This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Getting to Know Google SecOps: Extracting Domains & Hostnames

on ‎12-05-2024 08:00 AM

jstoner
Staff
0 0 446

Today we are going to look at two string functions that will extract hostnames and domains from longer strings, whether they are found in URLs, email addresses or anywhere else!

Strings Function - Domain & Host.png

The strings.extract_domain function extracts a domain without having to build regular expressions. The function accepts a single argument and outputs the domain from that string. This domain value can then be used in a search or rule. 

Strings Function - Domain & Host (1).png

strings.extract_hostname is equally important because it serves a similar purpose but rather than just the domain, it extracts the fully qualified domain name. For example, if we have a URL that contains smtp.gmail.com and used these functions, the domain extraction would be gmail.com and the hostname extraction would be smtp.gmail.com.

There will be times when the extract hostname function will return data but the extract domain function won’t. For instance, if a URL contains an IP address, the domain function will return a null value, but the hostname function will return the IP.

Another example would be a string where the domain does not exist in publicsuffix.org. If a URL or DNS query ends in .internal, for instance, the domain extraction will be null, but the hostname extraction would be metadata.google.internal or whatever the fully qualified domain name is.

Follow along in this video to see how we can apply strings.extract_domain and strings.extract_hostname to our searches and rules. 

 strings.extract_domain and strings.extract_hostname provides the ability to extract hostnames and domains from strings that can then be used throughout searches and rules. Once extracted, this value can be used to filter, aggregate or output in a search or rule. Remember that strings.extract_domain uses publicsuffix.org to drive the domain values that are extracted, so if you are trying to extract IPs from URLs or non-public facing domains like .internal, you will need to use the strings.extract_hostname to output the fully qualified domain name.

Strings Function - Domain & Host (2).png

 Check out these additional resources with more information and learning opportunities:

Topic Labels
Contributors
0 Likes
Version history
Last update:
‎12-05-2024 08:00 AM
Updated by: