
Indexing DataType "URL" for use in watchlists and TAXII STIX IoC alerting

Hi, in the default configuration the data type URL is defined as a "Random String" Custom Field 8 (short) and is available for selection in summaries, watchlists and dashboards.

All searches have to be done on a regex if trying to report on objects in the URI, i.e. /chrome.exe.

As we receive a number of TAXII feeds as cyber threat feeds that populate watchlists, we can't use them as there is no index.

What is the recommended solution here: create a new custom Data Type and set indexes?

Conscious of partition rollover if URLs are added to indexes.

0 Kudos