Regis
Level 12
Message 1 of 12

Watchlists: Domain vs web_domain ?

Greetings,

When creating a watchlist, does anyone know the difference between the watchlist types domain and web_domain? 

Which would be more appropriate as a target for cyber threat feeds where they identify malicious domains?

I spent 15 minutes outlining the question to one support rep but was getting nowhere.

11 Replies
acommons
Level 10
Message 2 of 12

Re: Watchlists: Domain vs web_domain ?

Domain is a String and web_domain is a Random string.

From the product itself:

The String data type should be used for strings that appear frequently, such as a user name. Random string should be used if the data appears to be random or does not frequently repeat, such as full URLs. Random strings will not be able to use the Alias or case insensitive options while filtering. Too many entries in a string type may cause a decrease in performance on the ESM. Please select the appropriate string type for the intended use.

Malicious domains from threat feeds can build up to very long lists if you do not prune them, which leans towards web-domain, but case sensitivity issues might favour Domain.

cheers

Andrew
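
The trade-off raised in the post above (list size versus the missing case-insensitive option) can be reduced before a feed ever reaches the watchlist. The following Python is an added example, not part of the original thread or the product: it lower-cases, deduplicates and age-prunes feed entries and returns a plain list of values. The `indicator,last_seen` feed format, the 90-day cutoff and all sample values are assumptions, and no ESM API is used.

```python
from datetime import date, timedelta
from urllib.parse import urlsplit

# Constructed sample feed ("indicator,last_seen"); not real threat data.
SAMPLE_FEED = """\
# indicator,last_seen
Bad-Example.TEST,2024-05-01
bad-example.test.,2024-05-20
http://Phish.Example.test/login?x=1,2024-05-18
stale.example.test,2023-01-02
bücher.example.test,2024-05-19
not a domain,2024-05-19
"""

def normalize_domain(raw):
    """Return a canonical lower-case ASCII hostname, or None if unusable."""
    raw = raw.strip()
    try:
        # Feeds mix bare domains and full URLs; keep only the host part.
        host = urlsplit(raw if "://" in raw else "//" + raw).hostname or ""
        # Drop the root dot and convert IDNs to punycode.
        host = host.rstrip(".").encode("idna").decode("ascii").lower()
    except ValueError:  # malformed URL or un-encodable label
        return None
    labels = host.split(".")
    valid = len(labels) >= 2 and all(
        l.replace("-", "").isalnum() and l[0] != "-" and l[-1] != "-"
        for l in labels)
    return host if valid else None

def build_watchlist(feed_text, today, max_age_days=90):
    """Normalize, dedupe and prune a feed; returns sorted watchlist values."""
    cutoff = today - timedelta(days=max_age_days)
    newest = {}  # domain -> most recent last_seen date
    for line in feed_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        raw, _, seen = line.rpartition(",")
        domain = normalize_domain(raw)
        if domain is None:
            continue  # skip entries that are not hostnames
        seen_date = date.fromisoformat(seen.strip())
        if domain not in newest or seen_date > newest[domain]:
            newest[domain] = seen_date
    # Keep only domains seen on or after the cutoff date.
    return sorted(d for d, s in newest.items() if s >= cutoff)

if __name__ == "__main__":
    print("\n".join(build_watchlist(SAMPLE_FEED, date(2024, 6, 1))))
```
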

Regis
Level 12
Message 3 of 12

Re: Watchlists: Domain vs web_domain ?

Andrew, you forgot [mic drop] on an epic and informative answer. 🙂 Thank you.

Where specifically did you unearth these nuggets of documentation?

Re: Watchlists: Domain vs web_domain ?

Hey Regis,

These descriptions are under custom types. You can only see these when logged in as NGCP.

Capture.PNG


Regis
Level 12
Message 5 of 12

Re: Watchlists: Domain vs web_domain ?

minsktractorworks wrote:

Hey Regis,

These descriptions are under custom types. You can only see these when logged in as NGCP.

Capture.PNG

Holy cat crap. What brain trust decided that only NGCP is worthy of useful help text here?

Thank you so much for this tip of the hidden documentation. Product management, if this user-specific documentation level isn't going to be fixed in 10, could ya add it to the list? 🙂

penoffd
Reliable Contributor
Message 6 of 12

Re: Watchlists: Domain vs web_domain ?

This is no different than the many variants of regex flavors allowed for use depending on what device you're working in.  ADM, ACE, Receiver, they all play differently in this respect as if they are completely unique entities.  Confusing and frustrating.  Hopefully some day this will be resolved.

Thank you, Andrew.

acommons
Level 10
Message 7 of 12

Re: Watchlists: Domain vs web_domain ?

Our comrades at the tractor works are correct, the information is cunningly presented as part of the Add Custom Type dialogue. You stumble upon these nuggets from time to time.

Another factor, and one which may be very important, is the target fields you want to use the Watchlist with... most parsers put the Domain in the Domain field and the Web Domain watchlist is not available for selection in Views when the field is a Domain. I know the various interfaces have subtle differences but I think this will probably be global.

This may force your hand.

cheers,

Andrew

Regis
Level 12
Message 8 of 12

Re: Watchlists: Domain vs web_domain ?

acommons wrote:

Our comrades at the tractor works are correct, the information is cunningly presented as part of the Add Custom Type dialogue. You stumble upon these nuggets from time to time.

Another factor, and one which may be very important, is the target fields you want to use the Watchlist with... most parsers put the Domain in the Domain field and the Web Domain watchlist is not available for selection in Views when the field is a Domain. I know the various interfaces have subtle differences but I think this will probably be global.

This may force your hand.

cheers,

Andrew

LOL. This mix of pith and tech info is so up my alley. Bravo. Thank you.

Regis
Level 12
Message 9 of 12

Re: Watchlists: Domain vs web_domain ?

I wish the forum would allow me to flag 2 correct answers.

Re: Watchlists: Domain vs web_domain ?

Give it to acommons, he's funnier than me.
