This came out of a separate discussion but I thought it could be helpful for others.
A customer was looking to write an ESA rule that essentially was doing an 'ends' against alias.host meta. For example, 'bad.malicousdomain.com' or 'really.bad.maliciousdomain.com' could be looked for by 'maliciousdomain.com' Things like this could actually be done on the decoder and created as meta for easy searching.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.