0 Replies Latest reply on Nov 6, 2017 6:40 PM by ericappelboom

    Indexing DataType "URL" for use in watchlists and TAXII STIX IoC alerting

    ericappelboom

      Hi, in the default configuration the data type URL is defined as a "Random String" Custom Field 8 (short) and is available for selection in summaries, watchlists and dashboards.

      All searches have to be done on a regex if trying to report on objects in the URI, i.e. /chrome.exe.

      As we receive a number of TAXII feeds as cyber threat feeds that populate watchlists, we can't use them as there is no index.

      What is the recommended solution here: create a new custom Data Type and set indexes?

      Conscious of partition rollover if URLs are added to indexes.