Viewing Lookalike Domain Activity

The following Activity page topics are covered in this document.

The Default Card View
The Details Pane
The Table View

Note

Reporting Incorrect Data: To report incorrect data, submit the Dossier Threat Research Feedback from. For information, see Dossier Threat Research Feedback.

The Default Card View

To view the Activity page default card view, do the following:

Log in to the Cloud Services Portal.
Click Reports> Lookalike Domains.
Click the Activity tab.

The default card view of the Activity page.

Image: The default card view of the Activity page.

Note

The description below pertains only to the card view of the Activity page.

The dashboard shows three cards: Total Lookalikes, Total Lookalikes from Custom Watched Domains, and Threats from Custom Watched Domains.Each card shows the total number of detections for the past seven days and the percentage increase or decrease in that number.

Total Lookalikes: The Total Lookalikes card shows the total number of lookalike domains detected in the network over the past seven days, expressed as a numerical value and as a percentage of the increase or decrease over the past seven days. To open the panel for filtering records, click theTotal Domainslink. For more information, see callout L.

Total Lookalikes from Custom Watched Domains: This card shows the total number of lookalike domains detected on the Custom Watched Domains list, expressed as a numerical value and as the percentage of the increase or decrease over the past seven days. To open the panel for filtering records, click the Total Lookalikes from Custom Watched Domains link. For more information, see callout L.

Threats from Custom Watched Domains: This card shows the total number of threats detected on the Custom Watched Domains list, expressed as a numerical value and as the percentage of the increase or decrease over the past seven days. To open the panel for filtering records, click theThreats from Custom Watched Domainslink. For more information, see callout L.

Records in the table can be sorted based on the following criteria:

Show: Click Show to display all lookalike domains for a particular time period. Select Show All, Last 24 hours, Last 7 days, or Last 30 days.

Image: The time period options.

Type: Click Type to see the list of lookalike domains sorted according to the type. Select Show All, Common Watched Domains, or Custom Watched Domains.

Image: The select domain by type options.

Show: Click Show to see all lookalike domains for a specific time period. Select Show All, Last 24 hours, Last 7 days, or Last 30 days.

Image: The time period options.

Threat Classes Chart: The Threat Classes card is located in the top-right corner of the page and contains a bar chart of threat indicators detected for All, Common Watched Domains, or Custom Watched Domains within the past 30 days.

The Threat Classes chart.
Image: The Threat Classes chart.

To view the background tasks and recent search information, specify the following:

Background Tasks: Click the hourglass icon to open the side panel that shows a list of all running background tasks.
Global Search: Click thr search icon, and in the Search text box, enter your search criterion. Alternatively, select the criterion if it appears under Recent Searches, which shows tool information, console messages, and other information used in recent searches. The Cloud Services Portal will show all records that match the search criterion.

Click Select All to select all records on the page. Click Unselect all to unselect all records on the page.

Export: Select the checkbox for each lookalike domain you want to export in the CSV file, and then click Export to download the file. To export the records for all lookalike domains shown in the UI, select the checkbox in the header section of the table. The downloaded records will contain all information on watched domains, lookalike domains, or lookalike hosts, depending on the type of the domain being displayed.

Filtering: Click the filter icon to open the panel for filtering records. In the panel, click thr add icon to filter data by using the available filtering parameters.

Lookalike Records Table: In the card-based view, the table shows records for lookalike domains according to the viewing parameters you selected. Expand individual records to see detailed information about each domain. For details on the information displayed in the lookalike domain details pane, see the section on the lookalike details pane.

Search: Enter a search criterion in the Search text box. The Cloud Services Portal will show all records that match the criterion.

Record Table Format Selector: From the table format selector icon, select the card or table view. You can choose the other format at any time. At any time you can choose to change the view option from one format to the other by clicking on the appropriate symbol on the table format selector.

You can do the following in the table of lookalike domains:

Click the three horizontal dots icon to view the actions available for each record. Click Delete to remove a record, or click Export to export the information associated with a lookalike domain.
Click the down-pointing arrow icon to open the details panel where you can inspect all information associated with the selected record. Clickup-pointing arrow icon to close the details panel.

Click the filter icon to open and close the filtering panel. Callout O shows the information on conducting a filtered search.

You can also do the following on the page:

In the lower-left corner, select the number of records to be shown per page: 25, 50, or 100.
In the bottom-right corner, select the number of the page you want to view: 1,2, ...

The Details Pane

To view the Activity page details pane, do the following:

Log in to the Cloud Services Portal.
Click Reports > Lookalike Domains.
Click the Activity tab.
Click associated with the lookalike domain record you want to to view.

Note

The details pane is available only in the default card view of the Activity page. The details pane is unavailable in the table view.

Image: The details pane of the Activity page.

Lookalike list type: View information about the name of the targeted domain and its classification type. In this example, the targeted domain is airbnb.com and is a Common Watched Domain, so it resides on the Common Watched Domains list.

Lookalike threats: View the number of lookalike domains targeting a particular domain, along with the threat indicators associated with the lookalike domains. In this example, airbnb.com is being targeted by 614 lookalike domains engaged in phishing and other suspicious activities.

Content category and registration date: View the category list or lists the targeted domain is a member of, along with the domain's registration information.

Threat Classes Chart: The Threat Classes card is located in the top-right corner and contains a bar chart for the numbers of threat indicators associated with the lookalike domains targeting the specific domain; the chart includes all common and custom domains. The threat classes supported are suspicious, phishing, and malware C2.

Lookalike domain management options: You can do the following for each lookalike domain in the list:

Add to custom list: Select one or more lookalike domains from the list, and click Add to custom list. Click Select All to select all records to be added to a custom list. Click Unselect all to unselect all records. For more information, see Adding Lookalike Domains to a Custom List.
Mute lookalikes: Select one or more lookalike domains from the list, and click Mute lookalikes to add them to the Muted Lookalikes list. Click Select All to select all records to be added to the Muted Lookalikes list. Click Unselect all to unselect all records.
Export selected: Select one or more records from the list of lookalike domains, and click Export selected to download their information in the CSV format. Export selected allows you to download information for only the most recent 50 records. To export information for all records associated with the target lookalike domain, use Export all lookalikes.
Export all lookalikes: Click Export all lookalikes to download CSV-formatted information for all records associated with the target lookalike domain. Alternatively, click Select All to select all records to be exported. Click Unselect all to unselect all records.

Lookalike domains list: This table shows all lookalike domains and the detailed report for each domain. For information on opening the panel for filtering records, see callout E. The table contains the following information:

Registration Date: The lookalike domain's registration date.
50 Most Recent Lookalikes: A parsed list of the 50 most recent lookalike domains targeting a particular domain.
Category: The category filters that have been assigned to the lookalike domain; for information on category lists, see Configuring Category Filters.
Threat Class: The threat class or classes associated with the lookalike domain.

The Table View

To view the Activity page table view, do the following:

Log in to the Cloud Services Portal.
Click Reports > Lookalike Domains.
To change the default Activity page view to the table view, click Record Table Format Selector. For details, see callout P.

Note

The description below pertains only to the table view of the Activity page.

The dashboard shows three cards: Total Lookalikes, Total Lookalikes from Custom Watched Domains, and Threats from Custom Watched Domains. Each card shows the total number of detections for the past seven days and the percentage increase or decrease in that number.

The Activity page.

Image: The Activity page, table view.

Total Lookalikes: The Total Lookalikes card shows the total number of lookalike domains detected in the network over the past seven days, expressed as a numerical value and as a percentage of the increase or decrease over the past seven days. To open the panel for filtering records, click the Total Domains link. For more information, see callout L.

Total Lookalikes from Custom Watched Domains: This card shows the total number of lookalike domains detected on the Custom Watched Domains list, expressed as a numerical value and as the percentage of the increase or decrease over the past seven days. To open the panel for filtering records, click the Total Lookalikes from Custom Watched Domains link. For more information, see callout L.

Threats from Custom Watched Domains: This card shows the total number of threats detected on the Custom Watched Domains list, expressed as a numerical value and as the percentage of the increase or decrease over the past seven days. To open the panel for filtering records, click the Threats from Custom Watched Domains link. For more information, see callout L.

Records in the table can be sorted based on the following criteria:

Show: Click Show to display all lookalike domains for a particular time period. Select Show All, Last 24 hours, Last 7 days, or Last 30 days.

Image: The time period options menu.

Threat Classes Chart: The Threat Classes card is located in the top-right corner and contains a bar chart of threat indicators detected for All, Common Watched Domains, or Custom Watched Domain within the past 30 days. The threat classes reported in the bar chart are suspicious, phishing, and malware C2.

The Threat Classes chart.
Image: The Threat Classes chart.

To view the background tasks and recent search information, specify the following:

Background Tasks: Click the hourglass icon to open the side panel that shows a list of all running background tasks.

Global Search: Click the search icon and in the Search text box, enter your search criterion. Alternatively, select the criterion if it appears under Recent Searches, which shows tool information, console messages, and other information used in recent searches. The Cloud Services Portal will show all records that match the search criterion.

To mute a lookalike domain, click the expand menu icon next to the domain’s entry. In the pop-up window, click Mute to confirm you want to mute the selected domain(s). The now muted lookalike domain can be viewed on the Muted Lookalikes page. For information on muted lookalike domains , see Viewing Muted Lookalike Domains.

Image: Unmuting a domain.

To investigate a domain further, by using the Dossier suite of threat-investigation tools (see Research > Dossier in the Cloud Services Portal), click the Send to Dossier icon located next to the entry of a lookalike domain. For information on using Dossier to investigate threats, see Dossier Threat Research Portal.

Export: Select the checkbox for each lookalike domain you want to export in the CSV file, and then click Export to download the file. To export the records for all lookalike domains shown in the UI, select the checkbox in the header section of the table. The downloaded records will contain all information on watched domains, lookalike domains, or lookalike hosts, depending on the type of the domain being displayed.

Add to custom list: Select the checkbox for each lookalike domain you want to add to a custom list, and click Add to custom list. The Add to custom list pop-up window will open; use it to add the lookalike domain(s) to one or more specified custom lists. For more information, see Adding Lookalike Domains to a Custom List.

Image: The Add to Custom List pane.

Mute lookalikes: Select the checkbox for each lookalike domain you want to mute, and then click Mute lookalikes to add the selected domain(s) to the list. Alternatively, click the horizontal expand menu icon next to the entry of a lookalike domain you want to mute. For additional information, see callout G.

Filtering: Click the filter icon to open the panel for filtering records. In the panel, click the add icon to filter data by the available filtering parameters. For instructions on opening the panel for filtering records, see callout R.

Lookalike Records Table: The records table (table layout) shows the records according to the viewing parameters you have selected. The table can be viewed in a table or card format (the default view), depending on the viewing option selected. For information on selecting a viewing format, see callout P. The following information can be viewed in the records table:

Lookalike: the name of the lookalike domain or lookalike host attempting to mimic the target domain or reported by the organization and added to the watch list.
Clicking a listed lookalike domain or a lookalike host will direct you to Dossier. On the Dossier report page, you can check whether the lookalike domain or host is associated with any known malicious activity.
Explanation: the explanation added by the organization at the time a targeted domain is added to the watch list.
The explanation includes the name and description of the lookalike domain mimicking the targeted domain. The threat type and creation date are included in the explanation.
Registration Date: the lookalike domain's registration date.
Domain: the name of the targeted domain being mimicked by the lookalike domain.
Threat Class: the threat classes associated with the lookalike domain
The threat classes reported are suspicious, phishing, and malware C2.
Type: the type of the lookalike domain.
The lookalike types include common domains and custom domains, depending on the reporting source of the lookalike domain. Common lookalike domains are reported in threat feeds, but custom lookalike domains are those that your organization determined to be mimicking the targeted domain. Custom domains are identified with gold-colored, crown-shaped icons.
Category: the category filters assigned to the lookalike domain.
For information on category lists, see Configuring Category Filters.

Search: Enter a search criterion in the Search text box. The Cloud Services Portal will show all records that match the criterion.

Threat Warnings: Threat warnings for listed lookalike domains are indicated with a red, triangular warning symbol in the Threat Class information column. The warning symbol indicates the threat(s) identified as being associated with the lookalike domain. The threat classes reported are suspicious, phishing, and malware C2.

Image: Phishing warning.

Record Table Format Selector: From the format selector icon, select the card or table view. You can choose the other format at any time.

call-out Q

On the table header, click the expanable menu icon to select the columns to be added to the report generated from the lookalike table. To reorder information, use the up/down arrow associated with each column. For information on each column, see callout M.

call-out R

Click the filter icon to open and close the filtering panel. For information on conducting a filtered search, see callout L.

You can also do the following on the page:

In the lower-left corner, specify the number of records to be shown per page: 25, 50, or 100.
In the bottom-right corner, select the number of the page you want to view: 1, 2, ...

For additional information on monitoring lookalike domains, see the following:

Custom Lookalike Domain Monitoring