Enterprise Recon Cloud 2.12.0
How To Set up Global Filters
This section covers the following topics:
- Overview
- Permissions and Global Filters
- View Global Filters
- Add a Global Filter
- Manage Global Filters
- Sort Global Filters
- Import and Export Filters
- Filter Columns in Databases
Overview
Global Filters allow you to set up filters to automatically exclude or ignore matches based on the set filter rules.
You can do this by adding a filter from the Scans > Global Filters page or by marking matches as False Positive or Test Data when remediating matches.
Permissions and Global Filters
Resource Permissions and Global Permissions that are assigned to a user grants access to perform specific operations for global filters.
Operation | Definition | Users with Access |
---|---|---|
Import or export global filter | Import or export global filter definitions in supported files formats. |
|
Add, edit or delete global filters | Users can add, modify or remove global filters that apply to all or specific Targets / Target Groups. |
|
For more information, refer to the Grant User Permissions section.
View Global Filters
The Global Filters page displays a list of filters and the Targets they apply to. Filters created by marking exclusions when taking remedial action will also be displayed here.
Filter the list of global filters displayed using the options in the Filter by… section:
- False Positives > Locations: Locations marked as False Positives.
- False Positives > Matches: Match data marked as False Positives.
- Test Data > Matches: Match data marked as test data.
Add a Global Filter
- Log in to the ER Cloud Web Console.
- Go to the Scans > Global Filters page.
- On the top-right corner of the Global Filters page, click +Add.
- Select New Global Filter or Global Filter Template.
- From the drop-down list, select a filter template to start with, or a filter type. For the table of supported types of global filters, refer to the Scanning - Supported Global Filter Types section.
-
Complete the following fields:
Field Description Filter name (optional) Enter the Global Filter name. Expression / Suffix / Prefix / Date range / Days / Maximum file size / Exact match Enter the expression / suffix / prefix / date range / days / file size / match to be excluded or included in the scan. Press the Enter key to add multiple expressions or paths for filter types that accept multiple values.Description (optional) Enter the Global Filter description. Targets to be filtered Select the Target Group and Target the filter applies to. "All Groups" and "All Targets" are selected by default. Status upon adding Toggle off to disable the Global Filter upon adding. Enabled by default. Adding the filter with the toggle on will only affect upcoming scans that have not started. - Click Add Global Filter.
Manage Global Filters
You can edit, delete, and enable or disable existing global filters in the Global Filters page.
To edit an existing Global Filter, click the Edit button .
To remove an existing global filter, click the Delete button .
To enable or disable a global filter, under the On/Off column, select the toggle button .
Sort Global Filters
To sort the list of existing global filters, click the ˄ and ˅ arrow at each column header:
Column Headers | Toggle Function |
---|---|
On/Off |
|
Last Modified |
|
Name & ID |
|
Filter Details |
|
Description |
|
Filter Types |
|
Targets |
|
Import and Export Filters
Importing and exporting filters allows you to move filters from one ER Cloud installation to another. This is also useful if you are upgrading from Card Recon or Enterprise Recon on-prem, or are moving from an older installation of ER Cloud.
You can import from or export to the following file formats:
- Portable XML file.
- Spreadsheet (CSV).
- Text File.
- Card Recon Configuration File.
Portable XML File
To describe filters in XML files, follow the following basic rules:
- XML tags are case sensitive.
- Each tag must include the closing tag. For example, <filter>...</filter>.
-
The following ASCII characters have a special meaning in XML and have to be replaced by their corresponding XML character entity reference:
ASCII Character Description XML Character Entity Reference < Less-than sign < > More-than sign > & Ampersand & ' Apostrophe ' " Double quotation mark " The XML representation of "<User's Email & Login Name>" is written as "<User's Email & Login Name>".
The following tags are used in the XML file for global filters:
XML Tags | Description |
---|---|
<filter> | This is the root element that is required in XML files that describe global filters. All defined global filters must be within the filter tag. |
<level> | This tag defines the realm that the filter is applied to.
|
<name> | Name of the Group or Target that the filter is applied. Only required when level is group or target. |
<filter type> | This tag defines the filter type and expression. Refer to Filter Types table below to understand how to set up different filters. |
Filter Types
Filter Type | Description and Syntax |
---|---|
Exclude location by prefix | Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees. Syntax: <location-exclude>prefix*</location-exclude> <location-exclude>/root*</location-exclude>
This excludes all files and folders in the "/root" folder. |
Exclude location by suffix | Exclude search locations with paths that end with a given string. Syntax: <location-exclude>*suffix</location-exclude> <location-exclude>*.gzip</location-exclude>
This excludes all files and folders such as "example.gzip", "files.gzip". |
Exclude locations by expression | Excludes search locations by expression. Syntax: <location-exclude>expression</location-exclude> <location-exclude>C:\W??????</location-exclude>
This excludes locations like "C:\Windows", but not "C:\Win" and "C:\Windows1234". |
Include locations within modification date | Include search locations modified within a given range of date by specifying a start date and an end date. Syntax: <modified-between>YYYY-MM-DD - YYYY-MM-DD</modified-between> <modified-between>2018-1-1 - 2018-1-31</modified-between>
This includes only locations that have been modified between 1 January 2018 to 31 January 2018. |
Include locations modified recently | Include search locations modified within N number of days from the current date, where the value of N is from 1 - 99 days. Syntax: <modified-within>N number of days</modified-within> <modified-within>10</modified-within>
This includes locations that have been modified within 10 days from the current date. |
Exclude locations greater than file size (MB) | Exclude files that are larger than a given file size (in MB). Syntax: <modified-maxsize>file size in MB</modified-maxsize> <modified-maxsize>1024</modified-maxsize>
This excludes files that are larger than 1024 MB. |
Ignore exact match | Ignore matches that match a given string exactly. Syntax: <match-exclude>string</match-exclude> <match-exclude><<<DataType>>></match-exclude>
This ignores matches that match the literal string "<<<DataType>>>". |
Ignore match by prefix | Ignore matches that contain a given prefix. Syntax: <match-exclude>string*</match-exclude> <match-exclude>MyDT*</match-exclude>
This ignores matches that begin with "MyDT", such as "MyDT123". |
Ignore match by expression | Ignore matches found during scans if they match a given expression. Syntax: <match-exclude>expression</match-exclude> <match-exclude>*DataType?</match-exclude>
This ignores matches that contain the string "DataType" followed by exactly one character, such as "MyDataType0" and "DataType1". PCRE To enable full regular expression support, include @~ before a given expression. Syntax: <match-exclude>@~expression</match-exclude><match-exclude>@~DataType[0-9]</match-exclude>
This ignores matches that contain the string "DataType" followed by a single digit number "0" to "9", such as "DataType8". |
Add test data | Report match as test data if it matches a given string exactly. Syntax: <match-test>string</match-test> <match-test>TestData</match-test>
This reports matches as test data if they match the literal string "TestData". |
Add test data prefix | Report matches that begin with a given string as test data. Syntax: <match-test>string*</match-test> <match-test>TestData*</match-test>
This reports matches as test data if they begin with "TestData", such as "TestData123". |
Add test data expression | Report matches as test data if they match a given expression. Syntax: <match-test>expression</match-test> <match-test>*TestData?</match-test>
This reports matches as test data if they contain the string "TestData" followed by exactly one character, such as "MyTestData0" and "TestData1". |
Example
<filter>
<!-- These filters apply to all Targets -->
<global>
<location-exclude>*.gzip</location-exclude>
<location-exclude>*FOOBAR*</location-exclude>
<match-test>*@example.com</match-test>
<modified-maxsize>2048</modified-maxsize>
</global>
<!-- These filters apply only to the Group My-Default-Group -->
<target>
<name>My-Default-Group</name>
<modified-between>2018-1-1 - 2018-1-15</modified-between>
</target>
<!-- These filters apply only to the Target host My-Windows-Machine -->
<target>
<name>My-Windows-Machine</name>
<match-exclude>1234567890</match-exclude>
<modified-within>3</modified-within>
</target>
</filter>
Filter Columns in Databases
Filter out columns in databases by using the "Exclude location by suffix" filter to specify the columns or tables to exclude from the scan.
Description | Syntax |
---|---|
Exclude specific column across all tables in a database. | <column name>
To filter out "columnB" for all tables in a database, enter columnB.
|
Exclude specific column from in a particular table. | <table name>/<column name>
To filter out "columnB" only for "tableA" in a database, enter tableA/columnB.
|
Use the Apply to field if the global filter only needs to be applied to a specific Target Group or Target.
Database Index or Primary Keys
Certain tables or columns, such as a database index or primary key, cannot be excluded from a scan. If a filter applied to the scan excludes these tables or columns, the scan will ignore the filter.