11 Replies. Latest reply on Jul 11, 2016 3:48 PM by rth67

    Watchlists: Domain vs web_domain?

    Regis

      Greetings,

      When creating a watchlist, does anyone know the difference between the watchlist types domain and web_domain?

      Which would be more appropriate as a target for cyber threat feeds where they identify malicious domains?

      I spent 15 minutes outlining the question to one support rep but was getting nowhere.

        • 1. Re: Watchlists: Domain vs web_domain?
          acommons

          Domain is a String and web_domain is a Random string.

          From the product itself:

          The String data type should be used for strings that appear frequently, such as a user name. Random string should be used if the data appears to be random or does not frequently repeat, such as full URLs. Random strings will not be able to use the Alias or case insensitive options while filtering. Too many entries in a string type may cause a decrease in performance on the ESM. Please select the appropriate string type for the intended use.

          Malicious domains from threat feeds can build up to very long lists if you do not prune them, which leans towards web_domain, but case sensitivity issues might favour Domain.

          cheers

          Andrew

          • 2. Re: Watchlists: Domain vs web_domain?
            Regis

            Andrew, you forgot [mic drop] on an epic and informative answer. :-) Thank you.

            Where specifically did you unearth these nuggets of documentation?

            • 3. Re: Watchlists: Domain vs web_domain?
              minsktractorworks

              Hey Regis,

              These descriptions are under custom types. You can only see these when logged in as NGCP.

              [attachment: Capture.PNG]

              • 4. Re: Watchlists: Domain vs web_domain?
                minsktractorworks

                Something else to keep in mind is that a field such as "Domain", which is an indexed string, cannot have Regex used on it within correlation rules. However, "web_domain", which is an indexed random string, can have Regex applied, which is extremely useful for picking certain elements out of a domain, such as an actual IP address being accessed through a proxy server.

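Two practical points come out of replies 1 and 4: a web_domain (random string) watchlist cannot use the case-insensitive filter option, so feed values need to be normalised before loading, and a regex over the value is what lets you spot entries that are really IP literals rather than registered domain names. The following Python script is an added example, not code from this thread or from the ESM product, and it makes no use of any ESM API. It assumes a plain-text feed with one indicator per line and '#' comments; the indicator values are constructed placeholders, and the function and field names (normalise, classify, parse_feed, FeedResult) are the example's own.

```python
"""Prepare a malicious-domain threat feed for loading into a web_domain watchlist.

Added example (not from the thread or the ESM product). It assumes a plain-text
feed, one indicator per line, with '#' comments. It normalises case and form so
that a case-sensitive random-string watchlist holds one entry per host, drops
duplicates (keeps the list from growing without bound), and uses a regex to
separate IP-literal hosts from domain names so they can be routed to an
IP-typed watchlist instead.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Hostname label per RFC 1123: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
# Two or more labels; the last label (TLD) must not be all digits.
DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+(?!\d+$){_LABEL}$")
# Dotted-quad shape only; octet ranges are validated with ipaddress afterwards.
IPV4_SHAPE_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


@dataclass
class FeedResult:
    domains: list[str] = field(default_factory=list)      # ready for the web_domain watchlist
    ip_literals: list[str] = field(default_factory=list)  # hosts that are IPs, not domains
    rejected: list[str] = field(default_factory=list)     # malformed lines, kept for review
    duplicates: int = 0


def normalise(indicator: str) -> str:
    """Canonical form: trimmed, lower-cased, scheme/port/path removed, no trailing dot.

    Random-string watchlists cannot filter case-insensitively, so without this
    'Evil.Example.COM' and 'evil.example.com' would be two entries that match
    different events.
    """
    value = indicator.strip().lower()
    value = re.sub(r"^[a-z][a-z0-9+.-]*://", "", value)  # drop http://, https://, ...
    value = value.split("/", 1)[0].split(":", 1)[0]      # drop path and port
    return value.rstrip(".")                               # drop FQDN trailing dot


def classify(value: str) -> str:
    """Return 'ip' for a valid IPv4 literal, 'domain' for a well-formed hostname, else 'rejected'."""
    if IPV4_SHAPE_RE.match(value):
        try:
            ipaddress.IPv4Address(value)
            return "ip"
        except ValueError:
            return "rejected"  # dotted-quad shape but an octet is out of range
    return "domain" if DOMAIN_RE.match(value) else "rejected"


def parse_feed(text: str) -> FeedResult:
    """Parse a feed into watchlist-ready domains, IP literals, rejects and a duplicate count."""
    result = FeedResult()
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        value = normalise(line)
        if value in seen:
            result.duplicates += 1
            continue
        seen.add(value)
        kind = classify(value)
        if kind == "ip":
            result.ip_literals.append(value)
        elif kind == "domain":
            result.domains.append(value)
        else:
            result.rejected.append(raw.strip())
    return result


# Constructed sample feed; placeholder indicators, not real IoCs.
SAMPLE_FEED = """\
# constructed feed, one indicator per line
Evil.Example.COM
evil.example.com.
http://phish.example.net/login
198.51.100.23
999.1.1.1
-bad-.example.org
evil.example.com
"""

if __name__ == "__main__":
    r = parse_feed(SAMPLE_FEED)
    print("watchlist entries:", r.domains)
    print("ip literals:", r.ip_literals)
    print("rejected:", r.rejected, "duplicates:", r.duplicates)
```

The domain list is what you would import into the web_domain watchlist; the IP literals belong in an IP-typed watchlist, and the rejected lines are worth a glance before each refresh, since a feed that suddenly produces many rejects usually means its format changed.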
                • 5. Re: Watchlists: Domain vs web_domain?
                  acommons

                  Our comrades at the tractor works are correct; the information is cunningly presented as part of the Add Custom Type dialogue. You stumble upon these nuggets from time to time.

                  Another factor, and one which may be very important, is the target fields you want to use the Watchlist with. Most parsers put the Domain in the Domain field, and the Web Domain watchlist is not available for selection in Views when the field is a Domain. I know the various interfaces have subtle differences, but I think this will probably be global.

                  This may force your hand.

                  cheers,

                  Andrew
                  • 6. Re: Watchlists: Domain vs web_domain?
                    Regis

                    minsktractorworks wrote:

                      Hey Regis,

                      These descriptions are under custom types. You can only see these when logged in as NGCP.

                      [attachment: Capture.PNG]

                    Holy cat crap. What brain trust decided that only NGCP is worthy of useful help text here?

                    Thank you so much for this tip of the hidden documentation. Product management, if this user-specific documentation level isn't going to be fixed in 10, could ya add it to the list? :-)

                    • 7. Re: Watchlists: Domain vs web_domain?
                      Regis

                      acommons wrote:

                        Our comrades at the tractor works are correct; the information is cunningly presented as part of the Add Custom Type dialogue. You stumble upon these nuggets from time to time.

                        Another factor, and one which may be very important, is the target fields you want to use the Watchlist with. Most parsers put the Domain in the Domain field, and the Web Domain watchlist is not available for selection in Views when the field is a Domain. I know the various interfaces have subtle differences, but I think this will probably be global.

                        This may force your hand.

                        cheers,

                        Andrew

                      LOL. This mix of pith and tech info is so up my alley. Bravo. Thank you.

                      • 8. Re: Watchlists: Domain vs web_domain?
                        Regis

                        I wish the forum would allow me to flag 2 correct answers.

                        • 9. Re: Watchlists: Domain vs web_domain?
                          minsktractorworks

                          Give it to acommons, he's funnier than me.
