
HA13029
Brass Contributor
Feb 08, 2025

KQL to extract URL from TI Feeds

Hello,

I need some help to extract a specific field (URL) from URL Haus Database.

Example

"3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous"

 

Needed output

http://chmod0777kk.com/main

Regards,

HA

 

 

  • Clive_Watson
    Bronze Contributor

    or

    let url_ = '"3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous"';
    print url_
    // assumes that the URL is always in the third column (index 2, counting from 0)
    // trim removes only the surrounding " characters, so a trailing / on the URL is kept
    | extend http_ = trim('"', tostring(split(url_, ',')[2]))


  • luchete
    Steel Contributor

    Hi HA13029!

    You can use the following KQL query to extract the URL from the given feed:

    | where Column3 contains "http" | project URL = Column3

    This assumes the URL is in the third column of the dataset, so adjust it based on your specific data structure. It will filter the entries containing "http" and show the URL in the result.
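
Added example, not part of either reply above: a quote-aware variant that uses `parse_csv()` so a comma inside a quoted field does not shift the columns, and that drops rows that do not match the 9-field layout of the row in the question. The second and third rows, the `example.test` domain, the non-feed row and the output column names (`Status`, `Threat`, `Tags`, `Host`) are constructed for illustration.

```kql
// Constructed sample rows in the 9-field layout of the row quoted in the question.
// Rows 2 to 4 are invented test cases: trailing slash, commas inside quoted fields, junk line.
let feed = datatable(raw:string)
[
    '"3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous"',
    '"0000001","2025-02-07 11:05:00","http://example.test/dl/","online","2025-02-07 11:05:00","malware_download","elf","https://example.test/ref/1","anonymous"',
    '"0000002","2025-02-07 11:06:00","http://example.test/get?a=1,2","offline","2025-02-07 11:06:00","malware_download","elf,mirai","https://example.test/ref/2","anonymous"',
    'not a feed row'
];
feed
| extend f = parse_csv(raw)                      // quote-aware split, returns a string array
| where array_length(f) == 9                     // drop rows that do not match the layout
| extend Url    = tostring(f[2]),
         Status = tostring(f[3]),
         Threat = tostring(f[5]),
         Tags   = tostring(f[6])
| where Url startswith "http://" or Url startswith "https://"
| extend Host = tostring(parse_url(Url).Host)    // useful for joins against DNS or proxy logs
| project Url, Host, Status, Threat, Tags
```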
