Agent Foskett Academy • Lesson 22 • Using matches regex

Using matches regex for Pattern Matching

Sometimes a simple text search is not enough.
You are not just looking for one word.
You are looking for a pattern.
A filename that looks random. A URL with a strange structure. A command line carrying encoded content.

That is where matches regex becomes useful.

In this Agent Foskett Academy lesson, you will learn how defenders use the KQL matches regex operator to search for structured patterns across Microsoft Defender XDR and Microsoft Sentinel telemetry.

Lesson overview

Learn how regex-based searches help defenders find suspicious patterns that simple contains, startswith or endswith searches may miss.

Understand matches regex
Search for structured patterns
Hunt suspicious filenames, URLs and commands
🎯 Regex helps when the pattern matters.
matches regex lets you search for structure, not just a single word hiding in the logs.

Why matches regex matters

The matches regex operator checks whether a value matches a regular expression pattern.

That means you can search for shapes in text, such as numbers, file extensions, encoded strings, unusual URL formats or command-line patterns.

It is powerful, but it should be used carefully. Regex can turn a simple hunt into a bowl of alphabet soup if you make it too clever.
Find structured text: Search for patterns such as random-looking filenames, version numbers, encoded values and suspicious naming formats.
Hunt beyond simple words: Use regex when contains, has_any, startswith and endswith are not flexible enough.
Focus the investigation: Use pattern matching to reduce noise and surface activity that follows a suspicious structure.

Investigation scenario

An analyst is reviewing suspicious endpoint and email activity.

Several filenames look randomly generated. A URL contains a strange numeric path. A PowerShell command includes encoded content.

Instead of searching for one fixed value, the analyst uses matches regex to find patterns that look suspicious.

Step 1 — Find suspicious script filenames

Use matches regex when you want to find filenames that follow a suspicious structure.
suspicious-script-filenames-regex.kql
DeviceFileEvents
| where Timestamp > ago(7d)
// Whole filename is eight or more letters/digits followed by the .ps1 extension
| where FileName matches regex @"^[a-zA-Z0-9]{8,}\.ps1$"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine
| sort by Timestamp desc

Step 2 — Find URLs with unusual numeric paths

Regex can help identify URLs that contain long numeric paths or IDs that may be used in phishing or tracking links.
url-numeric-path-regex.kql
UrlClickEvents
| where Timestamp > ago(14d)
// A path segment that starts with six or more consecutive digits
| where Url matches regex @"/[0-9]{6,}"
| project Timestamp, AccountUpn, Url, ActionType, ThreatTypes, NetworkMessageId
| sort by Timestamp desc

Step 3 — Find encoded PowerShell commands

Use matches regex to find command-line patterns that may indicate encoded or obfuscated execution.
encoded-powershell-regex.kql
DeviceProcessEvents
| where Timestamp > ago(7d)
// Case-insensitive: -enc or -encodedcommand, whitespace, then 20+ base64-style characters
| where ProcessCommandLine matches regex @"(?i)-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

What the operator does

The matches regex operator compares the field against a regular expression pattern.

A regular expression is a structured search pattern. It can describe letters, numbers, symbols, repeated characters, optional text and word positions.

Start simple. Build the pattern slowly. Test it. Then add complexity only when it helps the investigation.
^ marks the start of the value or line.
$ marks the end of the value or line.
{6,} looks for six or more repeats of the preceding element.

Step 4 — Find suspicious email subjects

Regex can help identify subjects that contain invoice numbers, ticket numbers or repeated numeric patterns.
email-subject-number-pattern-regex.kql
EmailEvents
| where Timestamp > ago(30d)
// Case-insensitive keyword, then anything, then a run of four or more digits
| where Subject matches regex @"(?i)(invoice|payment|remittance).*[0-9]{4,}"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, ThreatTypes
| sort by Timestamp desc

Step 5 — Find executable downloads from URLs

Use regex when you need to match several risky file endings in a URL.
url-executable-downloads-regex.kql
UrlClickEvents
| where Timestamp > ago(30d)
// Risky extension followed either by a query string (?) or the end of the URL
| where Url matches regex @"(?i)\.(exe|msi|scr|bat|cmd|ps1)(\?|$)"
| project Timestamp, AccountUpn, Url, ActionType, ThreatTypes
| sort by Timestamp desc
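The lesson's advice is to test a pattern before trusting it in a hunt. The harness below is an added example, not part of the lesson: it runs the five patterns from Steps 1 to 5 against constructed sample values with the result each one should give, so a mismatch shows up before the pattern goes into a query. It assumes Python's re module behaves like KQL's RE2 engine for these particular constructs (it does for character classes, quantifiers, alternation, anchors and the (?i) flag), and all sample values are made up.

```python
import re

# The lesson's patterns, copied verbatim from Steps 1 to 5.
PATTERNS = {
    "script_filename": r"^[a-zA-Z0-9]{8,}\.ps1$",
    "url_numeric_path": r"/[0-9]{6,}",
    "encoded_powershell": r"(?i)-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}",
    "email_subject_number": r"(?i)(invoice|payment|remittance).*[0-9]{4,}",
    "url_executable": r"(?i)\.(exe|msi|scr|bat|cmd|ps1)(\?|$)",
}

# Constructed samples: (pattern name, value, should it match?)
SAMPLES = [
    ("script_filename", "a8f3k2q9z1.ps1", True),
    ("script_filename", "Invoke-Backup.ps1", False),  # hyphen breaks the alphanumeric run
    ("script_filename", "abc.ps1", False),            # fewer than eight characters
    ("url_numeric_path", "https://example.test/track/123456789", True),
    ("url_numeric_path", "https://example.test/docs/2024", False),
    ("encoded_powershell", "powershell.exe -EncodedCommand " + "A" * 24, True),
    ("encoded_powershell", "powershell.exe -NoProfile -File script.ps1", False),
    ("email_subject_number", "Invoice 20481 overdue", True),
    ("email_subject_number", "Invoice for March", False),
    ("url_executable", "https://example.test/setup.EXE?id=1", True),
    ("url_executable", "https://example.test/notes.txt", False),
]


def matches_regex(pattern: str, value: str) -> bool:
    """Mimic KQL 'matches regex': an unanchored search, so the pattern may
    match anywhere in the value unless it carries its own ^ or $."""
    return re.search(pattern, value) is not None


def check_patterns(patterns=PATTERNS, samples=SAMPLES) -> list:
    """Return (name, value, expected, actual) for every sample whose result
    disagrees with the expectation; an empty list means all patterns behave."""
    failures = []
    for name, value, expected in samples:
        actual = matches_regex(patterns[name], value)
        if actual != expected:
            failures.append((name, value, expected, actual))
    return failures


if __name__ == "__main__":
    for failure in check_patterns():
        print("unexpected result:", failure)
    print("failures:", len(check_patterns()))
```

Add a negative sample from your own environment (a legitimate filename or URL the pattern must not catch) whenever a hunt returns more noise than expected.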

Step 6 — Use parameters for repeatable regex hunts

Use let statements to store regex patterns so the query is easier to read and reuse.
regex-patterns-with-let.kql
// Store the pattern once so the query body stays readable and the pattern is easy to reuse
let SuspiciousFilePattern = @"(?i)\.(exe|scr|bat|cmd|ps1)$";
DeviceFileEvents
| where Timestamp > ago(14d)
| where FileName matches regex SuspiciousFilePattern
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
| sort by Timestamp desc

Investigator notes

Regex is useful when you know the shape of what you are looking for.

But do not make every hunt a regex hunt. If a simple has_any, in, startswith or endswith query does the job, use the simpler option first.
Keep it readable: A good investigation query should be easy for another defender to understand.
Test the pattern: Start with a small time range and check whether the results match what you expected.
Use regex with evidence: Build patterns from filenames, URLs, subjects or commands already seen during the investigation.
🎓 Agent Foskett Academy — Pattern matching unlocked
You now understand how to use matches regex when the structure of the evidence matters.

What you learned

In this lesson, you learned how to use the KQL matches regex operator for flexible pattern matching.
Using matches regex: Search for structured patterns inside filenames, URLs, email subjects and command lines.
Building useful patterns: Use regex carefully to describe repeated characters, endings, prefixes and suspicious formats.
Reducing noise: Use pattern matching when simple text searches are too broad or too limited.

Continue your investigation

The next step is learning how to use extract when you need to pull useful values out of messy text fields.