In ES 6.6.x and higher: What is "Parse Domain from...

teresachila · ‎02-25-2022

In ES 6.6.x and higher, what is the meaning of "Parse Domain from URL" under the Global Setting of Threat Intelligence Management? Does it try to parse the domain from the URL which are the IOCs/threat artifacts, thus creating more domain IOCs, or is it trying to parse the logs (or Web.url where the events are) to get the domain? I know that in the older version, the "Threat Gen" searches would search for domain IOCs in the Web.url field, but I don't think the new version is doing that anymore.

jaspersplunkfu · ‎05-18-2023

I believe this is tied to the threatmatch modular input that dispatches a search to use regex to parse the domain out from the URL, for example in the http_collection. You can see that in action by opening up the http_collection with |inputlookup http_collection, while paying attention to the URL that and how the domain gets extracted from it.

The Threat Gen search out the box actually is not responsible for searching domain IOCs in the web.url field, its the "threat matching" tab within threat intelligence management that provides the match configuration logic for "domain" in the Web.url field for that respective data model. I am unsure if this configuration changed out the box from version to version, but the search is just to allow that logic to create notable events based on how the threat match is configured.

In ES 6.6.x and higher: What is "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?

using Enterprise Security

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life