The Expanded section, accessible via the tabs below the Highlights panel, leverages our domain and IP enrichment categories to deliver pivotable, granular data for advanced threat investigations. In the Total View, tabs dynamically adapt based on the selected entity (domain or IP), with explicit distinctions between features available for domains (e.g., quasar.com) and IPs (e.g., associated IPv4 addresses). This approach highlights key differences: domains emphasize DNS records, WHOIS History, and subdomain risks, while IPs focus on network infrastructure, scan data, and reputation metrics. Common tabs (e.g., Threat Feeds, Screenshots) are shared but include tailored enrichments for each.
Where applicable, tabs include Domain Enrichment Tables (for domain-specific pivots, such as DNS records) and IPv4 Enrichment Tables (for IP-specific details, including ASNs and subnets). All users can access core features; paid users unlock advanced elements, such as detailed threat feed histories and context similarity scores.
Tab View Breakdown: Domains vs. IPs
In the Total View, tabs dynamically adapt based on the selected entity (domain or IP). Below is a side-by-side comparison of available tabs, followed by detailed breakdowns. Use the "Domain Wide View" toggle to include subdomains or related IPs for broader analysis.
Tab Category | Available for Domains | Available for IPs | Key Differences |
|---|---|---|---|
PADNS | (Full DNS enumeration) | (IP-linked records only) | Domains show complete record types (A, AAAA, etc.); IPs pivot on resolved addresses. |
Infrastructure Variance | (NS-focused changes) | (ASN/subnet-focused) | Domains track nameserver entropy; IPs emphasize IP diversity over time. |
Web Search | (Domain scans + pivots) | (IP-specific scans) | Both include certificates/JARM; domains add HTML/title analysis. |
WHOIS | (Full domain registration) | (N/A) | Exclusive to domains for legitimacy checks. |
Threat Feeds | (Curated + live feeds) | (IP reputation feeds) | Shared, but IPs include subnet-level listings. |
Screenshots | (HTML/favicon visuals) | (IP-hosted page captures) | Visual confirmation for both; domains tie to subdomain views. |
Context Similarity | (Brand/typosquat scoring) | (N/A) | Domain-only for lookalike detection. |
Dangling DNS | (Takeover risk assessment) | (N/A) | Domain-only, leveraging all DNS records. |
Subdomains | (Risk scoring + enumeration) | (N/A) | Domain-only for monitoring child domains. |
Certificates | (Issuer/domain pivots) | (IP-bound certs) | Shared, but domains include multi-domain associations. |
PADNS (DNS Infrastructure Analysis)
Detect unauthorized changes and pivot on resolved IPs. Available for both domains and IPs.
Domain Enrichment Table
Category | Elements | Description |
|---|---|---|
DNS Records | A, AAAA, CNAME, NS, MX, SOA, TXT | Count of linked records; total displayed with pivot options. |
IPv4 Enrichment Table (IPs only)
Category | Elements | Description |
|---|---|---|
Recent DNS Records | Record type, Timestamp, Pivot IP | List of changes: includes total count. |
Infrastructure Variance
Tracks changes over 30+ days. Available for both, with entity-specific metrics.
Domain Enrichment Table
Category | Elements | Description |
|---|---|---|
IP Diversity | Host, ASN Diversity, IP Diversity (All/Groups) | IPs pointed to historically. |
Nameserver Changes | NS Entropy, Number of Changes, Last Change | Frequency and recency of NS updates. |
Nameserver Information | NS Reputation, Nameserver, NS Domain Density, NS Domain Listed | Reputation and usage analysis. |
IPv4 Enrichment Table
Category | Elements | Description |
|---|---|---|
ASN Information | ASN, AS Name, AS Rank, ASN Takedown Reputation, Allocation Age/Date, ASN Reputation | Network provider details. |
Subnet Information | Subnet, Subnet Reputation, Allocation Age/Date | Subnet-level reputation. |
Web Search
Pulls scan data for SSL pivots and content analysis. Available for both.
Domain Enrichment Table
Category | Elements | Description |
|---|---|---|
Certificates | IP, Domains, SHA1, Valid From/Until, Issuer CN/Org, Scan Date | Associated certs for impersonation checks. |
JARM | JARM Hash, Scan Date | TLS fingerprinting. |
Favicon | MD5/Murmur3 Hashes, Path, Scan Date | Icon similarity for branding. |
HTML | Body ssdeep/Murmur3, Title, Scan Date | Content hashing. |
Header | Response, Server, Expires, Content Length/Type, Cache Control, IP/Location, Scan Date | HTTP details. |
IPv4 Enrichment Table: Mirrors the domain table but pivots on IP-hosted assets.
WHOIS
Historical registration data. Domains only.
Domain Enrichment Table
Category | Elements | Description |
|---|---|---|
Whois Information | Created Date, Country/City, Address, Email, Zip, Registrar | Full registrant profile. |
Threat Feeds
Curated and live feeds for triage. Available for both.
Domain/IP Enrichment Table (Shared structure)
Category | Elements | Description |
|---|---|---|
Curated Feed History | Score, First Seen, Listed Recent/Span/All | Timestamps and severity. |
Live Threat Feeds | Feed List | Current listings (e.g., Cobalt Strike tags). |
Screenshots
HTML and favicon captures. Available for both.
Renders page visuals tied to scan dates; pivots to Web Search for context.
Context Similarity
Domains only. Compares against org assets.
Domain Enrichment Table
Category | Elements | Description |
|---|---|---|
Custom Attributes | Customer/Top Brand/Supplier Domain Scores | Similarity thresholds. |
Dangling DNS
Domains only. Assesses expired records.
Counts dangling entries; paid users get full details.
Subdomains
Domains only. Enumerates and scores children.
Domain Enrichment Table
Category | Elements | Description |
|---|---|---|
Basic Information | User Tags, Infratag, First/Last Seen, Age, DGA Score | Overview with DGA detection. |
Certificates
Issuer and validity checks. Available for both.
Mirrors Web Search cert table; flags expired/rogue issuers.