Mar 17 2022 04:27 PM
Is it possible to do KQL string searches with wildcards?
For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splunk so I was surprised that the last line in my query below does not filter out anything.
Show this: C:\ProgramData\evil.exe
Filter this out: C:\ProgramData\MyApp\NotEvil.exe
Query:
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "ProgramData"
| where FolderPath !contains "ProgramData\\*\\*"
Mar 18 2022 02:42 AM - edited Mar 18 2022 02:52 AM
You can parse out the part between C:\ProgramData\ and the next \ into a new column and then search on it.
DeviceFileEvents
| parse FolderPath with * 'C:\\ProgramData\\' file '\\' *
| where file contains "evil.exe"
Alternate way: filter with startswith, then split on the \
DeviceFileEvents
| where FolderPath startswith "C:\\ProgramData\\"
| extend paths = split(FolderPath,"\\")
| extend file = paths.[2]
| where file contains "evil.exe"
Mar 18 2022 03:49 AM - edited Mar 18 2022 03:49 AM
Could use regex as well.
DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"
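Added example, not posted by anyone in this thread: a small Python script that runs the three approaches above against constructed sample FolderPath values, showing why the literal contains test from the question removes nothing (KQL string operators treat * as a plain character, not a wildcard) while the regex and split approaches keep only direct children. The split_filter helper generalises the split answer to any base folder; all function names and sample paths are the example's own.

```python
import re

# The regex from the answer above, verbatim. KQL's matches regex uses RE2;
# this pattern is simple enough that Python's re behaves identically.
# "[^\\]+" followed by "$" means: after "ProgramData\" there must be exactly
# one more component (no further backslash) before the end of the string.
DIRECT_CHILD_RE = re.compile(r"(.*\\ProgramData\\[^\\]+)$")

# Constructed sample FolderPath values, not real telemetry.
SAMPLE_PATHS = [
    r"C:\ProgramData\evil.exe",            # direct child      -> keep
    r"C:\ProgramData\MyApp\NotEvil.exe",   # one level deeper  -> drop
    r"C:\ProgramData\MyApp\sub\deep.dll",  # two levels deeper -> drop
    r"D:\Other\ProgramData\tool.exe",      # regex is not anchored to C:\ -> regex keeps it
    r"C:\Windows\System32\cmd.exe",        # unrelated         -> drop
]


def literal_contains_filter(paths):
    """What the question's last line does: KQL `contains` is a literal,
    case-insensitive substring test, so '*' only matches a literal star.
    No sample path contains the text ProgramData\\*\\*, so nothing is removed."""
    needle = r"ProgramData\*\*".lower()
    return [p for p in paths if needle not in p.lower()]


def regex_filter(paths):
    """The regex answer: keep paths whose last component sits directly
    under any folder named ProgramData."""
    return [p for p in paths if DIRECT_CHILD_RE.search(p)]


def split_filter(paths, base=r"C:\ProgramData"):
    """The split answer, generalised to any base folder: keep a path only if it
    has exactly one component beyond the base. Comparison is case-insensitive,
    matching KQL startswith/contains semantics."""
    base_parts = base.lower().rstrip("\\").split("\\")
    kept = []
    for p in paths:
        parts = p.split("\\")
        prefix = [x.lower() for x in parts[:len(base_parts)]]
        if prefix == base_parts and len(parts) == len(base_parts) + 1:
            kept.append(p)
    return kept
```

Note that KQL matches regex is case-sensitive while contains and startswith are not; prefix the pattern with (?i) if FolderPath casing varies in your data.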