Clarify escaping rules

natasha-moore-elastic · natasha-moore-elastic · commit 8adde2cecfc7 · 2025-08-28T13:55:41.000+01:00
diff --git a/docs/detections/add-exceptions.asciidoc b/docs/detections/add-exceptions.asciidoc
@@ -87,7 +87,7 @@ A warning displays for fields with conflicts. Using these fields might cause une
 =======
     * `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard].
 +
-NOTE: Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.
+NOTE: For detection rule exceptions, some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.
 +
 IMPORTANT: Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
 
@@ -180,7 +180,8 @@ IMPORTANT: Rule exceptions are case-sensitive, which means that any character th
 [NOTE] 
 ======
 * Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <<rule-exceptions-field-conflicts, Troubleshooting type conflicts and unmapped fields>>.
-* The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field. 
+* The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field.
+* Unlike detection rule exceptions, Elastic Endpoint exceptions do not require escaping special characters. 
 ======
 
 . (Optional) Add a comment to the exception.
diff --git a/docs/detections/images/exception-item-example.png b/docs/detections/images/exception-item-example.png
diff --git a/docs/management/admin/event-filters.asciidoc b/docs/management/admin/event-filters.asciidoc
@@ -54,6 +54,8 @@ This option adds the condition `event.category is process` to narrow the filter
     * `is not one of`
     * `matches` | `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`.  Available wildcards are `?` (match one character) and `*` (match zero or more characters).
 +
+NOTE: Unlike detection rule exceptions, event filters do not require escaping special characters.
++
 IMPORTANT: Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
 
   .. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**.
diff --git a/docs/management/admin/trusted-apps.asciidoc b/docs/management/admin/trusted-apps.asciidoc
@@ -44,6 +44,8 @@ TIP: To find the signer's name for an application, go to *Kibana* -> *Discover*
 * `Operator`: Select an operator to define the condition:
    ** `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operator is required for the `Hash` and `Signature` field types.
    ** `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This option is only available for the `Path` field type. Available wildcards are `?` (match one character) and `*` (match zero or more characters).
++
+NOTE: Unlike detection rule exceptions, trusted applications do not require escaping special characters.
 
 * `Value`: Enter the hash value, file path, or signer name. To add an additional value, click *AND*.
 +

Original file line number	Diff line number	Diff line change
@@ -54,6 +54,8 @@ This option adds the condition `event.category is process` to narrow the filter
`54`	`54`	* `is not one of`
`55`	`55`	* `matches` \| `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\\app.exe`. Available wildcards are `?` (match one character) and `` (match zero or more characters).
`56`	`56`	`+`
	`57`	`+NOTE: Unlike detection rule exceptions, event filters do not require escaping special characters.`
	`58`	`++`
`57`	`59`	IMPORTANT: Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.
`58`	`60`
`59`	`61`	.. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press Return.
Original file line number	Diff line number	Diff line change
`@@ -44,6 +44,8 @@ TIP: To find the signer's name for an application, go to Kibana -> Discover`
`44`	`44`	* `Operator`: Select an operator to define the condition:
`45`	`45`	** `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operator is required for the `Hash` and `Signature` field types.
`46`	`46`	** `matches`: Can include wildcards in `Value`, such as `C:\path\\app.exe`. This option is only available for the `Path` field type. Available wildcards are `?` (match one character) and `` (match zero or more characters).
	`47`	`++`
	`48`	`+NOTE: Unlike detection rule exceptions, trusted applications do not require escaping special characters.`
`47`	`49`
`48`	`50`	* `Value`: Enter the hash value, file path, or signer name. To add an additional value, click AND.
`49`	`51`	`+`