https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/extracting-domains-not-from-url/m-p/588008#M3343 <P>Hello Live Comm,</P> <P>I am working on a use-case that allows us to extract indicators from specific reports and then pushes them to monitoring systems.&nbsp;</P> <P>We have seen that using the built-in Extract Indicator command causes domains to be extracted from URLs. Is there a way to allow only domains that are not in a URL to be extracted? I can see that you cant detach the indicator type or edit its Regex property.</P> <P>For example:</P> <P>github.com/malicious/repo is extracting github.com. This can cause a lot of havoc as many FP alerts can be encountered from this generally legitimate domain.&nbsp;</P> <P>Many thanks,</P> <P>MR</P> <P><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp;</P> Mon, 27 May 2024 13:19:20 GMT michaelsysec242 2024-05-27T13:19:20Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/extracting-domains-not-from-url/m-p/588008#M3343 <P>Hello Live Comm,</P> <P>I am working on a use-case that allows us to extract indicators from specific reports and then pushes them to monitoring systems.&nbsp;</P> <P>We have seen that using the built-in Extract Indicator command causes domains to be extracted from URLs. Is there a way to allow only domains that are not in a URL to be extracted? I can see that you cant detach the indicator type or edit its Regex property.</P> <P>For example:</P> <P>github.com/malicious/repo is extracting github.com. This can cause a lot of havoc as many FP alerts can be encountered from this generally legitimate domain.&nbsp;</P> <P>Many thanks,</P> <P>MR</P> <P><LI-PRODUCT title="Cortex XSOAR" id="Cortex_XSOAR"></LI-PRODUCT>&nbsp;</P> Mon, 27 May 2024 13:19:20 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/extracting-domains-not-from-url/m-p/588008#M3343 michaelsysec242 2024-05-27T13:19:20Z https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/extracting-domains-not-from-url/m-p/588044#M3344 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/209373">@michaelsysec242</a>, I don't think there is a way to ignore the domains without modifying the regex. I use the below method.&nbsp;</P> <P>&nbsp;</P> <P>1. Run the&nbsp;<CODE>extractIndicators</CODE> command (This will generate the list of URLs and Domains under the <STRONG>ExtractedIndicators</STRONG> key, the list of domains also contain domain-only IOCs)</P> <P>2. Run the&nbsp;<CODE>extractIndicators</CODE> command on the&nbsp;<STRONG>ExtractedIndicators.URL</STRONG> key. You'll need to run the command with some DT to extract the domains. (Note, the list of domains added to&nbsp;<STRONG>domainfromURL</STRONG> key are domains extracted from URLs only)</P> <P><CODE>!extractIndicators text=${ExtractedIndicators.URL} ignore-outputs=true extend-context=domainfromURL=.=JSON.parse(val).Domain[0]</CODE></P> <P>3. Then run the set function with a filter to ignore Domains that are in the&nbsp;<STRONG>domainfromURL</STRONG> list. Example below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="example_of_set_function.png" style="width: 704px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60057i7562A61A21272C60/image-dimensions/704x331?v=v2" width="704" height="331" role="button" title="example_of_set_function.png" alt="example_of_set_function.png" /></span></P> <P>&nbsp;</P> <P>I hope this helps.&nbsp;</P> Tue, 28 May 2024 03:08:49 GMT https://live.paloaltonetworks.com/t5/cortex-xsoar-discussions/extracting-domains-not-from-url/m-p/588044#M3344 jfernandes1 2024-05-28T03:08:49Z