Indicator search

The Indicator Search allows you to search for threat information based on domain, threat name, or application name. These searches allow you to discover the following:
  • whether a domain is a threat
  • whether a specific type of threat is active in your network
  • the risk level and the number of events associated with a specific application

In an event or activity report, you are also redirected to the Indicator Search page when you choose to view More Details for a domain or threat name. When viewing threat or access control events, you can also select the information icon associated with a domain to view Indicators of Compromise (IOC) details in a separate window. The IOC details that appear provide the same information that is on the Indicator Search page.

Search by domain

A domain is considered harmful if it is a confirmed threat. If the domain does not host harmful content, the indicator search only shows a graph with DNS activity for the time period you selected. If a domain is detected to host harmful content, this information appears:
  • A graph illustrating the number of DNS requests that occurred for the domain in the specified time period.
  • A table showing the complete history of the domain as tracked by ETP. For example, the table shows when the application began tracking the domain as a threat.
  • Additional information about the domain, such as the domain name registrar, the detected threat type, and more. For more information, see Indicator search: domain information.
  • If the domain is associated with a specific threat, the name of the threat appears. You can hover over the threat name to read more information about the threat. The window that appears provides a threat description, the severity level, external links, and a graph with the number of events related to this threat from the last 30 days.
Note: If you believe a domain is misclassified, ETP allows you to report the domain to our analysts. For more information, see Report a misclassified domain.

Search by threat name

You can search by a threat name to learn more about a threat and determine whether this threat currently affects your organization. This information can help you and your organization decide how to remediate or remove these threats from your network. A threat search provides this information:
  • Definition of threat. Defines the threat and describes how it spreads and affects a network.
  • Other known names of threat. If the threat is known by other names, these names are also listed.
  • Severity level. Indicates the severity level that is associated with the threat. For more about these levels, see Severity levels.
  • Threat type. Indicates the type of threat. For example, this field indicates if it’s a worm, malware, trojan, or another threat type.
  • External links. For additional information about the threat, external links to resources on the Internet are also provided.
  • Events. If there are events associated with the threat or threat type, a graph appears with a total number of events that occurred during a specified time period.

Search by application name

You can search by the application name to learn whether an application is a risk to your organization. An application search provides this information:

  • Risk level associated with the application. For more information about the risk levels, see Application visibility and control.
  • Application category and a description of the category.
  • Whether ETP Proxy is required to use the application. If ETP Proxy is not required, ETP may still be able to identify the application based on its hostname.
  • The known URLs that are associated with the application.
  • Events associated with the application. A graph shows the total number of events that occurred during the specified time period.
  • History of when ETP started tracking the application.