File Path Pattern Matching for File Integrity Monitoring
When configuring a File Integrity Monitoring (FIM) rule, you can specify certain wildcard characters in designated file paths to be excluded from monitoring.
Descriptions of the most common wildcard patterns along with some examples are listed below.
| Wildcard | Description | Example of Pattern | Example of Matches |
|---|---|---|---|
| Matches any single character, except a path separator | ?at | cat, bat | |
| Matches zero or more characters up to the end of the next path separator | *.txt | Matches any file that ends in ".txt" in a monitored directory | |
| Matches zero or more files to any directory depth | **.txt | Matches any file that ends in ".txt" in a monitored directory, and any of its subdirectories | |
| Matches one character given in the bracket | [CB]at | Cat or Bat | |
| Matches one character from the (locale-dependent) range given in the bracket | Letter[0-1] | Letter0, Letter1 | |
| Matches one character that is not given in the bracket | [!C]at | bat, cat | |
| Matches one character that is not from the range given in the bracket | Letter[!3-5] | Letter1, Letter2 |
Note
The file path separator for Windows is "\" and "/" for Linux.