diff --git a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
index 82b4855..96477e4 100644
--- a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
+++ b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/etl_session_record_kafka_to_cn_kafka
@@ -43,6 +43,17 @@ processing_pipelines:
       parameters:
         value_expression: "recv_time == null ? kafka_recv_time : recv_time"
 
+    - function: DOMAIN
+      lookup_fields: [ http_host, ssl_sni, dtls_sni, quic_sni ]
+      output_fields: [ cn_server_domain ]
+      parameters:
+        option: FIRST_SIGNIFICANT_SUBDOMAIN
+
+    - function: EVAL
+      output_fields: [ server_domain ]
+      parameters:
+        value_expression: "server_domain == null ? cn_server_domain : server_domain"
+
     - function: EVAL
       output_fields: [ domain ]
       parameters:
diff --git a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
index eb9fd57..d482afb 100644
--- a/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
+++ b/cyber_narrator/upgrade/2024/CN-24.04/groot_stream/udf.plugins
@@ -19,3 +19,4 @@ com.geedgenetworks.core.udf.cn.ArrayElementsPrepend
 com.geedgenetworks.core.udf.cn.IntelligenceIndicatorLookup
 com.geedgenetworks.core.udf.SnowflakeId
 com.geedgenetworks.core.udf.UnixTimestampConverter
+com.geedgenetworks.core.udf.Domain
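Review bot: The precedence among the four `lookup_fields` of the new DOMAIN step is undocumented, and it matters: `http_host`, `ssl_sni`, `dtls_sni` and `quic_sni` are all values supplied by the client side of the session and need not agree with each other, so whichever one DOMAIN consults first decides `cn_server_domain` and, through the EVAL that follows, `server_domain` for every record that arrived without one. A comment above the step stating the order and the intent would help, e.g. `# first populated of: HTTP Host, TLS SNI, DTLS SNI, QUIC SNI; reduced to its first significant subdomain` — confirm that DOMAIN really takes the first non-empty field rather than requiring all of them, since that is inferred here. It is also worth checking whether `FIRST_SIGNIFICANT_SUBDOMAIN` copes with a `host:port` form or an IP literal in `http_host`, because an unexpected value would otherwise land silently in `server_domain` and feed any downstream domain-based enrichment or detection. Note that the fallback fires only when `server_domain` is null, mirroring the `recv_time` step above, so an empty string is kept as-is. The enclosing `processing_pipelines` list continues outside the hunk.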
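Review bot: The pipeline change in `etl_session_record_kafka_to_cn_kafka` depends on this registration: a `DOMAIN` step presumably cannot be resolved until `com.geedgenetworks.core.udf.Domain` has been loaded from `udf.plugins`, so the CN-24.04 upgrade should apply this file before, or together with, the pipeline file. Worth confirming that the upgrade sequencing, which is outside this diff, guarantees that order; otherwise a partially applied upgrade leaves the session-record pipeline unable to start.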