MDE DeviceNetworkEvents missing full URL for HTTPS traffic

Hi all,

I've integrated Sentinel with some external TI feeds (like PhishTank, etc.) and collected MDE DeviceNetworkEvents.

It seems that most (if not all) HTTPS traffic (URL) is not fully logged.

Example: https://cloudflare-ipfs.com instead of https://cloudflare-ipfs.com/xxx.dat.

PS: with HTTP traffic I got the full URL with path, etc.

This means that the URLs don't match when comparing the TI source URL (full URL) with the URL (partial) generated by the browser.

The goal is to push the IOC (in this case the URL) into the Indicators list.

I don't want to populate the indicators with a domain list because it can blacklist a full domain.

Example:

https://docs.google.com/presentation/d/e/2

It could be a phishing URL, but I don't want to blacklist the docs.google.com domain because it can contain valid URLs...

Any idea?

Regards,

HA
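As an added example (not part of the original post or of any Microsoft tooling), the matching problem described above can be handled by grading each hit according to how much of the URL the sensor actually recorded: an HTTP event carries the full path and can be compared exactly, while an HTTPS event only exposes the TLS SNI hostname, so a hit on the bare host is at best weak evidence and should not by itself turn into a domain-wide indicator for a shared host such as docs.google.com. The TI entries and event rows below are constructed sample data; `DeviceName` and `RemoteUrl` are the DeviceNetworkEvents column names, everything else (`normalize`, `build_index`, `match_event`, `triage`) is hypothetical helper code written for this illustration.

```python
"""Grade TI URL hits against DeviceNetworkEvents.RemoteUrl by URL visibility."""
from urllib.parse import urlsplit

# Constructed TI feed entries (not real indicators), full URLs as a feed
# such as PhishTank would deliver them.
TI_URLS = [
    "https://docs.google.com/presentation/d/e/2",
    "http://example.net/login/verify.php",
    "https://cloudflare-ipfs.com/xxx.dat",
]

# Constructed DeviceNetworkEvents rows. For HTTPS the sensor logs only the
# SNI hostname, so RemoteUrl has no path; HTTP rows keep the full URL.
EVENTS = [
    {"DeviceName": "wks-01", "RemoteUrl": "https://cloudflare-ipfs.com"},
    {"DeviceName": "wks-02", "RemoteUrl": "http://example.net/login/verify.php"},
    {"DeviceName": "wks-03", "RemoteUrl": "https://docs.google.com"},
    {"DeviceName": "wks-04", "RemoteUrl": "http://example.net/about"},
    {"DeviceName": "wks-05", "RemoteUrl": "docs.google.com"},  # scheme-less host
]


def normalize(url):
    """Return (scheme, host, path) with host lower-cased and trailing slash stripped.

    A scheme-less value (bare hostname, as sometimes logged) is treated as a
    host-only observation.
    """
    if "://" not in url:
        url = "//" + url  # urlsplit needs the leading // to see a netloc
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    path = parts.path.rstrip("/") or "/"
    if parts.query:
        path += "?" + parts.query
    return scheme, host, path


def build_index(ti_urls):
    """Index TI URLs as host -> {normalized path: original indicator}."""
    index = {}
    for url in ti_urls:
        _, host, path = normalize(url)
        index.setdefault(host, {})[path] = url
    return index


def match_event(remote_url, index):
    """Return a graded match dict, or None when the event does not match.

    high: the logged URL (HTTP, path visible) equals a TI URL exactly.
    low:  only the host is visible (HTTPS/SNI or bare host) and a TI URL
          lives on that host; the path could not be compared at all.
    None: different host, or same host but a visibly different path.
    """
    scheme, host, path = normalize(remote_url)
    by_path = index.get(host)
    if by_path is None:
        return None
    if path in by_path:
        return {"confidence": "high", "ti_url": by_path[path],
                "reason": "full URL matched indicator"}
    if path == "/" and scheme in ("https", ""):
        return {"confidence": "low", "ti_url": sorted(by_path.values()),
                "reason": "host-only match: HTTPS event exposes the SNI "
                          "hostname, not the path"}
    return None


def triage(events, index):
    """Attach a graded match to every event that hits the TI index."""
    hits = []
    for event in events:
        match = match_event(event["RemoteUrl"], index)
        if match:
            hits.append({"DeviceName": event["DeviceName"],
                         "RemoteUrl": event["RemoteUrl"], **match})
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS, build_index(TI_URLS)):
        print(hit["DeviceName"], hit["confidence"], hit["RemoteUrl"], "-", hit["reason"])
```

Only the `high` hits are candidates for pushing the TI URL itself into the indicator list as a URL indicator; the `low` hits tell you that a host from the feed was contacted but not which path, which is exactly the case where a domain indicator would also block legitimate content on a shared host, so they are better treated as a lead to correlate with other telemetry than as something to block on.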
