Improve Scoring with a Domain Whitelist
Once you have identified and investigated a potential typosquatted domain and found that it is legitimate, you can stop future alerts by using a domain whitelist enrichment.
- Display the Management module UI.
- Select the Squid sensor from the list of sensors on the main window.
- Click the pencil icon in the list of tool icons for the Squid sensor.
- Click Advanced.
Click (expand window button) next to the RAW
is_potential_typosquatinformation with the following:
"is_potential_typosquat := not (ENRICHMENT_EXISTS('domain_whitelist', domain_without_tld, 'enrichment', 't')) && BLOOM_EXISTS(OBJECT_GET('/tmp/reference/alexa10k_filter.ser'), domain_without_tld)",
- Click SAVE below the JSON panel.
- Click SAVE at the bottom of the Squid sensor configuration panel.
npr.comin the browser connected to the HCP proxy.
- Open the Alerts UI.
Click on the timestamp column header until the events are
sorted descending by timestamp.
Proxy events to
npr.orgare no longer alerts.