Merged
5 changes: 3 additions & 2 deletions docs/detections/add-exceptions.asciidoc
Expand Up @@ -87,7 +87,7 @@ A warning displays for fields with conflicts. Using these fields might cause une
=======
* `matches` | `does not match` — Allows you to use wildcards in *Value*, such as `C:\\path\\*\\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters). The selected *Field* data type must be {ref}/keyword.html#keyword-field-type[keyword], {ref}/text.html#text-field-type[text], or {ref}/keyword.html#wildcard-field-type[wildcard].
+
NOTE: Some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.
NOTE: For detection rule exceptions, some characters must be escaped with a backslash, such as `\\` for a literal backslash, `\*` for an asterisk, and `\?` for a question mark. Windows paths must be divided with double backslashes (for example, `C:\\Windows\\explorer.exe`), and paths that already include double backslashes might require four backslashes for each divider.
+
IMPORTANT: Using wildcards can impact performance. To create a more efficient exception using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.

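Review bot: the revised NOTE still says paths that already include double backslashes "might require four backslashes for each divider", which leaves the reader guessing when that applies; because an under-escaped value silently changes what the exception suppresses (an unescaped `*` or `?` in a path is a wildcard per the `matches` bullet above), state the rule plainly, for example "a value that must contain a literal `\\` is written as `\\\\`", with one worked path. It would also help to say whether this escaping applies only to `matches` / `does not match` or to every operator, since the note as placed reads as if it applies to all of them.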
Expand Down Expand Up @@ -180,7 +180,8 @@ IMPORTANT: Rule exceptions are case-sensitive, which means that any character th
[NOTE]
======
* Fields with conflicts are marked with a warning icon (image:images/field-warning-icon.png[Field conflict warning icon,13,13]). Using these fields might cause unexpected exceptions behavior. For more information, refer to <<rule-exceptions-field-conflicts, Troubleshooting type conflicts and unmapped fields>>.
* The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field.
* The `is one of` and `is not one of` operators support identical, case-sensitive values. For example, if you want to match the values `Windows` and `windows`, add both values to the **Value** field.
* Unlike detection rule exceptions, Elastic Endpoint exceptions do not require escaping special characters.
======

. (Optional) Add a comment to the exception.
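Review bot: the first changed bullet (`* The `is one of` and `is not one of` operators ...`) is removed and re-added with no visible text difference, so this looks like a whitespace-only change; fine if intentional, otherwise drop it to keep the diff minimal. For the new bullet "Unlike detection rule exceptions, Elastic Endpoint exceptions do not require escaping special characters", say what a backslash in a value then means: the earlier NOTE in this file tells rule-exception users to write `\\` for a literal backslash, so a reader who pastes the same `C:\\Windows\\explorer.exe` value into an Endpoint exception needs to know whether the doubled backslashes are now taken literally. One short example of the same path in both forms would close that gap.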
Binary file modified docs/detections/images/exception-item-example.png
2 changes: 2 additions & 0 deletions docs/management/admin/event-filters.asciidoc
Expand Up @@ -54,6 +54,8 @@ This option adds the condition `event.category is process` to narrow the filter
* `is not one of`
* `matches` | `does not match` : Allows you to use wildcards in `Value`, such as `C:\path\*\app.exe`. Available wildcards are `?` (match one character) and `*` (match zero or more characters).
+
NOTE: Unlike detection rule exceptions, event filters do not require escaping special characters.
+
IMPORTANT: Using wildcards in file paths can impact performance. To create a more efficient event filter using wildcards, use multiple conditions and make them as specific as possible. For example, adding conditions using `process.name` or `file.name` can help limit the scope of wildcard matching.

.. `Value`: Enter the value associated with the `Field`. To enter multiple values (when using `is one of` or `is not one of`), enter each value, then press **Return**.
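Review bot: the new NOTE says event filters "do not require escaping special characters" but not whether escaping is supported at all; since `?` and `*` are wildcards under `matches`, a reader who needs to match a literal `?` or `*` in a path is left without a documented way, so either state that these characters cannot be matched literally in event filters or give the syntax. The example `C:\path\*\app.exe` already uses single backslashes, which is consistent with the note.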
2 changes: 2 additions & 0 deletions docs/management/admin/trusted-apps.asciidoc
Expand Up @@ -44,6 +44,8 @@ TIP: To find the signer's name for an application, go to *Kibana* -> *Discover*
* `Operator`: Select an operator to define the condition:
** `is`: Must be _exactly_ equal to `Value`; wildcards are not supported. This operator is required for the `Hash` and `Signature` field types.
** `matches`: Can include wildcards in `Value`, such as `C:\path\*\app.exe`. This option is only available for the `Path` field type. Available wildcards are `?` (match one character) and `*` (match zero or more characters).
+
NOTE: Unlike detection rule exceptions, trusted applications do not require escaping special characters.

* `Value`: Enter the hash value, file path, or signer name. To add an additional value, click *AND*.
+
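Review bot: the `+` continuation attaches the new NOTE to the `** matches` sub-item, so it renders as part of the `matches` description, but the escaping statement concerns the `Path` value as a whole and `is` also takes a full path ("Must be _exactly_ equal to `Value`"); consider placing it under `* Value` (after the "Enter the hash value, file path, or signer name" line) so both operators are covered. As on the event-filters page, say whether a literal `*` or `?` can be matched at all when no escaping is used.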