This page will be used as a quick reference guide for KQL regex queries. Those regular expressions can be used within your detection rules. For additional information see the Regex RE2 Library from Microsoft.
To test your regular expressions easily, the query below can be used:
let RegexTest = @'\W*((?i)Admin(?-i))\W*';
let DataSet = materialize (range numbers from 1 to 10 step 1);
DataSet
| extend StringTest = iff(numbers % 2 == 0, 'Admin', 'User') // Change Admin to a string that should match the RegexTest, change User to a string that should not match the RegexTest
| where StringTest matches regex RegexTest
let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}';
Example query: AbuseCH IP Blacklist
let IPv4SubnetRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,3}';
Example query:
let MISPFeed = externaldata(Subnet: string)[@"https://raw.githubusercontent.com/ktsaou/blocklist-ipsets/master/firehol_level1.netset"] with (format="txt", ignoreFirstRecord=True);
let IPv4SubnetRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}/[0-9]{1,3}';
let x = MISPFeed
| where Subnet matches regex IPv4SubnetRegex
| distinct Subnet;
x
let DomainRegex = @"([a-z0-9-]+\.)*[a-z0-9-]+\.[a-z]+"; // Inside [...] a '|' is a literal pipe, not alternation, so it is left out; '-' is placed last so it is literal
Example query: Most Unusual Connections Made By office
let FileExtensionRegex = "\\.([a-z]+)"; // Group 1 = the extension; the backslash is doubled because this is not a verbatim (@) string
Example query: Most Unusual Connections Made By office
let DomainAdminRegex = @'\W*((?i)Domain Admins(?-i))\W*';
Example query:
let DomainAdminRegex = @'\W*((?i)Domain Admins(?-i))\W*'; // Replace Domain Admins with the string you would like to match on
DeviceProcessEvents
| where ProcessCommandLine matches regex DomainAdminRegex
let BetweenTwoStrings = @'"Path":"([^"]*)"'; // Extract from "Path":"C:\Users\XX\File.txt" to collect C:\Users\XX\File.txt (capture group 1)
Example query: Visualisation of the users with the most HardDelete actions performed (Line 8)
let BetweenTwoStrings = @'findstr(.*)password';
Example query:
let BetweenTwoStrings = @'findstr(.*)password'; // Replace findstr and password with the strings you would like to match on
DeviceProcessEvents
| where ProcessCommandLine matches regex BetweenTwoStrings
let BetweenTwoStrings = @'.*/(.*)HTTP'; // Between the last '/' and 'HTTP'
Example query: Executable File Extensions downloaded via HTTP GET (Line 11)
let AfterChar = @'.*\.(.*)$'; // Capture everything after the last '.', to collect file extensions
let AfterString = @'.*test(.*)$';
Example query: Executable File Extensions downloaded via HTTP GET (Line 12)
let Regex = @'Role.DisplayName(.*?)"}'; // Between Role.DisplayName and "} (non-greedy, so it stops at the first "})
Example query: List Role Additions (Line 5)
let Regex = @'\\(.*?)\\'; // Between two backslashes; each '\' is doubled to escape it
Example query: List Role Additions (Line 6)
let MD5Regex = '[a-f0-9]{32}';
Example query: AbuseCH MD5 Malware Hash
let AzureIdRegex = "[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}";
Example query: Function: AnonymizedMicrosoftGraphActivityLogs()
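As an added example (not part of the original reference), the query below applies three of the patterns above to a constructed datatable standing in for DeviceProcessEvents, using extract() to pull out capture group 1 and matches regex for the case-insensitive pattern; the sample rows are made up for the demonstration.

```kql
let DomainAdminRegex = @'\W*((?i)Domain Admins(?-i))\W*'; // case-insensitive match on "Domain Admins"
let BetweenTwoStrings = @'"Path":"([^"]*)"';              // group 1 = the value between the quotes after "Path":
let AfterChar = @'.*\.(.*)$';                             // group 1 = everything after the last '.'
// Constructed sample rows standing in for DeviceProcessEvents (not real telemetry)
let Sample = datatable(DeviceName: string, ProcessCommandLine: string)
[
    'host01', @'powershell.exe -c Get-Content {"Path":"C:\Users\alice\report.docx"}',
    'host02', @'notepad.exe {"Path":"C:\Temp\notes.JS"}',
    'host03', @'powershell.exe Get-ADGroupMember "domain admins"',
    'host04', @'cmd.exe /c echo no path here'
];
Sample
// matches regex gives a bool per row; (?i) makes "domain admins" match regardless of case
| extend MentionsDomainAdmins = ProcessCommandLine matches regex DomainAdminRegex
// extract() returns the text of capture group 1, or nothing when the pattern does not match
| extend FilePath = extract(BetweenTwoStrings, 1, ProcessCommandLine)
// Only derive an extension when a path was actually captured; lower-case it for grouping
| extend FileExtension = iff(isnotempty(FilePath), tolower(extract(AfterChar, 1, FilePath)), '')
| project DeviceName, MentionsDomainAdmins, FilePath, FileExtension
```

Rows without a "Path" value keep an empty FilePath and FileExtension, which makes a following `where isnotempty(FilePath)` the natural filter in a detection rule.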