ACSC Logo
© 2026 GEMXIT
GEMXIT Logo
Agent Foskett Academy • Lesson 21 • Using startswith and endswith

Using startswith and endswith

Sometimes you are not searching for a word anywhere in the field.
You are looking for how the value begins.
Or how it ends.
That small detail can separate useful evidence from a log pile big enough to make a hedgehog need a coffee break.

A suspicious filename may end with .ps1. A URL may start with http://. A command line may begin with a trusted-looking executable and end with a risky argument.

In this Agent Foskett Academy lesson, you will learn how defenders use the KQL startswith and endswith operators to find prefixes and endings across Microsoft Defender XDR and Microsoft Sentinel telemetry.

Start Lesson 21 Back to Academy
Agent Foskett Academy lesson explaining how to use startswith and endswith in KQL investigations
Lesson overview

Learn how prefix and ending searches help defenders find suspicious filenames, domains, URLs and command-line behaviour faster.

Understand startswith
Understand endswith
Find suspicious file, URL and command patterns
🎯 Prefixes and endings can tell a story.
startswith and endswith help you search where the suspicious pattern appears, not just whether it appears.
Review Lesson 20 →

Why startswith and endswith matter

The contains operator checks whether text appears anywhere inside a field.

That is useful, but sometimes you need a more focused question:

Does this value start with a certain pattern? Does this filename end with a suspicious extension? Does this URL begin with an insecure or unusual prefix?
Find prefixesUse startswith when the beginning of a value matters, such as URLs, domains, account names or command paths.
Find endingsUse endswith when the end of a value matters, such as file extensions, script names or domain suffixes.
Reduce investigation noiseSearch more precisely when contains returns too many unrelated matches.

Investigation scenario

An analyst is reviewing endpoint activity after a phishing alert.

The user clicked a suspicious link, then a script appeared on the device. The analyst wants to find script files, suspicious download paths and URLs that start with risky prefixes.

Rather than searching every field with broad contains filters, the analyst uses startswith and endswith to ask more precise questions.

Step 1 — Find script files with endswith

Use endswith when you want values that finish with a specific extension or ending.
find-script-files-ending.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
DeviceFileEvents
| where Timestamp > ago(7d)
| where FileName endswith ".ps1"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessCommandLine
| sort by Timestamp desc

Step 2 — Find URLs that start with a risky prefix

Use startswith when the beginning of a URL, domain, path or string is important to the investigation.
find-http-url-prefix.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
UrlClickEvents
| where Timestamp > ago(14d)
| where Url startswith "http://"
| project Timestamp, AccountUpn, Url, ActionType, ThreatTypes, NetworkMessageId
| sort by Timestamp desc

Step 3 — Find command lines that start with PowerShell

startswith can help when you want command lines that begin with a certain executable or path.
commandline-startswith-powershell.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine startswith "powershell"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

What the operators do

The startswith operator checks whether a value begins with the text you provide.

The endswith operator checks whether a value finishes with the text you provide.

Both operators are useful when the position of the text matters.
startswithMatches values that begin with the searched text.
endswithMatches values that finish with the searched text.
containsMatches text anywhere in the field, which is broader but often noisier.

Step 4 — Find suspicious file endings

You can use endswith to review script, archive or executable file extensions created on devices.
suspicious-file-endings.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
DeviceFileEvents
| where Timestamp > ago(30d)
| where FileName endswith ".js" or FileName endswith ".vbs" or FileName endswith ".ps1"
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, InitiatingProcessAccountName
| sort by Timestamp desc

Step 5 — Find domain suffixes

endswith can help when you want to find domains or sender addresses ending in a specific suffix.
domain-suffix-search.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
EmailEvents
| where Timestamp > ago(30d)
| where SenderFromDomain endswith ".ru"
| project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, DeliveryAction, ThreatTypes
| sort by Timestamp desc

Step 6 — Use parameters for repeatable searches

Use let statements to make prefix and ending searches easier to reuse during an investigation.
startswith-endswith-with-parameters.kql
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. 8
let urlPrefix = "http://";
let scriptEnding = ".ps1";
DeviceProcessEvents
| where Timestamp > ago(14d)
| where ProcessCommandLine startswith "powershell" or ProcessCommandLine endswith scriptEnding
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine
| sort by Timestamp desc

Investigator notes

Use startswith and endswith when the position of the text helps answer the investigation question.

Do not forget that attackers can rename files, alter paths and change command formatting. These operators are excellent for focused hunting, but they should sit alongside broader searches when you are still exploring.
Start with the questionAsk whether the beginning or ending of the value matters before choosing the operator.
Use broader searches tooCombine prefix and ending searches with contains, has_any and in when hunting across noisy telemetry.
Pivot from evidenceUse a suspicious URL, filename or command pattern as a starting point for wider investigation.
🎓 Agent Foskett Academy — Search by position
You now understand how to use startswith and endswith when the beginning or ending of a value matters.
Return to Academy

What you learned

In this lesson, you learned how to use the KQL startswith and endswith operators for prefix and ending searches.
Using startswithSearch for values that begin with a specific prefix, path, protocol or command pattern.
Using endswithSearch for values that finish with a specific file extension, suffix or ending.
Reducing noiseUse position-based searches when contains is too broad for the investigation question.

Continue your investigation

The next step is learning how to use matches regex when you need more flexible pattern matching in KQL.
Agent Foskett Academy Return to the full Academy learning path and review earlier KQL foundation lessons.
Using contains_cs for Case-Sensitive Searches Review how defenders use case-sensitive searching when exact casing matters.

Continue learning with Using has_any, Using in, KQL Threat Hunting Guide and Microsoft Security.

Develop IT. Protect IT. GEMXIT PTY LTD | GEMXIT UK LTD
ACSC Logo

GEMXIT PTY LTD  |  GEMXIT UK LTD  |  © GEMXIT 2026

Using startswith and endswith

Agent Foskett Academy Lesson 21 teaches defenders how to use the KQL startswith and endswith operators to find suspicious prefixes, file endings, URL patterns and command-line behaviour in Microsoft security telemetry.

Learn KQL startswith and endswith for Microsoft Defender XDR

The KQL startswith and endswith operators help analysts search text fields based on how values begin or finish across Microsoft Defender XDR and Microsoft Sentinel investigations.

KQL prefix and ending search lesson for Microsoft security analysts

This Agent Foskett Academy lesson explains when to use startswith, when to use endswith and how position-based searches can reduce noise during focused threat hunting.