This article explains how to set up a detection rule that monitors for newly installed or specific applications using wildcard filters.
Steps to Configure
1. Go to the Posture Anomaly Module
Log in to the Saner CVEM console.
Navigate to the Posture Anomaly module.
2. Open Custom Rules > Detection
On the left sidebar, click on Custom Rules.
Select the Detection tab.
Click on Detection to start building a new detection rule.
3. Use Installed Applications in the Detection Criteria
In the detection rule builder:
Select Installed Applications from the list of detection criteria.
Choose parameters such as Application name, Application publisher, Application path, etc.
Use wildcards to match patterns.
Example: Match apps where the Application name contains "oracle" or "microsoft".
4. Schedule and Deploy
Assign the rule to the required device groups or OS types.
Schedule it to run periodically (e.g., daily or hourly).
Enable notifications to get alerted when new or matching applications are detected.
Result
You’ll receive alerts whenever the rule detects new or specified applications on endpoints, helping you monitor unauthorized software effectively.
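
The matching and new-application logic that such a rule expresses, as an added Python example (not Saner CVEM code and not part of the original article). It assumes shell-style `*` wildcards compared case-insensitively; the inventory records, field names and rule format are constructed for illustration, since the console's own wildcard syntax is not stated here.

```python
from fnmatch import fnmatchcase

# Constructed sample data: two inventory snapshots of one endpoint.
BASELINE = [
    {"name": "Microsoft Edge", "publisher": "Microsoft Corporation",
     "path": r"C:\Program Files (x86)\Microsoft\Edge"},
]
CURRENT = BASELINE + [
    {"name": "Oracle VM VirtualBox 7.0", "publisher": "Oracle and/or its affiliates",
     "path": r"C:\Program Files\Oracle\VirtualBox"},
    {"name": "7-Zip 23.01", "publisher": "Igor Pavlov",
     "path": r"C:\Program Files\7-Zip"},
]

# Hypothetical rule format: field -> wildcard patterns ("contains" is *text*).
RULE = {"name": ["*oracle*", "*microsoft*"]}


def matches(app, rule):
    """True if any pattern on any listed field matches, ignoring case."""
    return any(
        fnmatchcase(app.get(field, "").lower(), pattern.lower())
        for field, patterns in rule.items()
        for pattern in patterns
    )


def key(app):
    """Identity used to decide whether an application was already present."""
    return (app["name"].lower(), app["path"].lower())


def evaluate(current, baseline, rule):
    """Return (names matching the rule, names absent from the baseline)."""
    known = {key(app) for app in baseline}
    matching = sorted(app["name"] for app in current if matches(app, rule))
    new = sorted(app["name"] for app in current if key(app) not in known)
    return matching, new


if __name__ == "__main__":
    matching, new = evaluate(CURRENT, BASELINE, RULE)
    print("matches rule:", matching)
    print("newly installed:", new)
```

A contains-style pattern such as `*oracle*` also matches unrelated names that merely include the text (a constructed "Coracle Tools" would match), so review the matches a pattern produces before enabling notifications.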