cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Regis
Regis
Level 12
Report Inappropriate Content
Message 1 of 12
‎06-22-2016 08:28 PM

Watchlists: Domain vs web_domain ?

Jump to solution

Greetings,

When creating a watchlist, does anyone know the difference between the watchlist types domain and web_domain? 

Which would be more appropriate as a target for cyber threat feeds where they identify malicious domains?

I spent 15 minutes outlining the question to one support rep but was getting nowhere.

0 Kudos
Reply
1 Solution

Accepted Solutions
minsktractorwor
minsktractorwor
Level 9
Report Inappropriate Content
Message 4 of 12
‎06-23-2016 05:04 PM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

Hey Regis,

These descriptions are under custom types. You can only see these when logged in as NGCP.

Capture.PNG

View solution in original post

Reply
11 Replies
Highlighted
acommons
acommons
Level 10
Report Inappropriate Content
Message 2 of 12
‎06-23-2016 05:53 AM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

Domain is a String and web_domain is a Random string.

From the product itself:

The String data type should be used for strings that appear frequently, such as a user name. Random string should be used if the data appears to be random or does not frequently repeat, such as full URLs. Random strings will not be able to use the Alias or case insensitive options while filtering. Too many entries in a string type may cause a decrease in performance on the ESM. Please select the appropriate string type for the intended use.

Malicious domains from threat feeds can build up to very long lists if you do not prune them which leans towards web-domain but case sensitivity issues might favour Domain.

cheers

Andrew

Reply
Regis
Regis
Level 12
Report Inappropriate Content
Message 3 of 12
‎06-23-2016 06:28 AM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

Andrew, you forgot [mic drop]  on an epic and informative answer.  🙂  Thank you.

Where specifically did you unearth these nuggets of documentation?   

0 Kudos
Reply
minsktractorwor
minsktractorwor
Level 9
Report Inappropriate Content
Message 4 of 12
‎06-23-2016 05:04 PM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

Hey Regis,

These descriptions are under custom types. You can only see these when logged in as NGCP.

Capture.PNG

View solution in original post

Reply
Regis
Regis
Level 12
Report Inappropriate Content
Message 5 of 12
‎06-24-2016 06:52 AM

Re: Watchlists: Domain vs web_domain ?

Jump to solution 

minsktractorworks wrote:


Hey Regis,


These descriptions are under custom types. You can only see these when logged in as NGCP.


Capture.PNG

Holy cat crap.     What brain trust decided that only NGCP is worthy of useful help text here?     

Thank you so much for this tip of the hidden documentation.     Product management,  if this user-specific documentation level isn't going to be fixed in 10,  could ya add it to the list?  🙂 

0 Kudos
Reply
penoffd
penoffd Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 12
‎06-29-2016 04:25 AM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

This is no different than the many variants of regex flavors allowed for use depending on what device you're working in.  ADM, ACE, Receiver, they all play differently in this respect as if they are completely unique entities.  Confusing and frustrating.  Hopefully some day this will be resolved.

Thank you, Andrew.

0 Kudos
Reply
acommons
acommons
Level 10
Report Inappropriate Content
Message 7 of 12
‎06-23-2016 09:25 PM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

Our comrades at the tractor works are correct, the information is cunningly presented as part of the Add Custom Type dialogue You stumble upon these nuggets from time to time.

Another factor, and one which may be very important, is the target fields you want to use the Watchlist with....most parsers put the Domain in the Domain field and the Web Domain watchlist is not available for selection in Views when the fields is a Domain. I know the various interfaces have subtle differences but I think this will probably be global.

This may force your hand.

cheers,

Andrew

Reply
Regis
Regis
Level 12
Report Inappropriate Content
Message 8 of 12
‎06-24-2016 06:55 AM

Re: Watchlists: Domain vs web_domain ?

Jump to solution 

acommons wrote:


Our comrades at the tractor works are correct, the information is cunningly presented as part of the Add Custom Type dialogue  You stumble upon these nuggets from time to time.


Another factor, and one which may be very important, is the target fields you want to use the Watchlist with....most parsers put the Domain in the Domain field and the Web Domain watchlist is not available for selection in Views when the fields is a Domain. I know the various interfaces have subtle differences but I think this will probably be global.


This may force your hand.


cheers,

Andrew

LOL.   This mix of pith and tech info is so up my alley.   Bravo.  Thank you.

Reply
Regis
Regis
Level 12
Report Inappropriate Content
Message 9 of 12
‎06-24-2016 10:01 AM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

I wish the forum would allow me to flag 2 correct answers.

0 Kudos
Reply
minsktractorwor
minsktractorwor
Level 9
Report Inappropriate Content
Message 10 of 12
‎06-26-2016 06:05 PM

Re: Watchlists: Domain vs web_domain ?

Jump to solution

Give it to acommons, he's funnier than me.

0 Kudos
Reply
You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community


Corporate Headquarters
2821 Mission College Blvd.
Santa Clara, CA 95054 USA

Consumer Support   |   Enterprise Support   |   McAfee.com

Legal   |   Privacy   |   Copyright © 2019 McAfee, LLC