elastic · natasha-moore-elastic · Aug 29, 2025 · Aug 28, 2025 · Aug 29, 2025
@@ -103,7 +103,7 @@ You can add exceptions to a rule from the rule details page, the Alerts table, t
         * `matches` | `does not match` — Allows you to use wildcards in **Value**, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected **Field** data type must be [keyword](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md#keyword-field-type), [text](elasticsearch://reference/elasticsearch/mapping-reference/text.md#text-field-type), or [wildcard](elasticsearch://reference/elasticsearch/mapping-reference/keyword.md#wildcard-field-type).
 
             ::::{note}
-            Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.
+            For detection rule exceptions, some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.
             ::::
 
 
@@ -208,6 +208,7 @@ Additionally, to add an Endpoint exception to an endpoint protection rule, there
     ::::{note}
     * Fields with conflicts are marked with a warning icon (![Field conflict warning icon](/solutions/images/security-field-warning-icon.png "title =20x20")). Using these fields might cause unexpected exceptions behavior. For more information, refer to [Troubleshooting type conflicts and unmapped fields](../../../troubleshoot/security/detection-rules.md#rule-exceptions-field-conflicts).
     * The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field.
+    * Unlike detection rule exceptions, Elastic Endpoint exceptions do not require escaping special characters.
 
     ::::
 

@@ -75,6 +75,10 @@ Create event filters from the **Hosts** page or the **Event filters** page.
         * `is not one of`
         * `matches` | `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`.  Available wildcards are `?` (match one character) and `*` (match zero or more characters).
 
+            ::::{note}
+            Unlike detection rule exceptions, event filters do not require escaping special characters.
+            ::::
+
             ::::{important}
             Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
             ::::

@@ -65,6 +65,10 @@ To add a trusted application:
         * `is`: Must be *exactly* equal to `Value`; wildcards are not supported. This operator is required for the `Hash` and `Signature` field types.
         * `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This option is only available for the `Path` field type. Available wildcards are `?` (match one character) and `*` (match zero or more characters).
 
+          ::::{note}
+          Unlike detection rule exceptions, trusted applications do not require escaping special characters.
+          ::::
+
     4. `Value`: Enter the hash value, file path, or signer name. To add an additional value, click **AND**.
 
         ::::{note}
@@ -88,6 +92,10 @@ To add a trusted application:
        * `is not one of`
        * `matches` | `does not match`:  Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`.  Available wildcards are `?` (match one character) and `*` (match zero or more characters).
 
+          ::::{note}
+          Unlike detection rule exceptions, trusted applications do not require escaping special characters.
+          ::::
+
           ::::{important}
           Using wildcards can impact performance. To create a more efficient trusted application using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
           ::::