Enterprise Recon Cloud 2.12.0

How To Set up Global Filters

This section covers the following topics:

Overview

Global Filters allow you to set up filters to automatically exclude or ignore matches based on the set filter rules.

You can do this by adding a filter from the Scans > Global Filters page or by marking matches as False Positive or Test Data when remediating matches.

Permissions and Global Filters

Resource Permissions and Global Permissions that are assigned to a user grants access to perform specific operations for global filters.

Operation Definition Users with Access
Import or export global filter Import or export global filter definitions in supported files formats.

  1. Global Admin.
  2. System Manager.

Add, edit or delete global filters Users can add, modify or remove global filters that apply to all or specific Targets / Target Groups.

  1. Global Admin.
  2. System Manager.
  3. Users without Global Permissions but have Scan or Remediate - Mark Location for Report privileges assigned through Resource Permissions.

For more information, refer to the Grant User Permissions section.

View Global Filters

The Global Filters page displays a list of filters and the Targets they apply to. Filters created by marking exclusions when taking remedial action will also be displayed here.

Filter the list of global filters displayed using the options in the Filter by… section:

  • False Positives > Locations: Locations marked as False Positives.
  • False Positives > Matches: Match data marked as False Positives.
  • Test Data > Matches: Match data marked as test data.

Global Filter Manager page to add, export and import global filters.

Add a Global Filter

  1. Log in to the ER Cloud Web Console.
  2. Go to the Scans > Global Filters page.
  3. On the top-right corner of the Global Filters page, click +Add.
  4. Select New Global Filter or Global Filter Template.
  5. From the drop-down list, select a filter template to start with, or a filter type. For the table of supported types of global filters, refer to the Scanning - Supported Global Filter Types section.
  6. Complete the following fields:

    Field Description
    Filter name (optional) Enter the Global Filter name.
    Expression / Suffix / Prefix / Date range / Days / Maximum file size / Exact match Enter the expression / suffix / prefix / date range / days / file size / match to be excluded or included in the scan.
    Press the Enter key to add multiple expressions or paths for filter types that accept multiple values.
    Description (optional) Enter the Global Filter description.
    Targets to be filtered Select the Target Group and Target the filter applies to. "All Groups" and "All Targets" are selected by default.
    Status upon adding Toggle off to disable the Global Filter upon adding. Enabled by default.
    Adding the filter with the toggle on will only affect upcoming scans that have not started.
  7. Click Add Global Filter.

Manage Global Filters

You can edit, delete, and enable or disable existing global filters in the Global Filters page.

To edit an existing Global Filter, click the Edit button Edit button to modify existing global filter..

To remove an existing global filter, click the Delete button Delete button to remove existing Global Filter..

To enable or disable a global filter, under the On/Off column, select the toggle button Enable/disable button to on/off existing Global Filter..

Sort Global Filters

To sort the list of existing global filters, click the ˄ and ˅ arrow at each column header:

Column Headers Toggle Function
On/Off
  • ˄ sorts global filters by status from disabled (off) to enabled (on).
  • ˅ sorts global filters by status from enabled (on) to disabled (off).
Last Modified
  • ˄ sorts global filters by last modified date from the earliest to the latest date and time.
  • ˅ sorts global filters by last modified date from the latest to the earliest date and time.
Name & ID
  • ˄ sorts global filters by name alphabetically from A to Z; filters without names are arranged by ID in descending order and are listed after filters with names.
  • ˅ sorts global filters by name alphabetically from Z to A; filters without names are arranged by ID in ascending order and are listed before filters with names.
Filter Details
  • ˄ sorts global filters by details alphabetically from A to Z.
  • ˅ sorts global filters by details alphabetically from Z to A.
Description
  • ˄ sorts global filters by description alphabetically from A to Z; filters without descriptions are listed before filters with descriptions.
  • ˅ sorts global filters by description alphabetically from Z to A; filters without descriptions are listed after filters with descriptions.
Filter Types
  • ˄ sorts global filters by type alphabetically from A to Z.
  • ˅ sorts global filters by type alphabetically from Z to A.
Targets
  • ˄ sorts global filters by Target alphabetically from A to Z.
  • ˅ sorts global filters by Target alphabetically from Z to A.

Import and Export Filters

Importing and exporting filters allows you to move filters from one ER Cloud installation to another. This is also useful if you are upgrading from Card Recon or Enterprise Recon on-prem, or are moving from an older installation of ER Cloud.

You can import from or export to the following file formats:

  • Portable XML file.
  • Spreadsheet (CSV).
  • Text File.
  • Card Recon Configuration File.

Portable XML File

To describe filters in XML files, follow the following basic rules:

  • XML tags are case sensitive.
  • Each tag must include the closing tag. For example, <filter>...</filter>.
  • The following ASCII characters have a special meaning in XML and have to be replaced by their corresponding XML character entity reference:

    ASCII Character Description XML Character Entity Reference
    < Less-than sign &lt;
    > More-than sign &gt;
    & Ampersand &amp;
    ' Apostrophe &apos;
    " Double quotation mark &quot;

The following tags are used in the XML file for global filters:

XML Tags Description
<filter> This is the root element that is required in XML files that describe global filters. All defined global filters must be within the filter tag.
<level> This tag defines the realm that the filter is applied to.
  1. global : Filter applies to all Targets.
  2. group : Filter is only applied to a specific Group.
  3. target : Filter is only applied to a specific Target.
<name> Name of the Group or Target that the filter is applied. Only required when level is group or target.
<filter type> This tag defines the filter type and expression. Refer to Filter Types table below to understand how to set up different filters.

Filter Types

Filter Type Description and Syntax
Exclude location by prefix

Exclude search locations with paths that begin with a given string. Can be used to exclude entire directory trees.

Syntax: <location-exclude>prefix*</location-exclude>

Exclude location by suffix

Exclude search locations with paths that end with a given string.

Syntax: <location-exclude>*suffix</location-exclude>

Exclude locations by expression

Excludes search locations by expression.

Syntax: <location-exclude>expression</location-exclude>

Include locations within modification date

Include search locations modified within a given range of date by specifying a start date and an end date.

Syntax: <modified-between>YYYY-MM-DD - YYYY-MM-DD</modified-between>

Include locations modified recently

Include search locations modified within N number of days from the current date, where the value of N is from 1 - 99 days.

Syntax: <modified-within>N number of days</modified-within>

Exclude locations greater than file size (MB)

Exclude files that are larger than a given file size (in MB).

Syntax: <modified-maxsize>file size in MB</modified-maxsize>

Ignore exact match

Ignore matches that match a given string exactly.

Syntax: <match-exclude>string</match-exclude>

Ignore match by prefix

Ignore matches that contain a given prefix.

Syntax: <match-exclude>string*</match-exclude>

Ignore match by expression

Ignore matches found during scans if they match a given expression.

Syntax: <match-exclude>expression</match-exclude>


PCRE

To enable full regular expression support, include @~ before a given expression.

Syntax: <match-exclude>@~expression</match-exclude>
Add test data

Report match as test data if it matches a given string exactly.

Syntax: <match-test>string</match-test>

Add test data prefix

Report matches that begin with a given string as test data.

Syntax: <match-test>string*</match-test>

Add test data expression

Report matches as test data if they match a given expression.

Syntax: <match-test>expression</match-test>

Example

<filter> <!-- These filters apply to all Targets --> <global> <location-exclude>*.gzip</location-exclude> <location-exclude>*FOOBAR*</location-exclude> <match-test>*@example.com</match-test> <modified-maxsize>2048</modified-maxsize> </global> <!-- These filters apply only to the Group My-Default-Group --> <target> <name>My-Default-Group</name> <modified-between>2018-1-1 - 2018-1-15</modified-between> </target> <!-- These filters apply only to the Target host My-Windows-Machine --> <target> <name>My-Windows-Machine</name> <match-exclude>1234567890</match-exclude> <modified-within>3</modified-within> </target>
</filter>

Filter Columns in Databases

Filter out columns in databases by using the "Exclude location by suffix" filter to specify the columns or tables to exclude from the scan.

Description Syntax
Exclude specific column across all tables in a database. <column name>
Exclude specific column from in a particular table. <table name>/<column name>

Database Index or Primary Keys

Certain tables or columns, such as a database index or primary key, cannot be excluded from a scan. If a filter applied to the scan excludes these tables or columns, the scan will ignore the filter.