Agent Foskett Academy • Lesson 20 • Using contains_cs for Case-Sensitive Searches

Using contains_cs for Case-Sensitive Searches

Sometimes a normal text search is too broad.
The word matches.
But the casing does not.
And in an investigation, that small difference can matter.

A command, filename, process argument or indicator may appear with a very specific uppercase and lowercase pattern.

In this Agent Foskett Academy lesson, you will learn how defenders use the KQL contains_cs operator to perform case-sensitive searches across Microsoft Defender XDR and Microsoft Sentinel telemetry.

Lesson overview

Learn when case-sensitive searching helps reduce noise and find exact text patterns during Microsoft security investigations.

Understand contains_cs
Compare contains and contains_cs
Search command lines and filenames precisely
🔎 Case-sensitive searches help reduce false matches.
When exact casing matters, contains_cs can make your KQL investigation more precise.

Why contains_cs matters

The normal contains operator is case-insensitive.

That means it can match text even when the uppercase and lowercase letters are different.

Most of the time, that is helpful. But sometimes an investigation needs a more precise search. The contains_cs operator checks whether a field contains a specific value with the same casing.
Reduce noise: Use case-sensitive matching when ordinary text searches return too many results.
Find exact patterns: Look for specific command arguments, filenames, paths or indicator casing.
Support focused hunting: Use contains_cs when the exact text format is important to the investigation.

Investigation scenario

An analyst is reviewing PowerShell activity.

A normal search for encoded commands returns too much noise because different scripts and tools use similar words.

The analyst wants to search for a specific case-sensitive command argument so the result set is tighter and easier to review.

Step 1 — Start with a normal contains search

A normal contains search is case-insensitive. It can match the text even when the casing is different.
normal-contains-search.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains "EncodedCommand"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

Step 2 — Use contains_cs for exact casing

contains_cs only matches when the searched text appears with the same uppercase and lowercase letters.
case-sensitive-contains-search.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName == "powershell.exe"
| where ProcessCommandLine contains_cs "EncodedCommand"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine

Step 3 — Search for specific command casing

Some suspicious commands or script fragments may use a specific casing pattern. contains_cs can help you search for that exact pattern.
specific-command-casing.kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine contains_cs "DownloadString"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

What contains_cs does

The contains_cs operator searches for text inside a field, but it respects casing.

If you search for DownloadString, it will not match every variation of that word with different casing. This can be useful when you are looking for a very specific pattern.
contains: Case-insensitive search. Useful for broad hunting and early investigation work.
contains_cs: Case-sensitive search. Useful when exact casing helps narrow the results.
Use carefully: Case-sensitive searching can miss results if attackers change the casing.
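The query below is an added example, not part of the lesson. It puts a handful of constructed command lines into a datatable (the table name SampleCommands and the sample strings are assumptions made up for this demonstration) and evaluates both operators side by side, so you can see the difference without querying DeviceProcessEvents. It also shows the caveat above: casing variants that contains still catches are missed by contains_cs.

```kql
// Added example (not from the lesson): constructed command lines in a datatable
// so the contains / contains_cs difference is visible without real telemetry.
// Run it as-is in a Defender XDR or Sentinel query window.
let SampleCommands = datatable(ProcessCommandLine:string) [
    "powershell.exe -EncodedCommand SQBFAFgA",      // exact casing used in the lesson
    "powershell.exe -encodedcommand SQBFAFgA",      // lower-case variant
    "powershell.exe -EnCoDeDcOmMaNd SQBFAFgA",      // mixed-case variant
    "powershell.exe -enc SQBFAFgA",                 // abbreviated switch, different text
    "powershell.exe -NoProfile -File C:\\Scripts\\Invoke-UpdateCheck.ps1"
];
let searchText = "EncodedCommand";
SampleCommands
| extend BroadMatch = ProcessCommandLine contains searchText,      // case-insensitive
         ExactMatch = ProcessCommandLine contains_cs searchText    // case-sensitive
| project ProcessCommandLine, BroadMatch, ExactMatch
```

The first three rows are broad matches because contains ignores casing; only the first row is an exact match. The fourth row matches neither operator, because an abbreviated switch is different text rather than different casing, which is the reason the lesson recommends starting broad and narrowing later.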

Step 4 — Find exact file path text

Case-sensitive searches can also be useful when reviewing file paths, script locations or unusual folder names.
case-sensitive-file-path.kql
DeviceFileEvents
| where Timestamp > ago(14d)
| where FolderPath contains_cs "Temp\\Update"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine
| sort by Timestamp desc
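As an added example (not part of the lesson), the query below uses a datatable of constructed folder paths (the table name SamplePaths and the paths are assumptions) to show two points about the Step 4 search text. First, inside a double-quoted KQL string "\\" stands for a single backslash, so "Temp\\Update" and the verbatim literal @"Temp\Update" are the same search text. Second, contains_cs is still a substring match: it does not stop at the end of the search text.

```kql
// Added example (not from the lesson): constructed FolderPath values showing how
// a backslash in the search text is written, and that contains_cs matches substrings.
let SamplePaths = datatable(FolderPath:string) [
    @"C:\Users\analyst\AppData\Local\Temp\Update",   // exact casing
    @"C:\Users\analyst\AppData\Local\temp\update",   // lower-case folder names
    @"C:\Windows\Temp\Updater"                       // longer name containing the search text
];
SamplePaths
| extend EscapedLiteral  = FolderPath contains_cs "Temp\\Update",   // "\\" is one backslash
         VerbatimLiteral = FolderPath contains_cs @"Temp\Update",   // no escaping needed
         BroadMatch      = FolderPath contains    @"Temp\Update"    // case-insensitive
| project FolderPath, EscapedLiteral, VerbatimLiteral, BroadMatch
```

EscapedLiteral and VerbatimLiteral always agree, which confirms the two spellings are equivalent. The third path matches all three columns even though its folder is Updater, so when a search must stop at the end of the text, the startswith and endswith operators covered in the next lesson are the better fit.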

Step 5 — Compare suspicious script names

If a script name appears with a specific casing pattern, contains_cs can help distinguish it from broader text matches.
case-sensitive-script-name.kql
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine contains_cs "Invoke-UpdateCheck.ps1"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

Step 6 — Use contains_cs with parameters

You can combine contains_cs with let statements so the search text is easy to change later.
contains-cs-with-parameter.kql
let searchText = "EncodedCommand";
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine contains_cs searchText
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

Investigator notes

Use contains_cs when exact casing helps answer the investigation question.

Do not use it everywhere by default. Attackers can change casing easily, and a case-sensitive search may miss useful evidence if you are still exploring broadly.
Start broad: Use contains first if you are not sure how the text appears in the logs.
Narrow later: Use contains_cs when you need more precise results after understanding the data.
Document the reason: If using a case-sensitive search in a report, explain why exact casing mattered.
🎓 Agent Foskett Academy — Search with precision
You now understand how to use contains_cs when casing matters in a KQL investigation.

What you learned

In this lesson, you learned how to use the KQL contains_cs operator for case-sensitive searches.
Using contains_cs: Search for text only when the exact uppercase and lowercase pattern matches.
Comparing operators: Use contains for broad searching and contains_cs for more precise case-sensitive searching.
Reducing noise: Case-sensitive searches can help narrow results when exact text patterns matter.

Continue your investigation

The next step is learning how to use startswith and endswith to find specific command prefixes, file endings and URL patterns.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
