Makelist Update

2019-11-25 13:05:31 +00:00 · 2019-11-25 13:05:31 +00:00 · 60de91234f
--- a/Workbooks/Dns.json
+++ b/Workbooks/Dns.json
@ -306,7 +306,7 @@
      "type": 3,
      "content": {
        "version": "KqlItem/1.0",
-        "query": "DnsEvents\r\n| extend IPAddresses = iif(IPAddresses==\"\", \"empty\", IPAddresses)\r\n| where \"{IpAddresses:label}\" == \"All\" or IPAddresses in ({IpAddresses})\r\n| extend NameParts = split(Name,'.')\r\n//Break the domain into its parts\r\n| extend Top_Level_Domain =  strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n//Use the rightmost parts of the URL\r\n| extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n//If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n| summarize SubDomainCount = count() by Top_Level_Domain, Name\r\n| join kind= inner\r\n(\r\n    DnsEvents\r\n    | extend NameParts = split(Name,'.')\r\n    //Break the domain into its parts\r\n    | extend Top_Level_Domain =  strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n    //Use the rightmost parts of the URL\r\n    | extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n    //If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n    | summarize Total_Sub_Domains = count() by Top_Level_Domain\r\n)\r\non Top_Level_Domain\r\n| extend pk = SubDomainCount/todouble(Total_Sub_Domains)\r\n| extend h1= -log2(pk)*pk\r\n//calculate entropy according to Sannon function https://en.wiktionary.org/wiki/Shannon_entropy\r\n| summarize Sub_Domain_Entropy = sum(h1), Total_Sub_Domains = any(Total_Sub_Domains) ,makelist(Name)  by Top_Level_Domain\r\n| order by Sub_Domain_Entropy desc",
+        "query": "DnsEvents\r\n| extend IPAddresses = iif(IPAddresses==\"\", \"empty\", IPAddresses)\r\n| where \"{IpAddresses:label}\" == \"All\" or IPAddresses in ({IpAddresses})\r\n| extend NameParts = split(Name,'.')\r\n//Break the domain into its parts\r\n| extend Top_Level_Domain =  strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n//Use the rightmost parts of the URL\r\n| extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n//If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n| summarize SubDomainCount = count() by Top_Level_Domain, Name\r\n| join kind= inner\r\n(\r\n    DnsEvents\r\n    | extend NameParts = split(Name,'.')\r\n    //Break the domain into its parts\r\n    | extend Top_Level_Domain =  strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n    //Use the rightmost parts of the URL\r\n    | extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n    //If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n    | summarize Total_Sub_Domains = count() by Top_Level_Domain\r\n)\r\non Top_Level_Domain\r\n| extend pk = SubDomainCount/todouble(Total_Sub_Domains)\r\n| extend h1= -log2(pk)*pk\r\n//calculate entropy according to Sannon function https://en.wiktionary.org/wiki/Shannon_entropy\r\n| summarize Sub_Domain_Entropy = sum(h1), Total_Sub_Domains = any(Total_Sub_Domains) ,make_list(Name)  by Top_Level_Domain\r\n| order by Sub_Domain_Entropy desc",
        "size": 0,
        "exportToExcelOptions": "visible",
        "title": "Domain entropy",
@ -615,4 +615,4 @@
  },
  "fromTemplateId": "sentinel-DNS",
  "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
+}