Ivan Yakushev Valued Contributor.

Search in Active List

Hi everyone, I'm looking for a way to search for a string in an Active List.

I have events from my Microsoft DNS server. These events contain a field named "Target Host Name", for example with the value "sales.contoso.com".

I have an Active List "Malware Domains" with a field named "URL", for example with the value "https://sales.contoso.com/products/toys". How can I compare the value of the field "Target Host Name" with the field "URL" to find partial matches?

ftavares Super Contributor.

Re: Search in Active List

Hi Ivan,

The best approach is to treat the values before inputting them into the list, but of course, that is not always possible.

In your case, you are going to have to use variables (index_of, substrs) to treat it and return only the domain part of the string.

Use that variable to compare with the field value where only the domain name is saved in your condition, and return only the results where they match.

Regards,

Fabiano.

adamsca Frequent Contributor.

Re: Search in Active List

I am having the same problem. This works for a single variation, but what if you have multiple (in the 100s) variations?

I have about 5600 URLs on my active list, for example <dl.ru>; if an event comes in for <fav.dl.ru>, I would like to see a match. Now this is only one example of many variations. Any ideas?

ftavares Super Contributor.

Re: Search in Active List

Hi Christopher!

I think you can use the same approach: when you use variables and set the dot "." as the delimiter, no matter what your domain string is, if it always complies with the sequence "domain.ru" or "subdomain.domain.ru" (you are going to define that in the variable), the variable will always be able to extract the correct part of the string. Then you just use it in conditional testing for comparison.

Regards,

Fabiano.
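The normalize-then-compare approach discussed in this thread, as an added Python example that is not part of any post and is not ArcSight code: it reduces list entries (full URLs or bare domains) to hostnames before they are loaded, then matches an event hostname against the list on dot-delimited label boundaries. The function names and sample entries are assumptions made for illustration, and it goes slightly beyond the thread by also handling ports, case and trailing dots.

```python
from urllib.parse import urlsplit

# Constructed sample entries, mixing the forms mentioned in the thread.
SAMPLE_LIST = [
    "https://sales.contoso.com/products/toys",
    "dl.ru",
    "HTTP://Example.TEST:8080/a",
]

def to_hostname(entry):
    """Reduce a list entry (full URL or bare domain) to a lowercase hostname."""
    entry = entry.strip()
    if not entry:
        return None
    # urlsplit only fills .hostname when a scheme or a leading // is present.
    if "://" not in entry:
        entry = "//" + entry
    try:
        host = urlsplit(entry).hostname
    except ValueError:  # malformed entry, e.g. an unbalanced IPv6 bracket
        return None
    return host.rstrip(".") if host else None

def build_domain_set(entries):
    """Normalize every entry once, before loading the list."""
    return {h for h in map(to_hostname, entries) if h}

def match_listed_domain(target_host, domains):
    """Return the listed domain that equals target_host or is a parent of it."""
    labels = target_host.strip().lower().rstrip(".").split(".")
    # Walk fav.dl.ru -> dl.ru, stopping before the bare TLD so that a stray
    # single-label entry such as "ru" can never match every host under it.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

if __name__ == "__main__":
    listed = build_domain_set(SAMPLE_LIST)
    for host in ("sales.contoso.com", "fav.dl.ru", "notdl.ru", "contoso.com"):
        print(host, "->", match_listed_domain(host, listed))
```

Because the comparison is done per label rather than as a substring, `notdl.ru` does not match the entry `dl.ru`, and each lookup costs a handful of set probes regardless of whether the list holds 5600 entries or more.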
