Exception types and value syntax
Different exception types in Elastic Security require different escaping rules for file paths. This page clarifies the syntax differences between each exception type so you can create exceptions that work as expected.
Detection rule exceptions require escaping for special characters, while Elastic Endpoint exceptions and trusted applications do not. The following sections explain the syntax for each type.
When you use the matches or does not match operator in a detection rule exception, you must escape special characters with a backslash:
- \\ for a literal backslash
- \* for a literal asterisk
- \? for a literal question mark
Windows paths use backslashes as directory separators, so you must double each separator. Paths that already contain double backslashes (such as UNC paths) require four backslashes per separator.
Examples:
| What you want to match | Value to enter |
|---|---|
| C:\Windows\explorer.exe | C:\\Windows\\explorer.exe |
| C:\Program Files\*\app.exe (wildcard) | C:\\Program Files\\*\\app.exe |
| \\server\share\file.txt (UNC path) | \\\\server\\share\\file.txt |
Elastic Endpoint exceptions and trusted applications interpret values literally. Enter file paths and other values exactly as they appear on the host operating system. Do not escape backslashes or other special characters.
Examples:
| What you want to match | Value to enter |
|---|---|
| C:\Windows\explorer.exe | C:\Windows\explorer.exe |
| C:\Program Files\*\app.exe (wildcard) | C:\Program Files\*\app.exe |
| \\server\share\file.txt (UNC path) | \\server\share\file.txt |
The ? and * wildcards work the same way across all exception types — ? matches one character and * matches zero or more characters — but only the detection rule exception type requires escaping these characters when you want to match them literally.
Because escaping rules differ between exception types, values that work in one context can silently fail in another. The following table describes symptoms and how to resolve them:
| Symptom | Likely cause | Resolution |
|---|---|---|
| Elastic Endpoint exception or trusted application does not match a Windows path | The value contains double backslashes (for example, C:\\Windows\\explorer.exe) copied from a detection rule exception | Remove the extra backslashes and enter the path as it appears on disk: C:\Windows\explorer.exe |
| Detection rule exception with the matches operator does not match a Windows path | The value contains single backslashes that are not escaped (for example, C:\Windows\explorer.exe) | Escape each backslash: C:\\Windows\\explorer.exe |
| Exception was copied from a working detection rule into an Elastic Endpoint exception and no longer matches | Detection rule escaping syntax is not valid for Elastic Endpoint exceptions | Re-enter the value without escaping, matching the path exactly as it appears on the host |
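As an added example (not code from the Elastic documentation or product), the following Python models the two ways an exception value is read, as described in the syntax sections above: a backslash is an escape character for the matches operator but an ordinary character for Elastic Endpoint exceptions, while * and ? are wildcards in both. It reproduces the failures listed in the troubleshooting table; the matcher is a simplified model of the behaviour this page describes and does not attempt to mirror Elastic's real implementation (for instance, case folding is not modelled).

```python
import re

def escape_for_detection_rule(literal_path: str) -> str:
    """Turn an on-disk path into the value for a detection rule exception
    using 'matches': each backslash, '*' and '?' gets a backslash prefix."""
    return (literal_path.replace("\\", "\\\\")
            .replace("*", "\\*")
            .replace("?", "\\?"))

def value_to_regex(value: str, backslash_escapes: bool) -> re.Pattern:
    """Compile an exception value: '*' -> any run of characters, '?' -> one.
    backslash_escapes=True models a detection rule exception (a backslash
    makes the next character literal); False models an Elastic Endpoint
    exception, where a backslash is an ordinary character."""
    parts, i = [], 0
    while i < len(value):
        ch = value[i]
        if backslash_escapes and ch == "\\":
            i += 1
            if i == len(value):
                raise ValueError("value ends with an unpaired backslash")
            parts.append(re.escape(value[i]))
        elif ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))  # simplified model: no case folding

def detection_rule_matches(value: str, path: str) -> bool:
    return value_to_regex(value, True).fullmatch(path) is not None

def endpoint_exception_matches(value: str, path: str) -> bool:
    return value_to_regex(value, False).fullmatch(path) is not None

if __name__ == "__main__":
    on_disk = r"C:\Windows\explorer.exe"
    rule_value = escape_for_detection_rule(on_disk)   # C:\\Windows\\explorer.exe
    print(detection_rule_matches(rule_value, on_disk))      # True
    print(endpoint_exception_matches(on_disk, on_disk))     # True
    # The two failure modes from the troubleshooting table above:
    print(detection_rule_matches(on_disk, on_disk))         # False: backslashes not escaped
    print(endpoint_exception_matches(rule_value, on_disk))  # False: doubled backslashes are literal
    # An unescaped '*' stays a wildcard; a UNC separator needs four backslashes
    print(detection_rule_matches(r"C:\\Program Files\\*\\app.exe", r"C:\Program Files\Vendor\app.exe"))  # True
    print(escape_for_detection_rule(r"\\server\share\file.txt"))  # \\\\server\\share\\file.txt
```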
The following table compares how detection rule exceptions and Elastic Endpoint exceptions differ in behavior and risk:
| | Detection rule exception | Elastic Endpoint exception |
|---|---|---|
| Where it operates | Detection engine in Kibana | Elastic Endpoint (on the host) |
| Primary purpose | Suppress alerts in Kibana | Exclude a process from blocking and monitoring on the endpoint |
| Affects endpoint blocking? | No — Elastic Endpoint can still block or detect the activity | Yes — prevents blocking and detection on the host |
| Affects alert generation? | Yes — prevents alerts | Sometimes — if Elastic Endpoint never generates an event, the detection engine has nothing to alert on |
| Used for | Reduce alert noise | Prevent endpoint interference with known-safe software |
| Risk if used incorrectly | Silent blocking on endpoints (Elastic Endpoint still blocks the process, but generates no alert) | Blind spots — Elastic Endpoint may never detect the activity |
| Example use case | Suppress alerts for a harmless administrative script | Allow a trusted installer so Elastic Endpoint does not block it |
For a comparison of trusted applications, event filters, blocklists, and Elastic Endpoint exceptions — including how each affects performance and visibility — refer to Optimize Elastic Defend.