'Match partial string from list with field

I'm trying to check if a field contains a value from a list using Kusto in Log analytics/Sentinel in Azure.

The list contains top level domains but I only want matches for subdomains of these top levels domains. The list value example.com should match values such as forum.example.com or api.example.com.

I got the following code but it does exact matches only.

let domains = dynamic(["example.com", "amazon.com", "microsoft.com", "google.com"]);
DeviceNetworkEvents
| where RemoteUrl in~ (domains)
| project TimeGenerated, DeviceName, InitiatingProcessAccountUpn, RemoteUrl

I tried with endswith, but couldn't get that to work with the list.

kqlazure-log-analyticsazure-sentinel


Solution 1:[1]

In order to correctly match URLs with a list of domains, you need to build a regex from these domains, and then use the matches regex operator.

Make sure you build the regex correctly, in order not to allow these:

  • example.com.hacker.com
  • hackerexample.com
  • hacker.com/example.com
  • Etc...

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Slavik N

Related Questions

How to remove time part from a datetime in Kusto

Kusto make-series by month

Does materialize function not work with tabular function argument in Kusto?

Convert query to KQL

Kusto for sliding window

Excel removes my query connection on it's own and gives me several error messages

Consider the where condition based on the parameter value in KQL

Insert data into kusto table using flow

How query data use offset in kusto (Azure Data Explorer) KQL for paging

SQL OLAP vs KQL || row_number() over partition by in SQL vs KQL

How to get only distinct values from list

How to calculate time grain based on selected period from azure dashboard in a custom chart

Kusto query using TimeGenerated as Parameter

calculating TotalDomainCount in Azure Resource Graph

App insight query to get result for each id and category mapping with number of count