Search in Active List

Ivan Yakushev · ‎2016-09-08

Hi Everyone, I'm looking for a way to search string in Active List.

I have an events from my Microsoft DNS server, these events contain field named "Target Host Name" for example with value "sales.contoso.com".

I have Active List "Malware Domains" with field named "URL" for example with value "https://sales.contoso.com/products/toys". How I can compare the value of the field "Target Host Name" and field "URL" for find partial matches.

ftavares · ‎2016-09-09

Hi Ivan,

the best approach is to treat the values before inputing them in the list, but of course, it is not always possible.

In your cause, you gonna have to use variables (index_of, substrs) to treat it and return only domain part of the string.

Use that variable to compare with field value where only domain name is saved in your condition and return only result where they match.

Regards,

Fabiano.

adamsca · ‎2016-09-14

I am having the same problem, this works for a single variation but what if you have multiple (in 100s) variations.

I have about 5600 URL on my active list has and for example with<dl.ru>; if an event comes in for <fav.dl.ru> I would like to see a match. Now this is only one example of many variations. Any ideas?

ftavares · ‎2016-11-14

Hi Christopher !

I think you can use the same approach: when you use variables and set dot "." as delimiter, no matter your domain string is, if it always comply with sequence "domain.ru" or "subdomain.domain.ru" (you gonna define that in the variable) variable will always be able to extract correct string part. Then you just use it in Conditional testing for comparsion.

Regards,

Fabiano.

ESM