What is an Intake Filter?

Intake filters override the decision to upload a file, and they apply to any scenario where a file may be uploaded. These filters are applied on the server and differ from exclusions in the following ways:

  • Intake filters block uploads from all sources: forwarders, API, and even manual upload from the UI. Exclusions are only honored by forwarders.
  • Since intake filters are applied on the server, forwarders will still sight files that match intake filters. The forwarder still has to open and hash the file, which can lead to interoperability issues and some performance degradation.

Example 1:

Block all uploads of .pdf files so that this file type is never uploaded into the platform.

object.name.contains(r".pdf")

Example 2:

Block all CrowdStrike Policy files.

object.path == r"C:\Windows\System32\drivers\CrowdStrike\" && object.name.matches(r".sys$")
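Before deploying a filter it helps to check what it actually matches. The following is an added example, not code from the platform or its documentation: it models the two expressions above in Python and compares each with a tighter hypothetical variant over constructed file names. It assumes contains() is a substring test and matches() is an unanchored regular-expression search; the "strict_*" filters and all sample names are illustrative.

```python
import re

# Assumed semantics, not confirmed by the page: contains() is a substring
# test and matches() is an unanchored regular-expression search.
def contains(value, needle):
    return needle in value

def matches(value, pattern):
    return re.search(pattern, value) is not None

CS_DIR = "C:\\Windows\\System32\\drivers\\CrowdStrike\\"

# "page_*" mirror the two expressions on the page; "strict_*" are
# hypothetical tighter variants (escaped dot, end anchor, case-insensitive).
FILTERS = {
    "page_pdf": lambda o: contains(o["name"], ".pdf"),
    "strict_pdf": lambda o: matches(o["name"], r"(?i)\.pdf$"),
    "page_sys": lambda o: o["path"] == CS_DIR and matches(o["name"], r".sys$"),
    "strict_sys": lambda o: o["path"] == CS_DIR and matches(o["name"], r"\.sys$"),
}

# Constructed sample objects; none of these names come from the page.
SAMPLES = [
    {"path": "C:\\Users\\alice\\Documents\\", "name": "report.pdf"},
    {"path": "C:\\Users\\alice\\Documents\\", "name": "REPORT.PDF"},
    {"path": "C:\\Users\\alice\\Downloads\\", "name": "invoice.pdf.exe"},
    {"path": CS_DIR, "name": "policy-0001.sys"},
    {"path": CS_DIR, "name": "notasys"},
    {"path": "C:\\Temp\\", "name": "policy-0001.sys"},
]

def blocked(filter_name, samples=SAMPLES):
    """Names of the sample objects the filter would reject at intake."""
    rule = FILTERS[filter_name]
    return [o["name"] for o in samples if rule(o)]

def disagreements(a, b, samples=SAMPLES):
    """Names on which two filters reach different decisions."""
    return sorted(set(blocked(a, samples)) ^ set(blocked(b, samples)))

if __name__ == "__main__":
    for name in FILTERS:
        print(f"{name:11} blocks {blocked(name)}")
    print("pdf differs on:", disagreements("page_pdf", "strict_pdf"))
    print("sys differs on:", disagreements("page_sys", "strict_sys"))
```

Under these assumptions the substring test blocks a name that merely contains ".pdf" and misses an upper-case extension, and the unescaped dot in ".sys$" accepts any character before "sys".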