rleighton
commented
2 years ago That is true and we have one implicitly. The parser has special code to process the query name as well as extract indicators in the answers.
Closed slw07g closed 2 months ago
rleighton
commented
2 years ago That is true and we have one implicitly. The parser has special code to process the query name as well as extract indicators in the answers.
https://github.com/panther-labs/panther-analysis/blob/6bfdd1357668bd015628471302a4a29a42a03e1b/schemas/logs/aws/vpc_dns.yml#L34-L37
Seems like this is a good place to have a domain/hostname indicator.