Splunk Enterprise Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

In ES 6.6.x and higher: What is "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?

teresachila
Path Finder
‎02-25-2022 12:22 PM

In ES 6.6.x and higher, what is the meaning of "Parse Domain from URL" under the Global Setting of Threat Intelligence Management?  Does it try to parse the domain from the URL which are the IOCs/threat artifacts, thus creating more domain IOCs, or is it trying to parse the logs (or Web.url where the events are) to get the domain? I know that in the older version, the "Threat Gen" searches would search for domain IOCs in the Web.url field, but I don't think the new version is doing that anymore.

Labels (1)
Labels
0 Karma
Reply

jaspersplunkfu
Engager
‎05-18-2023 09:19 AM

I believe this is tied to the threatmatch modular input that dispatches a search to use regex to parse the domain out from the URL, for example in the http_collection. You can see that in action by opening up the http_collection with |inputlookup http_collection, while paying attention to the URL that and how the domain gets extracted from it.

The Threat Gen search out the box actually is not responsible for searching domain IOCs in the web.url field, its the "threat matching" tab within threat intelligence management that provides the match configuration logic for "domain" in the Web.url field for that respective data model. I am unsure if this configuration changed out the box from version to version, but the search is just to allow that logic to create notable events based on how the threat match is configured.

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...