Investigate a domain
Chronicle enables you to investigate specific domains to determine if any are present within your enterprise, and what impact these outside systems might have had on your assets. Domain view is derived from the security information and data that you have forwarded to Chronicle. Make sure you are ingesting and normalizing data from devices on your network, such as EDR, firewall, web proxy, etc.
To access Domain view in Chronicle, complete the following steps:
- Enter the domain (ending with a known public suffix) or URL you need to investigate in the search bar at the top of the user interface.
- Click SEARCH. If the domain is present within your enterprise, you are taken to Domain view.
VT Context
Click VT Context to view the VirusTotal information available for this domain.
Chronicle displays the WHOIS information associated with the registered domain. This information can be useful when assessing a domain's reputation.
Chronicle provides a graphical representation of the historical prevalence of a given FQDN and its TLD. This graph can be used to determine whether the domain has been accessed from within the enterprise before, and can provide an indication of whether the domain is associated with a particular campaign targeting the enterprise. Typically, less prevalent domains, ones that fewer assets have connected to, might represent a greater threat to your enterprise.
Domain insights
Domain insights provide you with more context about domains under investigation. You can use them to determine whether a domain is benign or malicious. They also let you further investigate an indicator to determine if there is a broader compromise.
The domain insights displayed vary depending on the availability of information associated with the domain within your Chronicle account, but might include the following:
ET Intelligence Rep List: Checks against Proofpoint's Emerging Threats (ET) Intelligence Rep List and lists known threats tied to specific IP addresses and domains.
ESET Threat Intelligence: Checks against ESET's threat intelligence service.
Resolved IPs: All resolved IP addresses that have been seen in your organization for a given Fully Qualified Domain Name. For example:
- Search for test.altostrat.com (Fully Qualified Domain Name)
- 2 resolved IPs (198.51.100.81 and 203.0.113.81) are displayed
Associated subdomains: All associated subdomains that have been seen in your organization for a given Fully Qualified Domain Name. Many adversaries use the same domain and subdomain for their attacks. For example:
- Search for sandbox.altostrat.com (Fully Qualified Domain Name)
- 2 subdomains (test.sandbox.altostrat.com and staging.sandbox.altostrat.com) are displayed
Sibling domains: All sibling domains that have been seen in your organization for a given Fully Qualified Domain Name at a given level. For example:
- Search for sandbox.altostrat.com
- 1 sibling domain (foo.altostrat.com) is displayed
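The relationships behind the Resolved IPs, Associated subdomains and Sibling domains insights, and the distinct-asset count behind the prevalence graph, can be reconstructed from normalized DNS or proxy events. The Python below is an added example, not Chronicle code: it works over a constructed event table that reuses the altostrat.com names and documentation IP ranges from the examples above, and it stands in a two-entry `PUBLIC_SUFFIXES` set for the full Public Suffix List. Because the constructed table also contains test.altostrat.com, the sibling query for sandbox.altostrat.com returns two names rather than the single one in the example above.

```python
"""Toy reconstruction of the Domain view insights (added example, not Chronicle code).

Derives prevalence, resolved IPs, associated subdomains and sibling domains
for a queried FQDN from a constructed table of normalized DNS/proxy events.
"""

# Constructed sample events: (asset, fqdn, resolved_ip). The names and
# addresses are documentation examples, not real observations.
EVENTS = [
    ("host-01", "test.altostrat.com", "198.51.100.81"),
    ("host-02", "test.altostrat.com", "203.0.113.81"),
    ("host-02", "test.altostrat.com", "203.0.113.81"),   # repeated lookup
    ("host-01", "test.sandbox.altostrat.com", "198.51.100.20"),
    ("host-03", "staging.sandbox.altostrat.com", "198.51.100.21"),
    ("host-01", "sandbox.altostrat.com", "198.51.100.22"),
    ("host-02", "foo.altostrat.com", "198.51.100.23"),
    ("host-04", "www.example.com", "203.0.113.10"),
]

# Assumption: a tiny stand-in for the Public Suffix List. A real
# implementation would load the full list from publicsuffix.org.
PUBLIC_SUFFIXES = {"com", "co.uk"}


def _labels(fqdn):
    """Lower-case, strip a trailing dot, and split into DNS labels."""
    return fqdn.lower().rstrip(".").split(".")


def registered_domain(fqdn):
    """Return the registrable domain (public suffix plus one label), or None
    if the input is itself a public suffix or ends in an unknown suffix.
    This is the check behind 'ending with a known public suffix'."""
    labels = _labels(fqdn)
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return None


def prevalence(events, fqdn):
    """Number of distinct assets that resolved or contacted this exact FQDN."""
    name = ".".join(_labels(fqdn))
    return len({asset for asset, seen, _ in events if seen == name})


def resolved_ips(events, fqdn):
    """All IPs this exact FQDN has resolved to in the event data."""
    name = ".".join(_labels(fqdn))
    return sorted({ip for _, seen, ip in events if seen == name})


def associated_subdomains(events, fqdn):
    """Names observed strictly below the queried FQDN in the DNS tree."""
    suffix = "." + ".".join(_labels(fqdn))
    return sorted({seen for _, seen, _ in events if seen.endswith(suffix)})


def sibling_domains(events, fqdn):
    """Names with the same parent and the same number of labels (same level)."""
    labels = _labels(fqdn)
    parent = labels[1:]
    name = ".".join(labels)
    return sorted({
        seen for _, seen, _ in events
        if seen != name
        and len(_labels(seen)) == len(labels)
        and _labels(seen)[1:] == parent
    })


def domain_view(events, fqdn):
    """Assemble the insight panels for one queried FQDN."""
    reg = registered_domain(fqdn)
    if reg is None:
        raise ValueError(f"{fqdn!r} does not end in a known public suffix")
    return {
        "registered_domain": reg,
        "prevalence": prevalence(events, fqdn),
        "resolved_ips": resolved_ips(events, fqdn),
        "subdomains": associated_subdomains(events, fqdn),
        "siblings": sibling_domains(events, fqdn),
    }


if __name__ == "__main__":
    for query in ("test.altostrat.com", "sandbox.altostrat.com"):
        print(query, domain_view(EVENTS, query))
```

Prevalence is counted as distinct assets rather than raw events, so the repeated lookup from host-02 does not inflate the count; that is the number the prevalence graph is meant to convey when judging whether a rarely seen domain deserves more scrutiny.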