79684537

Date: 2025-06-30 09:30:26
Score: 1
Natty:
Report link

I believe that you can use KQL. I created the KQL example below of how to achieve this.

// Constructed sample pair; replace the datatable with your real log data
let T = datatable(column1:string, column2:string)
[
   "www.Jodc.com", "www.J0dc.com"
];
T
// Split each domain into its UTF-8 byte values (a dynamic array of integers)
| extend array1 = to_utf8(column1)
| extend array2 = to_utf8(column2)
// Set operations deduplicate, so character order and repeats are ignored
| extend inter = set_intersect(array1, array2)
| extend un = set_union(array1, array2)
// Jaccard index = |A ∩ B| / |A ∪ B|; guard the division when both strings are empty
| extend jaccardSimilarity = iff(array_length(un) == 0, todouble(0), todouble(array_length(inter)) / todouble(array_length(un)))
// Drop pairs whose byte sets are identical
| where jaccardSimilarity != 1
| distinct column1, column2, jaccardSimilarity
| sort by jaccardSimilarity desc

This KQL code can be used to create a Sentinel Analytics Rule that calculates the similarity rate between two domains and detects when the similarity calculation results are above a certain level. The code uses the Jaccard similarity algorithm to compare the two domains.
To use the query above in a Sentinel Analytics Rule, you would need to adapt the query to work with your actual log data.

If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.

Reasons:
  • Blacklisted phrase (1): how to achieve
  • Whitelisted phrase (-1.5): you can use
  • Long answer (-1):
  • Has code block (-0.5):
  • Me too answer (2.5): have a similar question
  • Low reputation (0.5):
Posted by: pauline mbabu