nano SIEM

regex

Filter events by matching a field against a regular expression.

Description

The regex command filters results to keep only events where a field matches (or does not match) a regular expression pattern. This is equivalent to | where match(field, "pattern") but with a more concise syntax.

Unlike rex which extracts new fields from text, regex filters events based on pattern matching.

Syntax

... | regex <field>="<pattern>"
... | regex <field>!="<pattern>"
... | regex "<pattern>"

Arguments

field
Syntax: field="<pattern>" or field!="<pattern>"
Description: The field to match against the regex pattern. Use = to keep matching events, != to exclude them.
Default: message (if no field is specified)

pattern
Syntax: "<pattern>"
Description: A regular expression pattern. Supports standard regex syntax, including inline flags such as (?i) for case-insensitive matching.

Examples

Filter by file extension

source_type="edr" action="file_create"
| regex file_path="(?i)\.(exe|ps1|bat|vbs|dll)$"
| table timestamp, file_path, process_name

Keeps only events where the file path ends with a suspicious extension.

Exclude static assets from proxy logs

source_type="proxy"
| regex url!="(?i)\.(jpg|png|gif|css|js|woff2?)$"
| stats count() by url_domain

Removes static asset requests to focus on interesting traffic.

Match against message (default field)

source_type="syslog"
| regex "error|fail|denied|unauthorized"
| table timestamp, src_host, message

When no field is specified, matches against the message field.

Find encoded PowerShell

source_type="edr" process_name="powershell.exe"
| regex command_line="(?i)(-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
| table timestamp, src_host, user, command_line

Identifies PowerShell launched with an encoded command argument (-enc or -encodedcommand followed by a base64-like run of at least 20 characters).

Filter by IP range pattern

source_type="firewall"
| regex src_ip="^10\.1\.(5[0-9]|6[0-3])\."
| stats count() by src_ip, dest_ip

Matches a specific IP subnet using regex (for complex patterns beyond CIDR).

Exclude known-good paths

source_type="edr" action="process_create"
| regex process_path!="(?i)^(C:\\Windows\\|C:\\Program Files)"
| table timestamp, src_host, process_name, process_path

Filters out processes launched from standard system directories.

Find suspicious user agents

source_type="proxy"
| regex http_user_agent="(?i)(curl|wget|python|powershell|nmap)"
| stats count() by src_ip, http_user_agent

Identifies non-browser user agents.

Chain with other commands

source_type="dns"
| regex query="(?i)\.(xyz|top|tk|pw|cc)$"
| stats count() as requests, dc(src_ip) as unique_hosts by query
| where requests > 10
| sort -requests

Finds high-volume DNS queries to suspicious TLDs.
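The following Python script is an added illustration, not part of the nano SIEM documentation or product: it models the three argument forms from the Syntax and Arguments sections and replays several of the patterns from the Examples above over a small set of constructed events. The argument grammar, the choice to hand the quoted pattern to the regex engine unchanged (so \\ in the query is a regex-escaped backslash), and the rule that an event lacking the field counts as a non-match are assumptions made for this script, not documented nano SIEM behaviour. The script also shows why the Usage Notes recommend filtering on indexed fields first and why the syslog example needs (?i) to catch "FAILED".

```python
import re

# Constructed sample events (not from any real environment), using the field
# names the examples on this page rely on.
EVENTS = [
    {"source_type": "edr", "action": "file_create", "process_name": "explorer.exe",
     "file_path": r"C:\Users\alice\Downloads\invoice.PDF.exe"},
    {"source_type": "edr", "action": "file_create", "process_name": "notepad.exe",
     "file_path": r"C:\Users\alice\Documents\notes.txt"},
    {"source_type": "edr", "action": "process_create", "process_name": "svchost.exe",
     "process_path": r"C:\Windows\System32\svchost.exe"},
    {"source_type": "edr", "action": "process_create", "process_name": "updater.exe",
     "process_path": r"C:\Users\Public\updater.exe"},
    {"source_type": "edr", "action": "process_create", "process_name": "powershell.exe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -EncodedCommand " + "A" * 40},  # long base64-looking blob
    {"source_type": "edr", "action": "process_create", "process_name": "powershell.exe",
     "process_path": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -enc QUJD"},                     # too short for {20,}
    {"source_type": "firewall", "src_ip": "10.1.55.23", "dest_ip": "192.0.2.10"},
    {"source_type": "firewall", "src_ip": "10.1.64.9", "dest_ip": "192.0.2.10"},
    {"source_type": "syslog", "src_host": "web01", "message": "sshd: authentication FAILED for user bob"},
    {"source_type": "syslog", "src_host": "web01", "message": "cron: job completed"},
]

# Assumed grammar of the argument text:  field="pattern" | field!="pattern" | "pattern"
_ARGS = re.compile(r'^\s*(?:(?P<field>[A-Za-z_][A-Za-z0-9_]*)\s*(?P<op>!?=)\s*)?"(?P<pattern>.*)"\s*$')


def search(events, **indexed):
    """Stand-in for the leading search expression (source_type="edr" ...):
    exact match on indexed fields, applied before the regex command runs."""
    return [ev for ev in events if all(ev.get(k) == v for k, v in indexed.items())]


def parse_regex_args(args):
    """Return (field, negate, pattern) for the text after `regex`.
    The pattern is passed to the regex engine unchanged, so a doubled
    backslash in the query is a regex-escaped literal backslash (assumption)."""
    m = _ARGS.match(args)
    if m is None:
        raise ValueError(f"cannot parse regex arguments: {args!r}")
    field = m.group("field") or "message"   # default field, as documented on this page
    return field, m.group("op") == "!=", m.group("pattern")


def regex_command(events, args):
    """Apply `| regex <args>`: keep events whose field matches (or, with !=,
    does not match). Assumption made here: an event lacking the field counts
    as a non-match, so = drops it and != keeps it."""
    field, negate, pattern = parse_regex_args(args)
    compiled = re.compile(pattern)          # an inline (?i) in the pattern sets case-insensitivity
    kept = []
    for ev in events:
        value = ev.get(field)
        matched = value is not None and compiled.search(str(value)) is not None
        if matched != negate:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    files = search(EVENTS, source_type="edr", action="file_create")
    for ev in regex_command(files, r'file_path="(?i)\.(exe|ps1|bat|vbs|dll)$"'):
        print("suspicious extension:", ev["file_path"])

    procs = search(EVENTS, source_type="edr", action="process_create")
    for ev in regex_command(procs, r'process_path!="(?i)^(C:\\Windows\\|C:\\Program Files)"'):
        print("outside system dirs:", ev["process_path"])
    for ev in regex_command(procs, r'command_line="(?i)(-enc|-encodedcommand)\s+[A-Za-z0-9+/=]{20,}"'):
        print("encoded command:", ev["command_line"])

    fw = search(EVENTS, source_type="firewall")
    for ev in regex_command(fw, r'src_ip="^10\.1\.(5[0-9]|6[0-3])\."'):
        print("in 10.1.50.0-10.1.63.255:", ev["src_ip"])

    logs = search(EVENTS, source_type="syslog")
    print("case-sensitive hits:", len(regex_command(logs, '"error|fail|denied|unauthorized"')))
    print("case-insensitive hits:", len(regex_command(logs, '"(?i)error|fail|denied|unauthorized"')))
```

Two details are worth noting from the run: the case-sensitive syslog pattern finds nothing because the constructed message says "FAILED", which is exactly the situation the Case sensitivity note addresses, and the IP pattern matches 10.1.55.23 but not 10.1.64.9 because `(5[0-9]|6[0-3])` only covers the third octet 50 through 63.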

Usage Notes

Comparison with where: | regex field="pattern" is equivalent to | where match(field, "pattern"). Use whichever reads more naturally for your query.

Comparison with rex: regex filters events (keeps/excludes). rex extracts new fields. They serve different purposes.

Case sensitivity: Regex matching is case-sensitive by default. Use (?i) at the start of your pattern for case-insensitive matching.

Performance: Filter data with indexed fields (like source_type, src_ip) before applying regex to minimize the events scanned.

Negation: Use != to exclude matching events: | regex field!="pattern".

Default field: When no field is specified, regex matches against the message field.

See also

  • rex - Extract fields using regex capture groups
  • where - Filter with boolean expressions (supports the match() function)
  • eval - Create calculated fields with match() for conditional logic
  • search - Filter in the search expression using /pattern/ syntax