Reverse Whois Tracks in ThreatConnect® leverage DomainTools, an external data service that interfaces with ThreatConnect to actively detect and issue alerts about new associations discovered in Whois records between Adversary assets and hosts. On its initial execution, the Track examines all current Whois records; after that, it searches daily for new Whois records to analyze.
Tracks can be created in two ways. The first method, outlined in Create, uses the CREATE option on the top navigation bar. This method offers more options to customize a Track via the Contains/Does Not Contain fields; however, Hosts imported from the results of such a Track will not be automatically associated with an Adversary. The second method, detailed in this article, creates a Track based on an Adversary's assets.
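To make the tracking behaviour concrete, the following is an added example and not ThreatConnect or DomainTools code: a minimal reverse-Whois tracker that, like the Track described above, examines every current Whois record on its first run and on later runs reports only domains newly associated with an Adversary's assets. The `WhoisRecord` and `ReverseWhoisTrack` types, the adversary name, the asset values and all Whois records are constructed sample data, not real registrations.

```python
"""Added example (not ThreatConnect or DomainTools code): a minimal
reverse-Whois tracker mirroring the behaviour described in the text.
All records, assets and names below are constructed sample data."""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class WhoisRecord:
    """One Whois record as a tracker might receive it from a data provider."""
    domain: str
    registrant_email: str
    registrant_phone: str
    observed: date  # date the record was first seen by the provider


@dataclass
class ReverseWhoisTrack:
    """Tracks one adversary's assets against Whois records.

    assets holds the adversary attributes the track watches for (here a
    registrant e-mail and a phone number, stored lower-cased). seen_domains
    remembers every domain already associated, so later runs alert only on
    genuinely new associations rather than re-reporting old ones.
    """
    adversary: str
    assets: set
    seen_domains: set = field(default_factory=set)

    def _matches(self, record: WhoisRecord) -> bool:
        # E-mail is compared case-insensitively; phone numbers exactly.
        return (record.registrant_email.lower() in self.assets
                or record.registrant_phone in self.assets)

    def run(self, records, since=None):
        """Examine records (optionally only those observed on or after
        `since`, as a daily run would) and return the domains that are newly
        associated with the adversary's assets, sorted for stable output."""
        new = []
        for rec in records:
            if since is not None and rec.observed < since:
                continue  # already covered by an earlier run
            if rec.domain in self.seen_domains:
                continue  # known association; no new alert
            if self._matches(rec):
                self.seen_domains.add(rec.domain)
                new.append(rec.domain)
        return sorted(new)


# Constructed adversary assets (hypothetical values).
ASSETS = {"ops@example-adversary.test", "+1.5550100"}

# Constructed Whois records present at the time of the initial run.
INITIAL_RECORDS = [
    WhoisRecord("bad-domain-a.test", "ops@example-adversary.test", "+1.5550199", date(2024, 1, 1)),
    WhoisRecord("benign.test", "admin@benign.test", "+1.5550200", date(2024, 1, 1)),
    WhoisRecord("bad-domain-b.test", "other@mail.test", "+1.5550100", date(2024, 1, 1)),
]

# Constructed records that appear the next day: one new match (different
# e-mail casing) and one re-observation of an already known domain.
NEXT_DAY_RECORDS = [
    WhoisRecord("bad-domain-c.test", "OPS@example-adversary.test", "+1.5550300", date(2024, 1, 2)),
    WhoisRecord("bad-domain-a.test", "ops@example-adversary.test", "+1.5550199", date(2024, 1, 2)),
]


def demo():
    """Run the initial pass over all records, then a daily pass over the
    records observed since; return both alert lists."""
    track = ReverseWhoisTrack("Example Adversary", ASSETS)
    initial_alerts = track.run(INITIAL_RECORDS)
    daily_alerts = track.run(INITIAL_RECORDS + NEXT_DAY_RECORDS, since=date(2024, 1, 2))
    return initial_alerts, daily_alerts


if __name__ == "__main__":
    first, daily = demo()
    print("initial run:", first)   # ['bad-domain-a.test', 'bad-domain-b.test']
    print("daily run:  ", daily)   # ['bad-domain-c.test']
```

The design point is the `seen_domains` set: without it, every daily run would re-alert on associations that were already known, which is the noise a Track is meant to avoid. A real deployment would persist that state between runs and would match on whichever registrant fields the provider exposes.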
- From the top navigation bar (Figure 1), place the cursor over BROWSE and then over the GROUPS option. Click on the ADVERSARY object to display a results table (Figure 2).
- Click on one of the entries, and the Details window for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the window, and the Overview tab of the Details screen will appear (Figure 4).
- Click the Assets tab, and the Assets screen will appear (Figure 5). Verify that at least one asset is listed. If the tab shows No Assets Found, then follow the steps outlined in Adding Adversary Assets.
- Click the Tracking tab, and a results table of assets will appear (Figure 6).
- Click the gray paw print next to an asset. The paw print will turn orange, and the Results column will show results of the initial Reverse Whois lookup (Figure 7).
- Click on the blue text displaying the results total, and the Overview screen will appear (Figure 8).
- Click the Results tab to view domains found in the lookup (Figure 9).
- Click the Associations tab to view associated Indicators (Figure 10).