Run the Whois integration to perform enrichment lookups on the domains returned from the Reverse Whois integration.
Before you begin
Verify that you have installed and configured the Reverse Whois and Whois plugins. Perform these steps only after you have run the domain lookup with the Reverse Whois plugin successfully.
Role required: sn_si.analyst
About this task
Results are displayed on the Observable Enrichment Results tab on the Observable record.
Procedure
- Navigate to and locate the security incident you are working with that has run the domain lookup successfully.
- Open the record and select the Show All Related Lists related link.
- Select the Reverse Whois Domains tab at the bottom of the record.
  In the Domains column, the list of returned domains is displayed.
- In the Observable column, select an observable.
  On the Child Observables tab, the child observables are displayed. The child observables are generated only if the initial scan of the observable by the Reverse Whois application returned domains.
- Select the child observables you want to run the observable enrichment on, and, in the Action on selected rows list, select Run Observable Enrichment.
  The Run Observable Enrichment dialog box is displayed.
- Move the Whois integration from Available to Selected and select Submit.
  Results are displayed on the Observable Enrichment Results tab of the observable record.
- Select the blue information icon, then select Open Record in the dialog box that is displayed.
  More information and raw data related to the original domain lookup are displayed, such as the registration date, name of registrar, and country of origin.
If you can't locate child observables or enrichment results, verify that the Reverse Whois integration ran successfully and returned domains. Also, refer to the work notes on the record for more information.