I have web proxy URL events populated and I want to check these populated URLs against a list of domains.
I have created a local variable to get the active list value and match it against the populated event.
My problem is I can't check if the populated URL CONTAINS any of the domains in my list.
I only have the option to match with the "=" sign.
Hope you get my point.
Depending on your proxy type and how it is being parsed, have a look in the destinationHostName and also the RequestUrlHost field - that should be the domain data without all the additional query strings, which you can then compare with your list?
It may help to understand your use case for this list matching - is it a threat list or some other use?
First, a word of warning...
For most threat lists of domains, the subdomain may be relevant to the threat - think of malware hosted on an AWS- or Azure-hosted server. Additionally, what about the TLD? Facebook.com = good, Facebook.onion = maybe not good.
Also, stripping down to just the domain and doing a "Contains" will generate false positives and false negatives - think of all the malware domains that may use the name of a bank or Google or other valid domains along with some extra text in their phishing domain.
And in other instances, the subdirectory or query may be relevant, i.e. a piece of malware or a C2 connection hosted on a valid domain such as GitHub / AWS etc.
That said, to do what you want to achieve, you will need to play with variables to strip the www and .com from the destinationHostName and then compare against your list - along the lines of several local variables that find the index of the "." and then strip the text, leaving just the first part of the domain name behind.
There will be scenarios that fail to work correctly by stripping the subdomain and TLD - but have a look and see if it suits your use case?
I have already created a global variable and stripped the URL to only the domain.
By doing so, my list matches only the domain and not subdomains.
This is why I needed to use the CONTAINS value and not the "=" value, so I can match it.
My research led to a dead end in this matter; all I could find is the "=" value.
My scenario is not just for the proxy connector, but I also have a custom database connector that gets the following:
- device custom string 5: ABCD123123ABC
- my list contains: 3A
This is what I want to match, so the solution to strip out the value in front of 3A will not work.
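As an added example that is not code from the thread (or from any SIEM product), the following Python shows the two matching behaviours discussed above side by side: a dot-boundary domain match that catches subdomains without the look-alike false positive the reply warns about, and a plain substring match for the database-connector case where the list value really is a fragment. The event field names (requestUrl, deviceCustomString5) and all sample values are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample events; the field names requestUrl and
# deviceCustomString5 are assumptions, not taken from any product schema.
EVENTS = [
    {"requestUrl": "http://www.example.com/index.html"},         # the listed domain
    {"requestUrl": "https://cdn.example.com/assets/app.js"},     # a subdomain of it
    {"requestUrl": "http://example.com.lookalike.test/login"},   # look-alike host
    {"deviceCustomString5": "ABCD123123ABC"},                    # database connector row
]
DOMAIN_LIST = ["example.com"]   # constructed "active list" of domains
SUBSTRING_LIST = ["3A"]         # constructed list of raw substrings

def host_of(url):
    """Lowercase hostname of a URL (path and query string dropped), or None."""
    host = urlsplit(url).hostname
    return host.lower() if host else None

def host_matches(host, domain):
    """True when host is the domain itself or one of its subdomains.

    Anchoring on the dot boundary keeps 'example.com.lookalike.test' from
    matching 'example.com', which a plain substring check would accept."""
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)

def naive_matches(event, indicators):
    """The plain CONTAINS check the thread asks about, run on the raw URL."""
    url = event.get("requestUrl", "")
    return [i for i in indicators if i in url]

def match_event(event, domains, substrings):
    """Return (kind, indicator) pairs the event matches.

    Domains are compared against the parsed host on a dot boundary; raw
    substrings are searched in deviceCustomString5, the case where a
    genuine CONTAINS is the right semantics."""
    hits = []
    url = event.get("requestUrl")
    host = host_of(url) if url else None
    if host:
        hits += [("domain", d) for d in domains if host_matches(host, d)]
    value = event.get("deviceCustomString5", "")
    hits += [("substring", s) for s in substrings if s in value]
    return hits

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev, "->", match_event(ev, DOMAIN_LIST, SUBSTRING_LIST),
              "| naive:", naive_matches(ev, DOMAIN_LIST))
```

Running it shows the look-alike host is flagged by the naive check but not by the dot-boundary match, while the subdomain and the 3A fragment are still caught.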