Power Rules and regular expressions
Power Rules
A Power Rule is a PowerShell based framework that lets you change the outcome of an Application Rule, based on the outcome of a PowerShell script.
Instead of a fixed Default Rule that can either be set to Allow, Elevate, Audit, or Block for the applications in the targeted Application Group, a Power Rule lets you determine your own outcome based on any scenario you can build into a PowerShell script.
Any existing Default Rule within a Workstyle can be updated to a Power Rule by setting the action to a Power Rule script, and importing the PowerShell script you want to use. EPM provides a PowerShell module with an interface to collect information about the user, application, and policy. The module can then send a resulting action back to EPM to apply.
The Power Rules module also provides a variety of message options that allow you to collect additional information to support your PowerShell script logic and provide updates to the user as to the status, progress, or outcome of your rule. The messages that are supported include:
- Authentication message
- Business Justification message
- Information message
- Pass code message
- Vaulted credential message
- Asynchronous progress dialog for long running tasks
Power Rules is a highly flexible feature with unlimited potential. If you can do it in PowerShell, you can do it in a Power Rule. Here are some example use cases for Power Rules:
- Environmental Factors: Collecting additional information about the application, user, computer, or network status to influence whether an application should be allowed to run, or run with elevated privileges.
- Service Management: Automatically submitting tickets to IT Service Management solutions, and determining the outcome of a service ticket.
- File Reputation: Performing additional checks on an application by looking up the file hash in an application store, reputation service, or a vulnerability database.
- Privileged Access Management: Checking out credentials from a password safe or vault, and passing them back to Endpoint Privilege Management to run the application in that context.
Regular expression syntax
Use regular expressions to control applications at a granular level. Endpoint Privilege Management uses the CAtlRegExp library, which is part of the Microsoft ATL Server implementation, as its regular expression parser and matching engine, so the syntax below is CAtlRegExp syntax rather than .NET or Perl syntax.
Examples
The following examples are from Endpoint Privilege Management QuickStart Templates.
Application Definition | Regular Expression | Application |
---|---|---|
File / Folder Name | %ProgramFiles%( (x86))*\webex\productivity tools\ptupdate.exe | Cisco WebEx ptUpdate |
File / Folder Name | vcredist_x[0-9][0-9].exe | Microsoft Visual C++ Redistributable Setup |
File / Folder Name | ((rdbgsetup)\|(msvsmon)).exe | Microsoft Visual Studio Remote Debugger |
Command line | (powershell_ise.exe)\|(powershell.exe)\|(cmd.exe)\|(wscript.exe)\|(cscript)\|(mshta.exe) | Any Trusted Executable |
Command line arguments | -[rfRM].*[rfRM]\s\W* | rm |
Syntax
Metacharacter | Meaning | Example |
---|---|---|
Any character except [^$.\|?*+() | All characters except the listed special characters match a single instance of themselves. To match one of these listed characters, use a backslash escape character (see below). | abc matches abc |
\ (backslash) | Escape character: interpret the next character literally. | a\+b matches a+b |
. (dot) | Matches any single character. | a.b matches aab, abb, acb, etc. |
[ ] | Indicates a character class. Matches any character inside the brackets (for example, [abc] matches a, b, and c). | [abc] matches a, b, or c |
^ (caret) | If this metacharacter occurs at the start of a character class, it negates the character class. A negated character class matches any character except those inside the brackets (for example, [^abc] matches all characters except a, b, and c). If ^ is at the beginning of the regular expression, it matches the beginning of the input (for example, ^[abc] only matches input that begins with a, b, or c). | [^abc] matches all characters except a, b, and c |
- (minus character) | In a character class, indicates a range of characters (for example, [0-9] matches any of the digits 0 through 9). | [0-9] matches any of the digits 0 through 9 |
? | Indicates that the preceding expression is optional: it matches once or not at all (for example, [0-9][0-9]? matches 2 and 12). | ab?c matches ac or abc |
+ (plus) | Indicates that the preceding expression matches one or more times (for example, [0-9]+ matches 1, 13, 999, and so on). | ab+c matches abc, abbc, abbbc, etc. |
* (asterisk) | Indicates that the preceding expression matches zero or more times. | ab*c matches ac, abc, abbc, etc. |
\| (vertical pipe) | Alternation operator: separates two expressions, exactly one of which matches. | a\|b matches a or b |
??, +?, *? | Non-greedy versions of ?, +, and *. These match as little as possible, unlike the greedy versions, which match as much as possible. | Given the input <abc><def>, <.*?> matches <abc> while <.*> matches <abc><def> |
( ) | Grouping operator. Example: (\d+,)*\d+ matches a list of numbers separated by commas, such as 1 or 1,23,456. | (One)\|(Two) matches One or Two |
{ } | Indicates a match group. The actual text in the input that matches the expression inside the braces can be retrieved through the CAtlREMatchContext object. | |
\ | Escape character: interpret the next character literally. For example, [0-9]+ matches one or more digits, but [0-9]\+ matches a digit followed by a plus character. Also used for abbreviations, such as \a for any alphanumeric character; see table below. If \ is followed by a number n, it matches the nth match group (starting from 0). Example: <{.*?}>.*?</\0> matches "<tag>Contents</tag>". Note that in C++ string literals, two backslashes must be used: "\\+", "\\a", "<{.*?}>.*?</\\0>". | <{.*?}>.*?</\0> matches <tag>Contents</tag> |
$ | At the end of a regular expression, this character matches the end of the input. Example: [0-9]$ matches a digit at the end of the input. | [0-9]$ matches a digit at the end of the input |
\| (vertical pipe) | Alternation operator: separates two expressions, exactly one of which matches. | (T\|t)he matches The or the |
! | Negation operator: the expression following ! does not match the input. Example: a!b matches a not followed by b. | a!b matches a not followed by b |
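The table above differs from Python or .NET syntax in a few places: ( ) only groups, { } is the capturing match group, and \0 is the first group. As an added example (not BeyondTrust's code and not the CAtlRegExp library itself), this Python helper translates a pattern written in the syntax above into Python re syntax so that an application definition can be checked against sample paths and command lines before it goes into a Workstyle; the character classes chosen for the \a, \c, \d and \h abbreviations are assumptions, and the ! negation operator is not translated.

```python
import re

# CAtlRegExp abbreviations: the page names \a, and \d appears in its (\d+,)*\d+
# example. The Python character classes chosen here are assumptions.
ABBREV = {"a": "[A-Za-z0-9]", "c": "[A-Za-z]", "d": "[0-9]", "h": "[0-9A-Fa-f]"}
# ( ) is grouping only -> non-capturing; { } is a match group -> capturing.
GROUPS = {"(": "(?:", "{": "(", "}": ")"}

def catl_to_python(pattern: str) -> str:
    """Translate CAtlRegExp syntax from the table above into Python re syntax.

    \\N (Nth match group, 0-based) becomes the 1-based Python backreference
    \\N+1; . [ ] ^ $ ? + * | and the non-greedy forms are unchanged. The !
    negation operator has no direct Python equivalent and is rejected.
    """
    out, i, in_class = [], 0, False
    while i < len(pattern):
        ch = pattern[i]
        if in_class:                       # inside [ ]: copy through to the closing ]
            out.append(ch)
            if ch == "\\" and i + 1 < len(pattern):
                i += 1
                out.append(pattern[i])
            elif ch == "]":
                in_class = False
        elif ch == "[":
            in_class = True
            out.append(ch)
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1
            nxt = pattern[i]
            if nxt.isdigit():              # \0 -> \1 (single-digit group numbers only)
                out.append("\\" + str(int(nxt) + 1))
            elif nxt in ABBREV:
                out.append(ABBREV[nxt])
            else:                          # escaped literal such as \+ or \.
                out.append(re.escape(nxt))
        elif ch in GROUPS:
            out.append(GROUPS[ch])
        elif ch == "!":
            raise ValueError("the ! negation operator is not translated")
        else:
            out.append(ch)
        i += 1
    return "".join(out)

def match_groups(pattern: str, text: str):
    """Search text with a CAtlRegExp pattern; return its { } groups, or None if no match."""
    m = re.search(catl_to_python(pattern), text)
    return None if m is None else m.groups()
```

Running the QuickStart patterns through match_groups against both the paths you expect to match and near misses (an unescaped . in ptupdate.exe matches any character, for instance) shows what a definition will actually accept before it is deployed.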