Summary

The Dossier Summary report provides a comprehensive overview of threat indicator information, including DNS records, domain/subdomain count, URL count, and IP count.

  • The Summary report displays a representative screenshot of queried domains.
  • Infoblox Intelligence section includes Web Category, TLD Score, and Nameserver Reputation.
  • The report also contains features like Categorizations and Lookalike Detection.
  • It provides links to generated summary detail reports resulting from conducting a Dossier search.
  • Screenshots of sites in sensitive categories, such as Terrorism and Pornography, are blurred.

Reported Threat Classes and Properties

For information on the threat classes and properties reported, see the Infoblox Threat Classification Guide, located in the Infoblox Platform under Monitor > Research > Resources > Classification Guide. To view the full guide without logging in to the Infoblox Portal, see the Infoblox Threat Classification Guide.

Image: An example Dossier Summary Report page. 


call-out A

Summary Detail Reports: The links to the summary detail reports generated by a Dossier search are displayed here. Note that not every Dossier search generates all of the summary detail reports; only the summary detail reports applicable to the search are returned, and these are indicated by a light-blue hyperlink. Unavailable reports are shown in light gray. The following detail reports are available (the number and types of available reports depend on the threat indicator being searched):

  • Impacted Devices
  • Current DNS
  • Related Domains
  • Related URLs
  • Related IPs
  • Related File Samples
  • Related Contacts
  • Reports
  • Timeline
  • Threat Actor
  • MITRE ATT&CK
  • WHOIS Record
  • Raw Whois

call-out B

Dossier Summary: The Summary report displays a representative screenshot of the queried domain. The screenshot is a cropped version of the website's index page; clicking the Full Image link (located below the screenshot) opens a screenshot of the entire index page, together with the date on which the screenshot was captured and the page's title. Because the screenshot is a cached copy of the index page, it might not reflect what is currently published on the live website.


Disclaimer

The images and screenshots that we provide to you as part of the threads or that you build for use with our products are operated and owned by third parties. We have no control over, are not responsible for, and do not endorse any of these third parties’ websites, materials, or content. We provide these items and access to them “as is” and “as applicable”, and we neither warrant nor take any responsibility for them.

Where a page contains sensitive content, the Summary page displays a blurred image of the page along with a disclaimer asking viewers to acknowledge that they are choosing to view sensitive content. We blur screenshots of domains in the following categories, which are known to contain sensitive content:

  • Abortion
  • Abortion Pro Choice
  • Child Inappropriate
  • Gambling
  • Gay, Lesbian, or Bisexual
  • Lingerie, Suggestive and Pinup
  • Nudity
  • Pornography
  • Profanity
  • R-Rated
  • Sex and Erotic
  • Sex Education
  • Child Abuse images
  • Terrorism
  • Unknown

The following information can also be viewed in the summary section:

  • DNS Record Count: The number of DNS records associated with the queried threat indicator.
  • Domain/Subdomain Count: The number of domains and/or subdomains associated with the queried threat indicator.
  • URL Count: The number of URLs associated with the queried threat indicator.
  • IP Count: The number of IP addresses associated with the queried threat indicator.

call-out C

Infoblox Intelligence: The Infoblox Intelligence section of the report includes information acquired by Infoblox during its investigation of the threat indicator. Each information pane in the section can be expanded for additional information by clicking the down-pointing arrow icon, and minimized again by clicking the up-pointing arrow icon.

Information reported in the Infoblox Intelligence section includes the following:

  • Web Category: The web category of which the indicator is a member.
  • Info: Information about the threat indicator. 
  • TLD Score: The risk score for the TLD calculated from the TLD's confidence, rarity, and popularity scores.  
  • Nameserver Reputation: Displays information on the domains associated with the nameserver, along with information on the nameserver's confidence, rarity, and popularity. The reputation of the nameserver is established based on the nameserver's confidence, rarity, and popularity scores. 
  • DNS Ranking: The DNS ranking as determined by Infoblox. Information on its query rank is also provided.
  • Threat Property: The threat property associated with the indicator. Information on its query rank is also provided.
  • Industry DNS Rank: A consensus rank determined from the aggregate of rankings provided by industry sources. Information on its query rank is also provided.

call-out D

Task Navigation Menu: Click on one of the icons to perform a task.


Image: The task navigation menu. 

You can do the following, by clicking on the appropriate icon:

Reload Page

Click the reload icon to reload the Timeline Report page.

Add to Custom List 

To add a domain or IP address, complete the following:

  1. On the Dossier Timeline report page, click the add to custom list icon located at the top, right-hand side of the Action bar.
  2. On the Add to Custom List page, select the custom list or lists to which you want to add the domain or IP address by clicking the blue arrow associated with each custom list. If you cannot locate the custom list you want, use the search feature to find it. Alternatively, you can click to add the domain or IP address to all custom lists. If you add the domain or IP address to a custom list by mistake, click the blue arrow associated with that custom list in the Selected column to remove it.
  3. Once you have added the domain or IP address to your custom list or lists, you can save your configuration by clicking Add.

    Image: The Add to Custom List pane.

  4. You should now see the name of the custom list or lists where the domain or IP address has been added populating the Custom Lists section of the Timeline report page.

For information on custom lists, see Creating Custom Lists.

Generate API Request

Click the API Generate icon to generate an API request. A pop-up window populated with the API information is displayed.


Image: The Generate API Request window. 


Copy the information from the pop-up window. Click Full API Guide to view the Swagger Dossier API documentation. Click Close to close the window.

Feedback on Results

Click the load webform icon to load a webform where you can provide comments and feedback on results you obtained from Dossier. For details, see Dossier Threat Research Feedback.


Image: The Feedback on Results pane. 

Export

Click the download Dossier report icon to export the Dossier Report file. You can include any or all of the report sections by checking the box associated with each section. You can choose from the following sections:

  • Summary
  • Impacted Devices
  • Current DNS
  • Related Domains
  • Related URLs
  • Related IPs
  • Related File Samples
  • Related Contacts
  • Reports
  • Timeline
  • Threat Actor
  • MITRE ATT&CK
  • WHOIS Record
  • Raw Whois

Image: The Export Dossier Report pane. 

When you have finished selecting the sections of the report to export, click Export in the bottom right-hand corner of the dialog box. The report is exported in PDF format.


When available, the top navigation bar also displays a clickable link where you can find additional information on the indicator.  

call-out E

Dossier Search: Type or paste your indicator into the search field and click Search to start an indicator search. The Dossier search feature accommodates searches for domains, IP addresses, hostnames, URLs, email addresses, and hash values.

call-out F

Resources: Click Resources and select an option from the drop-down menu to view a Dossier resource.

The available resources include the following: 

  • Dossier & TIDE Quick Start Guide
  • Dossier API Calls Reference
  • Dossier Source Descriptions
  • Dossier User Guide
  • Threat Classification Guide

call-out G

Registered Owner (WHOIS):  The Registered Owner (WHOIS) record for the indicator contains information about the domain:

  • Created: the date (month/day/year) on which the domain was created
  • Updated: the date (month/day/year) on which the domain was updated most recently
  • Expires: the date (month/day/year) on which the current domain’s registration expires
  • Registrant Name: the name of the person or entity who registered the domain
  • Registrant Organization: the name of the organization associated with the domain’s registration
  • Registrant Country: the country where the domain registrant resides
  • Registrar Name: the name of the domain’s registrar where the domain was registered

call-out H

DNS Threat Actor: This section provides information about threat actors associated with the threat indicator. 

call-out I

SSL Certificate: The SSL Certificate section displays the data pulled from the SSL certificate associated with the queried domain name. The section contains information about the SSL certificate itself and about its issuer and domain. As in the Raw WHOIS section, the Details dropdown displays the raw data from the SSL certificate.

call-out J

Detection History Timeline: This is the timeline of events associated with an indicator. Timeline events are updated with the most current information.

The detection history timeline displays information on current (active) and past threat classifications for the indicator. The information reported in each timeline includes the following:

  • Indicator name: The name of the threat indicator. 
  • Feed name: The name of the threat feed where the indicator was detected along with its risk level score.
  • Detection history date: The date the detection information was obtained/documented.
  • Threat level: The indicator's threat level classification as of the current date. This is a numerical score which can be translated into a threat classification (High, Medium, Low, or Info).
  • Risk level: The indicator's risk level. This is a numerical score which can be translated into a threat risk level (High, Medium, Low, or Info).
  • Threat Confidence: The indicator's threat confidence score. 
  • Infoblox Threat Intelligence Group Research Notes: Threat notes acquired by Infoblox through its investigation of the threat.

Note that the historical record is documented based on the date the threat was accessed.

Click View Full Timeline to view the Timeline report.

Note

Data from Mandiant and Emerging Trends Proofpoint will be displayed (in the timeline and elsewhere) only for organizations that possess separate, paid licenses from data vendors. Infoblox does not support free licenses.

Custom List

The custom list section displays information about the custom lists in which the indicator appears.


Image: The Add to Custom List pane. 

You can also do the following on the page: 

  • Background Tasks: Click the hourglass icon to open the side panel and view a list of all running background tasks.

  • Global Search: Click the search icon in the Search text box, then enter your search criterion. Alternatively, select the criterion if it appears under Recent Searches, which shows tool information, console messages, and other information used in recent searches. The Infoblox Portal will show all records that match the search criterion. 

Click here to return to the main Dossier Threat indicator Report.