Submit a Whois lookup with Threat Intelligence

Submit Whois lookups on domain names and URLs to obtain context on URL observables, and to make better determination on threats. Whois URL lookups provide history and domain registration information that offer good insight into the validity of domains and websites.

Before you begin

Role required: sn_ti.write

About this task

If the WhoisXML API Integration plugin is activated, you can submit Whois lookup requests using the following procedure, or you can perform the lookup from within the Security Incident Response module.

Procedure

  1. Navigate to Threat Intelligence > IoC Lookup > Lookups.
    The Lookups list shows all lookups, including those lookups that have not yet executed and those lookups that are complete. Each lookup includes an automatically generated lookup name that identifies the file, hash value, URL, or IP address selected.
  2. Click New.
  3. Fill in the fields on the form, as appropriate.
    Note: Not all fields are supported by all integrated lookup sources.
    Table 1. IoC Lookup
    Field Description
    Number The auto-generated record number for this request.
    Lookup Source Select WHOIS.
    Type Select the type of lookup to perform: IP or URL.
    Attachment queued for lookup Select the attachment for lookup. This field appears only if File or Hash is selected in the Type field.
    Value The IP address or URL to perform the lookup.
    State The current state of the request.
    Time requested The date and time the request was created.
    Requested by The name of the requester.
    Status message A status message generated by the third-party lookup source.
    Reference The URL of the third-party lookup source.
    Raw response The raw results of the lookup form the selected lookup source. To view this field, you must personalize the form and add the Raw response field.
  4. Click Submit.
    The new lookup appears in the Lookups list.
  5. Click the SCN number to view the status of the lookup.
    The Whois lookup returns a combination of this information:
    • domain name
    • registrar
    • sponsoring registrar
    • whois server name
    • name servers
    • lookup statuses
    • updated date
    • creation date
    • expiration date
    • registry ID and contact information
    • admin contact information
    • technical contact information