This repository has been archived by the owner on Mar 17, 2022. It is now read-only.

WhoIsAnalysis -- Remove F_URL observable? #66

Open
krayzpipes opened this issue Feb 9, 2020 · 1 comment

@krayzpipes
Contributor

Currently, the WhoIsAnalyzer works with F_URL and F_FQDN observable types.

Wondering if this would be better for the whois analysis module:

  • Remove the F_URL observable from whois module
  • Rely on analysis modules to extract the domain from an F_URL observable and submit it as an F_FQDN observable.
  • WhoIsAnalyzer would then run on the F_FQDN observable only. This should keep ACE from performing whois analysis on the URL AND the FQDN if the domain is ever stripped and submitted separately from F_URL analysis in the future.

Running whois analysis twice is not a big performance hit... so it may not be worth the time. Thoughts?

@seanmcfeely / @unixfreak0037

@seanmcfeely
Contributor

seanmcfeely commented Feb 9, 2020

Coincidentally, I wrote a module to add FQDN observables for URLs the other day. I wrote it because I wanted to correlate URLs to the IP addresses they're hosted on so I can let my ip inspector module fire a detection when a URL is hosted on a blacklisted network. So yea, I think it's a good idea for the whois module to just work on FQDNs @krayzpipes, because the module to URL->FQDN will be in a PR momentarily.
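
A sketch of the flow proposed in this thread, added here as an example (it is not ACE's code or the module mentioned in the comment above): URL observables are reduced to FQDN observables, and each FQDN is queued for whois once, even when it also arrives on its own. The helpers `fqdn_from_url` and `whois_targets` and the observable type values are assumptions made for illustration.

```python
from ipaddress import ip_address
from urllib.parse import urlsplit

# Local stand-ins for ACE's observable type constants (values assumed).
F_URL, F_FQDN = "url", "fqdn"


def fqdn_from_url(url):
    """Return the normalized host of a URL, or None when it is not an FQDN."""
    try:
        # .hostname drops userinfo and port and lowercases the host.
        host = urlsplit(url).hostname
    except ValueError:  # e.g. malformed bracketed IPv6 literal
        return None
    if not host:
        return None  # no authority component (missing scheme, mailto:, ...)
    host = host.rstrip(".")  # treat "example.com." and "example.com" alike
    try:
        ip_address(host)
        return None  # IP literal: nothing for an FQDN-only whois module
    except ValueError:
        pass
    return host if "." in host else None  # skip bare names like "localhost"


def whois_targets(observables):
    """Expand F_URL into F_FQDN and return each FQDN once, in first-seen order."""
    seen, targets = set(), []
    for o_type, value in observables:
        if o_type == F_URL:
            fqdn = fqdn_from_url(value)
        elif o_type == F_FQDN:
            fqdn = value.lower().rstrip(".")
        else:
            fqdn = None
        if fqdn and fqdn not in seen:
            seen.add(fqdn)
            targets.append(fqdn)
    return targets


# Constructed sample observables (not taken from a real alert).
SAMPLE = [
    (F_URL, "http://user@Example.COM:8080/login?x=1"),
    (F_FQDN, "example.com"),  # same domain submitted separately
    (F_URL, "https://192.0.2.10/payload"),
    (F_URL, "https://[2001:db8::1]/a"),
    (F_URL, "https://cdn.example.net./a.js"),
]

if __name__ == "__main__":
    print(whois_targets(SAMPLE))
```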
