Working with the RegEx engine
This article provides instructions for using RegEx for pattern matching in Defender for Cloud Apps policies.
Regular expressions in Defender for Cloud Apps
The Microsoft Defender for Cloud Apps content inspection policies use RegEx for pattern matching. Content inspection may be applied as part of file policies.
Testing regular expressions
To test regular expressions, you can use the following websites:
https://regexpal.com/ - Make sure you select Case insensitive.
https://regex101.com/ - Provides detailed analysis of the RegEx.
Limitations of regular expressions in Defender for Cloud Apps
The following limitations are imposed on custom regular expressions:
The search is always case-insensitive
Allowed quantifiers: {n,m} where n, m < 10
All groups must be non-capturing, for example: (?:xxx)
Instead of (group) use (?:group)
Disallowed quantifiers: *, +, {n,}
Instead of * use {0,9}
Instead of + use {1,9}
Disallowed back-references: \<number> or \k<name>
Example expressions
The following table gives you example expressions and if they would match or not.
Regular expression | Data | Matches |
---|---|---|
Colou?r (?:black|blue|white) |
Color black Color white Color red |
Yes Yes No |
[a-z0-9]{1,9}@[a-z0-9]{1,9}\\.[a-z]{2,} |
Some1@abc.com user@host.org @bad.com |
Yes Yes No |
20\d{2}-(?:0[1-9]|1[0-2])-(?:[0-2][0-9]|30|31) |
2015-12-31 2015-01-09 1999-12-31 |
Yes Yes No |
d.n't\s{0,10}c.r. |
Don't care D!n'tcor0 Doesn't care |
Yes Yes No |
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.
Feedback
https://aka.ms/ContentUserFeedback.
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see:Submit and view feedback for