Open ericmartin opened 5 years ago
Hi @ericmartin, the required attribute is extracted and attached as an attribute to the IPs/URLs. You can use customized filters on the Miner or on the Output node to select only required IPs/URLs. This is how an O365 indicator looks; the required attribute is extracted and placed into o365_required:
```json
{
    "indicator": "*.localytics.com",
    "value": {
        "confidence": 100,
        "o365_notes": "Portal and shared: 3rd party office integration. (including CDNs)",
        "o365_tcpPorts": "443",
        "share_level": "green",
        "sources": [
            "worldwide-exchange"
        ],
        "o365_serviceArea": "Common",
        "o365_category": "Default",
        "first_seen": 1543921101046,
        "type": "URL",
        "o365_required": false,
        "o365_expressRoute": false,
        "last_seen": 1543921101046
    }
}
```
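An added example, not part of the thread and not MineMeld code: a post-filter over exported indicators in the shape shown above that keeps only entries whose `o365_required` is a real boolean true, so a missing or string-typed attribute never widens an allowlist. The function name `select_required` and every sample record other than `*.localytics.com` are assumptions constructed for the illustration.

```python
import json

# Constructed sample records in the shape shown above; only the first
# indicator comes from the thread, the rest are made up for this example.
SAMPLE = json.loads("""
[
  {"indicator": "*.localytics.com",
   "value": {"type": "URL", "o365_required": false, "o365_tcpPorts": "443",
             "o365_serviceArea": "Common", "o365_category": "Default"}},
  {"indicator": "required.example.com",
   "value": {"type": "URL", "o365_required": true, "o365_tcpPorts": "80,443",
             "o365_serviceArea": "Exchange", "o365_category": "Optimize"}},
  {"indicator": "198.51.100.0/24",
   "value": {"type": "IPv4", "o365_required": true, "o365_tcpPorts": "443",
             "o365_serviceArea": "Exchange", "o365_category": "Allow"}},
  {"indicator": "stringly.example.net",
   "value": {"type": "URL", "o365_required": "false"}},
  {"indicator": "untagged.example.org", "value": {"type": "URL"}}
]
""")


def select_required(indicators, types=("URL", "IPv4", "IPv6")):
    """Return {type: sorted indicators} for entries marked as required.

    Fails closed: only a JSON boolean true is accepted. A missing
    attribute, or a string such as "false" (truthy in Python), is
    treated as not required and left out of the result.
    """
    selected = {}
    for item in indicators:
        value = item.get("value") or {}
        if value.get("o365_required") is not True:
            continue
        if value.get("type") not in types:
            continue
        selected.setdefault(value["type"], set()).add(item["indicator"])
    return {t: sorted(v) for t, v in selected.items()}


if __name__ == "__main__":
    for ind_type, entries in select_required(SAMPLE).items():
        print(ind_type, entries)
```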
It would be very helpful to have the miners be able to select o365 lists based on whether or not MS says the URL or IP addresses are required.