
How to find if a domain is suspicious or not

  • April 4, 2025
  • 3 replies
  • 35 views

MikelSA

Hi there, how are you doing!

So, I'm working on this block where I'm trying to find out if a domain is suspicious or not.

I receive a domain as input, create the entity, do a WHOIS, and then, is there any possibility with Siemplify or Google Chronicle to check whether the domain is suspicious or not?

I mean, I don't know if I'm doing it right or not, but I tried Enrich Domain from Chronicle and it doesn't work. Probably I'm doing it wrong.

Any ideas? Thanks!

3 replies

f3rz (Staff)
  • April 4, 2025

Enrich Domain from the Chronicle integration will only return data if that domain has been created as an IOC in the SIEM (Chronicle).

I recommend you review this article regarding IOCs in SIEM: https://medium.com/@thatsiemguy/ioc-matching-in-chronicle-siem-45a97c0b91a8


MikelSA (Author)
  • April 4, 2025

Oh thanks, so if it doesn't return data, it's not suspicious. Thank you!


SoarAndy (Staff)
  • April 4, 2025

WHOIS won't tell you if it's malicious.

For a verdict you should use Threat Intel (VirusTotal, Mandiant, GTI, or any other vendor). If you use a marketplace Action for a TI provider, then in addition to the JSON output, the Entity should change colour to red and [entity.isSuspicious] will be true. From this you can build Flow conditions:

  • If [entity.isSuspicious] contains True >> this is a catch-all "something in this Alert is bad"
  • Or you can do more fine-grained testing depending on your use case
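The pattern SoarAndy describes, as an added example that is not part of the thread and not Google's or Siemplify's own code: an offline model of what a marketplace TI action does to a Domain entity, followed by the two playbook conditions (the catch-all "anything suspicious in this alert" and a finer-grained split). The TI responses are constructed in the shape of VirusTotal v3 `last_analysis_stats`, the threshold is an assumed tuning knob, and `SiemplifyEntity` is a stand-in with the same attribute names the SDK entity object exposes (`identifier`, `is_suspicious`, `additional_properties`) so the script runs without the SDK installed. It keeps "no data from the provider" separate from "clean", because a feed that has never seen a domain has not vouched for it.

```python
"""
Added example (not from the thread, not vendor code): model of a TI
enrichment action on Domain entities plus the playbook conditions on top.
Assumptions: VirusTotal-style engine counts, a hand-picked threshold, and
a stand-in entity class instead of the real SiemplifyAction SDK.
"""
from dataclasses import dataclass, field

# Constructed sample responses in the shape of VirusTotal v3
# data.attributes.last_analysis_stats (assumption: only that sub-document
# is modelled). None means the provider returned nothing for the domain.
SAMPLE_TI = {
    "example.com":         {"malicious": 0,  "suspicious": 0, "harmless": 70, "undetected": 20},
    "bad-domain.test":     {"malicious": 12, "suspicious": 3, "harmless": 50, "undetected": 25},
    "unknown-domain.test": None,
}

# Assumed tuning knob for this example; choose it per feed and per use case.
MALICIOUS_THRESHOLD = 3


@dataclass
class SiemplifyEntity:
    """Stand-in for the SDK entity object (same attribute names)."""
    identifier: str
    entity_type: str = "DOMAIN"
    is_suspicious: bool = False
    additional_properties: dict = field(default_factory=dict)


def lookup_domain(domain):
    """Stand-in for the HTTPS call a real action makes to the TI provider."""
    return SAMPLE_TI.get(domain.lower())


def ti_verdict(stats, threshold=MALICIOUS_THRESHOLD):
    """Turn engine counts into (is_suspicious, status).

    status is "no_data", "clean" or "suspicious". "no_data" is deliberately
    not "clean": an unknown domain is unknown, not vetted.
    """
    if stats is None:
        return False, "no_data"
    hits = stats.get("malicious", 0) + stats.get("suspicious", 0)
    flagged = hits >= threshold
    return flagged, ("suspicious" if flagged else "clean")


def enrich_domains(entities):
    """What the marketplace action does: enrich each DOMAIN entity in place."""
    for entity in entities:
        if entity.entity_type != "DOMAIN":
            continue
        stats = lookup_domain(entity.identifier)
        flagged, status = ti_verdict(stats)
        entity.is_suspicious = flagged            # drives the red entity colour
        # Prefixed keys land in the entity's enrichment table in the case.
        entity.additional_properties["TI_status"] = status
        if stats is not None:
            entity.additional_properties["TI_malicious"] = stats.get("malicious", 0)
            entity.additional_properties["TI_suspicious"] = stats.get("suspicious", 0)
    # A real action would now call siemplify.update_entities(entities).
    return entities


def any_entity_suspicious(entities):
    """Playbook catch-all: `[entity.isSuspicious] contains True`."""
    return any(e.is_suspicious for e in entities)


def domains_by_status(entities):
    """Finer-grained branching: group domains so 'no_data' can be routed to
    manual review or a second provider instead of being treated as benign."""
    buckets = {"suspicious": [], "clean": [], "no_data": []}
    for e in entities:
        if e.entity_type == "DOMAIN":
            buckets[e.additional_properties.get("TI_status", "no_data")].append(e.identifier)
    return buckets


if __name__ == "__main__":
    alert = [SiemplifyEntity(d) for d in SAMPLE_TI]
    enrich_domains(alert)
    print("alert has something bad:", any_entity_suspicious(alert))
    print(domains_by_status(alert))
```

In a real action the entity list comes from `SiemplifyAction().target_entities`, the changes are persisted with `update_entities`, and the branching is done in the playbook designer rather than in Python; the point of the split into `suspicious`, `clean` and `no_data` is that an empty enrichment result (as with Enrich Domain when the domain is not a Chronicle IOC) should not be read as a clean verdict.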