- 30 Aug 2022
- 4 Minutes to read
-
Print
-
DarkLight
DNS Resolutions
- Updated on 30 Aug 2022
- 4 Minutes to read
-
Print
-
DarkLight
Host Indicators
A Host Indicator can leverage DNS resolution tracking for ongoing resolution changes. To use this feature, the DNS checkbox in the Details card on the Overview tab of the Details screen for the Host must be selected (Figure 1).
On a Host Indicator’s Details screen, click the DNS tab to display the DNS screen (Figure 2).
DNS Resolution History
The DNS Resolution History section of the screen lists the Addresses that have resolved to the Host Indicator, presently or historically. A Host's DNS resolutions will automatically be added as Address Indicators in the same owner as that of the Host and will be associated to the Host.
Passive DNS
The Passive DNS section of the screen, if available, provides the ability to view a list of the subdomain resolutions and historic IP address resolutions for the Host.
Subdomains
Click the SUBDOMAINS button on the Passive DNS section of the screen to display a table of subdomain resolutions, with columns for when they were first and last seen (Figure 3).
Historic IPS
Click the HISTORIC IPS button on the Passive DNS section to view the Host’s IP address resolutions. A list of Address Indicators to which the Host has previously resolved will be displayed.
Import Data
- Click the IMPORT button at the bottom of the table (Figure 3) to import the data displayed in the Subdomains or Historic IPS tables as Host Indicators and Address Indicators, respectively, into ThreatConnect. A new tab will open with the Validate step of the Import Indicators screen displayed (Figure 4).
- Owner: Select the Organization, Community, or Source into which all selected Indicators will be imported.
- Select the checkbox for each Indicator that you want to import into ThreatConnect.
- Click the Next button.
- The Confirm step will be displayed (Figure 5).
- Description: Click Edit
to enter a Description that will be applied to all Indicators to be imported.
- Source: By default, the Source is set to Imported from ThreatConnect Passive DNS. Click Edit
to modify the Source for all Indicators to be imported.
- Threat Rating: Use the skull icons to set the Threat Rating for all Indicators to be imported.
- Confidence Rating: Use the slider to set the Confidence Rating for all Indicators to be imported.
- DNS: Select the checkbox to enable DNS resolution tracking for all Host Indicators to be imported. If importing Historic IPS data as Address Indicators, this checkbox will not be displayed.
- Whois: Select the checkbox to enable the WHOIS feature for all Host Indicators to be imported. If importing Historic IPS data as Address Indicators, this checkbox will not be displayed.
- Click the Next button.
- Description: Click Edit
- The Labels step will be displayed (Figure 6).
- Security Labels: Select Security Labels to apply to all Indicators to be imported, if desired.
- Tags: Enter Tags to apply to all Indicators to be imported, if desired. To view a list of Tags recently used, click Recent Tags….
- Click the Next button.
- The Save step will be displayed (Figure 7). To associate the Indicators to be imported with a Group, follow Steps 5–8. Otherwise, click the SAVE button to complete the import process and view the imported Indicators on the Browse screen.
- Click the + NEW ASSOCIATION button to associate the Indicators to a Group. The Select an Association window will be displayed (Figure 8).
- Select a Group type from the Select Type dropdown menu. All Groups of the selected type will be displayed. If desired, enter text in the Filter box to filter the results further.
- Select one or more of the displayed Groups, and then click the SAVE button (Figure 8). Selected Groups will be displayed in the table at the bottom of the Save screen (Figure 7).NoteOnly one type of Group may be added at a time from the Select an Association window. To add more than one type of Group, click the + NEW ASSOCIATION button in Figure 7 again and select a different type of Group.NoteOnce a Group has been added to the table, it cannot be removed. The only way to exclude the Group is to click the CANCEL button and restart the Indicator import process.
- Click the SAVE button to complete the import process and view the imported Indicators on the Browse screen.
Address Indicators
DNS resolutions reveal the Hosts that have resolved to an Address Indicator, presently or historically, which, as stated in the “Host Indicators” section, allows for automated creation of associations between the Host and the Address, as well as enables easy pivoting.
On an Address Indicator’s Details screen, click the DNS Resolutions tab to view Hosts that have resolved to the Address (Figure 9).
The Passive DNS section, if available, provides the ability to look up historic Host resolutions. Click the HISTORIC DOMAINS button to see a list of Host Indicators that have previously resolved to the Address (Figure 10).
Click the IMPORT button at the bottom of the table to import and associate the displayed Host Indicators. See the “Import Data” section for steps on how to complete the import process.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Farsight Security™ is a trademark of Farsight Security, Inc.
20030-02 v.11.A