Domain enrichment categories
- Updated on 02 May 2023
Enriching a domain observable helps your security teams to understand a domain's origin, function and risk level.
Enriched domain data is spread out across 17 categories and sub-categories, with 70+ individual elements, including:
- Basic Information
- Domain information
- WHOIS information
- DNS Records
- Enriched Attributes
- IP Diversity
- Nameserver Information
- Nameserver Changes
- Curated Feed History
- Custom Attributes
- Live Threat Feeds
- Scan Data (obtained from Silent Push's daily IPv4 scans)
- Certificates
- JARM
- Favicon
- HTML
- Header
Let's take a look at each category in turn, and the individual elements contained within them that make up Silent Push's data enrichment service.
Basic information
Domain information
Element | Description |
---|---|
User Tags | Observable tags added by organizational users |
Infratag | Automatically generated tag that provides an at-a-glance summary of the infrastructure used by a domain |
FirstSeen | The date when this domain was first seen in the zone files |
LastSeen | The date when this domain was last seen in the zone files |
Age | The number of days since the domain was first seen in the zone files |
DGA | How likely it is that the domain name was produced by a domain generation algorithm (DGA), the technique malware uses to generate large numbers of disposable C2 domains |
WHOIS information
Element | Description |
---|---|
Created | The date when the domain was registered |
Country | The country in which the domain is registered |
City | The city in which the domain is registered |
Address | The address at which the domain is registered |
Email | The domain's registered email address |
ZIP code | The domain's registered ZIP code |
Registrar | The domain's registrar |
DNS records
Enriched DNS data consists of a count of each DNS record type linked to the domain, with a sum total provided underneath the table of records:
- A
- AAAA
- CNAME
- NS
- MX
- SOA
- TXT
Enriched attributes
IP diversity
An observable's IP diversity score records how many IP addresses the observable has resolved to over a 30-day period. A high or rapidly changing value is a common marker of fast-flux or rotating infrastructure.
Element | Description |
---|---|
Host | The hostname whose resolutions were measured |
ASN Diversity | How often the IPs the host resolves to move between different AS numbers |
IP Diversity (All) | The number of distinct IPs pointed to over the last 30 days |
IP Diversity (Groups) | The number of distinct groups of IPs pointed to over the last 30 days, where a group consists of one or more IPs pointed to at the same time |
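To make the distinction between the three counts concrete, the following added example (not Silent Push's code) computes them from a constructed 30-day resolution history. The sample data, the function and field names, and the definition of ASN diversity as the number of day-to-day changes in the announcing ASN set are all assumptions; the page does not give the exact formula.

```python
from datetime import date, timedelta

# Constructed resolution history for one hostname (not Silent Push data).
# Each record is (observation date, resolved IP, ASN announcing that IP).
SAMPLE_RECORDS = (
    # 1-10 April: a single IP in one AS
    [(date(2023, 4, d), "198.51.100.10", 13335) for d in range(1, 11)]
    # 11-20 April: round-robin across two IPs in the same AS
    + [(date(2023, 4, d), ip, 13335) for d in range(11, 21)
       for ip in ("198.51.100.10", "198.51.100.11")]
    # 21-30 April: moved to two IPs at a different provider
    + [(date(2023, 4, d), ip, 64496) for d in range(21, 31)
       for ip in ("203.0.113.5", "203.0.113.6")]
)


def ip_diversity(records, as_of, window_days=30):
    """Summarise where a host pointed over the window ending on `as_of`.

    Returns a dict with:
      ip_diversity_all     distinct IPs seen in the window
      ip_diversity_groups  distinct sets of IPs seen at the same time (per day)
      asn_diversity        day-to-day transitions where the set of announcing
                           ASNs changed (assumed definition)
      distinct_asns        number of different ASNs seen
    """
    start = as_of - timedelta(days=window_days - 1)
    by_day = {}      # date -> set of IPs observed that day
    asn_by_ip = {}   # ip -> ASN
    for day, ip, asn in records:
        if start <= day <= as_of:
            by_day.setdefault(day, set()).add(ip)
            asn_by_ip[ip] = asn

    # A "group" is the whole set of IPs the host pointed to at one time;
    # round-robin across two IPs is one group, not two.
    groups = {frozenset(ips) for ips in by_day.values()}

    asn_changes = 0
    previous = None
    for day in sorted(by_day):
        asns = frozenset(asn_by_ip[ip] for ip in by_day[day])
        if previous is not None and asns != previous:
            asn_changes += 1
        previous = asns

    return {
        "ip_diversity_all": len(asn_by_ip),
        "ip_diversity_groups": len(groups),
        "asn_diversity": asn_changes,
        "distinct_asns": len(set(asn_by_ip.values())),
    }


def demo():
    """Score the constructed sample as of 30 April 2023."""
    return ip_diversity(SAMPLE_RECORDS, date(2023, 4, 30))


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the sample the host touches four IPs (All = 4) but only three configurations (Groups = 3), and the ASN set changes once, at the provider move on 21 April. Comparing All against Groups is what separates ordinary load balancing from genuine infrastructure churn.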
Nameserver information
Each NS listed is analysed across 4 elements, with a separate table provided for each:
Element | Description |
---|---|
NS Reputation | The ratio of listed (blacklisted) domains to the total number of domains using the nameserver |
Nameserver | Nameserver domain name |
NS domain density | How many domains use the nameserver |
NS domain listed | How many of the domains using the nameserver are listed (the numerator of NS Reputation) |
Nameserver changes
This category summarises changes to the domain's nameserver records.
Element | Description |
---|---|
NS Entropy | A score that combines the recency, frequency and number of NS changes |
Number of Changes | The number of times the domain has changed its nameservers |
Last Change | The date of the most recent nameserver change |
Curated feed history
Name | Description |
---|---|
Curated Feeds History Score | Score based on the frequency and recency of an observable's appearances in trusted feeds |
First Seen | Timestamp of the first time the observable appeared in any curated feed |
Listed Recent | The most recent date on which this domain or IP was listed on at least one of the curated feeds |
Listed Span | The number of days between the first seen date and the most recent date on which this domain or IP was listed on at least one of the curated feeds |
Listed All | The number of days on which this domain or IP was listed on at least one of the curated feeds (click the > arrow for a per-feed breakdown) |
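The difference between Listed Span and Listed All is easy to misread: Span is calendar distance, All is the count of distinct listed days. The following added example (not Silent Push's code) derives First Seen, Listed Recent, Listed Span, Listed All and the per-feed breakdown from a constructed listing history; the feed names, dates and the `coverage` ratio are assumptions, and the Curated Feeds History Score itself is not reproduced because the page does not publish its formula.

```python
from datetime import date

# Constructed listing history for one observable (not real feed data):
# for each curated feed, the dates on which that feed listed it.
SAMPLE_LISTINGS = {
    "feed-a": [date(2023, 1, 3), date(2023, 1, 4), date(2023, 1, 5)],
    "feed-b": [date(2023, 1, 5), date(2023, 2, 20)],
    "feed-c": [date(2023, 2, 20), date(2023, 2, 21)],
}


def feed_history(listings):
    """Aggregate per-feed listing dates into the curated-feed history fields.

    Returns None when the observable has never been listed.
    """
    all_days = set()
    per_feed = {}
    for feed, days in listings.items():
        days = set(days)
        if not days:
            continue
        all_days |= days
        per_feed[feed] = {
            "first_seen": min(days),
            "listed_recent": max(days),
            "listed_all": len(days),
        }
    if not all_days:
        return None

    first, recent = min(all_days), max(all_days)
    span = (recent - first).days
    return {
        "first_seen": first,
        "listed_recent": recent,
        "listed_span": span,
        # distinct days listed on at least one feed; the same day on two
        # feeds counts once
        "listed_all": len(all_days),
        # assumed helper: share of the span on which the observable was
        # listed; near 1.0 means persistent, near 0 means sporadic
        "coverage": round(len(all_days) / (span + 1), 3),
        "breakdown": per_feed,
    }


def demo():
    return feed_history(SAMPLE_LISTINGS)


if __name__ == "__main__":
    summary = demo()
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the sample, 5 January and 20 February each appear on two feeds but count once, giving Listed All = 5 against a Listed Span of 49 days: an observable listed briefly on two occasions rather than continuously.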
Custom Attributes
Organizational asset indicators (domains and IPs)
This is an organization-specific scoring system used to tailor feed items according to unique business or supply chain assets (domains and IPs).
Name | Description |
---|---|
Customer Domain Score | A score that indicates an observable's similarity to your organization's own designated domains |
Top Brand Domain Score | A score that indicates an observable's similarity to top brands domains |
Supplier Domain Score | A score expressing an observable's similarity to your organization's designated supplier domains |
Scan data
Certificates
Click the Show all associated certificates button to list the certificates associated with the domain.
Elements:
- IP
- Domains
- SHA1
- Valid From
- Valid Until
- Issuer Common Name
- Issuer Organization
- Scan Date
JARM
Elements:
- JARM
- Scan Date
Favicon
Elements:
- Favicon md5
- Favicon murmur3
- Favicon2 md5
- Favicon2 murmur3
- Favicon2 path
- Scan Date
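Favicon hashes are pivot keys: two unrelated-looking hosts serving an icon with the same md5 or murmur3 are often the same operator. The following added example (not Silent Push's code) computes both fingerprints for a constructed icon, with MurmurHash3 (x86, 32-bit) implemented inline so it runs without third-party packages. The sample bytes and function names are assumptions, as is the input encoding: the page does not say whether the murmur3 value is taken over the raw icon or over its base64 form as some other favicon-hash tools do, so both are shown.

```python
import base64
import hashlib


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 over `data`, returned as an unsigned 32-bit int."""
    mask = 0xFFFFFFFF
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & mask

    def rotl(x, r):
        return ((x << r) | (x >> (32 - r))) & mask

    nblocks = len(data) // 4
    for i in range(nblocks):
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & mask
        k = rotl(k, 15)
        k = (k * c2) & mask
        h ^= k
        h = rotl(h, 13)
        h = (h * 5 + 0xE6546B64) & mask

    # tail: 1-3 bytes left over after the 4-byte blocks
    tail = data[nblocks * 4:]
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & mask
        k = rotl(k, 15)
        k = (k * c2) & mask
        h ^= k

    # finalisation mix
    h ^= len(data)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & mask
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & mask
    h ^= h >> 16
    return h


def to_signed(value: int) -> int:
    """Present a 32-bit hash the way most favicon-hash tools print it."""
    return value - (1 << 32) if value & 0x80000000 else value


def favicon_fingerprints(icon: bytes) -> dict:
    """md5 and murmur3 values for one favicon, over raw and base64 input."""
    # base64 with a newline every 76 characters is the convention used by
    # other favicon-hash tools (assumption: not confirmed for this product)
    b64 = base64.encodebytes(icon)
    return {
        "favicon_md5": hashlib.md5(icon).hexdigest(),
        "favicon_murmur3_raw": to_signed(murmur3_32(icon)),
        "favicon_murmur3_base64": to_signed(murmur3_32(b64)),
    }


# Constructed stand-in for an icon file (not a real favicon): an ICO-style
# header followed by filler bytes. The hashing does not care what it is.
SAMPLE_FAVICON = (
    b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00"
    + bytes(range(256)) * 2
)


if __name__ == "__main__":
    for key, value in favicon_fingerprints(SAMPLE_FAVICON).items():
        print(f"{key}: {value}")
```

When comparing against another tool's favicon hash, match the input encoding first: the raw and base64 murmur3 values of the same icon are unrelated numbers, so a mismatch between tools usually means a different convention rather than a different icon.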
HTML
Elements:
- Body ssdeep
- Body murmur3
- Title
- Scan Date
Header
Elements:
- Response
- Server
- Expires
- Content Length
- Content Type
- Cache Control
- IP
- Location
- Scan Date