From 3096ef92b302941c13643252c97aa3216ef89a22 Mon Sep 17 00:00:00 2001
From: thesubtlety <1726821+thesubtlety@users.noreply.github.com>
Date: Wed, 21 Dec 2022 15:44:27 -0700
Subject: [PATCH] add extractor

---
 dns/saas-service-detection.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/dns/saas-service-detection.yaml b/dns/saas-service-detection.yaml
index 19d699f7e5..1e624f9e5e 100644
--- a/dns/saas-service-detection.yaml
+++ b/dns/saas-service-detection.yaml
@@ -13,6 +13,12 @@ dns:
   - name: "{{FQDN}}"
     type: A
 
+    extractors:
+      - type: regex
+        group: 1
+        regex:
+          - 'IN\t(?:A|CNAME)\t([A-Za-z0-9-_.]*([a-zA-Z]+[0-9]+|[0-9.]+[a-zA-Z]+))'
+
     matchers-condition: or
     matchers: