
The Dossier Related IPs report is a comprehensive, one-page report of the IP addresses currently associated with a threat indicator, produced when you run a threat indicator search. The Related IPs report includes the following information:

  • IP: The IP addresses associated with the indicator. Passive DNS is the historical DNS record for hostnames. When searching a domain or hostname, Passive DNS will return all IPs that the domain or hostname has resolved to and those that were caught by the PDNS sensors in the previous year. If researching an IP address, Dossier will perform “inverse” passive DNS lookups, returning all domains that have resolved to the particular IP. Clicking any of the hyperlinked records indicated in light blue under the IP column will display the Summary report for the selected IP address.
  • LAST REPORT: The date the data was last reported, listed in descending order with the most recent detection date at the top of the column.
  • SOURCE: The source is the data partner making the report.
  • HOST: The host associated with the related IP address. Clicking any of the hyperlinked records indicated in light blue under the HOST column will display the Summary report for the selected host.
  • CNAME: The Canonical name record associated with the IP address. 
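
The forward and inverse passive DNS lookups described under IP can be reproduced over exported rows. The following is an added example, not Dossier code or Dossier output: the rows, the source names, the `related` helper and the exact 365-day cutoff are assumptions built around the report's columns.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed rows using the report's columns; not real Dossier output.
ROWS = [
    {"ip": "192.0.2.10", "last_report": "2024-05-20", "source": "sensor-a",
     "host": "www.example.test", "cname": ""},
    {"ip": "198.51.100.7", "last_report": "2024-01-15", "source": "sensor-b",
     "host": "www.example.test", "cname": ""},
    {"ip": "203.0.113.5", "last_report": "2022-11-02", "source": "sensor-a",
     "host": "www.example.test", "cname": ""},
    {"ip": "192.0.2.10", "last_report": "2024-03-09", "source": "sensor-b",
     "host": "mail.example.test", "cname": ""},
    {"ip": "192.0.2.10", "last_report": "2023-01-10", "source": "sensor-a",
     "host": "cdn.example.test", "cname": "edge.example.test"},
]

def is_ip(indicator):
    """True when the indicator parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(indicator)
        return True
    except ValueError:
        return False

def seen_recently(row, now, days=365):
    """Keep only observations from the previous year (assumed 365 days)."""
    seen = datetime.strptime(row["last_report"], "%Y-%m-%d")
    return timedelta(0) <= now - seen <= timedelta(days=days)

def related(rows, indicator, now):
    """Host in -> IPs out (forward); IP in -> hosts out (inverse)."""
    match_on, report = ("ip", "host") if is_ip(indicator) else ("host", "ip")
    needle = indicator.lower().rstrip(".")  # normalise case and trailing dot
    hits = [r for r in rows
            if r[match_on].lower() == needle and seen_recently(r, now)]
    # ISO dates sort correctly as strings; most recent report first.
    hits.sort(key=lambda r: r["last_report"], reverse=True)
    return [(r[report], r["last_report"], r["source"]) for r in hits]

NOW = datetime(2024, 6, 1)  # fixed so the example is reproducible

if __name__ == "__main__":
    for indicator in ("www.example.test", "192.0.2.10"):
        print(indicator, related(ROWS, indicator, NOW))
```
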


The Dossier Related IPs report also contains the following features:

Search Field

The search field is located at the top of the page and is used to search for threat indicators. You can run a search based on domain name, IP address, hostname, URL, email, or hash value. 

Resources

Click Resources located on the top right-hand side of the Summary page to display a drop-down list of additional Dossier and TIDE resources.

Dossier resources include the following: 

  • Dossier & TIDE Quick Start Guide
  • Dossier API Calls Reference
  • Dossier Source Descriptions
  • Dossier User Guide
  • Threat Classification Guide

Top Navigation Menu

You can do the following by clicking the appropriate icon:

Reload Page

Click the Reload Page icon to reload the Timeline Report page.

Add to Custom List 

To add a domain or IP address, complete the following:

  1. On the Dossier Timeline report page, click the Add to Custom List icon located at the top right-hand side of the Action bar.
  2. On the Add to Custom List page, select the custom list or lists to which you want to add the domain or IP address by clicking the blue arrow associated with each custom list. If you cannot locate the custom list you want, use the search feature to search for it. Alternatively, you can click the corresponding icon to add the domain or IP address to all custom lists. If you inadvertently add the domain or IP address to a custom list, click the blue arrow associated with that custom list in the Selected column to remove the domain or IP address from it.
  3. Once you have added the domain or IP address to your custom list or lists, you can save your configuration by clicking Add.
  4. You should now see the name of the custom list or lists where the domain or IP address has been added populating the Custom Lists section of the Timeline report page.

For information on custom lists, see Creating Custom Lists.  

Generate API Request


Click the Generate API Request icon to generate an API request. A pop-up window populated with the API information will be displayed.


Copy the information from the pop-up window. Click Full API Guide to view the Swagger Dossier API documentation. Click Close to close the window.

Feedback on Results


Click the Feedback on Results icon to load a webform where you can provide comments and feedback on results you obtained from Dossier. For details, see Dossier Threat Research Feedback.

Export

Click the Export icon to export the Dossier Report file. You can include any or all of the report sections by checking the box associated with each section. You can choose from among the following sections:

  • Summary
  • Impacted Devices
  • Current DNS
  • Related Domains
  • Related URLs
  • Related IPs
  • Related File Samples
  • Related Contacts
  • Reports
  • Timeline
  • Threat Actor
  • MITRE ATT&CK
  • WHOIS Record
  • Raw Whois

When you have finished selecting which sections of the report to export, click Export in the bottom right-hand corner of the dialogue box. Your report will be exported in PDF format.


You can also do the following on the page: 

  • Background Tasks: Click the Background Tasks icon to open the side panel to view a list of all running background tasks.

  • Global Search: Click in the Search text box, then enter your search criterion. Alternatively, select the criterion if it appears under Recent Searches, which shows tool information, console messages, and other information used in recent searches. The Cloud Services Portal will show all records that match the search criterion. 

Click here to return to the main Dossier Threat Indicator Report page.