft*
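The validation and matching rules from the two sections above (forbidden characters, length limits, and where * and ? may appear), written out as an added example; this is not Qualys code, and the platform/target lookup table and the case-insensitive matching on Windows are assumptions of the example:

```python
import re

# Constructed from the rules on this page (example code, not Qualys code):
# forbidden characters and maximum length for each platform and target type.
RULES = {
    ("windows", "directory"): (set('/"<>|'), 260),
    ("windows", "file"):      (set('/"<>|'), 260),
    ("linux", "directory"):   (set('\\"<>:|'), 4096),
    ("linux", "file"):        (set('\\"<>:|'), 255),
}


def wildcard_ok(pattern: str) -> bool:
    """'*' is allowed alone, as '*.*', or at one end of a literal only.
    '?' may appear anywhere. '*file*' and 'a*b' are rejected."""
    if pattern in ("*", "*.*"):
        return True
    core = pattern.strip("*")
    if not core or "*" in core:            # '**' or a '*' inside the literal
        return False
    return not (pattern.startswith("*") and pattern.endswith("*"))


def validate(pattern: str, platform: str, target: str):
    """Return (ok, reason) for a pattern under the page's platform rules."""
    forbidden, max_len = RULES[(platform, target)]
    bad = sorted(set(pattern) & forbidden)
    if bad:
        return False, "forbidden character(s): " + " ".join(bad)
    if len(pattern) > max_len:
        return False, f"longer than {max_len} characters"
    if not wildcard_ok(pattern):
        return False, "unsupported use of *"
    return True, "ok"


def matches(pattern: str, name: str, platform: str = "windows") -> bool:
    """Match a validated pattern against a file or directory name.
    '?' matches one character, '*' any run of characters; brackets and
    other punctuation are literal. Windows names compare case-insensitively
    (assumption of this example)."""
    parts = []
    for ch in pattern:
        parts.append("." if ch == "?" else ".*" if ch == "*" else re.escape(ch))
    flags = re.IGNORECASE if platform == "windows" else 0
    return re.fullmatch("".join(parts), name, flags) is not None
```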

Sample Scenarios for Inclusion and Exclusion Filters

A few sample scenarios for inclusion and exclusion filters are given below. The inclusion and exclusion filters may change based on your environment and use case.

  • Scenario 1
    You want to monitor events for any kind of modification to configuration *.conf files and want to block events for *.sh files.

    Example 1

  • Scenario 2
    You want to monitor events for changes only in *.conf type of files and exclude the rest.

    Example 2

  • Scenario 3
    You want to monitor events for modifications in any type of files (with extensions) excluding the ones with .sh extension.

    Example 3

Scenarios: Event Inclusion
Scenario 1

This scenario monitors a specific sub-directory (config) within the C:\Windows\System32 base path. The filter is configured to track events generated by the Windows\Administrator user when using the cmd.exe process. The config directory and up to five levels of its sub-directories are monitored. Events outside these criteria are excluded to ensure targeted tracking.

  • Directory Path: C:\Windows\System32
  • Depth: 5
  • Type: Include
  • Targeting: Directories
  • Relative Path: config
  • Users: Windows\Administrator
  • Process: cmd.exe

Logged Events:

As per the above configuration, events are logged from the Windows\Administrator user and the cmd.exe process for the paths starting with C:\Windows\System32\Config and its sub-directories.

Dropped Events:

Events are dropped if:

  • The user is not Windows\Administrator.
  • The process is not cmd.exe.
  • The paths are outside the specified depth or the config folder.

Scenario 2

This scenario monitors all directories under the C:\Windows\System32 path. It targets events generated by specific users (Windows\Administrator, Windows\John, and Windows\Doe), regardless of the processes involved. By using a wildcard (*) as the relative path, the filter ensures all sub-directories within the base path are included. Events from unauthorized users or paths outside the specified base are excluded.

  • Directory Path: C:\Windows\System32
  • Depth: All
  • Type: Include
  • Targeting: Directories
  • Relative Path: *
  • Users: Windows\Administrator, Windows\John, Windows\Doe
  • Process: Not specified

Logged Events:

Events are logged if the user is Windows\Administrator, Windows\John, or Windows\Doe, and the file path starts with C:\Windows\System32. All directories under C:\Windows\System32 are monitored for the specified users.

Dropped Events:

Events are dropped for:

  • Users that are not listed in the Users field.
  • Paths that do not start with C:\Windows\System32.

Scenarios: Event Exclusion
Scenario 1

This exclusion scenario monitors all events except those from the directory path C:\Windows\System32, along with all its sub-directories (Depth: All). By using a wildcard (*) as the relative path, the filter ensures all sub-directories within the base path are excluded. The exclusion applies to events generated by the processes cmd.exe, notepad.exe, and explorer.exe.

  • Directory Path: C:\Windows\System32
  • Depth: All
  • Type: Exclude
  • Targeting: Directories
  • Relative Path: *
  • Users: Not Specified
  • Process: cmd.exe, notepad.exe, explorer.exe

Logged Events

Events are logged for any processes other than those listed in the Processes field. This means that the cmd.exe, notepad.exe, and explorer.exe processes are excluded, and events for other processes in the file path C:\Windows\System32 are logged.

Dropped Events

Events are dropped for file paths other than C:\Windows\System32.

Scenario 2

This exclusion scenario monitors all events except events within the directory path C:\Windows\System32\Config, including its sub-directories up to a depth of 5. The exclusion specifically targets directories and applies only to the user Windows\Administrator and the process cmd.exe.

  • Directory Path: C:\Windows\System32
  • Depth: 5
  • Type: Exclude
  • Targeting: Directories
  • Relative Path: config
  • Users: Windows\Administrator
  • Process: cmd.exe

Logged Events

Events are logged if the user is not Windows\Administrator or the process is not cmd.exe in the file path C:\Windows\System32.

Dropped Events

Events are dropped if the user is Windows\Administrator or the process is cmd.exe in the file path C:\Windows\System32.
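To make the inclusion and exclusion scenarios above concrete, here is an added example (not Qualys code) that evaluates a file event against a filter with the same fields: Directory Path, Relative Path, Depth, Type, Users and Process. It assumes that a filter matches only when every specified criterion matches, that Depth counts directory levels below the relative-path directory, and that a matching Exclude filter drops an event before Include filters are consulted:

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional


@dataclass(frozen=True)
class FimFilter:
    """One Include or Exclude filter as configured in the scenarios above
    (example types, not the Qualys data model). depth None means 'All'."""
    directory: str
    relative_path: str       # a sub-directory name, or '*' for everything under directory
    depth: Optional[int]
    include: bool
    users: frozenset = frozenset()       # empty = not specified
    processes: frozenset = frozenset()   # empty = not specified


@dataclass(frozen=True)
class Event:
    path: str
    user: str
    process: str


def path_in_scope(f: FimFilter, path: str) -> bool:
    """True if path lies under directory\\relative_path within depth levels.
    Assumption: depth counts directory levels below the relative-path directory."""
    base = [p.lower() for p in PureWindowsPath(f.directory).parts]
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if parts[:len(base)] != base:
        return False
    levels = parts[len(base):-1]         # directories between base and the file name
    if f.relative_path != "*":
        if not levels or levels[0] != f.relative_path.lower():
            return False
        levels = levels[1:]
    return f.depth is None or len(levels) <= f.depth


def criteria_match(f: FimFilter, e: Event) -> bool:
    """All specified criteria (path, user, process) must match."""
    return (path_in_scope(f, e.path)
            and (not f.users or e.user.lower() in {u.lower() for u in f.users})
            and (not f.processes or e.process.lower() in {p.lower() for p in f.processes}))


def is_logged(filters, e: Event) -> bool:
    """Assumed combination: any matching Exclude filter drops the event;
    otherwise, when Include filters exist, one of them must match."""
    if any(criteria_match(f, e) for f in filters if not f.include):
        return False
    includes = [f for f in filters if f.include]
    return not includes or any(criteria_match(f, e) for f in includes)
```

With the inclusion Scenario 1 filter, an event for C:\Windows\System32\config\system.ini from Windows\Administrator via cmd.exe is logged, while the same event from Windows\John, from notepad.exe, or six directory levels below config is dropped.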

Related Topics

Create a Profile

Import a Profile from Qualys Library

Clone a Profile

Activate and Deactivate a Profile

Delete a Profile