
Hi there, how are you doing!

So, I'm with this block where I'm trying to find if a domain is suspicious or not.

I receive a domain as input, create the entity, do a whois, and then is there any possibility with Siemplify or Google Chronicle to check if the domain is suspicious or not?

I mean, I don't know if I'm doing it right or not, but I tried the Enrich Domain from Chronicle and it doesn't work. Probably I'm doing it wrong.

Any ideas? Thanks!

Enrich Domain from the Chronicle integration will only return data if that domain is created as an IOC in SIEM (Chronicle).

I recommend you review this article regarding IOCs in SIEM: https://medium.com/@thatsiemguy/ioc-matching-in-chronicle-siem-45a97c0b91a8


Oh thanks, so if it doesn't return data, it's not suspicious. Thank you!


Whois won't tell you if it's malicious.

For a verdict you should use Threat Intel (VirusTotal, Mandiant, GTI, or any other vendor). If you use a marketplace Action for a TI provider, in addition to the JSON output, the Entity should change colour to red, and [entity.isSuspicious] will be true. From this you can do Flow conditions:
If [entity.isSuspicious] contains True >> this is a catch-all 'something in this Alert is bad'
Or you can do more finely controlled testing depending on your use case


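As an added illustration of the answer above (example code written for this thread, not code from the Siemplify/Chronicle SDK or from any poster): a plain-Python model of what a TI marketplace Action does to an Entity, and of the two Flow conditions described, the catch-all on [entity.isSuspicious] and a narrower, use-case specific one. The `Entity` class, the `TI_RESULTS` verdicts and their field names are constructed and hypothetical; a real Action would read the vendor JSON and call the SDK instead.

```python
from dataclasses import dataclass, field


@dataclass
class Entity:
    """Stand-in for a SOAR entity (hypothetical, not the SDK class)."""
    identifier: str
    entity_type: str                      # e.g. "HOSTNAME" for a domain
    is_suspicious: bool = False
    additional_properties: dict = field(default_factory=dict)


# Constructed TI responses, loosely shaped like a vendor detection summary.
TI_RESULTS = {
    "login-example.test": {"malicious": 12, "suspicious": 3, "harmless": 60},
    "docs.example.net":   {"malicious": 0,  "suspicious": 0, "harmless": 75},
    "cdn-update.test":    {"malicious": 2,  "suspicious": 1, "harmless": 70},
}


def enrich_with_ti(entity, results, threshold=1):
    """Model of a TI Action: attach the vendor JSON to the entity and flip
    is_suspicious once the 'malicious' count reaches the threshold.
    A whois lookup never does this; only a verdict source can."""
    verdict = results.get(entity.identifier)
    if verdict is None:
        return entity                     # no TI data: unknown, not "clean"
    entity.additional_properties.update({"ti_" + k: v for k, v in verdict.items()})
    if verdict["malicious"] >= threshold:
        entity.is_suspicious = True
    return entity


def catch_all_condition(entities):
    """Flow condition '[Entity.isSuspicious] contains True'."""
    return any(e.is_suspicious for e in entities)


def fine_grained_condition(entities, min_malicious=5):
    """Narrower condition: only entities whose malicious count meets a higher bar."""
    return [e.identifier for e in entities
            if e.additional_properties.get("ti_malicious", 0) >= min_malicious]


def run_playbook(domains, results=TI_RESULTS):
    entities = [enrich_with_ti(Entity(d, "HOSTNAME"), results) for d in domains]
    return {"any_suspicious": catch_all_condition(entities),
            "high_confidence": fine_grained_condition(entities),
            "flagged": [e.identifier for e in entities if e.is_suspicious]}
```

A domain absent from the TI data stays unflagged but is not thereby proven clean; only a returned verdict supports a conclusion either way.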