Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In ES 6.6.x and higher: What is "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?

teresachila
Path Finder
‎02-25-2022 12:22 PM

In ES 6.6.x and higher, what is the meaning of "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?  Does it try to parse the domain from the URL which are the IOCs/threat artifacts, thus creating more domain IOCs, or is it trying to parse the logs (or Web.url where the events are) to get the domain? I know that in the older version, the "Threat Gen" searches would search for domain IOCs in the Web.url field, but I don't think the new version is doing that anymore.

Labels (1)
Labels
0 Karma
Reply

jaspersplunkfu
Engager
‎05-18-2023 09:19 AM

I believe this is tied to the threatmatch modular input that dispatches a search to use regex to parse the domain out from the URL, for example in the http_collection. You can see that in action by opening up the http_collection with |inputlookup http_collection, while paying attention to the URL that and how the domain gets extracted from it.

The Threat Gen search out the box actually is not responsible for searching domain IOCs in the web.url field, its the "threat matching" tab within threat intelligence management that provides the match configuration logic for "domain" in the Web.url field for that respective data model. I am unsure if this configuration changed out the box from version to version, but the search is just to allow that logic to create notable events based on how the threat match is configured.

0 Karma
Reply
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey


Introducing Unified TDIR with the New Enterprise Security 8.2

Read the blog
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...