KQL String Search With Wildcards?

TheDilly · ‎Mar 17 2022

Is it possible to do KQL string searches with wildcards?

For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splunk so I was surprised that the last line in my query below does not filter out anything.

Show this: C:\ProgramData\evil.exe

Filter this out: C:\ProgramData\MyApp\NotEvil.exe

Query:

DeviceFileEvents
| where ActionType == "FileCreated"
| where FolderPath contains "ProgramData"
| where FolderPath !contains "ProgramData\\*\\*"

m_zorich · ‎Mar 18 2022

You can parse out the stuff between the C:\ProgramData\ and \ to a new column and then search on it

DeviceFileEvents
| parse FolderPath with * 'C:\\ProgramData\\' file '\\' *
| where file contains "evil.exe"

Alternate way, search for startswith then split based on the \

DeviceFileEvents
| where FolderPath startswith "C:\\ProgramData\\"
| extend paths = split(FolderPath,"\\")
| extend file = paths.[2]

| where file contains "evil.exe"

TheDilly · ‎Mar 18 2022

Could use regex as well.

DeviceFileEvents

| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"

TheDilly · ‎Mar 18 2022

Could use regex as well.

DeviceFileEvents

| where ActionType == "FileCreated"
| where FolderPath matches regex @"(.*\\ProgramData\\[^\\]+)$"

View solution in original post

KQL String Search With Wildcards?

KQL String Search With Wildcards?

Re: KQL String Search With Wildcards?

Re: KQL String Search With Wildcards?

Re: KQL String Search With Wildcards?

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

KQL String Search With Wildcards?

KQL String Search With Wildcards?

Re: KQL String Search With Wildcards?

Re: KQL String Search With Wildcards?

Re: KQL String Search With Wildcards?