TheDilly
Mar 17, 2022 Copper Contributor
KQL String Search With Wildcards?
Is it possible to do KQL string searches with wildcards? For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splu...
Jonhed
Mar 18, 2022 Steel Contributor
Could use regex as well.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"
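The query below is an added example, not part of the reply above. It runs the reply's regex next to a tightened variant over constructed rows so the two can be compared side by side. The `SampleFileEvents` table, its rows, and the `ThreadRegex` and `AnchoredRegex` column names are assumptions for illustration, as is the premise (implied by the reply's regex) that `FolderPath` holds the full path including the file name.

```kql
// Constructed sample rows standing in for DeviceFileEvents (not real telemetry).
let SampleFileEvents = datatable(ActionType:string, FolderPath:string)
[
    // File directly under C:\ProgramData
    "FileCreated",  @"C:\ProgramData\dropper.exe",
    // Same location, different letter case (Windows paths are case-insensitive)
    "FileCreated",  @"C:\programdata\Update.dll",
    // File in a subfolder, which the question wants excluded
    "FileCreated",  @"C:\ProgramData\Microsoft\Windows\cache.dat",
    // A folder named ProgramData that is not the one at the drive root
    "FileCreated",  @"D:\Backup\ProgramData\notes.txt",
    // Different action type, dropped by the ActionType filter
    "FileModified", @"C:\ProgramData\existing.log"
];
SampleFileEvents
| where ActionType == "FileCreated"
| extend
    // Regex from the reply: exactly one path segment after any "\ProgramData\".
    // "matches regex" is case-sensitive and this pattern has no start anchor.
    ThreadRegex = FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$",
    // Assumed tightening: anchored at C:\ and case-insensitive through (?i).
    AnchoredRegex = FolderPath matches regex @"(?i)^c:\\programdata\\[^\\]+$"
| project FolderPath, ThreadRegex, AnchoredRegex
```

To hunt against live data, replace `SampleFileEvents` with `DeviceFileEvents` and filter on whichever pattern fits the scope you need.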