Enrichment results are displayed on the ReverseWhois Domains tab at the bottom of the security incident record. Locate the lookup results to verify that the lookup ran successfully.
Before you begin
Role required: sn_si.analyst
Procedure
- If not already open, navigate to and locate the security incident you're working with.
  After the application is configured and you have attached an observable, the flow launches automatically. The work notes on the security incident record display the execution and completion status of the lookup.
- If you can't verify that the lookup ran successfully, review the work notes for more information on how to proceed.
- Navigate to the bottom of the security incident and select the Show All Related Lists related link.
  Enrichment results are displayed on the ReverseWhois Domains tab. The active domains for this observable are displayed in the Domain column.
- Select the blue information icon next to an item, then select Open record in the dialog box that is displayed.
  The record is displayed with enrichment details, including the raw data.
- Navigate back to the security incident, and with the ReverseWhois Domains tab selected, click an observable in the Observable column to open a record.
  The child observables are displayed on the Child Observables tab on the Observable record. The child observables are generated only if the Reverse Whois application has returned domains.
If the lookup does not successfully complete, verify that the search terms you entered are supported by the integration. Review the work notes for more information.
What to do next
For more enrichment data on the domain lookup results, you can run the Whois integration to perform enrichment lookups on the child observables returned by the Reverse Whois integration. This enrichment data on the child observables includes information on registration date, name of registrar, and country of origin.