Investigating a domain

Chronicle enables you to investigate specific domains to determine whether any are present within your enterprise, and what impact these outside systems might have had on your assets. Domain view is derived entirely from the security information and data that you have forwarded to Chronicle, so make sure you are ingesting and normalizing data from the devices on your network that observe domain lookups and connections, such as EDR, firewall, DNS and web proxy logs.

To access Domain view in Chronicle, complete the following steps:

  1. Enter the domain (ending with a known public suffix) or URL you need to investigate in the search bar at the top of the user interface.
  2. Click SEARCH. If the domain is present within your enterprise, you are taken to Domain view.

Domain context

Figure: Domain view. The numbered regions of the screenshot are described below.

1 Assets

Displays the unique assets within your enterprise that have connected to a particular domain, including a summary of the first time the asset accessed the domain and the most recent time.

2 WHOIS

Chronicle displays the WHOIS information associated with the registered domain. This information can be useful when assessing a domain's reputation.

3 Prevalence

Chronicle provides a graphical representation of the historical prevalence of a given FQDN and its TLD. This graph can be used to determine whether the domain has been accessed from within the enterprise before, and can provide an indication of whether the domain is associated with a particular campaign targeting the enterprise. Less prevalent domains, those that only a few assets have connected to, typically warrant closer scrutiny than widely accessed ones.

4 Domain insights

Domain insights provide you with more context about domains under investigation. You can use them to determine whether a domain is benign or malicious. They also let you further investigate an indicator to determine if there is a broader compromise.

  • Resolved IPs: All resolved IP addresses that have been seen in your organization for a given Fully Qualified Domain Name. For example:

    • Search for test.altostrat.com (Fully Qualified Domain Name)
    • 2 resolved IPs (198.51.100.81 and 203.0.113.81) are displayed
  • Associated subdomains: All subdomains that have been seen in your organization beneath a given Fully Qualified Domain Name. Adversaries often reuse the same domain and its subdomains across their attacks, so a subdomain seen elsewhere in the enterprise can link otherwise separate events. For example:

    • Search for sandbox.altostrat.com (Fully Qualified Domain Name)
    • 2 subdomains (test.sandbox.altostrat.com and staging.sandbox.altostrat.com) are displayed
  • Sibling domains: All sibling domains that have been seen in your organization for a given Fully Qualified Domain Name at the same level of the hierarchy, that is, names that share its parent domain. For example:

    • Search for sandbox.altostrat.com
    • 1 sibling domain (foo.altostrat.com) is displayed
  • VirusTotal insights: A summary of contextual information about the domain from VirusTotal.

  • ET Intelligence Rep List: Checks the domain and its resolved IP addresses against Proofpoint's Emerging Threats (ET) Intelligence Rep List and lists known threats tied to those specific IP addresses and domains.
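To make the relationships in the Assets, Prevalence and Domain insights panels concrete, the following added example computes them over a handful of constructed DNS/proxy events. It is illustration code written for this page, not Chronicle's own code or a Chronicle API; the event tuples, asset names and IP addresses are constructed, and the sibling rule (same parent domain, same number of labels) is an assumption about what "at a given level" means.

```python
"""Domain context from constructed DNS/proxy events: assets, prevalence,
resolved IPs, associated subdomains and sibling domains for one FQDN."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events, not real telemetry:
# (UTC timestamp, asset hostname, queried FQDN, IP the name resolved to)
EVENTS = [
    ("2024-03-01T09:12:00Z", "ws-0412",   "test.altostrat.com",            "198.51.100.81"),
    ("2024-03-01T09:13:00Z", "ws-0412",   "test.altostrat.com",            "203.0.113.81"),
    ("2024-03-02T11:00:00Z", "ws-0199",   "test.altostrat.com",            "198.51.100.81"),
    ("2024-03-02T12:30:00Z", "srv-db-01", "test.sandbox.altostrat.com",    "203.0.113.7"),
    ("2024-03-03T08:00:00Z", "ws-0412",   "staging.sandbox.altostrat.com", "203.0.113.8"),
    ("2024-03-03T08:05:00Z", "ws-0500",   "sandbox.altostrat.com",         "203.0.113.9"),
    ("2024-03-04T10:00:00Z", "ws-0500",   "foo.altostrat.com",             "203.0.113.10"),
    ("2024-03-04T10:01:00Z", "ws-0600",   "www.example.org",               "192.0.2.44"),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def assets_for(fqdn, events):
    """Assets panel: each unique asset that contacted fqdn, with (first seen, last seen)."""
    seen = {}
    for ts, asset, name, _ip in events:
        if name != fqdn:
            continue
        t = parse_ts(ts)
        first, last = seen.get(asset, (t, t))
        seen[asset] = (min(first, t), max(last, t))
    return seen


def prevalence(events):
    """Prevalence panel: number of unique assets per FQDN across all events.
    A low count means few machines touched the name, which is the signal to look at."""
    assets = defaultdict(set)
    for _ts, asset, name, _ip in events:
        assets[name].add(asset)
    return {name: len(a) for name, a in assets.items()}


def resolved_ips(fqdn, events):
    """Every IP the FQDN was observed resolving to, de-duplicated."""
    return sorted({ip for _ts, _asset, name, ip in events if name == fqdn})


def subdomains(fqdn, events):
    """Names observed strictly below fqdn (test.sandbox.altostrat.com under sandbox.altostrat.com)."""
    suffix = "." + fqdn
    return sorted({name for _ts, _asset, name, _ip in events if name.endswith(suffix)})


def siblings(fqdn, events):
    """Names with the same parent and the same label count as fqdn
    (foo.altostrat.com beside sandbox.altostrat.com). Assumption: this is what
    'at a given level' means. A two-label name's parent is a TLD, so no siblings
    are reported there (every other .com would match); a real implementation
    should consult the Public Suffix List so that names like example.co.uk
    are treated the same way."""
    labels = fqdn.split(".")
    if len(labels) < 3:
        return []
    parent = "." + ".".join(labels[1:])
    return sorted({name for _ts, _asset, name, _ip in events
                   if name != fqdn and name.endswith(parent)
                   and name.count(".") == len(labels) - 1})


def domain_context(fqdn, events):
    """Assemble the panels for one FQDN. Returns None when the name was never
    observed, directly or via a subdomain, mirroring a search that does not
    open Domain view because the domain is absent from the enterprise."""
    seen = assets_for(fqdn, events)
    subs = subdomains(fqdn, events)
    if not seen and not subs:
        return None
    return {
        "assets": {a: (f.isoformat(), l.isoformat()) for a, (f, l) in seen.items()},
        "prevalence": len(seen),
        "resolved_ips": resolved_ips(fqdn, events),
        "subdomains": subs,
        "siblings": siblings(fqdn, events),
    }


if __name__ == "__main__":
    import json
    for name in ("test.altostrat.com", "sandbox.altostrat.com", "nonexistent.example.net"):
        print(name, json.dumps(domain_context(name, EVENTS), indent=2))
    rare = sorted(prevalence(EVENTS).items(), key=lambda kv: kv[1])
    print("least prevalent:", rare[:3])
```

With this data, a search for test.altostrat.com yields two resolved IPs and two assets, and a search for sandbox.altostrat.com yields two subdomains and two siblings (foo.altostrat.com and test.altostrat.com, because the constructed events happen to contain both). A search for altostrat.com itself returns a context with zero assets but five subdomains, which is the case where a registered domain is never queried directly but its children are; the prevalence ranking at the end is the same "fewest assets first" ordering the Prevalence panel is meant to surface.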