The Dossier Summary report provides a comprehensive, one-page report summarizing the information obtained when conducting a threat indicator search on a threat indicator.
The Summary report is broken out into the following reporting types:
- DNS Record Count: The total number of DNS records.
- Domain/Subdomain Count: The total number of domain and subdomain records.
- URL Count: The total number of URL records.
- IP Count: The total number of IP records.
Image: Sample Summary report.
The Activity Report provides a summary of the number of DNS queries your organization makes for a specific indicator broken down by day.
The names of your custom lists are displayed in this section of the Summary report.
For information on how to add a domain, hostname, or IPv4 address to your custom list or lists, see Add to Custom List. Note: IPv6 addresses, URLs, email addresses, MD5, SHA1, and SHA256 hashes are not supported.
If an indicator has been reported as a lookalike domain, it will be listed in this section of the Summary report.
Registered Owner (WHOIS)
The Registered Owner (WHOIS) record for the indicator with information about the domain including the following:
- Created: The domain creation date (month/day/year).
- Updated: The date the domain was last updated (month/day/year).
- Expires: The date the current domain registration expires (month/day/year).
- Registrant Name: The name of the person or entity registering the domain.
- Registrant Organization: The name of the organization associated with the domain registration.
- Registrant Country: The country where the domain registrant resides.
- Registrar Name: The name of the domain registrar where the domain was registered.
The SSL Certificate section displays data pulled from the SSL Certificate associated with the queried domain name. This section contains information on the SSL Cert itself as well as information on the issuer and domain. The details dropdown displays the raw data from the SSL Certificate, similar to the Raw WHOIS section.
The application detection section displays applications that have been associated with the queried indicator. This data is provided by the Infoblox Cyber Intel team,
The detection history associated with a threat indicator. The report provides the following information:
- First Report: The date the indicator was first detected.
- Last Report: The most recent date the indicator was reported.
- Last URL AV Detections: The last date the URL was reported as being a threat.
The implied risk of the indicator when taking into account the full range of reports received regarding the indicator.
- Threat Level: The threat score for an indicator measured on a 0-10 scale.
- Infoblox Risk Level: The risk score for an indicator measured on a 0-10 scale.
- Infoblox Confidence Level: The confidence score for an indicator measured on a low, medium, or high scale.
A list of the threat feeds where information on the indicator threat has been reported. Also included among the feeds is the Infoblox Whitelist, listing all whitelisted domains as determined by Infoblox.
A list of the threat categories assigned to the indicator through the process of research and investigation as assigned by Infoblox and other threat investigating services. Each threat investigating service is listed along with the threat assigned by each of the services.
The Dossier Summary report also contains the following features:
The search field is located at the top of the page and is used to search for threat indicators. You can run a search based on domain name, IP address, hostname, URL, email, or hash value.
Click Resources located in the top right-hand side of the Summary page to display a drop-down list containing additional Dossier and TIDE resources.
Resources include the following:
- Dossier & TIDE Quick Start Guide
- Dossier User Guide
- Dossier API Calls Reference
- Dossier Source Descriptions
- Threat Classification Guide
Add to Custom List
Dossier allows you to perform custom list management. Domains and IP addresses can be added directly to your custom lists through any of Dossier’s reports pages, including the Summary report page.
Adding a Domain or IP Address to a Custom List in Dossier
To add a domain or IP address to a custom list in Dossier, complete the following:
- From the Cloud Services Portal, click Research -> Dossier.
- Run a Dossier search on the domain name or IP address.
- On the Dossier Summary report page, click Add to Custom List located at the top, right-hand side of the Action bar.
- On the Add to Custom List page, select the custom list or lists to add the domain or IP address to from among the available custom lists by clicking the blue arrow associated with the custom list. If you cannot locate the custom list you want to add the domain or IP address to, you can use the search feature to search for the custom list. Alternatively, you can click to add the domain or IP address to all custom lists. If you inadvertently add the domain or IP address to a custom list, you can click the blue arrow associated with that custom list in the Selected column to remove the domain or IP address from it.
- Once you have added the domain or IP address to your custom list or lists, you can save your configuration by clicking Add.
- You should now see the name of the custom list or lists where the domain or IP address has been added populating the Custom Lists section of the Summary report page.
Generate API Request
Click Generate API Report to generate a curl command for the searched domain:
curl -X GET -H "Authorization: Token <API_KEY>" "https://csp.infoblox.com/tide/api/services/intel/lookup/indicator/host?value=google.com&wait=true"
Click Full API Guide located on the bottom-right corner of the pop-up window to view the Dossier API Swagger page displaying information on the complete Dossier API implementation.
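The following Python script is an added example (not Infoblox's own code or part of this page) that reproduces the generated curl command above as a reusable request builder. The endpoint, the "host" path segment, the "value"/"wait" query parameters and the "Authorization: Token" header are taken from the page's curl command; the path segments assumed for the other indicator types (ip, url, email, hash), the DOSSIER_API_KEY environment variable and the validation rules are assumptions for this example. The API key is read from the environment rather than pasted into the command line so it does not end up in shell history.

```python
"""Build (and optionally send) a Dossier indicator lookup request.

Added example: mirrors the curl command shown on the page. Only the
"host" path segment and the Authorization header format come from the
page; the other indicator-type mappings are assumed.
"""
import json
import os
import urllib.parse
import urllib.request

DOSSIER_BASE = "https://csp.infoblox.com/tide/api/services/intel/lookup/indicator"

# Indicator type -> URL path segment. "host" is taken from the page's
# curl example; the remaining entries are assumptions for illustration.
INDICATOR_PATHS = {
    "domain": "host",
    "hostname": "host",
    "ip": "ip",
    "url": "url",
    "email": "email",
    "hash": "hash",
}


def build_lookup_request(indicator_type, value, api_key, wait=True):
    """Return a GET urllib Request equivalent to the page's curl command.

    The indicator value is URL-encoded so characters such as '&' or '?'
    in a URL indicator cannot alter the query string.
    """
    try:
        segment = INDICATOR_PATHS[indicator_type]
    except KeyError:
        raise ValueError(f"unsupported indicator type: {indicator_type!r}") from None
    if not value or any(ch.isspace() for ch in value):
        raise ValueError("indicator value must be a single non-empty token")
    query = urllib.parse.urlencode({"value": value, "wait": "true" if wait else "false"})
    url = f"{DOSSIER_BASE}/{segment}?{query}"
    return urllib.request.Request(
        url, headers={"Authorization": f"Token {api_key}"}, method="GET"
    )


def lookup(indicator_type, value, api_key=None, timeout=60):
    """Send the lookup and return the decoded JSON body.

    Reads the key from DOSSIER_API_KEY (assumed variable name) when none
    is passed, so the secret never appears on the command line.
    """
    api_key = api_key or os.environ.get("DOSSIER_API_KEY")
    if not api_key:
        raise RuntimeError("set DOSSIER_API_KEY or pass api_key explicitly")
    req = build_lookup_request(indicator_type, value, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration: show the request that would be sent for the
    # page's own example indicator, without contacting the service.
    req = build_lookup_request("domain", "google.com", "<API_KEY>")
    print(req.get_method(), req.full_url)
    print("Authorization:", req.get_header("Authorization"))
```

Running the script prints the same URL and header the Generate API Report dialog produces; calling lookup() performs the query against the live service and returns the parsed JSON, whose structure is not described on this page.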
Click Export to export the Dossier Report file. You can choose to include any or all of the report sections by placing a check in the box associated with a specific section of the report. You can choose from among the following sections:
- Impacted Devices
- Current DNS
- Related Domains
- Related URLs
- Related IPs
- Related File Samples
- Related Contacts
- Threat Actor
- MITRE ATT&CK
- WHOIS Record
- Raw Whois
When you have finished selecting what sections of the report to export, click Export in the bottom right-hand corner of the dialogue box. Your report will be exported in PDF format.
Click Close to close the Summary Report page. Closing the Summary page returns you to the default Dossier search page.