watchlist with contains

Question

Hi Team,&nbsp;can someone help me. I have a list of dynamic Dns domain and performing KQL with _Im_Dns table.I have created watchlist of domain and apply to&nbsp;_Im_Dns table. So i am getting the result if exact match in DnsQuery column. Like in my watchlist if microsoft.com is dynamic domain then it getting result only when DnsQuery column has&nbsp;microsoft.com. But my concern is that i want to get result if&nbsp;DnsQuery column has xyz.microsoft.com.Abc.&nbsp;let DynamicDns = _GetWatchlist('dynamic_dns') | project&nbsp; SearchKey;_Im_Dns| where DnsQuery in~ (DynamicDns)&nbsp;My watchlist have 30k+ dynamic DNS. Kindly suggest us.

clive_watson · Answer

akshay25june&nbsp;&nbsp;Maybe something based on this?&nbsp;let DynamicDns = _GetWatchlist('dynamic_dns') | distinct SearchKey, index=1;
let myDNS = _Im_Dns | distinct DnsQuery, index=1;
DynamicDns
| join kind=inner (myDNS) on index_
| where DnsQuery contains SearchKey

Forum Discussion

watchlist with contains

Share

Resources