Note
We’ve renamed Microsoft Cloud App Security. It’s now called Microsoft Defender for Cloud Apps. In the coming weeks, we’ll update the screenshots and instructions here and in related pages. For more information about the change, see this announcement. To learn more about the recent renaming of Microsoft security services, see the Microsoft Ignite Security blog.
This article provides instructions for using RegEx for pattern matching in Defender for Cloud Apps policies.
Regular expressions in Defender for Cloud Apps
The Microsoft Defender for Cloud Apps content inspection policies use RegEx for pattern matching. Content inspection may be applied as part of file policies.
Testing regular expressions
To test regular expressions, you can use the following websites:
- https://regexpal.com/ – Make sure you select Case insensitive.
- https://regex101.com/ – Provides detailed analysis of the RegEx.
Limitations of regular expressions in Defender for Cloud Apps
The following limitations are imposed on custom regular expressions:
- The search is always case-insensitive
- Allowed quantifiers: {n,m} where n, m < 10
- All groups must be non-capturing, for example: (?:xxx)
Instead of (group) use (?:group)
- Disallowed quantifiers: *, +, {n,}
Instead of * use {0,9}
Instead of + use {1,9}
- Disallowed back-references: \<number> or \k<name>
Example expressions
The following table gives you example expressions and if they would match or not.
| Regular expression | Data | Matches |
|---|---|---|
| Colou?r (?:black|blue|white) | Color black
Color white Color red |
Yes
Yes No |
| [a-z0-9]{1,9}@[a-z0-9]{1,9}\.[a-z]{2,3} | [email protected]
@bad.com |
Yes
Yes No |
| 20\d{2}-(?:0[1-9]|1[0-2])-(?:[0-2][0-9]|30|31) | 2015-12-31
2015-01-09 1999-12-31 |
Yes
Yes No |
| d.n’t\s{0,10}c.r. | Don’t care
D!n’tcor0 Doesn’t care |
Yes
Yes No |