Fix domain identification logic

Refactored the domain identification process in DNS Finder to correctly handle TLDs with multiple segments, ensuring accurate detection of parent domains and subdomains.
thalesgroup-cert · Mar 6, 2025 · 1dd7993 · 1dd7993
1 parent 517b9f7
commit 1dd7993
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/Watcher/Watcher/common/core.py b/Watcher/Watcher/common/core.py
@@ -17,7 +17,7 @@
 from .mail_template.dns_finder_group_template import get_dns_finder_group_template
 from .utils.send_thehive_alerts import send_thehive_alert
 from .utils.update_thehive import search_thehive_for_ticket_id, update_existing_alert_case, create_new_alert
-
+import tldextract
 
 def generate_ref():
     """
@@ -480,8 +480,18 @@ def send_notification(channel, content_template, subscribers_filter, send_func,
 
             current_time = timezone.now()
             subdomain = alert.dns_twisted.domain_name
-            parent_domain = '.'.join(subdomain.split('.')[-2:])
-            is_parent_domain = subdomain == parent_domain
+
+            extracted = tldextract.extract(subdomain)
+            subdomain_part = extracted.subdomain
+            domain_part = extracted.domain
+            suffix_part = extracted.suffix
+
+            if suffix_part:
+                parent_domain = f"{domain_part}.{suffix_part}"
+
+                is_parent_domain = (not subdomain_part)
+            else:
+                return
 
             dns_domain_name_sanitized = (
                 getattr(alert.dns_twisted, 'dns_domain_name_sanitized', None) or