
The Dossier Summary report provides a comprehensive, one-page report summarizing the information obtained when conducting a threat indicator search on a threat indicator.

The Summary report is broken out into the following reporting types: 

  • DNS Record Count: The total number of DNS records.
  • Domain/Subdomain Count: The total number of domain and subdomain records.
  • URL Count: The total number of URL records.
  • IP Count: The total number of IP records.


Image: Sample Summary report. 

Activity Report

The Activity Report provides a summary of the number of DNS queries your organization makes for a specific indicator broken down by day.

Custom Lists

The names of your custom lists are displayed in this section of the Summary report. 

For information on how to add a domain, hostname, or IPv4 address to your custom list or lists, see Add to Custom List.

Note: IPv6 addresses, URLs, email addresses, and MD5, SHA1, and SHA256 hashes are not supported.

Lookalike Detection

If an indicator has been reported as a lookalike domain, it will be listed in this section of the Summary report. 

Registered Owner (WHOIS)

The Registered Owner (WHOIS) section displays the WHOIS record for the indicator, with information about the domain including the following:

  • Created: The domain creation date (month/day/year). 
  • Updated: The date the domain was last updated (month/day/year). 
  • Expires: The date the current domain registration expires (month/day/year). 
  • Registrant Name: The name of the person or entity registering the domain. 
  • Registrant Organization: The name of the organization associated with the domain registration.
  • Registrant Country: The country where the domain registrant resides. 
  • Registrar Name: The name of the domain registrar where the domain was registered. 

SSL Certificate

The SSL Certificate section displays data pulled from the SSL Certificate associated with the queried domain name. This section contains information on the SSL Cert itself as well as information on the issuer and domain. The details dropdown displays the raw data from the SSL Certificate, similar to the Raw WHOIS section.

Application Detection

The Application Detection section displays applications that have been associated with the queried indicator. This data is provided by the Infoblox Cyber Intel team.

Detection History

This section lists the detection history associated with a threat indicator. The report provides the following information:

  • First Report: The date the indicator was first detected.
  • Last Report: The most recent date the indicator was reported. 
  • Last URL AV Detections: The last date the URL was reported as being a threat.

Threat Scoring

The implied risk of the indicator, taking into account the full range of reports received regarding the indicator.

  • Threat Level: The threat score for an indicator, measured on a 0-10 scale.
  • Infoblox Risk Level: The risk score for an indicator, measured on a 0-10 scale.
  • Infoblox Confidence Level: The confidence score for an indicator measured on a low, medium, or high scale.

Feeds

A list of the threat feeds in which information on the indicator threat has been reported. Also included among the feeds is the Infoblox Whitelist, which lists all whitelisted domains as determined by Infoblox.

Categorizations

A list of the threat categories assigned to the indicator through research and investigation by Infoblox and other threat investigation services. Each service is listed along with the threat category it assigned to the indicator.


The Dossier Summary report also contains the following features:

Search Field

The search field is located at the top of the page and is used to search for threat indicators. You can run a search based on domain name, IP address, hostname, URL, email, or hash value. 

Resources

Click Resources located in the top right-hand side of the Summary page to display a drop-down list containing additional Dossier and TIDE resources.

Resources include the following:

  • Dossier & TIDE Quick Start Guide
  • Dossier User Guide
  • Dossier API Calls Reference
  • Dossier Source Descriptions
  • Threat Classification Guide

Add to Custom List 

Dossier allows you to perform custom list management. Domains and IP addresses can be added directly to your custom lists through any of Dossier’s reports pages, including the Summary report page.

Adding a Domain or IP Address to a Custom List in Dossier

To add a domain or IP address to a custom list in Dossier, complete the following:

  1. From the Cloud Services Portal, click Research -> Dossier.
  2. Run a Dossier search on the domain name or IP address.
  3. On the Dossier Summary report page, click Add to Custom List located at the top, right-hand side of the Action bar.
  4. On the Add to Custom List page, select the custom list or lists to which you want to add the domain or IP address by clicking the blue arrow associated with each custom list. If you cannot locate the custom list you want, you can use the search feature to find it. Alternatively, you can click to add the domain or IP address to all custom lists. If you inadvertently add the domain or IP address to a list, you can click the blue arrow associated with that list in the Selected column to remove the domain or IP address from it.
  5. Once you have added the domain or IP address to your custom list or lists, you can save your configuration by clicking Add.
  6. You should now see the name of the custom list or lists where the domain or IP address has been added populating the Custom Lists section of the Summary report page.

Generate API Request

Click Generate API Report to generate a curl command for the searched domain, for example:

curl -X GET -H "Authorization: Token <API_KEY>" "https://csp.infoblox.com/tide/api/services/intel/lookup/indicator/host?value=google.com&wait=true"

Click Full API Guide located on the bottom-right corner of the pop-up window to view the Dossier API Swagger page displaying information on the complete Dossier API implementation. 
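The generated curl command can also be built programmatically. The following Python helper is an added example, not Infoblox's code: it assumes the type path segments ip, url, email and hash alongside the host segment the page shows, URL-encodes the indicator value so that a URL indicator cannot alter the query string, and reads the token from an environment variable rather than embedding it in the command line.

```python
import re
from urllib.parse import quote

# Lookup endpoint taken from the generated curl command on this page.
BASE = "https://csp.infoblox.com/tide/api/services/intel/lookup/indicator"

_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# MD5, SHA1 and SHA256 digests by hex length.
_HASH = re.compile(r"^[0-9a-fA-F]{32}$|^[0-9a-fA-F]{40}$|^[0-9a-fA-F]{64}$")
_EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def indicator_type(value: str) -> str:
    """Map an indicator string to the endpoint's type path segment.

    'host' is the segment shown on the page; 'ip', 'url', 'email' and
    'hash' are ASSUMED names for the other kinds the search field accepts.
    """
    if _IPV4.match(value):
        return "ip"
    if _HASH.match(value):
        return "hash"
    if value.lower().startswith(("http://", "https://")):
        return "url"          # checked before email so userinfo URLs stay URLs
    if _EMAIL.match(value):
        return "email"
    return "host"             # domain or hostname


def build_lookup_url(value: str, wait: bool = True) -> str:
    """Return the lookup URL with the value percent-encoded (safe='' also
    encodes '/', '?', '&' and '#', which a raw URL indicator would contain)."""
    encoded = quote(value, safe="")
    flag = "true" if wait else "false"
    return f"{BASE}/{indicator_type(value)}?value={encoded}&wait={flag}"


def curl_command(value: str, key_env: str = "DOSSIER_API_KEY") -> str:
    """Reproduce the page's curl invocation, but reference the token through a
    shell variable so the key is not stored in shell history or process lists."""
    return (f'curl -X GET -H "Authorization: Token ${key_env}" '
            f'"{build_lookup_url(value)}"')


if __name__ == "__main__":
    # Constructed sample indicators; google.com is the value the page uses.
    for sample in ("google.com", "8.8.8.8", "https://example.com/x?a=1&b=2"):
        print(curl_command(sample))
```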

Export

Click Export to export the Dossier Report file. You can choose to include any or all of the report sections by placing a check in the box associated with a specific section of the report. You can choose from among the following sections:

  • Summary
  • Impacted Devices
  • Current DNS
  • Related Domains
  • Related URLs
  • Related IPs
  • Related File Samples
  • Related Contacts
  • Reports
  • Timeline
  • Threat Actor
  • MITRE ATT&CK
  • WHOIS Record
  • Raw Whois

When you have finished selecting which sections of the report to export, click Export in the bottom right-hand corner of the dialog box. Your report will be exported in PDF format.

Close

Click Close to close the Summary Report page. Closing the Summary page returns you to the default Dossier search page.
