Improve Scoring with a Domain Whitelist

Once you have identified and investigated a potential typosquatted domain and found that it is legitimate, you can suppress future alerts for it by adding a domain whitelist enrichment check to the scoring expression.

  1. Display the Management module UI.
  2. Select the Squid sensor from the list of sensors on the main window.
  3. Click the pencil icon in the list of tool icons for the Squid sensor.
  4. Click Advanced.
  5. Click (expand window button) next to the RAW JSON field.
  6. Replace the existing is_potential_typosquat entry with the following:
    "is_potential_typosquat := not (ENRICHMENT_EXISTS('domain_whitelist', domain_without_tld, 'enrichment', 't')) && BLOOM_EXISTS(OBJECT_GET('/tmp/reference/alexa10k_filter.ser'), domain_without_tld)",
  7. Click SAVE below the JSON panel.
  8. Click SAVE at the bottom of the Squid sensor configuration panel.
  9. Open or in the browser connected to the HCP proxy.
  10. Open the Alerts UI.
  11. Click on the timestamp column header until the events are sorted descending by timestamp.
    Proxy events to and are no longer alerts.
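The Stellar expression above evaluates to true only when the domain is absent from the whitelist enrichment and present in the Bloom filter. The following Python is an added example, not code from the HCP or Metron projects, that models that decision with an in-memory stand-in for the HBase enrichment store and a small Bloom filter standing in for alexa10k_filter.ser. The argument order of ENRICHMENT_EXISTS is modeled as (enrichment type, indicator, table, column family), matching the expression in step 6; the filter contents, the whitelisted entry and the probe strings are constructed sample values.

```python
import hashlib


class BloomFilter:
    """Minimal Bloom filter standing in for the serialized filter that
    OBJECT_GET('/tmp/reference/alexa10k_filter.ser') loads in Stellar.
    Membership tests can return false positives but never false negatives,
    which is why a whitelist is the right complement to this check."""

    def __init__(self, size_bits=65536, num_hashes=4):
        self.size = size_bits
        self.k = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        # Derive k bit positions from sha256 of a salted copy of the item.
        for i in range(self.k):
            digest = hashlib.sha256(f"{i}:{item}".encode("utf-8")).digest()
            yield int.from_bytes(digest[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all(self.bits[pos // 8] & (1 << (pos % 8)) for pos in self._positions(item))


# Stand-in for the HBase-backed store that ENRICHMENT_EXISTS queries.
# Keyed by (table, column_family); each value is the set of
# (enrichment_type, indicator) rows present. Constructed sample data:
# "amazom" has been investigated, found legitimate, and whitelisted.
ENRICHMENT_STORE = {
    ("enrichment", "t"): {("domain_whitelist", "amazom")},
}


def enrichment_exists(enrichment_type, indicator, table, column_family, store=ENRICHMENT_STORE):
    """Models Stellar ENRICHMENT_EXISTS(enrichment_type, indicator, table, column_family)."""
    return (enrichment_type, indicator) in store.get((table, column_family), set())


def bloom_exists(bloom, indicator):
    """Models Stellar BLOOM_EXISTS(filter, indicator)."""
    return indicator in bloom


def is_potential_typosquat(domain_without_tld, bloom, store=ENRICHMENT_STORE):
    """Same logic as the expression placed in the Squid sensor config:
    flag only when the domain is NOT whitelisted AND IS in the Bloom filter."""
    whitelisted = enrichment_exists("domain_whitelist", domain_without_tld, "enrichment", "t", store)
    return (not whitelisted) and bloom_exists(bloom, domain_without_tld)


def build_demo_filter():
    """Constructed filter contents: two typosquat-like strings."""
    bloom = BloomFilter()
    for entry in ("gooogle", "amazom"):
        bloom.add(entry)
    return bloom


def score_domains(domains, bloom, store=ENRICHMENT_STORE):
    """Evaluate the typosquat flag for each domain_without_tld value."""
    return {d: is_potential_typosquat(d, bloom, store) for d in domains}


def count_false_positives(bloom, probes):
    """Count how many strings that were never inserted the filter still claims
    as members; this is the error the whitelist step exists to absorb."""
    return sum(1 for p in probes if p in bloom)


if __name__ == "__main__":
    bloom = build_demo_filter()
    for domain, flagged in score_domains(["gooogle", "amazom", "example"], bloom).items():
        print(f"{domain:10s} is_potential_typosquat={flagged}")
    probes = [f"notinserted{i}" for i in range(1000)]
    print("false positives among 1000 non-members:", count_false_positives(bloom, probes))
```

Run as a script, "gooogle" is flagged, "amazom" is suppressed by the whitelist even though it is in the filter, and "example" is not flagged because it is absent from the filter. Whitelisting removes the alert without touching the filter, so the original detection stays intact for every other domain.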