Forum Discussion
KQL String Search With Wildcards?
Is it possible to do KQL string searches with wildcards?
For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splunk so I was surprised that the last line in my query below does not filter out anything.
Show this: C:\ProgramData\evil.exe
Filter this out: C:\ProgramData\MyApp\NotEvil.exe
Query:
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "ProgramData"
| where FolderPath !contains "ProgramData\\*\\*"
Could use regex as well.
DeviceFileEvents| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"
2 Replies
Could use regex as well.
DeviceFileEvents| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"You can parse out the stuff between the C:\ProgramData\ and \ to a new column and then search on it
DeviceFileEvents
| parse FolderPath with * 'C:\\ProgramData\\' file '\\' *
| where file contains "evil.exe"Alternate way, search for startswith then split based on the \
DeviceFileEvents
| where FolderPath startswith "C:\\ProgramData\\"
| extend paths = split(FolderPath,"\\")
| extend file = paths.[2]| where file contains "evil.exe"
