Using Automated Data Services

Last Updated: Jul 12, 2018 03:24PM EDT
User and Higher

Overview

ThreatConnect® leverages a number of automated data services to enable automated correlation and discovery of threat intelligence. These services allow analysts to efficiently investigate Domain Name System (DNS) relationships, registrants for Internet resources (using the WHOIS protocol), and IP address geographic information within ThreatConnect. The following data services are currently available from the relevant Indicators’ Details screen:

  • IP geolocation data for Address Indicators
  • DNS resolutions for Address Indicators (current and historical)
  • DNS resolutions for Host Indicators (current and historical, as well as subdomains)
  • WHOIS information for Host Indicators

IP Geolocation Data

For Address Indicators, IP geolocation data are available on the Overview tab of the Details screen.

Steps

  1. From the top navigation bar (Figure 1), place the cursor over BROWSE and then over the INDICATORS option. Click on the ADDRESS object to display a results table (Figure 2).
  2. Click on one of the entries, and the Details window for that entry will appear (Figure 3).
  3. Click the Details icon at the top right corner of the window, and the Overview tab of the Details screen will appear (Figure 4).
  4. Scroll down to view the GeoLocation Data card (Figure 5).
  5. If information is not available from the provider, or if the IP geolocation data service is disabled in a user’s ThreatConnect instance, no data will be displayed. Note that IP geolocation data may take up to 60 minutes to appear.

Address DNS Resolutions

DNS resolutions reveal which Hosts have resolved to an Address Indicator, presently or historically, which can allow for automated creation of associations between the Host and the Address, as well as enable easy pivoting. From the Details screen of an Address Indicator (Figure 4), click the DNS Resolutions tab (Figure 6).

The Passive DNS section provides the ability to look up past Host resolutions. Click the HISTORIC DOMAINS button to see a list of Host Indicators that have previously resolved to the Address (Figure 7), and click the IMPORT button to import and associate these Indicators.

NOTE: In order to use the Passive DNS capability, an Organization Administrator must have entered a Farsight Security API key from the Organization Settings screen.

Host DNS Resolutions

As with Address DNS resolutions, a Host Indicator can also leverage DNS resolution tracking for ongoing resolution changes. This feature requires the DNS box to be checked in the Details card (Figure 8) on the Overview tab of the Details screen for the Host. Checking this box will enable monitoring of the Host’s DNS resolutions. Note that it may take up to 90 minutes for DNS information to appear after checking the DNS box.

NOTE: In order to use the Passive DNS capability, an Organization Administrator must have entered a Farsight Security API key from the Organization Settings screen.

Click the DNS tab to view the DNS screen (Figure 9). From this screen, and as described previously, passive DNS lookups can be used to find historic IPs and subdomains, which can be viewed and imported.
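The Address and Host DNS Resolutions sections above describe the same underlying correlation from two sides: which Hosts have resolved to an Address (currently or historically), which Addresses a Host has resolved to, which subdomains appear in passive DNS, and which Host-to-Address pairs are worth importing as associations. The following is an added example, not ThreatConnect's or Farsight Security's code, that performs those lookups over a constructed set of passive-DNS observations; the record fields, hostnames and addresses are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: rrname resolved to rdata during [first_seen, last_seen]."""
    rrname: str
    rdata: str
    first_seen: date
    last_seen: date


# Constructed sample observations; names use reserved test ranges and are not real data.
SAMPLE_RECORDS = [
    PdnsRecord("login.example.test", "198.51.100.7", date(2018, 1, 3), date(2018, 2, 20)),
    PdnsRecord("cdn.example.test", "198.51.100.7", date(2018, 2, 21), date(2018, 7, 12)),
    PdnsRecord("mail.example.test", "203.0.113.9", date(2017, 11, 1), date(2018, 7, 12)),
    PdnsRecord("example.test", "203.0.113.9", date(2017, 11, 1), date(2018, 7, 12)),
    PdnsRecord("update.other.test", "198.51.100.7", date(2017, 6, 1), date(2017, 9, 30)),
]


def normalize_host(name):
    """Lower-case and drop the trailing dot so 'Example.Test.' and 'example.test' compare equal."""
    return name.strip().rstrip(".").lower()


def _active(rec, as_of):
    """True if the observation covers as_of; with as_of=None every observation counts (historical view)."""
    return as_of is None or rec.first_seen <= as_of <= rec.last_seen


def hosts_for_address(records, address, as_of=None):
    """Hosts that resolved to `address`, most recently seen first.

    Passing as_of restricts the result to resolutions still active on that date (the 'current'
    view); leaving it None returns every historical resolution (the HISTORIC DOMAINS view).
    """
    hits = [r for r in records if r.rdata == address and _active(r, as_of)]
    hits.sort(key=lambda r: r.last_seen, reverse=True)
    return [normalize_host(r.rrname) for r in hits]


def addresses_for_host(records, host, as_of=None):
    """Addresses that `host` resolved to, most recently seen first."""
    wanted = normalize_host(host)
    hits = [r for r in records if normalize_host(r.rrname) == wanted and _active(r, as_of)]
    hits.sort(key=lambda r: r.last_seen, reverse=True)
    return [r.rdata for r in hits]


def subdomains_of(records, apex):
    """Distinct names in the observations that sit below `apex` (the apex itself is excluded)."""
    apex = normalize_host(apex)
    names = {normalize_host(r.rrname) for r in records}
    return sorted(n for n in names if n.endswith("." + apex))


def associations(records):
    """Deduplicated (host, address) pairs, the set an analyst would import as associations."""
    return sorted({(normalize_host(r.rrname), r.rdata) for r in records})


if __name__ == "__main__":
    print("historic hosts for 198.51.100.7:", hosts_for_address(SAMPLE_RECORDS, "198.51.100.7"))
    print("current hosts for 198.51.100.7:",
          hosts_for_address(SAMPLE_RECORDS, "198.51.100.7", as_of=date(2018, 7, 1)))
    print("subdomains of example.test:", subdomains_of(SAMPLE_RECORDS, "example.test"))
    print("associations to import:", associations(SAMPLE_RECORDS))
```

The distinction between the historical and the `as_of` view matters when pivoting: a Host that resolved to an Address a year ago is a lead, not evidence that the two share infrastructure today, so the first/last-seen window should travel with any association that is imported.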

WHOIS Registration Information

The Whois tab for Host Indicators provides WHOIS information, if available. Note that this feature also requires the Whois box to be checked in the Details card (Figure 8) on the Overview tab of the Details screen for the Host. Click on the Whois tab (Figure 10), and, if populated, the screen will display a results table with some hyperlinked items.

Click on any hyperlink to view related Hosts in ThreatConnect that have a matching value in their WHOIS information, and the Related Hosts window will appear (Figure 11).

Click the Details icon on the far right of the WHOIS results table (Figure 10) to view the Host’s full WHOIS record (Figure 12).

Note that it may take up to 60 minutes for WHOIS information to appear after checking the Whois box.
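The hyperlinked values in the WHOIS results table are a pivot: clicking one lists every other Host whose WHOIS record carries the same value in that field. The following is an added example, not ThreatConnect's code, that builds the same pivot over a constructed set of WHOIS records; the field names, hostnames and values are assumptions for illustration. It also shows the caveat a practitioner applies when pivoting on WHOIS: values shared by many unrelated domains (a privacy-proxy contact address, a common registrar) produce matches that are not relationships, so they are excluded from the pivot.

```python
from collections import defaultdict

# Constructed WHOIS records, one per Host Indicator; every value is a placeholder.
SAMPLE_WHOIS = {
    "example.test": {
        "registrant_email": "admin@example.test",
        "registrant_name": "J. Doe",
        "name_server": "ns1.hoster.test",
        "registrar": "Registrar A",
    },
    "example-cdn.test": {
        "registrant_email": "Admin@Example.Test",
        "name_server": "ns2.hoster.test",
        "registrar": "Registrar A",
    },
    "unrelated.test": {
        "registrant_email": "privacy@whoisproxy.test",
        "name_server": "ns1.hoster.test",
        "registrar": "Registrar B",
    },
    "another.test": {
        "registrant_email": "privacy@whoisproxy.test",
        "name_server": "ns9.hoster.test",
        "registrar": "Registrar A",
    },
}

# Fields where a shared value is a meaningful lead. Registrar is deliberately left out:
# two domains at the same registrar have nothing in common worth pivoting on.
PIVOT_FIELDS = ("registrant_email", "registrant_name", "name_server")

# Values that many unrelated registrants share (assumed privacy-proxy contact); a match on
# one of these is noise rather than a relationship, so it never yields related hosts.
LOW_SIGNAL_VALUES = {"privacy@whoisproxy.test"}


def _norm(value):
    """Case- and whitespace-insensitive comparison key for a WHOIS field value."""
    return value.strip().lower()


def build_index(whois):
    """Map (field, normalized value) to the set of hosts carrying that value."""
    index = defaultdict(set)
    for host, record in whois.items():
        for field in PIVOT_FIELDS:
            value = record.get(field)
            if value:
                index[(field, _norm(value))].add(host)
    return index


def related_hosts(whois, host, field):
    """Hosts other than `host` whose WHOIS has the same value in `field` (the hyperlink pivot)."""
    value = whois[host].get(field)
    if not value or _norm(value) in LOW_SIGNAL_VALUES:
        return set()
    return build_index(whois)[(field, _norm(value))] - {host}


def all_pivots(whois, host):
    """Every pivot available from one host's record: field -> sorted related hosts, empty ones omitted."""
    pivots = {}
    for field in PIVOT_FIELDS:
        related = related_hosts(whois, host, field)
        if related:
            pivots[field] = sorted(related)
    return pivots


if __name__ == "__main__":
    for host in SAMPLE_WHOIS:
        print(host, "->", all_pivots(SAMPLE_WHOIS, host))
```

Normalizing the value before comparison is what makes `admin@example.test` and `Admin@Example.Test` match; without it the two records above would not be linked. The low-signal list is a judgement call that should be revisited as new proxy or bulk-registration values show up in the data.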

Farsight Security is a trademark of Farsight Security, Inc.

20030-08 EN Rev. A
