Check IOC reports threats and metadata associated with a hostname or IP address.

Overview

The Check Indicator of Compromise (Check IOC) utility allows for in-depth analysis of a returned result, available search methods are:

  • Domain Name
  • Wildcard
  • IP address
  • Threat Name

The utility itself returns known Targets, a DNS Lookup, Whois information, and Passive DNS data, as well as providing links for Additional Research.

Targets

Active targets are the targets that currently contain the IOC. Historical targets contained the IOC in the past, but not currently.

  • IOC: The requested Indicator Of Compromise (IOC). This should match the data provided to the query.
  • First Identified: First date the IOC was seen and recorded in the security feeds.
  • Last Time Present: Most recent time the IOC was seen and recorded in the security feeds.
  • Present In Targets: Targets the IOC is currently listing as an Active threat.

For domain IOCs, this shows which threats are associated with A DNS records currently associated with the IOC.

  • Relationship: How the IOC has been related to other targets.
  • RelationshipFirst Identified: First date the IOC was seen and recorded in the security feeds.
  • RelationshipLast Time Present: Most recent time the IOC was seen and recorded in the security feeds.
  • RelationshipPresent In Targets: Targets with which the IOC is currently associated.

DNS Lookup

Performs a DNS lookup for the IOC using dig.

Whois

Provides the Whois (registration and contact information) for the domain

  • Created: The date a record was created in the Domain Name System.
  • Last Updated: The last time the record was updated.
  • Expiration: The date a DNS record will expire and be removed from the DNS pool.
  • Contacts: Provides contact information regarding the DNS record. The following information is available:
  • Name: Person responsible for registering and maintaining the domain name record.
  • Organization: What organization or business they are with.
  • Email: A point of contact email, for the individual.
  • Street: The street address (if one is provided) for the contact or owner of the server.
  • City: Which city the contact is in.
  • State: Which state the contact lives in (may not apply outside of the United States).
  • Postal Code: The code established by the post office to speed up mail sorting.
  • Country: Which country the contact resides in.

Passive DNS

Passive DNS is the list of domains that have resolved to the IP address, currently and in the past. Read more about Passive DNS on FarSight Security’s site.

  • Resource Record Name: The Domain Name of the service being researched.
  • Record Data: Displays IP addresses, and DNS Name servers known to spread information about the Domain Name being researched.
  • Resource Record Type: Establishes the type of Resource Record provided by the listed host, possibilities include:
  • SOA - Indicating a Start Of Authority (SOA) for the listed zone.
  • NS - Indicating a nameserver for the listed zone.
  • A - For name-to-address mapping. That is, this record shows with which IP addresses a Domain Name is associated.
  • PTR - For address-to-name mapping. These records show with which Domain Names an IP address is mapped.
  • CNAME - Indicating that this is a canonical name. The the Domain Name being researched is an alias these records show what Domain Name is the canonical (or “real”) Domain Name being reached.
  • Count: The number of passive DNS records associated with the Domain Name.
  • Last Time: The most recent time the Resource Record appears in the DNS record.
  • First Time: The first time the Resource Record appears in the DNS record.

Additional Research

The Additional Research section provides links to tools provided by our partners.