Farsight Security Passive DNS Enrichment
  • 04 Oct 2023

Important
This article describes how to view and import passive DNS data retrieved from Farsight Security® on the Enrichment tab of the new Details screen for Address and Host Indicators. For instructions on how to perform these actions on the legacy Details screen for these Indicator types, see the “Legacy Details Screen” section of DNS Resolutions.

Enabling the Farsight Security Enrichment

Before you can retrieve passive DNS data from Farsight Security for Address and Host Indicators, a System Administrator must first enable and configure the Farsight Security enrichment in ThreatConnect.

  1. Log into ThreatConnect with a System Administrator account.
  2. On the top navigation bar, hover over Settings and select System Settings. The System Settings screen will be displayed with the Settings tab selected.
  3. Select the Indicators tab. The Indicators screen will be displayed.
  4. Click Enrichment Tools in the menu on the left side of the Indicators screen. The Enrichment Tools screen will be displayed.
  5. Click Edit in the Options column for Farsight. The Edit Vendor window will be displayed (Figure 1).
    Figure 1_Farsight Security Passive DNS Enrichment_7.3.0


    • Enable Vendor: Select this checkbox to enable Farsight Security.
    • Enable Automatic Retrieval: Select this checkbox to enable automatic data retrieval for Farsight Security. If automatic data retrieval is enabled, Farsight Security data will automatically populate when a user clicks on an Indicator’s Enrichment tab for the first time. This checkbox is selected by default.
    • API Key: Enter the API key that will be used to retrieve data from Farsight Security.
    • VALIDATE: After entering the Farsight Security API key, click this button to validate it. If the API key is accepted, the VALIDATE button’s label will change to VALID, indicating that a valid API key has been entered. If the API key is not accepted, a message stating “API Key is invalid.” will be displayed at the top of the Edit Vendor window.
    • Lookup/Retrieve: Select the Indicator type(s) for which to retrieve data from Farsight Security. Available Indicator types include Address and Host.
    • Click the SAVE button.

When Farsight Security is enabled, a value of true will be displayed in the Enabled column for its entry on the Enrichment Tools screen.

Data Overview

The Farsight Passive DNS card displays one or both of the following Indicator types in a paginated table, with the total number of Indicators displayed to the right of the card’s header:

  • Address: This Indicator type will be displayed if viewing the Details screen for a Host Indicator. These Indicators represent the historic IP address resolutions for the Host Indicator.
  • Host: This Indicator type will be displayed if viewing the Details screen for an Address or Host Indicator. For Address Indicators, these Indicators represent the domains that have resolved to the Address; for Host Indicators, these Indicators represent the historic subdomain resolutions for the Host.

Figure 2 shows the Farsight Passive DNS card on the Enrichment tab of an Address Indicator’s Details screen with a table containing Host Indicators.

Figure 2_Farsight Security Passive DNS Enrichment_7.3.0


Important
If the number of results retrieved from Farsight Security exceeds 1000, only the first 1000 results will be displayed on the Farsight Passive DNS card.

Importing Indicators From Farsight Security Into ThreatConnect

If passive DNS data are retrieved from Farsight Security and displayed on the Farsight Passive DNS card, you can import those data into your Organization or one of your Communities or Sources.

  1. Click the Import button at the top right of the Farsight Passive DNS card (Figure 2). If viewing the Farsight Passive DNS card for a Host Indicator, you will be prompted to select whether to import Host or Address Indicators; if viewing the Farsight Passive DNS card for an Address Indicator, you will not be prompted to make this selection, as you can import only Host Indicators.
  2. The Select Indicators section of the Import Passive DNS Indicators window will be displayed (Figure 3).
    Figure 3_Farsight Security Passive DNS Enrichment_7.3.0


    • Owner: Select the owner (i.e., Organization, Community, or Source) into which the selected Indicator(s) will be imported.
    • Select the checkbox for each Indicator you want to import into ThreatConnect. To select all Indicators, select the checkbox in the table’s header.
      Important
      If a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the import.
    • Click one of the following buttons to proceed with the import:
      • Next: Click this button to proceed to the optional Apply Data section. (See Step 3 for further instruction.)
      • Save: Click this button to import the selected Indicator(s) into the selected owner and complete the import.
  3. If you clicked the Next button on the Select Indicators section, the Apply Data section will be displayed (Figure 4). Apply Data is an optional section where you can enter details for the selected Indicator(s).
    Figure 4_Farsight Security Passive DNS Enrichment_7.3.0


    • Security Labels: Select one or more Security Labels to apply to the Indicator(s).
    • Confidence Rating: Use the slider to set the Confidence Rating for the Indicator(s).
    • Threat Rating: Use the skull icons to set the Threat Rating for the Indicator(s).
    • Settings: If you are importing Host Indicators, a Settings section containing the following options will be displayed:
      • Enable DNS Tracking: Select this checkbox to enable DNS resolution tracking for the Host Indicator(s).
      • Enable Whois Lookups: Select this checkbox to enable WHOIS lookups for the Host Indicator(s).
    • Tags: Enter one or more Tags to apply to the Indicator(s).
    • Description: Enter a default Description for the Indicator(s), either in plain text or in Markdown. If using Markdown, click the Preview Markdown link to preview the text with the rendered Markdown formatting.
    • Source: Enter a default Source for the Indicator(s), either in plain text or in Markdown. By default, a value of “Imported from Farsight Passive DNS” is populated in the Source text box automatically. If using Markdown, click the Preview Markdown link to preview the text with the rendered Markdown formatting.
      Note
      The Description and Source text boxes support the Marked library (https://marked.js.org/).
    • Click one of the following buttons to proceed with the import:
      • Next: Click this button to proceed to the optional Select Associations section. (See Step 4 for further instruction.)
      • Save: Click this button to import the selected Indicator(s) into the selected owner and complete the import.
  4. If you clicked the Next button on the Apply Data section, the Select Associations section will be displayed (Figure 5). Select Associations is an optional section where you can associate one or more existing Groups in ThreatConnect to the selected Indicator(s).
    Figure 5_Farsight Security Passive DNS Enrichment_7.3.0


    • Select the checkbox for each Group you want to associate to the selected Indicator(s). To select all Groups, select the checkbox in the table’s header. If desired, use the Filters menu to filter Groups by type, a range of dates within which they were created, or a range of dates within which they were last modified. You can also enter text in the box to the left of the Filters menu to filter Groups by summary. If cross-owner associations are enabled on your ThreatConnect instance, you can filter Groups by owner and add associations to Groups in other owners to which you have access.
    • Click one of the following buttons to proceed with the import:
      • Next: Click this button to proceed to the optional Summary section. (See Step 5 for further instruction.)
      • Save: Click this button to import the selected Indicator(s) into the selected owner and complete the import.
  5. If you clicked the Next button on the Select Associations section, the Summary section will be displayed (Figure 6). Summary is an optional section where you can review all options configured in the previous sections and make changes as desired.
    Figure 6_Farsight Security Passive DNS Enrichment_7.3.0


    • Owner Data: This section displays the owner into which the selected Indicator(s) will be imported. Note that you cannot change the selected owner on the Summary section.
    • Selected Indicators: This section displays the Indicator(s) that will be imported into ThreatConnect. To remove an Indicator from this list, click Remove in the rightmost column for the Indicator.
      Note
      If only one Indicator is displayed in the list, a Remove icon will not be displayed in the rightmost column for it. This is because you must import at least one Indicator.
    • Applied Data: This section displays the details entered for the selected Indicator(s). To return to the Apply Data section (Figure 4) and make changes to these details, click the Edit button at the top right of the section.
    • Selected Associations: This section displays the Group(s) that will be associated to the selected Indicator(s). To remove a Group from this list, click Remove in the rightmost column for the Group; to remove all Groups from this list, click Remove in the table header.
    • Click the Save button to import the selected Indicator(s) into the selected owner and complete the import.

Retrieving Data Manually

When you click on an Indicator’s Enrichment tab for the first time, data will be retrieved from Farsight Security automatically if your System Administrator has enabled automatic data retrieval for Farsight Security. Otherwise, a message stating that “Automatic Data Retrieval has been disabled by the System Administrator” will be displayed on the card, and you will need to click the Retrieve Data button to populate the card with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s Enrichment tab, the cached Farsight Security data will be displayed until this period of time has passed.

To retrieve the latest Farsight Security data for the Indicator manually, click the Retrieve Data button on the Farsight Passive DNS card (Figure 2).

Note
The API key your System Administrator entered when configuring Farsight Security on the System Settings screen will be used each time data are retrieved for the Indicator.
ThreatConnect® is a registered trademark of ThreatConnect, Inc.
Farsight Security® is a registered trademark of DomainTools, LLC.

20146-06 v.02.A