Working with the RegEx engine
Note
Microsoft Defender for Cloud Apps is now part of Microsoft 365 Defender and can be accessed through its portal at: https://security.microsoft.com. Microsoft 365 Defender correlates signals from the Microsoft Defender suite across endpoints, identities, email, and SaaS apps to provide incident-level detection, investigation, and powerful response capabilities. It improves your operational efficiency with better prioritization and shorter response times which protect your organization more effectively. For more information about these changes, see Microsoft Defender for Cloud Apps in Microsoft 365 Defender.
This article provides instructions for using RegEx for pattern matching in Defender for Cloud Apps policies.
Regular expressions in Defender for Cloud Apps
The Microsoft Defender for Cloud Apps content inspection policies use RegEx for pattern matching. Content inspection may be applied as part of file policies.
Testing regular expressions
To test regular expressions, you can use the following websites:
https://regexpal.com/ - Make sure you select Case insensitive.
https://regex101.com/ - Provides detailed analysis of the RegEx.
Limitations of regular expressions in Defender for Cloud Apps
The following limitations are imposed on custom regular expressions:
The search is always case-insensitive
Allowed quantifiers: {n,m} where n, m < 10
All groups must be non-capturing, for example: (?:xxx)
Instead of (group) use (?:group)
Disallowed quantifiers: *, +, {n,}
Instead of * use {0,9}
Instead of + use {1,9}
Disallowed back-references: \<number> or \k<name>
Example expressions
The following table gives you example expressions and if they would match or not.
| Regular expression | Data | Matches |
|---|---|---|
Colou?r (?:black|blue|white) |
Color black Color white Color red |
Yes Yes No |
[a-z0-9]{1,9}@[a-z0-9]{1,9}\\.[a-z]{2,} |
Some1@abc.com user@host.org @bad.com |
Yes Yes No |
20\d{2}-(?:0[1-9]|1[0-2])-(?:[0-2][0-9]|30|31) |
2015-12-31 2015-01-09 1999-12-31 |
Yes Yes No |
d.n't\s{0,10}c.r. |
Don't care D!n'tcor0 Doesn't care |
Yes Yes No |
Next steps
If you run into any problems, we're here to help. To get assistance or support for your product issue, please open a support ticket.
Tilbakemeldinger
Send inn og vis tilbakemelding for