Working with the RegEx engine

This article provides instructions for using RegEx for pattern matching in Defender for Cloud Apps policies.

Regular expressions in Defender for Cloud Apps

The Microsoft Defender for Cloud Apps content inspection policies use RegEx for pattern matching. Content inspection may be applied as part of file policies.

Testing regular expressions

To test regular expressions, you can use the following websites:

Limitations of regular expressions in Defender for Cloud Apps

The following limitations are imposed on custom regular expressions:

  • The search is always case-insensitive

  • Allowed quantifiers: {n,m} where n, m < 10

  • All groups must be non-capturing, for example: (?:xxx)

    Instead of (group) use (?:group)

  • Disallowed quantifiers: *, +, {n,}

    Instead of * use {0,9}

    Instead of + use {1,9}

  • Disallowed back-references: \<number> or \k<name>

Example expressions

The following table gives you example expressions and if they would match or not.

Regular expression Data Matches
Colou?r (?:black&#124;blue&#124;white) Color black

Color white

Color red
Yes

Yes

No
[a-z0-9]{1,9}@[a-z0-9]{1,9}\\.[a-z]{2,} Some1@abc.com

user@host.org

@bad.com
Yes

Yes

No
20\d{2}-(?:0[1-9]|1[0-2])-(?:[0-2][0-9]|30|31) 2015-12-31

2015-01-09

1999-12-31
Yes

Yes

No
d.n't\s{0,10}c.r. Don't care

D!n'tcor0

Doesn't care
Yes

Yes

No

Next steps

If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.