Investigate a domain

Chronicle enables you to investigate specific domains to determine if any are present within your enterprise, and what impact these outside systems might have had on your assets. Domain view is derived from the security information and data that you have forwarded to Chronicle. Make sure you are ingesting and normalizing data from devices on your network, such as EDR, firewall, web proxy, etc.

To access Domain view in Chronicle, complete the following steps:

  1. Enter the domain (ending with a known public suffix) or URL you need to investigate in the search bar at the top of the user interface.
  2. Click SEARCH. If the domain exists, it is listed under the DOMAINS heading. Click the domain name link to pivot to Domain view. If the domain is present within your enterprise, additional information is displayed in Domain view. If the domain is not present, Domain view will be empty.

Domain context

Domain view (screenshot)

1 VT Context

Click VT Context to view the VirusTotal information available for this domain.

2 WHOIS

Chronicle displays the WHOIS information associated with the registered domain. This information can be useful when assessing a domain's reputation.

3 Prevalence

Chronicle provides a graphical representation of the historical prevalence of a given FQDN and its TLD. This graph can be used to determine whether the domain has been accessed from within the enterprise before, and can provide an indication of whether the domain is associated with a particular campaign targeting the enterprise. Typically, less prevalent domains, ones that fewer assets have connected to, might represent a greater threat to your enterprise.

When you hold the pointer over a bar in the Prevalence graph, the graph lists the assets that accessed the domain. Due to the high prevalence of DNS servers, they aren't listed. If all of the assets are DNS servers, no assets are listed.

4 Domain insights

Domain insights provide you with more context about domains under investigation. You can use them to determine whether a domain is benign or malicious. They also let you further investigate an indicator to determine if there is a broader compromise.

The domain insights displayed vary depending on the availability of information associated with the domain within your Chronicle account, but might include the following:

  • ET Intelligence Rep List: Checks against Proofpoint's Emerging Threats (ET) Intelligence Rep List and lists known threats tied to specific IP addresses and domains.

  • ESET Threat Intelligence: Checks against ESET's threat intelligence service.

  • Resolved IPs: All resolved IP addresses that have been seen in your organization for a given Fully Qualified Domain Name. For example:

    • Search for test.altostrat.com (Fully Qualified Domain Name)
    • 2 resolved IPs (198.51.100.81 and 203.0.113.81) are displayed

  • Associated subdomains: All associated subdomains that have been seen in your organization for a given Fully Qualified Domain Name. Many adversaries use the same domain and subdomain for their attacks. For example:

    • Search for sandbox.altostrat.com (Fully Qualified Domain Name)
    • 2 subdomains (test.sandbox.altostrat.com and staging.sandbox.altostrat.com) are displayed

  • Sibling Domains: All sibling domains that have been seen in your organization for a given Fully Qualified Domain Name at a given level. For example:

    • Search for sandbox.altostrat.com
    • 1 sibling domain (foo.altostrat.com) is displayed
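The following is an added example, not Chronicle's code, showing how the three relationships above (plus the prevalence asset list, with DNS servers excluded) can be recovered from a constructed set of DNS-resolution records shaped like `(asset_id, queried FQDN, resolved IP)`; the altostrat.com names, asset IDs and the `DNS_SERVERS` set are all constructed for illustration.

```python
"""Domain-insight relationships (resolved IPs, associated subdomains, sibling
domains, prevalence) recovered from constructed DNS-resolution records.
Assumption: each record is (asset_id, queried FQDN, resolved IP); names are
compared on label boundaries so "notsandbox.altostrat.com" is never mistaken
for a subdomain of "sandbox.altostrat.com"."""

# Constructed sample data, modelled on the page's altostrat.com examples.
DNS_EVENTS = [
    ("host-01", "test.altostrat.com", "198.51.100.81"),
    ("dns-01", "test.altostrat.com", "203.0.113.81"),
    ("host-03", "test.sandbox.altostrat.com", "198.51.100.20"),
    ("host-04", "staging.sandbox.altostrat.com", "198.51.100.21"),
    ("host-05", "foo.altostrat.com", "203.0.113.5"),
    ("host-06", "notsandbox.altostrat.com", "203.0.113.6"),
    ("host-07", "www.example.org", "198.51.100.200"),
]
DNS_SERVERS = {"dns-01"}  # constructed: resolvers are omitted from prevalence

def labels(fqdn):
    """Split a name into DNS labels, ignoring case and a trailing dot."""
    return fqdn.lower().rstrip(".").split(".")

def resolved_ips(events, fqdn):
    """Every IP the exact FQDN resolved to anywhere in the organization."""
    want = labels(fqdn)
    return sorted({ip for _, name, ip in events if labels(name) == want})

def associated_subdomains(events, fqdn):
    """Names strictly below the FQDN, matched on whole labels."""
    base = labels(fqdn)
    return sorted({name for _, name, _ in events
                   if len(labels(name)) > len(base)
                   and labels(name)[-len(base):] == base})

def sibling_domains(events, fqdn):
    """Names with the same parent and the same depth, excluding the FQDN."""
    base = labels(fqdn)
    return sorted({name for _, name, _ in events
                   if labels(name) != base
                   and len(labels(name)) == len(base)
                   and labels(name)[1:] == base[1:]})

def prevalence(events, fqdn, dns_servers=frozenset()):
    """Distinct non-resolver assets that queried the FQDN (the Prevalence bar)."""
    want = labels(fqdn)
    return sorted({asset for asset, name, _ in events
                   if labels(name) == want and asset not in dns_servers})
```

With this constructed data, test.altostrat.com and notsandbox.altostrat.com are siblings of sandbox.altostrat.com alongside foo.altostrat.com, because all three sit directly under altostrat.com at the same depth.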

Timeline

The Timeline tab lists all of the events for the domain. The Asset identifier column shows the asset ID. In a small number of cases, Chronicle replaces the asset ID with the IP address of the asset.