---
title: Exception types and value syntax
description: Understand the differences in escaping rules for detection rule exceptions and Elastic Endpoint exceptions.
url: https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/solutions/security/manage-elastic-defend/exception-types-and-syntax
products:
  - Elastic Cloud Serverless
  - Elastic Security
applies_to:
  - Serverless Security projects: Generally available
  - Elastic Stack: Generally available
---

# Exception types and value syntax
Different exception types in Elastic Security require different escaping rules for file paths. This page clarifies the syntax differences between each exception type so you can create exceptions that work as expected.

## Value syntax

[Detection rule exceptions](/elastic/docs-content/tree/main/solutions/security/detect-and-alert/add-manage-exceptions#detection-rule-exceptions) require escaping for special characters, while [Elastic Endpoint exceptions](/elastic/docs-content/tree/main/solutions/security/detect-and-alert/add-manage-exceptions#endpoint-rule-exceptions) and [trusted applications](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/solutions/security/manage-elastic-defend/trusted-applications) do not. The following sections explain the syntax for each type.

### Detection rule exceptions (escaping required)

When you use the `matches` or `does not match` operator in a detection rule exception, you must escape special characters with a backslash:
- `\\` for a literal backslash
- `\*` for a literal asterisk
- `\?` for a literal question mark

Windows paths use backslashes as directory separators, so you must double each separator. Where a path already contains a double backslash (such as the leading `\\` of a UNC path), enter four backslashes.

**Examples:**

| What you want to match                  | Value to enter                  |
|-----------------------------------------|---------------------------------|
| `C:\Windows\explorer.exe`               | `C:\\Windows\\explorer.exe`     |
| `C:\Program Files\*\app.exe` (wildcard) | `C:\\Program Files\\*\\app.exe` |
| `\\server\share\file.txt` (UNC path)    | `\\\\server\\share\\file.txt`   |


### Elastic Endpoint exceptions and trusted applications (no escaping)

Elastic Endpoint exceptions and trusted applications interpret values literally. Enter file paths and other values exactly as they appear on the host operating system. Do **not** escape backslashes or other special characters.

**Examples:**

| What you want to match                  | Value to enter               |
|-----------------------------------------|------------------------------|
| `C:\Windows\explorer.exe`               | `C:\Windows\explorer.exe`    |
| `C:\Program Files\*\app.exe` (wildcard) | `C:\Program Files\*\app.exe` |
| `\\server\share\file.txt` (UNC path)    | `\\server\share\file.txt`    |


### Wildcard characters

The `?` and `*` wildcards work the same way across all exception types — `?` matches one character and `*` matches zero or more characters — but only the **detection rule** exception type requires escaping these characters when you want to match them literally.

## Troubleshoot exception values

Because escaping rules differ between exception types, values that work in one context can silently fail in another. The following table describes symptoms and how to resolve them:

| Symptom                                                                                                     | Likely cause                                                                                                            | Resolution                                                                                       |
|-------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------|
| Elastic Endpoint exception or trusted application does not match a Windows path                             | The value contains double backslashes (for example, `C:\\Windows\\explorer.exe`) copied from a detection rule exception | Remove the extra backslashes and enter the path as it appears on disk: `C:\Windows\explorer.exe` |
| Detection rule exception with the `matches` operator does not match a Windows path                          | The value contains single backslashes that are not escaped (for example, `C:\Windows\explorer.exe`)                     | Escape each backslash: `C:\\Windows\\explorer.exe`                                               |
| Exception was copied from a working detection rule into an Elastic Endpoint exception and no longer matches | Detection rule escaping syntax is not valid for Elastic Endpoint exceptions                                             | Re-enter the value without escaping, matching the path exactly as it appears on the host         |

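The following Python sketch is an added example, not Elastic code or an Elastic API. It converts path values between the two syntaxes shown in the tables above and flags the mismatches described in the troubleshooting table before a value is saved. The function names and the `detection_rule` / `endpoint` labels are assumptions made for this example, and only backslashes are converted (`*` and `?` are left as wildcards).

```python
# Added example: helper names are hypothetical, not an Elastic API.
BS = "\\"  # one literal backslash

def to_detection_rule_value(host_path: str) -> str:
    """Host path -> value for a detection rule exception (`matches`).
    Doubles every backslash; * and ? are left as wildcards."""
    return host_path.replace(BS, BS * 2)

def to_endpoint_value(rule_value: str) -> str:
    """Detection rule value -> literal value for an Elastic Endpoint
    exception or trusted application (each escaped pair becomes one)."""
    return rule_value.replace(BS * 2, BS)

def lint(kind: str, value: str) -> list:
    """Return findings for a value entered in the given exception type.
    kind is "detection_rule" or "endpoint" (labels assumed for this example)."""
    findings = []
    if kind == "endpoint":
        # A doubled backslash is only expected as the leading UNC prefix.
        if BS * 2 in value[1:]:
            findings.append("doubled backslashes: looks like detection rule escaping")
    elif kind == "detection_rule":
        i = 0
        while i < len(value):
            if value[i] == BS:
                if value[i + 1 : i + 2] in (BS, "*", "?"):
                    i += 2  # valid escape sequence: \\, \* or \?
                    continue
                findings.append(f"unescaped backslash at offset {i}")
            i += 1
    else:
        raise ValueError(f"unknown exception type: {kind}")
    return findings

# Constructed sample values, taken from the tables on this page.
SAMPLES = [
    ("endpoint", r"C:\\Windows\\explorer.exe"),
    ("endpoint", r"\\server\share\file.txt"),
    ("detection_rule", r"C:\Windows\explorer.exe"),
    ("detection_rule", r"\\\\server\\share\\file.txt"),
]

if __name__ == "__main__":
    for kind, value in SAMPLES:
        print(kind, value, lint(kind, value) or "ok")
```

A finding means only that the value does not fit the syntax of the exception type it was entered in. An Elastic Endpoint value that passes the check can still be broader than intended if it contains wildcards.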

## Exception type comparison

The following table compares how detection rule exceptions and Elastic Endpoint exceptions differ in behavior and risk:

|                                | Detection rule exception                                                                         | Elastic Endpoint exception                                                                             |
|--------------------------------|--------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------|
| **Where it operates**          | Detection engine in Kibana                                                                       | Elastic Endpoint (on the host)                                                                         |
| **Primary purpose**            | Suppress alerts in Kibana                                                                        | Exclude a process from blocking and monitoring on the endpoint                                         |
| **Affects endpoint blocking?** | No — Elastic Endpoint can still block or detect the activity                                     | Yes — prevents blocking and detection on the host                                                      |
| **Affects alert generation?**  | Yes — prevents alerts                                                                            | Sometimes — if Elastic Endpoint never generates an event, the detection engine has nothing to alert on |
| **Used for**                   | Reduce alert noise                                                                               | Prevent endpoint interference with known-safe software                                                 |
| **Risk if used incorrectly**   | Silent blocking on endpoints (Elastic Endpoint still blocks the process, but generates no alert) | Blind spots — Elastic Endpoint may never detect the activity                                           |
| **Example use case**           | Suppress alerts for a harmless administrative script                                             | Allow a trusted installer so Elastic Endpoint does not block it                                        |

For a comparison of trusted applications, event filters, blocklists, and Elastic Endpoint exceptions — including how each affects performance and visibility — refer to [Optimize Elastic Defend](https://docs-v3-preview.elastic.dev/elastic/docs-content/tree/main/solutions/security/manage-elastic-defend/optimize-elastic-defend).