Threat lookup results page

Overview

The Threat Lookup Results page is an in-depth analytical environment within the CoreTIS platform that displays detailed information about a specific indicator that a user has queried. This section provides a comprehensive view of the threat associated with the indicator.

Accessing Threat Lookup Results

Upon conducting a search in the Threat Lookup module, users are directed to the results page for the indicator they have entered. This page is structured into various sections, each offering different types of information.

Features of the Threat Lookup Results Page

  1. Credibility Score: Each indicator is assigned a credibility score ranging from 1 (least credible) to 10 (most credible). This score helps users quickly assess the reliability of the threat intelligence associated with the indicator.

  2. Location Information: Geographic data associated with the indicator, such as country, city, and the IP address’s corresponding continent.
  3. Threat Information:
    • Creation and modification timestamps for the record.
    • Type of threat (e.g., MALICIOUS) and any associated malware name.
  4. Network and Organization Details: Information regarding the Autonomous System (AS), Internet Service Provider (ISP), and organization responsible for the IP.
  5. User Votes: A summary of how users have classified the indicator, reflecting community input on whether the indicator is harmful or harmless.
  6. Connection Details: Metadata such as whether the IP address is associated with mobile, proxy, or hosting services.

Exporting Data

By clicking the “Export” button, users can download the indicator data in various formats for use with other security tools. Available formats include:

  • PDF
  • STIX (Structured Threat Information eXpression)
  • Zeek (formerly Bro)
  • Snort
  • Suricata
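
As an added example that is not CoreTIS's own export code, the Python below renders a lookup record carrying the fields this page lists (credibility score, threat type, malware name, timestamps) into a STIX 2.1 Indicator object and a Suricata alert rule, two of the export formats named above. The record's field names, the TEST-NET-3 address and the linear mapping of the 1 to 10 credibility score onto STIX confidence (0 to 100) are assumptions.

```python
import uuid

# Constructed sample record; its fields follow the ones this page lists. Field
# names and the TEST-NET-3 address are assumptions, not CoreTIS's export schema.
SAMPLE_RECORD = {
    "indicator": "203.0.113.10",
    "indicator_type": "IP",
    "credibility_score": 8,
    "threat_type": "MALICIOUS",
    "malware_name": "ExampleBot",  # hypothetical family name
    "created": "2024-01-15T10:00:00Z",
    "modified": "2024-02-01T12:30:00Z",
}

SCO_TYPES = {"IP": "ipv4-addr", "Domain": "domain-name", "URL": "url"}  # STIX SCO type

def credibility_to_confidence(score: int) -> int:
    """Map the 1-10 credibility score to STIX confidence (0-100);
    assumption: linear scaling, so 8 -> 80."""
    if not 1 <= score <= 10:
        raise ValueError(f"credibility score out of range: {score}")
    return score * 10

def to_stix_indicator(record: dict) -> dict:
    """Build a STIX 2.1 Indicator object from a lookup record."""
    sco = SCO_TYPES[record["indicator_type"]]
    # Escape backslash and quote so the value cannot break out of the pattern.
    value = record["indicator"].replace("\\", "\\\\").replace("'", "\\'")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": record["created"],
        "modified": record["modified"],
        "name": f"{record['threat_type']}: {record['malware_name']}",
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{sco}:value = '{value}']",
        "pattern_type": "stix",
        "valid_from": record["created"],
        "confidence": credibility_to_confidence(record["credibility_score"]),
    }

def to_suricata_rule(record: dict, sid: int) -> str:
    """Emit a Suricata alert (not drop) rule for an IP indicator, so
    analysts can validate hits before blocking."""
    if record["indicator_type"] != "IP":
        raise ValueError("IP-based Suricata rule needs an IP indicator")
    msg = f"CoreTIS {record['threat_type']} IP - {record['malware_name']}"
    return (f'alert ip any any -> {record["indicator"]} any '
            f'(msg:"{msg}"; sid:{sid}; rev:1;)')
```

Load the rule into Suricata in alert mode first and review hits against the credibility score before promoting the indicator to a blocking rule.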

Actions Menu

The “Actions” button offers additional interaction options:

  • Report Now: Allows users to submit a report for the indicator, contributing to the community’s threat intelligence.
  • Add to Community: Enables users to share the indicator with the threat community, alerting other members to the potential threat.

Indicator Page Tabs

The results page is organized into the following tabs:

Detection Tab

This tab contains various analyses based on the type of indicator:

  • IP: Antivirus Engine Analysis, User Abuse Report Analysis, Open Threat Exchange Analysis, IP Blocklist Information, Port Scan Analysis
  • Domain: Antivirus Engine Analysis, User Abuse Report Analysis, Open Threat Exchange Analysis, IP Blocklist Information
  • URL: Antivirus Engine Analysis, User Abuse Report, Open Threat Exchange, URL Behaviour Analysis
  • File: Antivirus Engine Analysis
  • UserAgent: UserAgent Stack Analysis
  • Email: Abstract Analysis, Reacher Analysis, hunter.io Analysis

Details Tab

Provides in-depth details about the indicator:

  • IP: WHOIS data, Communicating Files, Referring Files, Reverse DNS, Passive DNS, SSL Certificates
  • Domain: WHOIS data, Communicating Files, Subdomains, Siblings, Passive DNS, SSL Certificates
  • URL: SSL Certificate information
  • File: Names, Sections, Import Table, File Type Identification, Detection Scenarios, Sandbox Reports
  • UserAgent: Not applicable
  • Email: WHOIS data, SSL Certificate information

File Behavior Tab

Exclusive to file indicators, this tab offers dynamic analysis, including executed commands, processes, registry manipulations, and network connections.

Relations Tab

Features a relational graph displaying connections between the queried indicator and other associated indicators.

User Reports Tab

Provides access to all the reports submitted by CoreTIS users regarding the indicator.

Best Practices

  • Review all sections of the results page to gain a comprehensive understanding of the threat context.
  • Utilize the export feature to download the data for further analysis or reporting.
  • Engage with the community voting system to contribute to the platform’s crowd-sourced threat intelligence.
  • Act upon the information by implementing necessary security measures or conducting further investigations.
  • Pay special attention to the Relations tab to understand the broader context of the threat landscape.
