Indicator search

Indicator Search lets you look up threat information by domain or by threat name. Use it to find out whether a domain is a known threat, or whether a specific threat is currently active in your network.

Search by domain

If a domain is detected to host harmful content, this information appears:

  • A graph illustrating the number of DNS requests that occurred for the domain in the specified time period.
  • A table showing the complete history of the domain as tracked by Enterprise Threat Protector (ETP). For example, the table shows when the application began tracking the domain as a threat.
  • Additional information about the domain, such as domain name registrar, detected threat type, and more. For more information see Indicator Search: Additional Domain Information.
  • If the domain is associated with a specific threat, the name of the threat appears. You can hover over the threat name to read more information about the threat. The window that appears provides a threat description, the severity level, external links, and a graph with the number of events related to this threat from the last 30 days.

A domain is considered harmful only if it is a confirmed threat. If the domain is not classified as harmful, the Indicator Search shows only a graph of DNS activity for the time period you selected.

Note: If you believe a domain is misclassified, ETP allows you to report the domain to our analysts. For more information see Report a misclassified domain.

In addition to performing a search from the Indicator Search page, you can also complete a search from the Dashboard. The Dashboard redirects you to the Indicator Search page with the search results.

Note: If you are trying ETP with the new Enterprise Center interface, you cannot search for a domain. This functionality is available only in the original ETP user interface. To learn more about the new dashboard, see New Dashboard.

You are also redirected to the Indicator Search page when you choose to view More Details in an event report. When viewing threat or access control events, you can also select the information icon associated with a domain to view Indicators of Compromise (IOC) details in a separate window. The IOC details that appear provide the same information that is on the Indicator Search page.

Search by threat name

On the Indicator Search page, you can also search by threat name to learn more about a threat and determine whether it currently affects your organization. This information helps you decide how to remediate the threat or remove it from your network. The following information appears for the threat:
  • Definition of threat. Defines the threat and describes how it spreads and affects a network.
  • Other known names of threat. If the threat is known by other names, these names are also listed.
  • Severity level. Indicates the severity level that is associated with the threat. For more about these levels, see Severity levels.
  • Threat type. Indicates the type of threat. For example, this field indicates if it’s a worm, malware, trojan, or another threat type.
  • External links. For additional information about the threat, external links to resources on the Internet are also provided.
  • Events. If there are events associated with the threat or threat type, a graph shows the total number of events that occurred during the selected time period. By default, events from the last 24 hours are shown. You can instead select a specific date range, or show events from this month, the last 7 days, or the last 30 days. You can also restrict the events to a specific time of day by entering start and end times in 24-hour clock format.
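The time-period presets, the custom date range and the time-of-day filter described above are the same selectors that drive the DNS-request graph in a domain search. The example below, added here and not ETP code or an ETP API, reproduces that filtering over a small set of constructed DNS events so you can see exactly which events each selector keeps. The preset names, the DnsEvent record layout, the fixed NOW timestamp and the sample events are all assumptions made for the example; ETP's own export format and preset labels may differ.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import List, Optional, Union


@dataclass(frozen=True)
class DnsEvent:
    ts: datetime                # when the DNS request was logged (naive, UTC assumed)
    domain: str                 # queried domain
    threat_name: Optional[str]  # None when the domain is not tied to a named threat


# Fixed "current time" so the relative presets are reproducible (assumption).
NOW = datetime(2024, 5, 15, 12, 0, 0)

# Constructed sample events; this is NOT ETP's export format, only a stand-in
# for whatever event records a search would be run against.
SAMPLE_EVENTS = [
    DnsEvent(datetime(2024, 5, 15, 9, 30), "bad.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 5, 15, 2, 15), "bad.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 5, 14, 15, 0), "bad.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 5, 13, 23, 45), "bad.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 5, 10, 8, 0), "other.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 5, 2, 10, 0), "bad.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 4, 20, 10, 0), "bad.example", "Example.Trojan.A"),
    DnsEvent(datetime(2024, 5, 15, 10, 0), "news.example", None),
    DnsEvent(datetime(2024, 3, 1, 10, 0), "bad.example", "Example.Trojan.A"),
]

Bound = Union[datetime, str, None]


def _as_datetime(value: Bound) -> Optional[datetime]:
    """Accept a datetime or an ISO 'YYYY-MM-DD[THH:MM]' string for custom bounds."""
    return datetime.fromisoformat(value) if isinstance(value, str) else value


def period_bounds(preset: str, now: datetime = NOW,
                  start: Bound = None, end: Bound = None):
    """Map a time-period selector onto an inclusive [start, end] window."""
    if preset == "last_24h":
        return now - timedelta(hours=24), now
    if preset == "last_7d":
        return now - timedelta(days=7), now
    if preset == "last_30d":
        return now - timedelta(days=30), now
    if preset == "this_month":
        return now.replace(day=1, hour=0, minute=0, second=0, microsecond=0), now
    if preset == "custom":
        lo, hi = _as_datetime(start), _as_datetime(end)
        if lo is None or hi is None or lo > hi:
            raise ValueError("custom range needs start <= end")
        return lo, hi
    raise ValueError(f"unknown preset {preset!r}")


def parse_clock(hhmm: str) -> time:
    """Parse a 24-hour 'HH:MM' string as entered in the time-of-day filter."""
    return datetime.strptime(hhmm, "%H:%M").time()


def in_time_of_day(ts: datetime, window_start: time, window_end: time) -> bool:
    """True if the clock time of ts falls in [window_start, window_end).
    A window whose start is later than its end (e.g. 22:00-06:00) wraps past midnight."""
    t = ts.time()
    if window_start <= window_end:
        return window_start <= t < window_end
    return t >= window_start or t < window_end


def search_events(events: List[DnsEvent], *, domain: Optional[str] = None,
                  threat_name: Optional[str] = None, preset: str = "last_24h",
                  start: Bound = None, end: Bound = None,
                  tod_start: Optional[str] = None, tod_end: Optional[str] = None):
    """Keep events matching one search key, the time period, and an optional
    time-of-day window given as 24-hour 'HH:MM' strings."""
    if (domain is None) == (threat_name is None):
        raise ValueError("search by exactly one of domain or threat_name")
    lo, hi = period_bounds(preset, start=start, end=end)
    window = (parse_clock(tod_start), parse_clock(tod_end)) if tod_start and tod_end else None
    hits = []
    for ev in events:
        if domain is not None and ev.domain != domain:
            continue
        if threat_name is not None and ev.threat_name != threat_name:
            continue
        if not (lo <= ev.ts <= hi):
            continue
        if window is not None and not in_time_of_day(ev.ts, *window):
            continue
        hits.append(ev)
    return hits


def events_per_day(events: List[DnsEvent]) -> dict:
    """Daily totals for the events graph, keyed 'YYYY-MM-DD' in date order."""
    counts = Counter(ev.ts.strftime("%Y-%m-%d") for ev in events)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    hits = search_events(SAMPLE_EVENTS, threat_name="Example.Trojan.A", preset="last_7d")
    print(len(hits), "events for Example.Trojan.A in the last 7 days")
    print(events_per_day(hits))
```

The time-of-day window is deliberately treated as wrapping when its start is later than its end, so a 22:00 to 06:00 window catches overnight beaconing; a filter that silently returned nothing for such input would be a common way to miss exactly the activity an analyst is hunting for.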