Forum Discussion

Copper Contributor

Mar 17, 2022

Solved

KQL String Search With Wildcards?

Is it possible to do KQL string searches with wildcards? For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splu...

KQL

kusto

Jonhed
Mar 18, 2022
Could use regex as well.

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"

m_zorich

Iron Contributor

Mar 18, 2022

You can parse out the stuff between the C:\ProgramData\ and \ to a new column and then search on it

DeviceFileEvents
| parse FolderPath with * 'C:\\ProgramData\\' file '\\' *
| where file contains "evil.exe"

Alternate way, search for startswith then split based on the \

DeviceFileEvents
| where FolderPath startswith "C:\\ProgramData\\"
| extend paths = split(FolderPath,"\\")
| extend file = paths.[2]

| where file contains "evil.exe"