Forum Discussion

TheDilly
Copper Contributor
Mar 17, 2022

KQL String Search With Wildcards?

Is it possible to do KQL string searches with wildcards? For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splu...
  • Jonhed
    Mar 18, 2022

    Could use regex as well.

    DeviceFileEvents
    // keep only file-creation events
    | where ActionType == "FileCreated"
    // last path component must follow ProgramData\ with no further backslash
    | where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"
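
To see what that regex actually lets through, here is an added Python emulation of the two `where` stages over a few constructed DeviceFileEvents-style rows (this is not part of Jonhed's answer; the row shape and paths are my assumptions). It also shows two variants: a case-insensitive pattern (the `(?i)` inline flag does the same in KQL, whose `matches regex` is case-sensitive) and one anchored to the drive root, because the pattern as posted also matches a folder named ProgramData nested anywhere else.

```python
import re

# The regex from the answer: last path component sits directly under a
# ProgramData folder (no backslash may follow it before end of string).
DIRECT_CHILD = re.compile(r"(.*\\ProgramData\\[^\\]+)$")

# Variant 1: same pattern, case-insensitive (KQL equivalent: prefix with (?i)).
CASE_INSENSITIVE = re.compile(DIRECT_CHILD.pattern, re.IGNORECASE)

# Variant 2: anchored to the drive root, so C:\Users\...\ProgramData\ is excluded.
ROOT_ONLY = re.compile(r"^C:\\ProgramData\\[^\\]+$")

# Constructed sample rows (assumption: FolderPath holds the full file path).
SAMPLE_EVENTS = [
    {"ActionType": "FileCreated", "FolderPath": r"C:\ProgramData\update.exe"},
    {"ActionType": "FileCreated", "FolderPath": r"C:\ProgramData\Vendor\update.exe"},
    {"ActionType": "FileCreated", "FolderPath": r"C:\ProgramData\Vendor\Cache\tmp.dll"},
    {"ActionType": "FileDeleted", "FolderPath": r"C:\ProgramData\old.log"},
    {"ActionType": "FileCreated", "FolderPath": r"C:\Users\Public\ProgramData\x.ps1"},
    {"ActionType": "FileCreated", "FolderPath": r"c:\programdata\lower.exe"},
]


def direct_programdata_creates(events, pattern=DIRECT_CHILD):
    """Emulate `where ActionType == "FileCreated" | where FolderPath matches regex ...`.

    Like KQL's `matches regex`, this is an unanchored search, so the pattern
    decides whether it is pinned to the start or end of the path.
    """
    return [
        e["FolderPath"]
        for e in events
        if e["ActionType"] == "FileCreated" and pattern.search(e["FolderPath"])
    ]


if __name__ == "__main__":
    for name, pat in [("as posted", DIRECT_CHILD),
                      ("case-insensitive", CASE_INSENSITIVE),
                      ("root-anchored", ROOT_ONLY)]:
        print(name, direct_programdata_creates(SAMPLE_EVENTS, pat))
```

Subfolder writes are filtered out in every variant; only the root-anchored pattern also drops the nested ProgramData path, and only the case-insensitive one keeps the lower-case path.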
