Insight: Filtering out common schema domains in Domains in Attachments (#3162)

MSAdministrator · web-flow · commit b15b63fac9e5 · 2025-09-03T00:03:41.000Z
diff --git a/insights/attachments/links_domains.yml b/insights/attachments/links_domains.yml
@@ -1,12 +1,29 @@
 name: "Domains in attachments"
 type: "query"
 source: |
-  filter(
-    map(attachments,
-        map(file.explode(.),
-            distinct(map(.scan.url.urls, .domain.domain), .)
-        )
-    ),
-    length(.) > 0
+  filter(map(attachments,
+           map(file.explode(.),
+               distinct(map(filter(.scan.url.urls,
+                                   .domain.root_domain not in $org_domains
+                                   and .domain.root_domain not in (
+                                     "sublimesecurity.com",
+                                     "wps.cn"
+                                   )
+                                   and .domain.domain not in~ (
+                                     "schemas.openxmlformats.org",
+                                     "schemas.microsoft.com",
+                                     "purl.org",
+                                     "www.w3.org",
+                                     "purl.oclc.org",
+                                     "schemas.apple.com"
+                                   )
+                            ),
+                            .url
+                        ),
+                        .
+               )
+           )
+       ),
+       length(.) > 0
   )
 severity: "informational"
