---
title: "Context Similarity Tab View"
slug: "contextsimiliarity-tab"
tags: ["Context Similarity", "Risk Assessment", "Threat Intelligence"]
updated: 2025-12-22T20:55:28Z
published: 2025-12-22T20:55:28Z
canonical: "help.silentpush.com/contextsimiliarity-tab"
---

# Context Similarity Tab View

A suspect domain, like `adsitct.bgjutdqwpcdddtj[.]com`, surfaces in your alerts without context. Is it isolated noise, or does it mirror infrastructure from known threats, such as phishing kits? Manual pivots across DNS, certs, and feeds drain your triage time.

The **Context Similarity** view uncovers malicious domains from Silent Push Indicator of Future Attack (IOFA) feeds that share setup and management patterns with your target indicator, all in [Total View](/v1/docs/total-view). It ranks similarities via a graph and table, utilizing over 50 traits, including shared nameservers, ASNs, certificate handling, reputation scores, and open directories, to highlight behavioral ties.

Available for domains, this view leverages Silent Push's DNS and Web Data aggregation to enhance tools like Infrastructure Variance for ownership shifts and PADNS for resolution details.

Unknown indicators require quick context, but scattered analysis hinders the hunt. This view provides instant “directionality,” guiding next steps without prior knowledge, by clustering similar threats and revealing patterns, such as overlaps in bulletproof hosting. Security teams assess the likelihood of malicious activity, infer activity types (e.g., malware C2), and prioritize pivots, thereby freeing resources for overstretched SOCs.

It supports proactive hunting, such as linking a novel domain to FIN7-style infrastructure via certificate similarities, or auditing open directories for data leaks, essential for rapid attribution in defender workflows.

## How It Works

Silent Push's proprietary engine profiles every IOFA domain with 50+ characteristics, computing similarity scores to benchmark your input against the corpus. The graph orders results from left to right (most to least similar), with colors indicating feed types. The table expands on traits (green for matches, red for differences) for nuanced judgments.

Because the engine does not rely on third-party data, the datasets are gap-free and tailored for unknown indicators. It also integrates with the rest of the platform: a high-similarity hit might echo PADNS anomalies, flagging dynamic resolutions, while tying into Total View for layered enrichment.
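To make the ranking and the green/red trait breakdown concrete, here is an added illustration that is not Silent Push's engine or code. The trait names, sample values, `.example` domains, and equal weighting of traits are all assumptions constructed for this sketch.

```python
# Illustrative trait-overlap ranking; NOT Silent Push's scoring engine.
# Trait names, values and equal weighting are assumptions for this example.

def compare(target: dict, candidate: dict) -> dict:
    """Split the target's traits into matches ("green") and differences ("red")."""
    matched, differing = [], []
    for trait, value in target.items():
        other = candidate.get(trait)
        if isinstance(value, (set, frozenset)):
            # Multi-valued traits (e.g. nameservers) match on any shared value.
            same = bool(value & (other or set()))
        else:
            same = other is not None and other == value
        (matched if same else differing).append(trait)
    score = round(100 * len(matched) / len(target)) if target else 0
    return {"score": score, "matched": sorted(matched), "differing": sorted(differing)}

def rank(target: dict, corpus: dict, threshold: int = 0) -> list:
    """Order corpus domains from most to least similar, like the graph's left-to-right layout."""
    rows = [{"domain": d, **compare(target, p)} for d, p in corpus.items()]
    rows = [r for r in rows if r["score"] >= threshold]
    return sorted(rows, key=lambda r: (-r["score"], r["domain"]))

# Constructed sample profiles (documentation-reserved names and ASNs).
TARGET = {
    "nameservers": {"ns1.dns-host.example", "ns2.dns-host.example"},
    "asn": 64500,
    "cert_issuer": "Example CA R3",
    "reputation_band": "high-risk",
    "open_directory": False,
}
CORPUS = {
    "feed-domain-a.example": {"nameservers": {"ns1.dns-host.example"}, "asn": 64500,
                              "cert_issuer": "Example CA R3",
                              "reputation_band": "medium-risk", "open_directory": False},
    "feed-domain-b.example": {"nameservers": {"ns9.other.example"}, "asn": 64500,
                              "cert_issuer": "Example CA R3",
                              "reputation_band": "low-risk", "open_directory": True},
    "feed-domain-c.example": {"asn": 64511, "cert_issuer": "Other CA"},
}

if __name__ == "__main__":
    for row in rank(TARGET, CORPUS, threshold=30):
        print(f'{row["score"]:>3}%  {row["domain"]}  '
              f'green={row["matched"]}  red={row["differing"]}')
```

A missing trait counts as a difference here, which is why the sparsely profiled third domain scores zero and drops out once a threshold is applied.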

## Generate a Set of Results

Input a domain (e.g., `adsitct.bgjutdqwpcdddtj[.]com`) in the search bar to launch **Total View**, then select **Context Similarity**. The graph and table populate, allowing you to hover over dots for feed details, expand rows for traits, and filter by similarity threshold or feed color.

## Example

Query `adsitct.bgjutdqwpcdddtj[.]com` in **Context Similarity**: The graph shows a leftmost red dot for `lukkal[.]cyou` (Bulletproof Hosting Feeds), with 85% trait overlap on nameservers and ASNs. Farther right, `muvisfaeco[.]top` clocks 62% similarity, still viable for review.

The table ranks `lukkal[.]cyou` first, expanding to green-matched cert issuers and red-diffed reputation scores, with a trend line peaking at 1,247 indicators (2025-10-08). Hover over the cluster for feed notes: the description flags bulletproof ties to evasion TTPs.

![Chart displaying similarity between domains related to paypal.com and their indicators.](https://cdn.document360.io/8e5460b3-9d96-4b01-8bb3-6591a4af3a8c/Images/Documentation/Screenshot 2025-10-13 at 11.14.13 AM.png)

## Fields

- **Similarity rank**: The ordinal position based on trait matches (e.g., #1 for closest infra twin).
- **Domain**: The matched malicious indicator from IOFA Feeds (e.g., `lukkal[.]cyou`).
- **Feed Color/Legend**: Visual cue for Source Type, with hovers showing descriptions.

## Context Similarity View

The table view logs ranked domains with expandable trait breakdowns for deep dives. For benign inputs like `example.com`, it may return sparse or low-similarity results.

It lists domains (e.g., Bulletproof Hosting Feeds), similarity percentages, and IOFA flags. Expand a row for 50+ diffs: shared ASNs in green, unique open directories in red. Hover over graph lines for granular info: trait weights, update timestamps, and pivot links.

## Use Case

Spot phishing patterns, like cert-managed domains tied to credential harvesters.

## Work with Context Similarity Results

The view supports one-click actions, such as pivoting to DNS records or Live Scans for real-time infrastructure snapshots. Customize columns (e.g., add reputation diffs), export CSVs for intel sharing, or save clusters to Draft Feeds for ongoing similarity monitoring, such as emerging campaign spikes.

> [!NOTE]
> Tips
> 
> - Scan the leftmost dots and legend colors for high-fidelity threats, such as phishing feeds.
> - Sort by Similarity Rank, then expand traits to cross-check with external intel.
> - Pair with Infrastructure Variance or PADNS for full infra storytelling.

