
In SA, how do you see HTTPS domain names without the domain name from the cert?

Question asked by RSA Admin Employee on Aug 13, 2015
Latest reply on Aug 14, 2015 by RSA Admin

Hi all,

 

I'm trying to achieve something that I thought would be quite straightforward but is proving a bit tricky.

 

In SA, I'm trying to issue a query to return the domain names of HTTPS connections for a specific 30-minute window.

 

So, I thought, easy enough, 2 steps:

  1. Choose 'Custom' in the drop-down list for the time frame and specify my time frame.
  2. Set a filter for: service=443 (or under 'Service' click 'SSL').

 

But of course I'm seeing alias.host entries for things like:

*.google.com

which I assume is the domain name from the SSL certificate.

 

Is it even possible to achieve my goal? I just want to see the domain names which were the target of the HTTPS connections, not the domain names from the certs.

 

Any pointers would be gratefully received!
