The TLD parser has been updated so that it can now be deployed on Log Decoders.
The parser looks for the following keys from log devices to parse out the same information as packets:
It then writes the information out into:
* alert.id - mapped to risk meta
* analysis.service - hostname characteristics
* cctld - (nonstandard) (optional) country-code top level domain, e.g., www.amazon.co.uk -> co.uk
* sld - (nonstandard) (optional) second level domain, e.g. www.amazon.co.uk -> amazon
* tld - top level domain, e.g. www.amazon.com -> com
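
To see which values to expect in these keys for a given hostname, here is an added Python sketch of the split described in the list above; it is not the parser's own Lua code. The `split_host` name and the short suffix set are constructed for illustration, and registering `uk` as `tld` for a `co.uk` host is an assumption, since the page only shows `tld` for a `.com` name.

```python
import ipaddress

# Constructed sample of two-label country-code suffixes (assumption: a real
# deployment would rely on a complete list such as the Public Suffix List).
CC_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au", "co.jp", "com.br"}


def split_host(host):
    """Return the tld / cctld / sld values for a hostname as a dict.

    cctld and sld are optional, so they are only present when they apply.
    IP addresses, single-label names and malformed names return {}.
    """
    host = host.strip().rstrip(".").lower()  # normalise case and FQDN dot
    try:
        ipaddress.ip_address(host.strip("[]"))
        return {}  # an IP literal has no domain parts
    except ValueError:
        pass

    labels = host.split(".")
    if len(labels) < 2 or not all(labels):
        return {}  # "localhost" or an empty label such as "a..b"

    # Assumption: tld is always the right-most label, even under a cctld.
    meta = {"tld": labels[-1]}
    suffix_len = 1
    two_label = ".".join(labels[-2:])
    if two_label in CC_SUFFIXES:
        meta["cctld"] = two_label
        suffix_len = 2

    # sld is the label immediately left of the suffix, if there is one.
    if len(labels) > suffix_len:
        meta["sld"] = labels[-suffix_len - 1]
    return meta


if __name__ == "__main__":
    # Constructed hostnames, as they might appear in a log's host field.
    for name in ("www.amazon.co.uk", "www.amazon.com", "10.1.2.3", "co.uk"):
        print(name, "->", split_host(name))
```
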
When searching for Lua and Log in the RSA Live deployment screen you will see the following:

And linked dependencies:

So this is a really simple method of getting nwll.lua deployed to a Log Decoder if your custom parser requires that library (the PaloAlto URL.raw parser, for instance).