Farsight Security Passive DNS Enrichment

Overview

The Farsight Security^® built-in enrichment in ThreatConnect^® lets you access Farsight Security’s historical passive DNS data directly within ThreatConnect, enabling you to investigate and analyze historical relationships between domain names and IP addresses and assess the risk these entities pose.

This article describes how to enable the Farsight Security enrichment service in ThreatConnect, view data retrieved from Farsight Security on the Enrichment tab of an Indicator’s Details screen, and import Indicators from Farsight Security into ThreatConnect.

Before You Start

User Roles

• To enable and configure the Farsight Security enrichment, your user account must have a System role of Administrator.
• To view Farsight Security data on the Enrichment tab of an Indicator’s Details screen, your user account can have any Organization role.
• To retrieve data manually on the Farsight Passive DNS card on the Enrichment tab of an Indicator’s Details screen, your user account can have any Organization role.
• To import Farsight Security data into an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
• To import Farsight Security data into a Community or Source, your user account must have a Community role of Contributor, Editor, or Director for that Community or Source.

Prerequisites

• A Farsight Security API key. To obtain a Farsight Security API key, you must have a subscription to Farsight DNSDB^®.

Enabling the Farsight Security Enrichment

Before you can retrieve data from Farsight Security, you must enable and configure the Farsight Security enrichment in ThreatConnect. Follow these steps to enable and configure the Farsight Security enrichment on your ThreatConnect instance:

1. Hover over Settingson the top navigation bar and select System Settings.
2. Select the Indicators tab on the System Settings screen, and then click Enrichment Tools in the sidebar.
3. Click Editin the Options column for Farsight and fill out the fields on the Edit Vendor window (Figure 1) as follows: 

    

   • Enable Vendor: Select this checkbox to enable Farsight Security.
   • Enable Automatic Retrieval: Select this checkbox to enable automatic data retrieval for Farsight Security. If automatic data retrieval is enabled, Farsight Security data will automatically populate when a user opens an Address or Host Indicator’s  Enrichment tab for the first time. This checkbox is selected by default.
   • API Key: Enter the API key that will be used to retrieve data from Farsight Security.
   • VALIDATE: After entering the Farsight Security API key, click this button to validate it. If the API key is accepted, the VALIDATE button’s label will change to VALID.
   • Lookup/Retrieve: Select one or more Indicator types to retrieve data from Farsight Security for. Available Indicator types include Address and Host.
4. Click SAVE on the Edit Vendor window to save the configuration for the Farsight Security enrichment.

When Farsight Security is enabled, a value of true will be displayed in the Enabled column for its entry on the Enrichment Tools screen.

Data Overview

The Farsight Passive DNS card displays one of the following tables, depending on the type of Indicator you are viewing:

• Historic Domain Resolutions: (Available for Address Indicators only) This table displays Host Indicators representing domains that have resolved to the Address Indicator you are viewing.
• Historic Subdomain & IP Resolutions: (Available for Host Indicators only) This table displays Address Indicators representing historic IP address resolutions and Host Indicators representing historic subdomain resolution for the Host Indicator you are viewing.

Figure 2 shows the Farsight Passive DNS card on the Enrichment tab of an Address Indicator’s Details screen.

Importing Indicators From Farsight Security Into ThreatConnect

You may import Indicators displayed on the Farsight Passive DNS card into ThreatConnect and, if desired, associate them to existing Groups.

Follow these steps to import Indicators from Farsight Security into ThreatConnect:

1. Click Import on the Farsight Passive DNS card (Figure 2). If you are importing Indicators on the Historic Subdomain & IP Resolutions table, you will be prompted to select whether to import Host or Address Indicators after clicking Import.
2. Proceed through the steps on the Import Passive DNS Indicators window to select and configure the Indicators you want to import. There are four steps in this process: Select Indicators (required), Apply Data (optional), Select Associations (optional), and Summary (optional).

Step 1: Select the Indicators to Import

The Select Indicators step of the Import Passive DNS Indicators window (Figure 3) is a required step where you select the Indicators from Farsight Security you want to import and the owner in which to create them.

Follow these steps to proceed through the Select Indicators step:

1. Use the Owner dropdown to select the owner in which to create the Indicators.
2. Select the checkbox for each Indicator you want to import into ThreatConnect, or select the checkbox in the table’s header to import all Indicators in the table.
   
   Important

   If a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the import.
3. Click Next to proceed to the optional Apply Data step, or click Save to create the Indicators.

Step 2: Apply Metadata to the Indicators (Optional)

If you click Next on the Select Indicators step, you will proceed to the optional Apply Data step of the Import Passive DNS Indicators window (Figure 4). Here, you can configure the metadata to apply to the Indicators from Farsight Security that are being created.

Follow these steps to fill out the fields on the Apply Data step:

1. Provide the following details for the Indicators:
   • Security Labels: Select one or more Security Labels to apply to the Indicators.
   • Confidence Rating: Set the Confidence Rating for the Indicators.
   • Threat Rating: Set the Threat Rating for the Indicators.
   • Settings: If you are importing Host Indicators, a Settings section with the following options will be displayed:
     • Enable DNS Tracking: Select this checkbox to enable DNS resolution tracking for the Host Indicators.
     • Enable Whois Lookups: Select this checkbox to enable WHOIS lookups for the Host Indicators.
   • Tags: Enter one or more Tags to apply to the Indicators.
   • Description: Enter a default Description for the Indicators.
   • Source: Enter a default Source for the Indicators.
     
     Note

     You can use plain text or Markdown when filling out the Description and Source fields. If using Markdown, these fields support the Marked library (https://marked.js.org/).
2. Click Next to proceed to the optional Select Associations step, or click Save to create the Indicators

Step 3: Associate Groups to the Indicators (Optional)

If you click Next on the Apply Data step, you will proceed to the optional Select Associations step of the Import Passive DNS Indicators window (Figure 5). Here, you can associate existing Groups to the Indicators from Farsight Security that are being created.

Follow these steps to proceed through the Select Associations step:

1. Select the checkbox for each Group you want to associate to the Indicators, or select the checkbox in the table’s header to associate all Groups displayed on the current page in the table to the Indicators.
2. Click Next to proceed to the optional Summary step, or click Save to create the Indicators and associate them to the selected Groups.

Step 4: Review and Finalize the Import (Optional)

If you click Next on the Select Associations step, you will proceed to the optional Summary step of the Import Passive DNS Indicators window (Figure 6). Here, you can review all options configured in the previous steps and make changes as desired.

Follow these steps to proceed through the Summary step:

1. In the Owner Data section, review the owner in which the Indicators will be created. To change the owner, you must return to the Select Indicators step.
2. In the Selected Indicators section, review the list of Indicators that will be imported into ThreatConnect. To remove an Indicator from this list, click Remove.
   
   Note

   If you are importing only one Indicator, a Removeicon will not be available for it. This is because you must import at least one Indicator.
3. In the Applied Data section, review the metadata that will be applied the Indicators. To return to the Apply Data step and make changes to the metadata, click Edit at the top right of the section.
4. In the Selected Associations section, review the list of existing Groups that will be associated to the Indicators. To remove a Group from this list, click Removefor the Group. To remove all Groups from this list, click Removein the table header.
5. Click the Save button to create the Indicators.

After you complete the import process, the Enrichment tab of the enriched Indicator’s Details screen will be displayed. To locate and view the Indicators from Farsight Security that were imported into ThreatConnect, use the search capabilities of the Browse or Search screen.

Retrieving Data Manually

When you open an Indicator’s Enrichment tab for the first time, data will be retrieved from Farsight Security and displayed on the Farsight Passive DNS card automatically if your System Administrator enabled automatic data retrieval for Farsight Security. Otherwise, the Farsight Passive DNS card will display a message stating “Automatic Data Retrieval has been disabled by the System Administrator,” and you will need to click Retrieve Data on the card to populate it with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached Farsight Security data will be displayed until this period of time has passed.

To retrieve the latest Farsight Security data for the Indicator manually, click Retrieve Data on the Farsight Passive DNS card.

ThreatConnect^® is a registered trademark of ThreatConnect, Inc.
Farsight Security^® and DNSDB^® are registered trademarks of DomainTools, LLC.

20146-06 v.03.A