ThreatConnect® leverages a number of automated data services to enable automated correlation and discovery of threat intelligence. These services allow analysts to efficiently investigate Domain Name System (DNS) relationships, registrants for Internet resources (using the WHOIS protocol), and IP address geographic information within ThreatConnect. The following data services are currently available from the relevant Indicators’ Details screen:
- IP geolocation data for Address Indicators
- DNS resolutions for Host Indicators (current and historical, as well as subdomains)
- DNS resolutions for Address Indicators (current and historical)
- WHOIS information for Host Indicators
IP Geolocation Data
For Address Indicators, IP geolocation data are available on the Overview tab of the Details screen:
- From the top navigation bar (Figure 1), place the cursor over Browse and then over the Indicators option. Select the Address option to display a results table (Figure 2).
- Click on one of the entries, and the Details drawer for that entry will be displayed (Figure 3).
- Click the Details icon at the top right corner of the drawer, and the Overview tab of the Details screen will be displayed (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Scroll down to view the GeoLocation Data card (Figure 5).
- If information is not available from the provider, or if the IP geolocation data service is disabled in a user’s ThreatConnect instance, no data will be displayed. Note that IP geolocation data may take up to 60 minutes to appear.
Host DNS Resolutions
DNS resolution tracking can be enabled for a Host Indicator to monitor ongoing changes in its resolutions. This feature requires the DNS checkbox to be selected in the Details card (Figure 6) on the Overview tab of the Details screen for the Host. Selecting this checkbox enables monitoring of the Host’s DNS resolutions. Note that it may take up to 90 minutes for DNS information to appear after checking the DNS box.
From the Overview tab of the Details screen for the Host, click the DNS tab to view the DNS screen (Figure 7).
The DNS Resolution History section of the screen lists the Addresses that have resolved to the Host Indicator, presently or historically. A Host's DNS resolutions will automatically be added as Address Indicators in the same owner as that of the Host and will be associated to the Host.
The Passive DNS section of the screen, if available, provides the ability to view a list of the subdomain resolutions and historic IP address resolutions for the Host. Click the SUBDOMAINS button, and a table of subdomain resolutions, with columns for when they were first and last seen, will be displayed (Figure 8).
NOTE: The Passive DNS feature will be available only if an Organization Administrator has entered a Farsight Security™ API key from the Organization Settings screen.
Click the IMPORT button at the bottom of the table (Figure 9) to import the subdomain resolution data.
To view the Host’s IP address resolutions, click the HISTORIC IPS button at the top of the Passive DNS section of the screen. A list of Address Indicators to which the Host has previously resolved will be displayed (Figure 10).
Click the IMPORT button at the bottom of the table (Figure 11) to import and associate these Indicators.
Address DNS Resolutions
DNS resolutions reveal the Hosts that have resolved to an Address Indicator, presently or historically. As noted in the "Host DNS Resolutions" section, this allows associations between the Host and the Address to be created automatically and enables easy pivoting. From the Details screen of an Address Indicator (Figure 4), click the DNS Resolutions tab to view Hosts that have resolved to the Address (Figure 12).
The Passive DNS section, if available, provides the ability to look up historic Host resolutions. Click the HISTORIC DOMAINS button to see a list of Host Indicators that have previously resolved to the Address (Figure 13).
NOTE: The Passive DNS feature will be available only if an Organization Administrator has entered a Farsight Security API key from the Organization Settings screen.
Click the IMPORT button at the bottom of the table (Figure 14) to import and associate these Indicators.
WHOIS Registration Information
The Whois tab for Host Indicators provides WHOIS information, if available. Note that this feature also requires the Whois box to be checked in the Details card (Figure 6) on the Overview tab of the Details screen for the Host. Click the Whois tab (Figure 15); if populated, the screen will display a results table with some hyperlinked items.
Click on any hyperlink to view related Hosts in ThreatConnect that have a matching value in their WHOIS information. The Related Hosts window will be displayed (Figure 16).
Click on one of the Details icons in the column on the far right of the WHOIS results table (Figure 15) to view the full WHOIS record for that entry (Figure 17).
NOTE: It may take up to 60 minutes for WHOIS information to appear after checking the Whois box.
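As an added illustration (not ThreatConnect code or its API), the following hypothetical in-memory model shows the behaviour described in the DNS and WHOIS sections above: importing resolution records creates Address Indicators in the Host's owner and associates them, an Address pivots back to every Host that has resolved to it, and a WHOIS field value pivots to Related Hosts. All records, host names, addresses and field names are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not a ThreatConnect export): passive-DNS style
# records as (host, address, first_seen, last_seen) and per-Host WHOIS fields.
RESOLUTIONS = [
    ("login.example.test", "203.0.113.10", "2023-01-04", "2023-03-01"),
    ("cdn.example.test",   "203.0.113.10", "2023-02-10", "2023-02-20"),
    ("login.example.test", "198.51.100.7", "2023-03-02", "2023-05-09"),
    ("login.example.test", "198.51.100.7", "2023-05-01", "2023-06-30"),  # overlaps
    ("mail.other.test",    "198.51.100.7", "2022-11-01", "2023-01-15"),
]
WHOIS = {
    "login.example.test": {"registrant_email": "reg@example.test", "registrar": "Registrar A"},
    "cdn.example.test":   {"registrant_email": "reg@example.test", "registrar": "Registrar B"},
    "mail.other.test":    {"registrant_email": "other@other.test", "registrar": "Registrar A"},
}

class IndicatorGraph:
    """Hypothetical stand-in for the Host/Address association model."""

    def __init__(self, owner):
        self.owner = owner
        self.addresses = {}                    # ip -> owner of the auto-created Address
        self.host_to_addr = defaultdict(dict)  # host -> {ip: (first_seen, last_seen)}
        self.addr_to_host = defaultdict(set)   # reverse index used for Address pivots

    def import_resolutions(self, records):
        """Import resolutions: create Addresses in the Host's owner and associate them."""
        for host, ip, first, last in records:
            self.addresses.setdefault(ip, self.owner)
            prev = self.host_to_addr[host].get(ip)
            if prev:  # merge duplicate/overlapping records into one time span
                first, last = min(first, prev[0]), max(last, prev[1])
            self.host_to_addr[host][ip] = (first, last)
            self.addr_to_host[ip].add(host)

    def history_for_host(self, host):
        """Host's DNS resolution history, most recently seen first."""
        hist = self.host_to_addr.get(host, {})
        return sorted(hist.items(), key=lambda kv: kv[1][1], reverse=True)

    def hosts_for_address(self, ip):
        """Address pivot: every Host that has resolved to this Address."""
        return sorted(self.addr_to_host.get(ip, ()))

def related_hosts(whois, host, fld):
    """WHOIS pivot: other Hosts whose WHOIS field carries the same value."""
    value = whois[host][fld]
    return sorted(h for h, rec in whois.items() if h != host and rec.get(fld) == value)
```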
Farsight Security™ is a trademark of Farsight Security, Inc.