The "url" indicator is not populating the p_any_domain_names or p_any_ip_addresses columns in Panther's Data Explorer

Last updated
Save as PDF

Issue

In my custom schema, my "url" indicator is not populating the p_any_domain_names or p_any_ip_addresses columns in Panther's Data Explorer.

Resolution

To resolve this issue:

Ensure that any fields which contain indicators (url, emails, ip addresses, AWS account IDs, etc.) are marked with an indicator type.
Ensure that your url value starts with http:// or https://, otherwise, the format won't be recognized.

Please note that the extracted value will be explicitly the domain name in the p_any_domain_names.

For example, http://panther.com/mypost-page will populate panther.com in p_any_domain_names.

While http://111.111.111.111/blogs will populate 111.111.111.111 in p_any_ip_addresses.

You can also use different indicator fields if you want to extract the domain name such as the hostname or the domain field.

Cause

This behavior triggers when the URL format is not following the default URL scheme containing the protocol at the start of the value (http:// or https://).