Search: Network IoCs tab

The Network IoCs tab lists the connected domains and IP addresses observed in association with the searched IoC(s). Use these lists to enrich your starting set of IoC(s) with additional connected network IoCs. The additional IoCs increase your coverage of the threat, because they correspond to different potential executions of the attack or to different stages of the attack (for example, the dropper source location). The domain and IP lists are enriched with reputation tags, which let you quickly triage malicious IoCs from legitimate domains and IP addresses that the threat uses for poisoning or whose service it abuses. The lists are constructed from a sample of analysis reports (up to 100 reports); the number of reports actually used in the computation is shown next to the tab title.

Above the Reports listing is a widget carousel. Results in the list can be modified or updated using the widget filters. Privacy is also enforced on this tab (see Results Privacy).

Domains list

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Use the Select pull-down menu to fine-tune your selection. Its options allow you to select All visible or All pages domains or to Clear selection. You can also select Blocked (all pages) domains.

Click the cloud download icon (Export selected domains) to export the selected domains in either STIX or plain text format.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 50 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row displays a summary of a report. The list contains the following columns:

Occurrences

Indicates how many times the IoC was seen across the reports.

The list is sorted by occurrences, by default in decreasing order (greatest number at the top). Click the angle up icon to sort the list in increasing order (least at the top). Click the angle down icon to toggle to the default.

Domain

The domain name of the network IoC.

Click the sort icon to sort the list alphabetically by domain name.

Tags

Reputation tags for the domain. Malicious tags are red, suspicious tags are orange, and legitimate tags are green. Hover over the help icon to access a descriptive pop-up for the tag.

IP addresses list

The quick search field above the list provides fast, as-you-type search. It filters the rows in the list, displaying only those rows that have text, in any field, that matches the query string.

Use the Select pull-down menu to fine-tune your selection. Its options allow you to select All visible or All pages IP addresses or to Clear selection. You can also select Blocked (all pages) IP addresses.

Click the cloud download icon (Export selected IPs) to export the selected IP addresses in either STIX or plain text format.

The columns to be displayed in the list can be customized by clicking the additional content icon.

Customize the number of rows to be displayed. The default is 50 entries. Use the left arrow (back) and right arrow (forward) icons to navigate through multiple pages.

Each row displays a summary of a report. The list contains the following columns:

Occurrences

Indicates how many times the IoC was seen across the reports.

The list is sorted by occurrences, by default in decreasing order (greatest number at the top). Click the angle up icon to sort the list in increasing order (least at the top). Click the angle down icon to toggle to the default.

IP

The IP address of the network IoC.

Click the sort icon to sort the list by IP address.

Tags

Reputation tags for the IP address. Malicious tags are red, suspicious tags are orange, and legitimate tags are green. Hover over the help icon to access a descriptive pop-up for the tag.