So the requirement is to create a detection rule that enriches all domains except for what's added in the reference list, which usually has all my internal domains. I know we do $field in %<reference list>, but how would I instruct "Only enrich domains which are given in the reference list."?
This doesn't seem to work: $e1.principal.administrative_domain = $dom
$dom not in %<reference_list_name>?
Best answer by Rene_Figueroa
Thanks for the info. Have you tried using "not $dom in %<reference_list_name>"?
Hi @devashishsingh, can you please elaborate on what you mean by "enrich"?
Enrich as in enriching it further in SOAR using domain/IP/file/header checks with the help of the MX Toolbox integration or Mandiant intelligence. If I do not exclude my internal domains at the rule level, I don't seem to achieve maximum refinement at the very first stage (via the detection rule) before I dump it all into SOAR.
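To show the accepted answer in context, here is a complete YARA-L 2.0 rule that excludes every domain present in a reference list and hands the remaining (external) domains to SOAR as an outcome variable. This is an added example, not code from the thread or from Google; the list name %internal_domains, the rule name and the NETWORK_CONNECTION event type are assumptions, and you would swap in whichever log source you actually enrich.

```yaral
rule external_domain_for_soar_enrichment {
  meta:
    author = "example"
    description = "Fires on events whose principal domain is NOT in the internal_domains reference list, so only external domains reach SOAR enrichment"
    severity = "INFORMATIONAL"

  events:
    // Assumed event family; narrow this to the source you feed to SOAR.
    $e1.metadata.event_type = "NETWORK_CONNECTION"

    // Skip events with no domain at all, otherwise "" is treated as an
    // external domain and wastes an enrichment call.
    $e1.principal.administrative_domain != ""
    $e1.principal.administrative_domain = $dom

    // Exclusion: the negation goes in front of the whole expression.
    // "not $dom in %list" is valid; "$dom not in %list" is not.
    // %internal_domains is an assumed STRING-type reference list of exact names.
    not $dom in %internal_domains

  match:
    // One detection per external domain per hour, so SOAR enriches each
    // domain once instead of once per event.
    $dom over 1h

  outcome:
    // Aggregations are required in outcome when a match section is present.
    // Exposing the domain as its own outcome field lets the playbook pass it
    // straight to MX Toolbox / Mandiant without parsing the raw event.
    $external_domain = array_distinct($dom)
    $source_hosts = array_distinct($e1.principal.hostname)
    $event_count = count($e1.metadata.id)

  condition:
    $e1
}
```

Two caveats worth checking before relying on this: a STRING reference list matches the whole value exactly, so an entry of corp.example does not cover mail.corp.example; if the internal list needs to cover subdomains, build a REGEX-type list of anchored patterns and write the exclusion as `not $dom in regex %internal_domain_patterns` instead. And confirm the case of the values your parser writes into principal.administrative_domain matches the case used in the list, since a mismatch silently turns an internal domain into an "external" one.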