Find a domain within URL with Kusto (Defender ATP Advanced Hunting)
I have an external list of malicious domains/URLs that I want to search the logs against periodically, but there is an obvious problem:
let abuse_domain = (externaldata(sentinel_domain: string )
[@"https://managedsentinel.com/downloads/covid19_domains.txt"]
with (format="txt"))
| where sentinel_domain !startswith "#"
| project sentinel_domain;
abuse_domain
| join
(
DeviceNetworkEvents
| where Timestamp > ago(1h)
) on $left.sentinel_domain == $right.RemoteUrl
| project Timestamp,DeviceName,RemoteUrl,DeviceId,ReportId
The on clause does not work, because the two items will never match exactly. How can I get a match when $left.sentinel_domain is a substring of $right.RemoteUrl?
First try using parse_url to extract the domain (Host) from RemoteUrl. Like this:
let abuse_domain = (externaldata(sentinel_domain: string )
[@"https://managedsentinel.com/downloads/covid19_domains.txt"]
with (format="txt"))
| where sentinel_domain !startswith "#"
| project sentinel_domain;
abuse_domain
| join
(
DeviceNetworkEvents
| where Timestamp > ago(1h)
| extend Host = tostring(parse_url(RemoteUrl).Host)
) on $left.sentinel_domain == $right.Host
| project Timestamp,DeviceName,RemoteUrl,DeviceId,ReportId
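The join above only fires when RemoteUrl is a full URL with a scheme and the feed entry equals the host byte for byte. Two things break that in practice: Microsoft documents DeviceNetworkEvents.RemoteUrl as "URL or FQDN", and for a bare FQDN parse_url(RemoteUrl).Host is an empty string, so the join silently matches nothing; and a feed entry for evil.example will not match a connection to cdn.evil.example. The query below is an added example (not from the question or the answer) that normalises both sides, falls back to the raw host when there is no scheme, and also tries the parent domain. It assumes the feed holds bare domains (possibly with mixed case or trailing whitespace) rather than full URLs; the column names are those already used on the page.

```kusto
// Added example, not the original poster's or answerer's code.
// Assumptions not stated on the page: the feed contains bare domains that may
// carry upper-case letters or trailing whitespace, and RemoteUrl may be a bare
// FQDN (no scheme), optionally with a ":port" suffix.
let abuse_domain = (externaldata(sentinel_domain: string)
    [@"https://managedsentinel.com/downloads/covid19_domains.txt"]
    with (format="txt"))
    | where isnotempty(sentinel_domain) and sentinel_domain !startswith "#"
    | project sentinel_domain = tolower(trim(@"\s+", sentinel_domain));
let recent_hosts = DeviceNetworkEvents
    | where Timestamp > ago(1h)
    | where isnotempty(RemoteUrl)
    // parse_url only understands an absolute URL; for a bare host fall back to
    // the text before the first "/", then drop any ":port" suffix.
    | extend Host = iff(RemoteUrl contains "://",
                        tostring(parse_url(RemoteUrl).Host),
                        tostring(split(RemoteUrl, "/")[0]))
    | extend Host = tolower(tostring(split(Host, ":")[0]))
    | where isnotempty(Host)
    // Parent domain: "cdn.evil.example" -> "evil.example", so a feed entry for
    // the apex domain still hits sub-domains one label deep. A two-label host is
    // its own parent and is listed once, so it cannot match twice.
    | extend Labels = split(Host, ".")
    | extend Parent = iff(array_length(Labels) > 2,
                          strcat_array(array_slice(Labels, 1, -1), "."),
                          Host)
    | extend Candidates = iff(Parent == Host, pack_array(Host), pack_array(Host, Parent))
    | mv-expand Candidate = Candidates to typeof(string)
    | project Timestamp, DeviceName, RemoteUrl, DeviceId, ReportId, Candidate;
// Small feed on the left, large event table on the right, as Kusto recommends
// for join performance. kind=inner keeps every matching event row.
abuse_domain
| join kind=inner recent_hosts on $left.sentinel_domain == $right.Candidate
// One row per event; MatchedDomains lists which feed entries hit it.
| summarize MatchedDomains = make_set(sentinel_domain)
    by Timestamp, DeviceName, RemoteUrl, DeviceId, ReportId
```

If the feed later starts carrying full URLs, run the same Host extraction over sentinel_domain before the join; and if you need matching deeper than one sub-domain label, extend the Candidates array with further array_slice offsets rather than switching to a substring predicate, because a `contains`-style join over the whole event table does not scale.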