Forum Discussion
KQL QR Code Phishing
let trustedDomains = dynamic(["microsoft.com"]); let imageFileTypes = dynamic(["png", "jpeg", "svg"]); EmailEvents | where EmailDirection == "Inbound" | where AttachmentCount > 0 | where not(Se...
i need to add a line with regex to exclude files starting image001, image002,image003,image004.
You could use !startswith:
| join EmailAttachmentInfo on NetworkMessageId
| where FileType has_any (imageFileTypes)
| where FileName !startswith "image"
| join EmailAttachmentInfo on NetworkMessageId
| where FileType has_any (imageFileTypes)
| where FileName !startswith "image"