Pete Bryan 2019-11-25 13:05:31 +00:00 коммит произвёл GitHub
Родитель 5a8bf935e8
Коммит 60de91234f
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
1 изменённых файлов: 2 добавлений и 2 удалений


@ -306,7 +306,7 @@
"type": 3,
"content": {
"version": "KqlItem/1.0",
"query": "DnsEvents\r\n| extend IPAddresses = iif(IPAddresses==\"\", \"empty\", IPAddresses)\r\n| where \"{IpAddresses:label}\" == \"All\" or IPAddresses in ({IpAddresses})\r\n| extend NameParts = split(Name,'.')\r\n//Break the domain into its parts\r\n| extend Top_Level_Domain = strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n//Use the rightmost parts of the URL\r\n| extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n//If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n| summarize SubDomainCount = count() by Top_Level_Domain, Name\r\n| join kind= inner\r\n(\r\n DnsEvents\r\n | extend NameParts = split(Name,'.')\r\n //Break the domain into its parts\r\n | extend Top_Level_Domain = strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n //Use the rightmost parts of the URL\r\n | extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n //If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n | summarize Total_Sub_Domains = count() by Top_Level_Domain\r\n)\r\non Top_Level_Domain\r\n| extend pk = SubDomainCount/todouble(Total_Sub_Domains)\r\n| extend h1= -log2(pk)*pk\r\n//calculate entropy according to Sannon function https://en.wiktionary.org/wiki/Shannon_entropy\r\n| summarize Sub_Domain_Entropy = sum(h1), Total_Sub_Domains = any(Total_Sub_Domains) ,makelist(Name) by Top_Level_Domain\r\n| order by Sub_Domain_Entropy desc",
"query": "DnsEvents\r\n| extend IPAddresses = iif(IPAddresses==\"\", \"empty\", IPAddresses)\r\n| where \"{IpAddresses:label}\" == \"All\" or IPAddresses in ({IpAddresses})\r\n| extend NameParts = split(Name,'.')\r\n//Break the domain into its parts\r\n| extend Top_Level_Domain = strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n//Use the rightmost parts of the URL\r\n| extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n//If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n| summarize SubDomainCount = count() by Top_Level_Domain, Name\r\n| join kind= inner\r\n(\r\n DnsEvents\r\n | extend NameParts = split(Name,'.')\r\n //Break the domain into its parts\r\n | extend Top_Level_Domain = strcat(NameParts[toint(array_length(NameParts)-2)],'.',NameParts[toint(array_length(NameParts)-1)] )\r\n //Use the rightmost parts of the URL\r\n | extend Top_Level_Domain = iif(strlen(Top_Level_Domain)<7,strcat(NameParts[toint(array_length(NameParts)-3)],'.',Top_Level_Domain),Top_Level_Domain)\r\n //If the two right most parts are too short (e.g. \"co.uk\" or \"com.tr\", add another part\r\n | summarize Total_Sub_Domains = count() by Top_Level_Domain\r\n)\r\non Top_Level_Domain\r\n| extend pk = SubDomainCount/todouble(Total_Sub_Domains)\r\n| extend h1= -log2(pk)*pk\r\n//calculate entropy according to Sannon function https://en.wiktionary.org/wiki/Shannon_entropy\r\n| summarize Sub_Domain_Entropy = sum(h1), Total_Sub_Domains = any(Total_Sub_Domains) ,make_list(Name) by Top_Level_Domain\r\n| order by Sub_Domain_Entropy desc",
"size": 0,
"exportToExcelOptions": "visible",
"title": "Domain entropy",
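Review bot: The IP-address filter on the third line of the new query (`| where "{IpAddresses:label}" == "All" or IPAddresses in ({IpAddresses})`) is applied only to the outer DnsEvents and not to the joined subquery, so when a specific address is selected SubDomainCount is per-host while Total_Sub_Domains is fleet-wide; pk then no longer sums to 1 per Top_Level_Domain and Sub_Domain_Entropy is not the entropy of that host's lookups. The same two lines, `| extend IPAddresses = iif(IPAddresses=="", "empty", IPAddresses)` and `| where "{IpAddresses:label}" == "All" or IPAddresses in ({IpAddresses})`, should follow the inner `DnsEvents` so both sides of the join see the same population. Since this commit is already replacing the legacy `makelist` spelling, note that `any(Total_Sub_Domains)` is the older name for what current Kusto spells `take_any()`; keep `any()` only if the target engine does not yet accept the new name. Separately, for single-label names such as `wpad` or `localhost`, `array_length(NameParts)-2` and `-3` go negative and the resulting Top_Level_Domain depends on how the engine treats negative array indexes, which is worth pinning down or guarding with a `where array_length(NameParts) >= 2` before the split logic. The enclosing workbook item object starts and ends outside this hunk.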