Greetings,
When creating a watchlist, does anyone know the difference between the watchlist types domain and web_domain?
Which would be more appropriate as a target for cyber threat feeds where they identify malicious domains?
I spent 15 minutes outlining the question to one support rep but was getting nowhere.
Hey Regis,
These descriptions are under custom types. You can only see these when logged in as NGCP.
Domain is a String and web_domain is a Random string.
From the product itself:
The String data type should be used for strings that appear frequently, such as a user name. Random string should be used if the data appears to be random or does not frequently repeat, such as full URLs. Random strings will not be able to use the Alias or case insensitive options while filtering. Too many entries in a string type may cause a decrease in performance on the ESM. Please select the appropriate string type for the intended use.
Malicious domains from threat feeds can build up to very long lists if you do not prune them, which leans towards web_domain, but case sensitivity issues might favour Domain.
cheers
Andrew
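Since a Random-string (web_domain) watchlist only matches exactly and threat-feed lists grow without pruning, a small pre-processing step helps. The following is an added example, not code from the thread or the vendor's product: it lowercases and strips feed indicators to bare host names, keeps one entry per domain, and drops anything not seen within an assumed retention window. The feed format and the 30-day window are assumptions.

```python
"""Prepare a threat-feed domain list for a case-sensitive watchlist.

Constructed example, not from the forum thread or the vendor's tooling.
A Random-string watchlist matches exactly, so every entry is canonicalised
to lowercase before loading, and entries not seen in the feed for more than
MAX_AGE_DAYS are pruned to keep the list short.
"""
from datetime import date, timedelta

MAX_AGE_DAYS = 30  # assumed retention window

# Constructed feed lines: "<indicator>,<last_seen YYYY-MM-DD>"
FEED = """\
Evil-Example.COM,2024-05-20
evil-example.com.,2024-05-21
http://Bad.Example.NET/path,2024-05-01
bad.example.net,2024-01-15
Stale.Example.ORG,2023-12-31
"""

def canonical_domain(indicator: str) -> str:
    """Reduce a feed indicator (domain or URL) to a lowercase host name."""
    host = indicator.strip()
    if "://" in host:                       # drop scheme
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]            # drop path
    host = host.split(":", 1)[0]            # drop port
    return host.rstrip(".").lower()         # no trailing dot, exact-match safe

def build_watchlist(feed: str, today: date, max_age_days: int = MAX_AGE_DAYS) -> list[str]:
    """Return a deduplicated, pruned, lowercase domain list ready to load."""
    cutoff = today - timedelta(days=max_age_days)
    latest: dict[str, date] = {}
    for line in feed.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        raw, seen = line.rsplit(",", 1)
        dom = canonical_domain(raw)
        seen_on = date.fromisoformat(seen.strip())
        if dom and seen_on > latest.get(dom, date.min):
            latest[dom] = seen_on           # keep the most recent sighting per domain
    return sorted(d for d, s in latest.items() if s >= cutoff)

if __name__ == "__main__":
    for d in build_watchlist(FEED, date(2024, 5, 25)):
        print(d)
```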
Andrew, you forgot [mic drop] on an epic and informative answer. 🙂 Thank you.
Where specifically did you unearth these nuggets of documentation?
minsktractorworks wrote:
Hey Regis,
These descriptions are under custom types. You can only see these when logged in as NGCP.
Holy cat crap. What brain trust decided that only NGCP is worthy of useful help text here?
Thank you so much for this tip of the hidden documentation. Product management, if this user-specific documentation level isn't going to be fixed in 10, could ya add it to the list? 🙂
This is no different than the many variants of regex flavors allowed for use depending on what device you're working in. ADM, ACE, Receiver, they all play differently in this respect as if they are completely unique entities. Confusing and frustrating. Hopefully some day this will be resolved.
Thank you, Andrew.
Our comrades at the tractor works are correct, the information is cunningly presented as part of the Add Custom Type dialogue. You stumble upon these nuggets from time to time.
Another factor, and one which may be very important, is the target fields you want to use the Watchlist with. Most parsers put the Domain in the Domain field, and the Web Domain watchlist is not available for selection in Views when the field is a Domain. I know the various interfaces have subtle differences but I think this will probably be global.
This may force your hand.
cheers,
Andrew
acommons wrote:
Our comrades at the tractor works are correct, the information is cunningly presented as part of the Add Custom Type dialogue. You stumble upon these nuggets from time to time.
Another factor, and one which may be very important, is the target fields you want to use the Watchlist with. Most parsers put the Domain in the Domain field, and the Web Domain watchlist is not available for selection in Views when the field is a Domain. I know the various interfaces have subtle differences but I think this will probably be global.
This may force your hand.
cheers,
Andrew
LOL. This mix of pith and tech info is so up my alley. Bravo. Thank you.
I wish the forum would allow me to flag 2 correct answers.
Give it to acommons, he's funnier than me.