Hello,
I'm looking at setting up Automated Threat Detection as per ATD: Configuring Automated Threat Detection for Suspicious Domains. The guide talks about making sure the 'FQDN' META is being parsed but it doesn't talk to why this is required. I'm ingesting no web proxy appliance logs specifically, however we have Palo Alto logs which reports web browsing traffic. When I filter on the 'fqdn exists' I get no logs, suggesting none of the ingested logs use this field. Would I need to modify existing META to change this to 'FQDN' or does this ATD technology search for domains across a bunch of other META fields as well?
Cheers
