cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
SOLVED

KQL - endswith Operator Against an Array of Strings

mczelen
Copper Contributor

‎Jun 16 2022 09:56 AM

‎Jun 16 2022 09:56 AM

KQL - endswith Operator Against an Array of Strings

Hello,

 

I have a monitoring use-case where I wish find certain events where a FileName ends with a specific subset of extensions (e.g. common ransomware extensions). Using the has_any operator returns too many false positives; I'm looking specifically for filenames with this string at the end.

 

The below query doesn't find the data I'm looking for, and it does not return a syntax error. Can the endswith operator accept string arrays? Could anyone kindly suggest a solution that returns the intended results?

 

let extensionList = pack_array(

'.foo1',

'.foo2',

'.bar1',

'.bar2'

);

DeviceFileEvents
| where ActionType has_any ("FileCreated", "FileModified", "FileDeleted")
| where FileName endswith (extensionList)

 

 

Thank you all in advance,

4,021 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by mczelen (Copper Contributor)
Gary Bushey

‎Jun 16 2022 01:57 PM

‎Jun 16 2022 01:57 PM

Solution

Re: KQL - endswith Operator Against an Array of Strings

@mczelen You can create a new column in DeviceFileEvents that uses an array to split the name using the period (in case there is more than one period in the name) and then use array_length-1 to get the extension of the FileName.   Then, rather than using pack_array, use datatable to create a new table of the extensions in question and perform a join where the new column  matches the column in this new table.  Code would look something like what is shown below:

 

let Extensions = datatable (extension: string) [
'.foo1', '.foo2', '.bar1', '.bar2'
];
DeviceFileEvents
| extend fileName="Testfile.Name.foo1"
| extend indexArray = split(fileName,'.')
| extend extension = strcat(".",indexArray[array_length(indexArray)-1])
| project fileName, indexArray, extension
| join Extensions on $left.extension == $right.extension
0 Likes
Reply
1 best response

Accepted Solutions
best response confirmed by mczelen (Copper Contributor)
Gary Bushey

‎Jun 16 2022 01:57 PM

‎Jun 16 2022 01:57 PM

Solution

Re: KQL - endswith Operator Against an Array of Strings

@mczelen You can create a new column in DeviceFileEvents that uses an array to split the name using the period (in case there is more than one period in the name) and then use array_length-1 to get the extension of the FileName.   Then, rather than using pack_array, use datatable to create a new table of the extensions in question and perform a join where the new column  matches the column in this new table.  Code would look something like what is shown below:

 

let Extensions = datatable (extension: string) [
'.foo1', '.foo2', '.bar1', '.bar2'
];
DeviceFileEvents
| extend fileName="Testfile.Name.foo1"
| extend indexArray = split(fileName,'.')
| extend extension = strcat(".",indexArray[array_length(indexArray)-1])
| project fileName, indexArray, extension
| join Extensions on $left.extension == $right.extension

View solution in original post

0 Likes
Reply