---
title: "Farsight Security Passive DNS Enrichment | ThreatConnect"
slug: "farsight-security-passive-dns-enrichment"
description: "This article describes how to enable the Farsight Security enrichment service in ThreatConnect, view data retrieved from Farsight Security on the Enrichment tab of an Indicator’s Details screen, and import Indicators from Farsight Security."
tags: ["Enriching Data", "Viewing Data", "Markdown"]
updated: 2025-06-16T08:40:53Z
published: 2025-06-16T08:40:53Z
canonical: "knowledge.threatconnect.com/farsight-security-passive-dns-enrichment"
---

> ## Documentation Index
> Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Farsight Security Passive DNS Enrichment

## Overview

The Farsight Security® built-in enrichment in ThreatConnect® lets you access Farsight Security’s historical passive DNS data directly within ThreatConnect, enabling you to investigate and analyze historical relationships between domain names and IP addresses and assess the risk these entities pose.

This article describes how to enable the Farsight Security enrichment service in ThreatConnect, view data retrieved from Farsight Security on the **Enrichment**tab of an Indicator’s **Details**screen, and import Indicators from Farsight Security into ThreatConnect.

NoteFor instruction on viewing and importing Farsight Security passive DNS data on the legacy **Details**screen, see the [“Legacy Details Screen” section of *DNS Resolutions*](https://knowledge.threatconnect.com/docs/dns-resolutions#legacy-details-screen).

## Before You Start

### User Roles

- To enable and configure the Farsight Security enrichment, your user account must have a [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) of Administrator.
- To view Farsight Security data on the **Enrichment** tab of an Indicator’s **Details** screen, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles).
- To retrieve data manually on the **Farsight Passive DNS** card on the **Enrichment** tab of an Indicator’s **Details** screen, your user account can have any Organization role.
- To import Farsight Security data into an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer.
- To import Farsight Security data into a Community or Source, your user account must have a [Community role](https://knowledge.threatconnect.com/docs/community-roles) of Contributor, Editor, or Director for that Community or Source.

### Prerequisites

- A Farsight Security API key. To obtain a Farsight Security API key, you must have a subscription to [Farsight DNSDB®](https://www.domaintools.com/products/farsight-dnsdb/).

## Enabling the Farsight Security Enrichment

Before you can retrieve data from Farsight Security, you must enable and configure the Farsight Security enrichment in ThreatConnect. Follow these steps to enable and configure the Farsight Security enrichment on your ThreatConnect instance:

1. Hover over **Settings![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**on the top navigation bar and select **System Settings**.
2. Select the **Indicators**tab on the **System Settings**screen, and then click **Enrichment Tools**in the sidebar.
3. Click **Edit![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png)**in the **Options**column for **Farsight** and fill out the fields on the **Edit Vendor**window (Figure 1) as follows: ![Figure 1_Farsight Security Passive DNS Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_Farsight%20Security%20Passive%20DNS%20Enrichment_7.8.1.png)
  - **Enable Vendor**: Select this checkbox to enable Farsight Security.
  - **Enable Automatic Retrieval**: Select this checkbox to enable automatic data retrieval for Farsight Security. If automatic data retrieval is enabled, Farsight Security data will automatically populate when a user opens an Address or Host Indicator’s  **Enrichment** tab for the first time. This checkbox is selected by default.
  - **API Key**: Enter the API key that will be used to retrieve data from Farsight Security.
  - **VALIDATE**: After entering the Farsight Security API key, click this****button to validate it. If the API key is accepted, the **VALIDATE**button’s label will change to **VALID**.
  - **Lookup/Retrieve**: Select one or more Indicator types to retrieve data from Farsight Security for. Available Indicator types include Address and Host.
4. Click **SAVE**on the **Edit Vendor**window to save the configuration for the Farsight Security enrichment.

When Farsight Security is enabled, a value of **true**will be displayed in the **Enabled**column for its entry on the **Enrichment Tools**screen.

## Data Overview

The **Farsight Passive DNS**card on the [**Enrichment** tab](https://knowledge.threatconnect.com/docs/the-enrichment-tab#viewing-enrichment-data) of an Address or Host Indicator’s **Details** screen displays one of the following tables, depending on the type of Indicator you are viewing:

- **Historic Domain Resolutions**: (Available for Address Indicators only) This table displays Host Indicators representing domains that have resolved to the Address Indicator you are viewing.
- **Historic Subdomain & IP Resolutions**: (Available for Host Indicators only) This table displays Address Indicators representing historic IP address resolutions and Host Indicators representing historic subdomain resolution for the Host Indicator you are viewing.

Figure 2 shows the **Farsight Passive DNS**card on the **Enrichment**tab of an Address Indicator’s **Details**screen.

![Figure 2_Farsight Security Passive DNS Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_Farsight%20Security%20Passive%20DNS%20Enrichment_7.8.1.png)

HintThe number next to the **Farsight Passive DNS**card’s heading indicates the total number of Indicators in the table.ImportantIf more than 1000 results are returned from Farsight Security, the **Farsight Passive DNS**card will display only the first 1000 results.

## Importing Indicators From Farsight Security Into ThreatConnect

You may import Indicators displayed on the **Farsight Passive DNS**card into ThreatConnect and, if desired, associate them to existing Groups.

Follow these steps to import Indicators from Farsight Security into ThreatConnect:

1. Click **Import** on the **Farsight Passive DNS**card (Figure 2). If you are importing Indicators on the **Historic Subdomain & IP Resolutions**table, you will be prompted to select whether to import Host or Address Indicators after clicking **Import**.
2. Proceed through the steps on the **Import Passive DNS Indicators**window to select and configure the Indicators you want to import. There are four steps in this process: [**Select Indicators**](/docs/farsight-security-passive-dns-enrichment#step-1-select-the-indicators-to-import)****(required), [**Apply Data**](/docs/farsight-security-passive-dns-enrichment#step-2-apply-metadata-to-the-indicators-optional)****(optional), [**Select Associations**](/docs/farsight-security-passive-dns-enrichment#step-3-associate-groups-to-the-indicators-optional)****(optional), and [**Summary**](/docs/farsight-security-passive-dns-enrichment#step-4-review-and-finalize-the-import-optional)****(optional).

### Step 1: Select the Indicators to Import

The **Select Indicators**step of the **Import Passive DNS Indicators**window (Figure 3) is a required step where you select the Indicators from Farsight Security you want to import and the [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) in which to create them.

![Figure 3_Farsight Security Passive DNS Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_Farsight%20Security%20Passive%20DNS%20Enrichment_7.8.1.png)

Follow these steps to proceed through the **Select Indicators**step:

1. Use the **Owner**dropdown to select the [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) in which to create the Indicators.
2. Select the checkbox for each Indicator you want to import into ThreatConnect, or select the checkbox in the table’s header to import all Indicators in the table.  
ImportantIf a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the****import.
3. Click **Next**to proceed to the optional [**Apply Data**step](/docs/farsight-security-passive-dns-enrichment#step-2-apply-metadata-to-the-indicators-optional), or click **Save**to create the Indicators.

### Step 2: Apply Metadata to the Indicators (Optional)

If you click **Next**on the **Select Indicators**step, you will proceed to the optional **Apply Data**step of the **Import Passive DNS Indicators**window (Figure 4). Here, you can configure the metadata to apply to the Indicators from Farsight Security that are being created.

![Figure 4_Farsight Security Passive DNS Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_Farsight%20Security%20Passive%20DNS%20Enrichment_7.8.1.png)

Follow these steps to fill out the fields on the **Apply Data**step:****

1. Provide the following details for the Indicators:
  - **Security Labels**: Select one or more [Security Labels](https://knowledge.threatconnect.com/docs/applying-security-labels) to apply to the Indicators.
  - **Confidence Rating**: Set the [Confidence Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators.
  - **Threat Rating**: Set the [Threat Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators.
  - **Settings**: If you are importing Host Indicators, a **Settings**section with the following options will be displayed:
    - **Enable DNS Tracking**: Select this checkbox to enable [DNS resolution tracking](https://knowledge.threatconnect.com/docs/dns-resolutions) for the Host Indicators.
    - **Enable Whois Lookups**: Select this checkbox to enable [WHOIS lookups](https://knowledge.threatconnect.com/docs/whois-registration-information) for the Host Indicators.
  - **Tags**: Enter one or more [Tags](https://knowledge.threatconnect.com/v1/docs/applying-tags) to apply to the Indicators.
  - **Description**: Enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Indicators.
  - **Source**: Enter a default [Source](https://knowledge.threatconnect.com/docs/the-source-attribute) for the Indicators.  
NoteYou can use plain text or Markdown when filling out the **Description**and **Source**fields. If using Markdown, these****fields support the Marked library ([https://marked.js.org/](https://marked.js.org/)).
2. Click **Next**to proceed to the optional **[](/docs/farsight-security-passive-dns-enrichment#_Step_3%3A_Associate)**[](/docs/farsight-security-passive-dns-enrichment#_Step_3%3A_Associate)[**Select Associations**step](/docs/farsight-security-passive-dns-enrichment#step-3-associate-groups-to-the-indicators-optional)[](/docs/farsight-security-passive-dns-enrichment#_Step_3%3A_Associate)**[](/docs/farsight-security-passive-dns-enrichment#_Step_3%3A_Associate)**, or click **Save**to create the Indicators

### Step 3: Associate Groups to the Indicators (Optional)

If you click **Next**on the **Apply Data**step, you will proceed to the optional **Select Associations**step of the **Import Passive DNS Indicators**window (Figure 5). Here, you can associate existing Groups to the Indicators from Farsight Security that are being created.

![Figure 5_Farsight Security Passive DNS Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_Farsight%20Security%20Passive%20DNS%20Enrichment_7.8.1.png)

Follow these steps to proceed through the **Select Associations**step:

1. Select the checkbox for each Group you want to associate to the Indicators, or select the checkbox in the table’s header to associate all Groups displayed on the current page in the table to the Indicators.
2. Click **Next**to proceed to the optional **[](/docs/farsight-security-passive-dns-enrichment#_Step_4%3A_Review)**[](/docs/farsight-security-passive-dns-enrichment#_Step_4%3A_Review)[**Summary**step](/docs/farsight-security-passive-dns-enrichment#step-4-review-and-finalize-the-import-optional)[](/docs/farsight-security-passive-dns-enrichment#_Step_4%3A_Review)**[](/docs/farsight-security-passive-dns-enrichment#_Step_4%3A_Review)**, or click **Save**to create the Indicators and associate them to the selected Groups.

### Step 4: Review and Finalize the Import (Optional)

If you click **Next**on the **Select Associations**step, you will proceed to the optional **Summary**step of the **Import Passive DNS Indicators**window (Figure 6). Here, you can review all options configured in the previous steps and make changes as desired.

![Figure 6_Farsight Security Passive DNS Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_Farsight%20Security%20Passive%20DNS%20Enrichment_7.8.1.png)

Follow these steps to proceed through the **Summary**step:****

1. In the **Owner Data** section, review the owner in which the Indicators will be created. To change the owner, you must return to the [**Select Indicators**step](/docs/farsight-security-passive-dns-enrichment#step-1-select-the-indicators-to-import).
2. In the **Selected Indicators**section, review the list of Indicators that will be imported into ThreatConnect. To remove an Indicator from this list, click **Remove![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Remove%20icon.png)**.  
NoteIf you are importing only one Indicator, a **Remove**![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Remove%20icon.png)icon will not be available for it. This is because you must import at least one Indicator.
3. In the **Applied Data** section, review the metadata that will be applied the Indicators. To return to the [**Apply Data**step](/docs/farsight-security-passive-dns-enrichment#step-2-apply-metadata-to-the-indicators-optional) and make changes to the metadata, click **Edit**at the top right of the section.
4. In the **Selected Associations** section, review the list of existing Groups that will be associated to the Indicators. To remove a Group from this list, click **Remove**![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Remove%20icon.png)for the Group. To remove all Groups from this list, click **Remove**![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Remove%20icon.png)in the table header.
5. Click the **Save**button to create the Indicators.

After you complete the import process, the **Enrichment**tab of the enriched Indicator’s **Details**screen will be displayed. To locate and view the Indicators from Farsight Security that were imported into ThreatConnect, use the search capabilities of the **[Browse](https://knowledge.threatconnect.com/docs/the-browse-screen)**or **[Search](https://knowledge.threatconnect.com/docs/search-and-analyze)**screen.

## Retrieving Data Manually

When you open an Indicator’s **Enrichment**tab for the first time, data will be retrieved from Farsight Security and displayed on the **Farsight Passive DNS**card****automatically if your System Administrator enabled automatic data retrieval for Farsight Security. Otherwise, the **Farsight Passive DNS**card will display a message stating “Automatic Data Retrieval has been disabled by the System Administrator,” and you will need to click **Retrieve Data** on the card to populate it with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s **Enrichment**tab, the cached Farsight Security data will be displayed until this period of time has passed.

To retrieve the latest Farsight Security data for the Indicator manually, click **Retrieve Data** on the **Farsight Passive DNS**card.

NoteThe API key your System Administrator entered when configuring Farsight Security on the **System Settings**screen will be used each time data are retrieved from Farsight Security for an Indicator.

## Enriching Indicators Using the ThreatConnect API

You can use the ThreatConnect v3 API to enrich Address and Host Indicators with data from Farsight Security. For instructions on using the ThreatConnect v3 API to enrich Indicators, see [*Indicator Enrichment Overview*](https://threatconnect.readme.io/reference/indicator-enrichment-overview).

---

*ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *Farsight Security® and DNSDB® are registered trademarks of DomainTools, LLC.*

20146-06 v.03.C

## Related

- [DNS Resolutions](/dns-resolutions.md)