Version: 1.4.0

FQDN

Parse ASIM Compatible

Synopsis

Parses FQDNs (Fully Qualified Domain Names), URLs, and hostnames to extract individual components such as hostname, domain, domain type, and normalized FQDN using ASIM logic.

Schema

- fqdn:
    description: <text>
    field: <ident>
    hostname_field: <ident>
    domain_field: <ident>
    domain_type_field: <ident>
    fqdn_field: <ident>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

| Field | Required | Default | Description |
|---|---|---|---|
| field | Y | | Field containing the hostname, FQDN, or URL to parse |
| hostname_field | N | {field}_hostname | Field to store the extracted hostname |
| domain_field | N | {field}_domain | Field to store the extracted domain |
| domain_type_field | N | {field}_domain_type | Field to store the domain type |
| fqdn_field | N | {field}_fqdn | Field to store the normalized FQDN |
| description | N | - | Explanatory notes |
| if | N | - | Condition to run |
| ignore_failure | N | false | See Handling Failures |
| ignore_missing | N | false | Continue processing if the field is missing |
| on_failure | N | - | See Handling Failures |
| on_success | N | - | See Handling Success |
| tag | N | - | Identifier |

Details

The processor analyzes hostname strings and extracts meaningful components based on ASIM (Azure Sentinel Information Model) logic. It supports multiple input formats:

  • URLs: Full URLs with protocols (http://, https://) are parsed to extract the hostname component
  • FQDNs: Domain names like web01.example.com are split into hostname and domain parts
  • Windows format: NetBIOS names like DOMAIN\hostname are recognized and parsed accordingly
  • Simple hostnames: Single names without domain components

The processor determines the domain type based on the input format:

  • FQDN: For dot-separated domain names (e.g., server.company.com)
  • Windows: For backslash-separated NetBIOS names (e.g., CONTOSO\WEB01)
  • Empty: For simple hostnames without domain information

Info: This processor follows ASIM hostname parsing standards, making it ideal for security analytics and network monitoring scenarios where consistent hostname normalization is required.

Note: The processor automatically handles URL parsing and will extract hostnames from full URLs, stripping protocol, path, and query parameters to focus on the host component.

Tip: Use custom field names to organize extracted components according to your data model. The default field naming convention appends suffixes to the source field name for easy identification.

Examples

Basic FQDN Parsing

Parse a fully qualified domain name...

{
  "server_name": "web01.company.com"
}

- fqdn:
    field: server_name

into its components:

{
  "server_name": "web01.company.com",
  "server_name_hostname": "web01",
  "server_name_domain": "company.com",
  "server_name_domain_type": "FQDN",
  "server_name_fqdn": "web01.company.com"
}

URL Hostname Extraction

Extract hostname from URLs...

{
  "request_url": "https://api.example.com/v1/users"
}

- fqdn:
    field: request_url
    hostname_field: api_host
    domain_field: api_domain
    domain_type_field: host_type
    fqdn_field: full_hostname

with custom field names:

{
  "request_url": "https://api.example.com/v1/users",
  "api_host": "api",
  "api_domain": "example.com",
  "host_type": "FQDN",
  "full_hostname": "api.example.com"
}

Windows NetBIOS Format

Parse Windows domain\hostname format...

{
  "computer_name": "CONTOSO\\WEB01"
}

- fqdn:
    field: computer_name

recognizing the Windows format:

{
  "computer_name": "CONTOSO\\WEB01",
  "computer_name_hostname": "WEB01",
  "computer_name_domain": "CONTOSO",
  "computer_name_domain_type": "Windows",
  "computer_name_fqdn": "CONTOSO\\WEB01"
}

Simple Hostname

Handle simple hostnames without domains...

{
  "host": "localhost"
}

- fqdn:
    field: host

with empty domain information:

{
  "host": "localhost",
  "host_hostname": "localhost",
  "host_domain": "",
  "host_domain_type": "",
  "host_fqdn": ""
}

Subdomain Parsing

Parse complex subdomains...

{
  "service_endpoint": "user-service.staging.internal.company.com"
}

- fqdn:
    field: service_endpoint
    hostname_field: service_name
    domain_field: service_domain

extracting the service name and full domain:

{
  "service_endpoint": "user-service.staging.internal.company.com",
  "service_name": "user-service",
  "service_domain": "staging.internal.company.com",
  "service_endpoint_domain_type": "FQDN",
  "service_endpoint_fqdn": "user-service.staging.internal.company.com"
}

URL with Path and Parameters

URLs with paths and parameters...

{
  "full_url": "http://shop.example.com/products?category=electronics&page=2"
}

- fqdn:
    field: full_url

are parsed to extract only the hostname:

{
  "full_url": "http://shop.example.com/products?category=electronics&page=2",
  "full_url_hostname": "shop",
  "full_url_domain": "example.com",
  "full_url_domain_type": "FQDN",
  "full_url_fqdn": "shop.example.com"
}

IP Address Handling

IP addresses are treated as simple hostnames...

{
  "server_ip": "192.168.1.100"
}

- fqdn:
    field: server_ip

without domain information:

{
  "server_ip": "192.168.1.100",
  "server_ip_hostname": "192.168.1.100",
  "server_ip_domain": "",
  "server_ip_domain_type": "",
  "server_ip_fqdn": ""
}

Mixed Case Handling

Mixed case URLs are handled correctly...

{
  "website": "HTTPS://WWW.EXAMPLE.COM/Home"
}

- fqdn:
    field: website

preserving original hostname case:

{
  "website": "HTTPS://WWW.EXAMPLE.COM/Home",
  "website_hostname": "WWW",
  "website_domain": "EXAMPLE.COM",
  "website_domain_type": "FQDN",
  "website_fqdn": "WWW.EXAMPLE.COM"
}

Empty and Invalid Input

Empty or invalid input...

{
  "empty_host": "",
  "null_host": null
}

- fqdn:
    field: empty_host
- fqdn:
    field: null_host
    ignore_missing: true

results in empty component fields:

{
  "empty_host": "",
  "null_host": null,
  "empty_host_hostname": "",
  "empty_host_domain": "",
  "empty_host_domain_type": "",
  "empty_host_fqdn": "",
  "null_host_hostname": "",
  "null_host_domain": "",
  "null_host_domain_type": "",
  "null_host_fqdn": ""
}
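
The parsing rules from Details, modeled in Python so expected field values can be checked against the examples above before a detection or join depends on them. This is an added example, not the processor's own code. The names `parse_fqdn`, `apply_fqdn` and `watchlist_hit` are hypothetical, and ports, userinfo and IPv6 literals in URLs are left unhandled because the page does not specify them.

```python
import ipaddress
import re

# Model of the behaviour documented on this page; not the processor's own code.
_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def parse_fqdn(value):
    """Return (hostname, domain, domain_type, fqdn) as the page's examples show."""
    if not value:                      # empty string or null -> all components empty
        return ("", "", "", "")
    host = value
    if _SCHEME.match(host):            # URL: drop scheme, then path/query/fragment
        host = re.split(r"[/?#]", _SCHEME.sub("", host, count=1), maxsplit=1)[0]
    if "\\" in host:                   # DOMAIN\hostname
        domain, _, name = host.partition("\\")
        return (name, domain, "Windows", host)
    if _is_ip(host) or "." not in host:  # IPs and bare names carry no domain
        return (host, "", "", "")
    name, _, domain = host.partition(".")  # first label is the hostname
    return (name, domain, "FQDN", host)

def apply_fqdn(event, field, **targets):
    """Write the four components into a copy of event, using {field}_<suffix> defaults."""
    out = dict(event)
    suffixes = ("hostname", "domain", "domain_type", "fqdn")
    for suffix, part in zip(suffixes, parse_fqdn(event.get(field))):
        out[targets.get(f"{suffix}_field", f"{field}_{suffix}")] = part
    return out

def watchlist_hit(value, watchlist):
    """Case is preserved in the output, so fold it before comparing to a lowercase list."""
    hostname, _, _, fqdn = parse_fqdn(value)
    return (fqdn or hostname).lower() in watchlist

# Constructed sample run, using inputs from the page's examples.
if __name__ == "__main__":
    print(apply_fqdn({"website": "HTTPS://WWW.EXAMPLE.COM/Home"}, "website"))
    print(watchlist_hit("HTTPS://WWW.EXAMPLE.COM/Home", {"www.example.com"}))
```

Because IP addresses and bare hostnames leave the FQDN field empty, `watchlist_hit` falls back to the hostname component for those inputs.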