Lookalike domains are domains that are visually similar (look-alike) to other domains. They are composed using methods such as replacing letters with visually confusable ones (e.g. o to 0, l to 1, w to vv) or switching to a different top-level domain (e.g. .com to .cc), among others. These domains are often found in cyber attacks seeking brandjacking, traffic redirection, and phishing.
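The substitutions described above are the reason a defender cannot match brand names against a domain list with a plain string comparison. The following Python example (added here; it is not Infoblox code and not part of TIDE) normalizes the confusable glyphs the page names, plus a few common ones, before comparing each label of a hostname against a list of protected brands. The confusable table, the brand list, the "last two labels" rule for the registrable domain, and the sample hostnames are all assumptions constructed for the example.

```python
from typing import Dict, Iterable, List, Optional, Set

# Single-character confusables: the glyph an attacker substitutes -> the letter it imitates.
# Assumption: illustrative table built from the substitutions the page lists (o -> 0, l -> 1)
# plus a few common ones; production confusable tables are far longer.
CONFUSABLE_CHARS = {"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "$": "s", "|": "l"}

# Multi-character confusables (the page's vv -> w, plus rn -> m).
CONFUSABLE_PAIRS = {"vv": "w", "rn": "m"}


def normalize_label(label: str) -> str:
    """Collapse confusable glyphs so that 'g00g1e' and 'google' compare equal."""
    label = label.lower()
    for pair, letter in CONFUSABLE_PAIRS.items():
        label = label.replace(pair, letter)
    return "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in label)


def lookalike_of(hostname: str, brands: Iterable[str], legitimate_domains: Set[str]) -> Optional[str]:
    """Return the protected brand that `hostname` imitates, or None.

    A hostname is flagged when any label other than the TLD, once normalized, equals a
    brand name and the registrable domain is not one the brand legitimately owns. This also
    catches the TLD-swap case (whatsapp.cc) because the registrable domain is not allowlisted.
    Assumption: the registrable domain is the last two labels (no public-suffix list here).
    """
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])
    if registrable in legitimate_domains:
        return None
    by_normalized = {normalize_label(b): b for b in brands}
    for label in labels[:-1]:
        hit = by_normalized.get(normalize_label(label))
        if hit is not None:
            return hit
    return None


def scan(hostnames: List[str], brands: Iterable[str], legitimate_domains: Set[str]) -> Dict[str, str]:
    """Return {hostname: brand} for every hostname that looks like a protected brand."""
    result = {}
    for host in hostnames:
        brand = lookalike_of(host, brands, legitimate_domains)
        if brand:
            result[host] = brand
    return result


if __name__ == "__main__":
    # Constructed sample: the page's example host plus a few synthetic hostnames.
    sample = ["whatsapp.qxowgqhtny.site", "g00gle.com", "vvhatsapp.cc",
              "www.whatsapp.com", "example.org"]
    print(scan(sample, {"whatsapp", "google", "paypal"},
               {"whatsapp.com", "google.com", "paypal.com"}))
```

Normalizing both sides (the brand list and the candidate label) keeps the comparison symmetric, so a brand whose real name happens to contain "rn" still matches itself. A real deployment would replace the two small tables with a full confusables list and the last-two-labels rule with a public-suffix lookup.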

TIDE supports searching for lookalike domains through the UI and the API.

To retrieve records through the TIDE UI, use the Indicator Search.

To retrieve records through API, two methods are supported:

  1. Running an API call using the Swagger page.
  2. Running an API call through Terminal.

Searching for Lookalike Domains via the TIDE UI

You can use the Indicator Search in the TIDE UI to search for lookalike domains. Note that Indicator Search is limited to a maximum of 25,000 records. The default number of search returns is limited to 1,000 records.

To search for lookalike domains using Indicator Search, follow these steps:

  1. Select Hostnames for the data type.
  2. For Threat Class, deselect All and select Policy.
  3. From the Data Provider options, deselect All and select IID.
  4. Click the Search button to run the search query.
  5. From the returned search results, in the Property column, apply a sort to classify the different policies according to type.
  6. Scroll through the returned search results until the lookalike domains are located (Policy_LookalikeDomains).

From the returned indicator search results, you can perform a Dossier search against a selected lookalike domain to discover additional details on the indicator.

You can download the search results as an XML, CSV, or JSON file.

Searching for Lookalike Domains using an API call on the Swagger page

To run a search for a lookalike domain in TIDE using Swagger, follow these steps:

  1. Navigate to the Manage API Keys page (user name > User Settings > User Management > Manage API Keys).
  2. Select an active API key and copy it.
  3. Navigate to the Data API Guide (Resources > API guides > Data API Guide).
  4. Paste the copied API key into the API Key text field.
  5. Click the Enter API Key button. A modal window will appear acknowledging that your API key has been accepted.
  6. From the list of BloxOne Platform Data Service REST APIs, click threat: Threat APIs to reveal all available API GET calls.
  7. From the list of GET calls, click State Table API (/data/threats/state/(type)) to display all available search parameters. Note that while running any of the threat API calls, TIDE will return data on lookalike domains. The recommended GET call to run when querying the system for lookalike domains is the State Table.
  8. For the type parameter, select Host.
  9. For the property parameter, input Policy_LookalikeDomains.
  10. Click the Try it out button to run the call.

Once you execute the API call, the Response Body of the returned search yields the requested lookalike domain data. By default, TIDE returns 100 lookalike domain records. By adjusting the record-limit parameter (rlimit) of the query, you may request fewer or more records (as few as one record and as many as 500 records).

A lookalike domain query returns data as shown in the following example:

{
    "id": "dc396246y-56554-11e6-91e8-77e31fb69hcv",
    "type": "HOST",
    "host": "whatsapp.qxowgqhtny.site",
    "domain": "lookalikedomain.site",
    "tld": "site",
    "profile": "IID",
    "property": "Policy_LookalikeDomains",
    "class": "Policy",
    "threat_level": 100,
    "detected": "2018-05-15T02:15:07.473Z",
    "received": "2018-05-15T15:37:24.173Z",
    "imported": "2018-05-15T15:37:24.173Z",
    "expiration": "2018-05-29T02:15:07.473Z",
    "dga": false,
    "up": true,
    "batch_id": "dc396246y-56554-11e6-91e8-77e31fb69hcve",
    "extended": {
        "extended": "301a337ecd3490a61bc54e4dfd2bcg610ded2"
    }
}

Searching for Lookalike Domains using an API Call in Terminal

When using an API call in Terminal, all records within the system can be obtained. To run a search for a lookalike domain in TIDE using Terminal, use the following API call.

curl -u [YOUR_API_KEY]: \
  'https://platform.activetrust.net:8000/api/data/threats/state/host?property=Policy_LookalikeDomains&rlimit=100'

The resulting response will retrieve the requested number of records.
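The curl line above passes the API key as the Basic-auth user name with an empty password and asks the State Table endpoint for records carrying the Policy_LookalikeDomains property. The Python example below (added here; not Infoblox code and not part of TIDE) builds that same request with the standard library, bounds rlimit to the 1 to 500 range the page states, and then filters a response body down to records that are still "up" and not yet past their expiration timestamp, which is what a blocklist feed or SIEM enrichment job would actually want to consume. The response-body shapes it accepts (a single record as shown on the page, a bare list, or a list under a "threat" key) and the two synthetic records in the sample are assumptions; the first sample record is the one printed on the page.

```python
import base64
import json
from datetime import datetime, timezone
from typing import Any, Dict, List, Tuple
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Endpoint and property name exactly as in the curl call on this page.
STATE_TABLE_URL = "https://platform.activetrust.net:8000/api/data/threats/state/host"
LOOKALIKE_PROPERTY = "Policy_LookalikeDomains"


def build_request(api_key: str, rlimit: int = 100) -> Request:
    """Build the request the curl line sends: the API key as the Basic-auth user name
    with an empty password, and rlimit kept inside the 1..500 range the page states."""
    if not 1 <= rlimit <= 500:
        raise ValueError("rlimit must be between 1 and 500")
    query = urlencode({"property": LOOKALIKE_PROPERTY, "rlimit": rlimit})
    token = base64.b64encode(f"{api_key}:".encode("ascii")).decode("ascii")
    return Request(f"{STATE_TABLE_URL}?{query}", headers={"Authorization": f"Basic {token}"})


def fetch_lookalikes(api_key: str, rlimit: int = 100) -> Any:
    """Execute the call and return the decoded JSON body (needs network access and a valid key)."""
    with urlopen(build_request(api_key, rlimit), timeout=30) as resp:
        return json.load(resp)


def _records(payload: Any) -> List[Dict[str, Any]]:
    """Normalize the body to a list of records. Assumption: the body may be a single
    record (as printed on the page), a bare list, or a list under a "threat" key."""
    if isinstance(payload, list):
        return payload
    if isinstance(payload, dict) and isinstance(payload.get("threat"), list):
        return payload["threat"]
    return [payload]


def parse_ts(ts: str) -> datetime:
    """Parse the millisecond UTC timestamps used in the record (e.g. 2018-05-29T02:15:07.473Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def active_lookalikes(payload: Any, now: datetime) -> List[Tuple[str, str]]:
    """Keep only records carrying the lookalike property that are still up and not yet
    expired; return (host, expiration) pairs sorted by expiration."""
    out = []
    for rec in _records(payload):
        if rec.get("property") != LOOKALIKE_PROPERTY or not rec.get("up", False):
            continue
        if parse_ts(rec["expiration"]) <= now:
            continue
        out.append((rec["host"], rec["expiration"]))
    return sorted(out, key=lambda pair: pair[1])


# Constructed sample body: the page's example record plus two synthetic records
# (one already expired, one no longer up) so the filter has something to reject.
SAMPLE_RESPONSE = {"threat": [
    {"id": "dc396246y-56554-11e6-91e8-77e31fb69hcv", "type": "HOST",
     "host": "whatsapp.qxowgqhtny.site", "domain": "lookalikedomain.site", "tld": "site",
     "profile": "IID", "property": "Policy_LookalikeDomains", "class": "Policy",
     "threat_level": 100, "detected": "2018-05-15T02:15:07.473Z",
     "received": "2018-05-15T15:37:24.173Z", "imported": "2018-05-15T15:37:24.173Z",
     "expiration": "2018-05-29T02:15:07.473Z", "dga": False, "up": True,
     "batch_id": "dc396246y-56554-11e6-91e8-77e31fb69hcve"},
    {"id": "constructed-0002", "type": "HOST", "host": "paypa1.example", "profile": "IID",
     "property": "Policy_LookalikeDomains", "class": "Policy", "threat_level": 100,
     "expiration": "2018-04-15T00:00:00.000Z", "dga": False, "up": True},
    {"id": "constructed-0003", "type": "HOST", "host": "g00gle.example", "profile": "IID",
     "property": "Policy_LookalikeDomains", "class": "Policy", "threat_level": 100,
     "expiration": "2018-06-01T00:00:00.000Z", "dga": False, "up": False},
]}


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_lookalikes(key) for live data.
    print(active_lookalikes(SAMPLE_RESPONSE, parse_ts("2018-05-20T00:00:00.000Z")))
```

Filtering on both the "up" flag and the expiration timestamp matters because TIDE records carry a lifetime: pushing an expired lookalike into a blocklist creates stale blocks, and ignoring "up" re-adds indicators the provider has already retired.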
