Mullets4All

Reputation: 49

Find a domain within URL with Kusto (Defender ATP Advanced Hunting)

There's an external list of malicious domains/URLs, and I want to periodically search the logs, but there's an obvious problem:

let abuse_domain = (externaldata(sentinel_domain: string )
[@"https://managedsentinel.com/downloads/covid19_domains.txt"]
with (format="txt"))
| where sentinel_domain !startswith "#"
| project sentinel_domain;
abuse_domain
| join 
(
DeviceNetworkEvents
| where Timestamp > ago(1h) 
) on $left.sentinel_domain == $right.RemoteUrl
| project Timestamp,DeviceName,RemoteUrl,DeviceId,ReportId

The on clause isn't going to work because the two items will never completely match. How can I get a match when $left.sentinel_domain is a substring of $right.RemoteUrl?

Upvotes: 1

Views: 7157

Answers (1)

Jonathan Myers

Reputation: 887

Try using parse_url to extract the domain (Host) from RemoteUrl first.

Like so:

let abuse_domain = (externaldata(sentinel_domain: string )
[@"https://managedsentinel.com/downloads/covid19_domains.txt"]
with (format="txt"))
| where sentinel_domain !startswith "#"
| project sentinel_domain;
abuse_domain
| join 
(
DeviceNetworkEvents
| where Timestamp > ago(1h)
| extend Host = tostring(parse_url(RemoteUrl).Host)
) on $left.sentinel_domain == $right.Host
| project Timestamp,DeviceName,RemoteUrl,DeviceId,ReportId

Upvotes: 1
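Added example, not part of the question or the answer: a small Python model of the host-extraction approach, using constructed sample rows in place of DeviceNetworkEvents and a constructed domain list in place of the externaldata() feed. It shows why matching on the parsed host (exactly, or optionally with subdomains) is safer than the raw substring match the question asked for.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the externaldata() feed: one domain per line, '#' comments.
ABUSE_FEED = """# constructed sample feed, not the real covid19_domains.txt
covid19-relief.example
vaccine-update.example
"""

# Constructed stand-in for DeviceNetworkEvents rows: (Timestamp, DeviceName, RemoteUrl).
EVENTS = [
    ("2020-04-01T10:00:00Z", "host01", "https://covid19-relief.example/login"),
    ("2020-04-01T10:01:00Z", "host02", "http://cdn.vaccine-update.example:8080/a.js"),
    ("2020-04-01T10:02:00Z", "host03", "https://notcovid19-relief.example/"),
    ("2020-04-01T10:03:00Z", "host04", "covid19-relief.example/raw"),  # scheme-less
    ("2020-04-01T10:04:00Z", "host05", "https://example.org/covid19-relief.example"),
]

def load_feed(text):
    """Mirror of the KQL 'where sentinel_domain !startswith "#"': drop comments and blanks."""
    return {ln.strip().lower().rstrip(".") for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")}

def host_of(url):
    """Equivalent of tostring(parse_url(RemoteUrl).Host): host only, no port or path.
    A scheme-less RemoteUrl is given a '//' prefix so the host still parses."""
    if "://" not in url:
        url = "//" + url
    host = urlsplit(url).hostname
    return host.lower().rstrip(".") if host else ""

def in_feed(host, feed, match_subdomains=False):
    """Exact host match as in the answer's join; optionally also match child subdomains."""
    if host in feed:
        return True
    if match_subdomains:
        return any(host.endswith("." + d) for d in feed)
    return False

def hunt(events, feed, match_subdomains=False):
    """Rows whose parsed host is on the feed (the answer's approach)."""
    return [(ts, dev, url) for ts, dev, url in events
            if in_feed(host_of(url), feed, match_subdomains)]

def substring_hunt(events, feed):
    """The raw substring match the question asked for, kept for comparison: it also
    flags look-alike hosts and URLs that merely carry a listed domain in the path."""
    return [(ts, dev, url) for ts, dev, url in events if any(d in url.lower() for d in feed)]
```

Against the constructed rows, host-based matching flags host01 and host04 (host02 too with subdomains enabled), while the substring match additionally flags host03 and host05, which are false positives.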
