Excluding Commands using Wildcards in Advanced Breach Detection


Advanced Breach Detection can be configured to whitelist certain commands that run repetitively but have changing command line parameters.


The ability to whitelist these commands should be done from the configuration screen of the app.


From the RocketCyber Dashboard locate the Advanced Breach Detection App Card



Click on Configure


When the configure screen appears, scroll down until you see the edit box titled Excluded CLI Commands

Enter the command that you want to whitelist in the box. You can use * (asterisk) as a wildcard character to substitute parameters that are specific or change periodically such as passwords or hostnames.


The following command is detected when a new user is added to the local administrator group. This might be a routine execution in the environment that you would want to exclude based on the user name being added.


net localgroup Administrators DESKTOP-22AZ0\MYADMIN /add


We want to whitelist this command whenever the user MYADMIN is added to the local group Administrators on any device. The following is the command that you would add to the Excluded CLI Commands.


net localgroup Administrators *\MYADMIN /add


When the command is executed the agent will use the wildcard to match any hostname in the command and therefore whitelist its detection.


Once you have entered the command in the Excluded CLI Commands box, click the Create or Update button to save the changes.

The agent will receive the new configuration and begin excluding the specified commands from being detected.



Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us