ThreatConnect® leverages a number of automated data services to enable automated correlation and discovery of threat intelligence. These services allow analysts to efficiently investigate Domain Name System (DNS) relationships, registrants for Internet resources (using the WHOIS protocol), and IP address geographic information within ThreatConnect. The following data services are currently available from the relevant Indicators’ Details screen:
- IP geolocation data for Address Indicators
- DNS resolutions for Host Indicators (current and historical, as well as subdomains)
- DNS resolutions for Address Indicators (current and historical)
- WHOIS information for Host Indicators
IP Geolocation Data
For Address Indicators, IP geolocation data are available on the Overview tab of the Details screen:
- From the top navigation bar (Figure 1), place the cursor over BROWSE and then over the INDICATORS option. Click on the ADDRESS object to display a results table (Figure 2).
- Click on one of the entries, and the Details flyout for that entry will appear (Figure 3).
- Click the Details icon at the top right corner of the flyout, and the Overview tab of the Details screen will appear (Figure 4). Alternatively, hover over the object's entry in the table in Figure 2 and click on the Details icon that appears on the right side of its Summary cell to go straight to the Overview tab of the Details screen.
- Scroll down to view the GeoLocation Data card (Figure 5).
- If information is not available from the provider, or if the IP geolocation data service is disabled in a user’s ThreatConnect instance, no data will be displayed. Note that IP geolocation data may take up to 60 minutes to appear.
Host DNS Resolutions
A Host Indicator can leverage DNS resolution tracking for ongoing resolution changes. This feature requires the DNS box to be checked in the Details card (Figure 6) on the Overview tab of the Details screen for the Host. Checking this box will enable monitoring of the Host’s DNS resolutions. Note that it may take up to 90 minutes for DNS information to appear after checking the DNS box.
From the Overview tab of the Details screen, click the DNS tab to view the DNS screen (Figure 7).
The DNS Resolution History section of the screen lists the Addresses to which the Host Indicator has resolved, presently or historically. A Host's DNS resolutions will automatically be added as Address Indicators in the same owner as that of the Host and will be associated to the Host.
The Passive DNS section of the screen, if available, provides the ability to view a list of the subdomain resolutions and historic IP address resolutions for the Host. Click the SUBDOMAINS button, and a table of subdomain resolutions, with columns for when they were first and last seen, will appear (Figure 8).
NOTE: The Passive DNS feature will be available only if an Organization Administrator has entered a Farsight Security™ API key from the Organization Settings screen.
Click the IMPORT button at the bottom of the table to import the subdomain resolution data (Figure 9).
To view the Host’s IP address resolutions, click the HISTORIC IPS button at the top of the Passive DNS section of the screen. A list of Address Indicators to which the Host has previously resolved will appear (Figure 10).
Click the IMPORT button at the bottom of the table to import and associate these Indicators (Figure 11).
Address DNS Resolutions
DNS resolutions reveal the Hosts that have resolved to an Address Indicator, presently or historically. As described in the "Host DNS Resolutions" section, this allows for automated creation of associations between the Host and the Address and enables easy pivoting. From the Details screen of an Address Indicator (Figure 4), click the DNS Resolutions tab to view Hosts that have resolved to the Address (Figure 12).
The Passive DNS section, if available, provides the ability to look up historic Host resolutions. Click the HISTORIC DOMAINS button to see a list of Host Indicators that have previously resolved to the Address (Figure 13), and click the IMPORT button to import and associate these Indicators.
NOTE: The Passive DNS feature will be available only if an Organization Administrator has entered a Farsight Security API key from the Organization Settings screen.
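The following added example (not ThreatConnect code) models the pivots described in the "Host DNS Resolutions" and "Address DNS Resolutions" sections over constructed passive-DNS observations: the current-versus-historical split of a Host's resolved Addresses, the subdomain table with first/last seen, the reverse pivot from an Address to its Hosts, and the Address Indicators that would be created in the Host's owner and associated to it. Host names, RFC 5737 test addresses, the 30-day "current" window and the record field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed passive-DNS observations (hypothetical hosts, RFC 5737 test
# addresses, ISO dates). Field names are an assumption, not ThreatConnect's
# own schema.
@dataclass(frozen=True)
class Resolution:
    host: str
    address: str
    first_seen: str
    last_seen: str

OBSERVATIONS = [
    Resolution("example.test", "192.0.2.10", "2023-01-05", "2024-03-01"),
    Resolution("example.test", "198.51.100.7", "2021-06-01", "2022-11-30"),
    Resolution("mail.example.test", "192.0.2.10", "2023-02-01", "2024-03-01"),
    Resolution("cdn.example.test", "203.0.113.4", "2022-01-01", "2022-01-09"),
    Resolution("other.test", "198.51.100.7", "2022-05-01", "2024-03-01"),
]

def split_resolutions(obs, host, as_of, window_days=30):
    """Split a Host's resolved Addresses into current and historical sets,
    the 'presently or historically' distinction of the DNS Resolution
    History view. An Address is current if seen within window_days of as_of
    (the window is an assumption)."""
    cutoff = date.fromisoformat(as_of).toordinal() - window_days
    current, historical = set(), set()
    for r in obs:
        if r.host != host:
            continue
        seen = date.fromisoformat(r.last_seen).toordinal()
        (current if seen >= cutoff else historical).add(r.address)
    return current, historical

def subdomains_of(obs, apex):
    """Subdomain table: name -> (first_seen, last_seen), merged across all
    Addresses each subdomain resolved to. ISO dates compare as strings."""
    table = {}
    for r in obs:
        if r.host != apex and r.host.endswith("." + apex):
            first, last = table.get(r.host, (r.first_seen, r.last_seen))
            table[r.host] = (min(first, r.first_seen), max(last, r.last_seen))
    return table

def hosts_for_address(obs, address):
    """Reverse pivot: every Host that has resolved to the Address."""
    return {r.host for r in obs if r.address == address}

def associations(obs, host, owner, as_of):
    """Address Indicators to create in the Host's owner and associate to it:
    one (owner, address, host) triple per resolved Address, current or not."""
    current, historical = split_resolutions(obs, host, as_of)
    return sorted((owner, a, host) for a in current | historical)
```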
WHOIS Registration Information
The Whois tab for Host Indicators provides WHOIS information, if available. Note that this feature also requires the Whois box to be checked in the Details card (Figure 6) on the Overview tab of the Details screen for the Host. Click on the Whois tab (Figure 14), and, if populated, the screen will display a results table with some hyperlinked items.
Click on any hyperlink to view related Hosts in ThreatConnect that have a matching value in their WHOIS information, and the Related Hosts window will appear (Figure 15).
Click the Details icon on the far right of the WHOIS results table (Figure 14) to view the Host’s full WHOIS record (Figure 16).
Note that it may take up to 60 minutes for WHOIS information to appear after checking the Whois box.
Farsight Security™ is a trademark of Farsight Security, Inc.