Splunk Enterprise Security

In ES 6.6.x and higher: What is "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?

Path Finder

In ES 6.6.x and higher, what is the meaning of "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?  Does it try to parse the domain from the URL which are the IOCs/threat artifacts, thus creating more domain IOCs, or is it trying to parse the logs (or Web.url where the events are) to get the domain? I know that in the older version, the "Threat Gen" searches would search for domain IOCs in the Web.url field, but I don't think the new version is doing that anymore.

Labels (1)
0 Karma


I believe this is tied to the threatmatch modular input that dispatches a search to use regex to parse the domain out from the URL, for example in the http_collection. You can see that in action by opening up the http_collection with |inputlookup http_collection, while paying attention to the URL that and how the domain gets extracted from it.

The Threat Gen search out the box actually is not responsible for searching domain IOCs in the web.url field, its the "threat matching" tab within threat intelligence management that provides the match configuration logic for "domain" in the Web.url field for that respective data model. I am unsure if this configuration changed out the box from version to version, but the search is just to allow that logic to create notable events based on how the threat match is configured.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud | Customer Survey!

If you use Splunk Observability Cloud, we invite you to share your valuable insights with us through a brief ...

Happy CX Day, Splunk Community!

Happy CX Day, Splunk Community! CX stands for Customer Experience, and today, October 3rd, is CX Day — a ...

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...