Overview

The Check Indicator of Compromise (Check IOC) page provides a tool to lookup IP addresses and Domain names in the ThreatSTOP Threat Intelligence Database. The results will show if the IOC is currently associated (or was previously associated) with a Target, as well as metadata.

The search is accessed via the Analysis > Research IOC menu entry or the Search IOC box at the top of every portal page.

Targets

The target section shows which targets the domain or IP address has been included in, identifying the type of Threat associated with it.

There are three classifications for targets:

  • Active targets are the targets that currently contain the IOC.
  • Historical targets contained the IOC in the past, but not currently.
  • Related records:
    • “A Record” lookups: return results when the requested FQDN currently resolves to an IP address that is in the database. This is a common and powerful reason for a DNS lookup to be blocked even though the FQDN itself is not in the database.
    • “Subdomain” records: return results for subdomains of the queried domain (e.g. matches for sub.example.com or sub1.sub2.example.com when searching for example.com). This can yield a lot of results. It must be requested by checking the Include subdomains checkbox and is capped at 200 results.
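The two kinds of related records above can be modelled as plain matching rules. The following is an added example (not ThreatSTOP's own code) that runs them against a constructed in-memory database and a constructed DNS table standing in for the live lookup; it also shows the subdomain match respecting label boundaries, so notexample.com is not treated as a subdomain of example.com.

```python
from __future__ import annotations
import ipaddress

SUBDOMAIN_CAP = 200  # the page states subdomain results are capped at 200

def normalize(name: str) -> str:
    # lower-case and strip a trailing dot so 'Example.COM.' matches 'example.com'
    return name.strip().rstrip(".").lower()

def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_subdomain_of(candidate: str, parent: str) -> bool:
    # label-boundary match: sub.example.com is under example.com, notexample.com is not
    c, p = normalize(candidate), normalize(parent)
    return c != p and c.endswith("." + p)

def subdomain_matches(db: dict, query: str, cap: int = SUBDOMAIN_CAP) -> list[str]:
    # "Subdomain" related records, sorted and capped like the portal's result list
    return sorted(d for d in db["domains"] if is_subdomain_of(d, query))[:cap]

def a_record_matches(db: dict, fqdn: str, resolve) -> dict[str, set[str]]:
    # "A Record" related records: the FQDN itself is not listed, but it resolves to a listed IP
    return {ip: db["ips"][ip] for ip in resolve(fqdn) if ip in db["ips"]}

def check_ioc(db: dict, query: str, resolve, include_subdomains: bool = False) -> dict:
    """Active targets for the IOC itself plus both kinds of related records."""
    q = normalize(query)
    return {
        "active": db["domains"].get(q, set()) | db["ips"].get(q, set()),
        "a_record": {} if is_ip(q) else a_record_matches(db, q, resolve),
        "subdomains": subdomain_matches(db, q) if include_subdomains else [],
    }

# Constructed sample database (IOC -> set of targets); target names are hypothetical.
SAMPLE_DB = {
    "domains": {"evil.example.com": {"Malware-Target"}, "notexample.com": {"Phishing-Target"}},
    "ips": {"203.0.113.10": {"C2-Target"}},
}
SAMPLE_DNS = {"www.example.com": ["203.0.113.10"], "evil.example.com": ["198.51.100.7"]}

def sample_resolve(fqdn: str) -> list[str]:
    # constructed stand-in for the live DNS lookup the portal performs with dig
    return SAMPLE_DNS.get(normalize(fqdn), [])
```

With this data, www.example.com has no active target of its own but is reported through an "A Record" match on 203.0.113.10, which is exactly the "blocked although not in the database" case the text describes.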

The table also shows the first time the IOC was added to the ThreatSTOP database, and the last time it was reported as active in each target.

Policies and Devices

This section shows you which of your policies (if any) contain the targets associated with the IOC, and in turn, which of your devices are loading these policies. This includes entries from your User-Defined Lists as well. This is a quick way of understanding why an IOC is currently being blocked by your device.

DNS Lookup

This section performs a DNS lookup for the IOC using dig.

Whois

Provides the Whois (registration and contact information) for the domain.

  • Created: The date a record was created in the Domain Name System.
  • Last Updated: The last time the record was updated.
  • Expiration: The date a domain is set to expire, if not renewed.
  • Contacts: Organization name, email address and Country for the domain contacts. Note that since GDPR went into effect, the Whois database doesn’t report on Personal Information for domain contacts (name and address).

Passive DNS

Passive DNS is the list of domains that have resolved to the requested IP address, currently and in the past. Read more about Passive DNS on Farsight Security’s site.

  • Resource Record Name: The Domain Name of the service being researched.
  • Record Data: The IP addresses and DNS name servers associated with the Domain Name being researched.
  • Resource Record Type: The type of Resource Record provided by the listed host; possible values include:
    • SOA - Indicates a Start Of Authority (SOA) for the listed zone.
    • NS - Indicates a nameserver for the listed zone.
    • A - Name-to-address mapping. This record shows which IP addresses a Domain Name is associated with.
    • PTR - Address-to-name mapping. These records show which Domain Names an IP address is mapped to.
    • CNAME - Indicates a canonical name. When the Domain Name being researched is an alias, these records show which Domain Name is the canonical (or “real”) Domain Name being reached.
  • Count: The number of passive DNS records associated with the Domain Name.
  • Last Time: The most recent time the Resource Record was observed.
  • First Time: The first time the Resource Record was observed.

Metadata

This section provides geolocation data for IP addresses.

Additional Research

The Additional Research section provides links to tools provided by Security Partners.