In my custom schema, my "url" indicator is not populating the p_any_domain_names or p_any_ip_addresses columns in Panther's Data Explorer.
To resolve this issue:
Ensure that any fields that contain indicators (URLs, emails, IP addresses, AWS account IDs, etc.) are marked with an indicator type.
Ensure that your url value starts with http:// or https://; otherwise, the format won't be recognized.
Please note that the value extracted into p_any_domain_names is the domain name only.
For example, http://panther.com/mypost-page will populate panther.com in p_any_domain_names, while http://111.111.111.111/blogs will populate 111.111.111.111 in p_any_ip_addresses.
You can also use a different indicator field, such as hostname or domain, if you want to extract the domain name.
This behavior occurs when the URL does not follow the default URL format, which has the protocol (http:// or https://) at the start of the value.
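To check sample values before ingesting them, the added example below approximates the behavior described above; it is not Panther's own parser. The function names, the "url" field name and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Schemes the page says the url indicator recognises.
SCHEMES = ("http://", "https://")


def expected_p_any_field(value):
    """Return (p_any column, extracted value) for a url indicator value,
    or None when the value lacks the scheme and nothing would be extracted.
    Approximation of the documented behaviour, not Panther's own parser."""
    if not isinstance(value, str) or not value.startswith(SCHEMES):
        return None
    try:
        host = urlsplit(value).hostname
    except ValueError:  # e.g. malformed IPv6 literal
        return None
    if not host:
        return None
    try:
        ipaddress.ip_address(host)
        return ("p_any_ip_addresses", host)
    except ValueError:
        return ("p_any_domain_names", host)


def unextractable(events, field):
    """List the values of `field` that would populate neither column."""
    return [e[field] for e in events
            if field in e and expected_p_any_field(e[field]) is None]


# Constructed sample events; "url" is a hypothetical field name.
SAMPLE_EVENTS = [
    {"url": "http://panther.com/mypost-page"},
    {"url": "http://111.111.111.111/blogs"},
    {"url": "panther.com/mypost-page"},      # no scheme
    {"url": "111.111.111.111/blogs"},        # no scheme
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["url"], "->", expected_p_any_field(event["url"]))
    print("fix before ingest:", unextractable(SAMPLE_EVENTS, "url"))
```

Values returned by unextractable are the ones to prefix with a scheme at the source, or to map to a hostname or domain indicator instead.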