Search for threats based on domain

You can complete a domain search on the Indicator Search page. If a domain is blocked or associated with a threat category, detailed information about the domain appears, including a history of when the domain was first detected and upgraded to a security threat.

If the domain does not host harmful content, the indicator search only shows a graph with DNS activity for the time period you selected.

Note: If you believe a domain is misclassified, ETP allows you to report the domain to our analysts. For more information see Report a misclassified domain.

How to

  1. In the Enterprise Center navigation menu, select Threat Analytics > Indicator Search.
  2. In the Indicator Search text box, enter a valid domain and press Enter or click the search icon. If the domain is detected to host harmful content, detailed history and information about it appears.
  3. To modify the search time period, do the following:
    1. Click the calendar icon.
    2. On the window that displays, select the date range you want or choose a predefined period. Then select a start and end time if you want to limit the search to a specific time range.
    3. Click Apply.

What you should see

If a domain is detected to host harmful content, this information appears:
  • A graph illustrating the number of DNS requests that occurred for the domain in the specified time period.
  • A table showing the complete history of the domain as tracked by Enterprise Threat Protector (ETP). For example, the table shows when the application began tracking the domain as a threat.
  • Additional information about the domain as described in Indicator Search: Additional Domain Information.
  • If the domain is associated with a specific threat, the name of the threat appears. You can hover over the threat name to read more information about the threat. The window that appears provides a threat description, the severity level, external links, and a graph with the number of events related to this threat from the last 30 days.