Indicator search

About Indicator Search

The Indicator Search allows you to search for threat information based on domain, threat name, application name, or IP address in CIDR format. These searches allow you to discover:

  • Whether a domain is a threat
  • Whether a specific type of threat is active in your network
  • The risk level and the number of events associated with a specific application

In an event or activity report, you are also redirected to the Indicator Search page when you choose to view More Details for a domain and threat name. When viewing threat or access control events, you can also select the information icon associated with a domain to view Indicators of Compromise (IoC) details in a separate window. The IoC details that appear provide the same information that is on the Indicator Search page.

Search by domain

A domain is considered harmful if it is a confirmed threat. If the domain does not host harmful content, the indicator search only shows a graph with DNS activity for the time period you selected. If a domain is detected to host harmful content, this information appears:

  • A graph illustrating the number of DNS requests that occurred for the domain in the specified time period.

  • A table showing the complete history of the domain as tracked by SIA. For example, the table shows when the application began tracking the domain as a threat.

  • Additional information about the domain, such as domain name registrar, detected threat type, and more. For more information see Indicator search: domain information.

  • If the domain is associated with a specific threat, the name of the threat appears. You can hover over the threat name to read more information about the threat. The window that appears provides a threat description, the severity level, external links, and a graph with the number of events related to this threat from the last 30 days.

Note: If you believe a domain is misclassified, SIA allows you to report the domain to our analysts. For more information, see Report a misclassified domain.

Search by threat name

You can search by a threat name to learn more about a threat and determine whether this threat currently affects your organization. This information can help you and your organization decide how to remediate or remove these threats from your network:

  • Definition of threat. Defines the threat and describes how it spreads and affects a network.

  • Other known names of threat. If the threat is known by other names, these names are also listed.

  • Severity level. Indicates the severity level that is associated with the threat. For more about these levels, see Severity levels.

  • Threat type. Indicates the type of threat. For example, this field indicates if it's a worm, malware, trojan, or another threat type.

  • External links. For additional information about the threat, external links to resources on the Internet are also provided.

  • Events. If there are events associated with the threat or threat type, a graph appears with a total number of events that occurred during a specified time period.

Search by application name

You can search by the application name to learn whether an application is a risk to your organization. An application search provides this information:

  • Risk level associated with the application. For more information about the risk levels, see Application visibility and control.

  • Application category and description of the category

  • Indicates whether SIA Proxy is required to use the application. If SIA Proxy is not required, SIA may still be able to identify the application based on its hostname.

  • The known URLs that are associated with the application.

  • Events associated with an application. A graph shows the total number of events that occurred during the specified time period.

  • History of when SIA started tracking the application.

Search by CIDR block

You can search by an IP address in CIDR format. If the CIDR is tracked by SIA as a threat, the search provides this information:

  • Description of the IP address. Describes why the CIDR is a threat.
  • Threat label. Indicates the type of threat that's associated with the CIDR. For example, SIA may indicate that the CIDR is known malware.
  • Category of the threat. Indicates the specific threat category.
  • Severity level. Indicates the severity level that's associated with the threat. For more about these levels, see Severity levels.
  • Status. Indicates how SIA is tracking the CIDR. For example, what specific threat SIA tracks it as.
  • Events. If there are events associated with the CIDR, a graph appears with a total number of events that occurred during a specified time period.
  • Tracking History. History of when SIA started tracking the CIDR as a threat.
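The Indicator Search accepts four kinds of input (domain, CIDR, threat name, application name), and the sections above describe what each returns. The following is an added example, not part of the SIA documentation or product code: it classifies and normalizes a search term the way an analyst's tooling might before pasting it into the search box, so that a URL becomes a bare hostname and a bare IP or a CIDR with host bits set becomes a canonical network. The domain pattern and the normalization rules are this example's assumptions, not SIA's own parser.

```python
"""Classify and normalize an Indicator Search term before submitting it.

Added example, not part of the SIA documentation or product code. It only
models the four input kinds the page names (domain, CIDR, threat name,
application name); the regular expression and the normalization rules are
this example's assumptions, not SIA's parser.
"""
import ipaddress
import re
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Hostname labels: letters, digits, hyphens, no leading/trailing hyphen,
# at least two labels, last label alphabetic (assumption for this example).
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def normalize_domain(value: str) -> Optional[str]:
    """Return a lowercase bare hostname, or None if the value is not one.

    Accepts full URLs and trailing-dot FQDNs, since analysts often paste
    those straight out of a report.
    """
    text = value.strip()
    if "://" in text:
        text = urlsplit(text).hostname or ""
    text = text.lower().rstrip(".")
    return text if _DOMAIN_RE.match(text) else None


def normalize_cidr(value: str) -> Optional[str]:
    """Return the CIDR in canonical form, or None if it is not an IP/CIDR.

    A bare address becomes a /32 (or /128); host bits set in the prefix are
    cleared (strict=False) so "10.1.2.3/24" becomes "10.1.2.0/24".
    """
    try:
        net = ipaddress.ip_network(value.strip(), strict=False)
    except ValueError:
        return None
    return str(net)


def classify_indicator(value: str) -> Tuple[str, str]:
    """Return (kind, normalized) where kind is 'cidr', 'domain' or 'name'.

    CIDR is tested first because "1.2.3.4" would otherwise pass a loose
    domain check; anything that is neither is treated as a threat or
    application name and only whitespace-trimmed.
    """
    cidr = normalize_cidr(value)
    if cidr is not None:
        return "cidr", cidr
    domain = normalize_domain(value)
    if domain is not None:
        return "domain", domain
    return "name", " ".join(value.split())


if __name__ == "__main__":
    # Constructed sample inputs, not real indicators from the page.
    for sample in ["HTTPS://Example.Test/login", "10.1.2.3/24", "2001:db8::1",
                   "  Emotet  ", "Dropbox"]:
        print(sample.strip(), "->", classify_indicator(sample))
```

Testing the CIDR form first matters: a dotted-quad address is syntactically close to a hostname, and sending it through the domain path would silently turn a CIDR search into a domain search that returns nothing.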

Search for threats based on domain

You can complete a domain search on the Indicator Search page. If a domain is blocked or associated with a threat category, detailed information about the domain appears, including a history of when the domain was first detected and upgraded to a security threat.

If the domain does not host harmful content, the indicator search only shows a graph with DNS activity for the time period you selected.

Note: If you believe a domain is misclassified, SIA allows you to report the domain to our analysts. For more information, see Report a misclassified domain.

To search for threats based on domain:

  1. In the Threat Protection menu of Enterprise Center, select Indicator Search.

  2. In the Indicator Search text box, enter a valid domain and press Enter or click the search icon. If the domain is detected to host harmful content, detailed history and information about it appears.

  3. To modify the search time period:

    1. Click the calendar icon.

    2. On the window that displays, select the date range you want or choose a predefined period. Then select a start and end time if you want to limit the search to a specific time range.

    3. Click Apply.

What you should see

If a domain is detected to host harmful content, this information appears:

  • A graph illustrating the number of DNS requests that occurred for the domain in the specified time period.

  • A table showing the complete history of the domain as tracked by SIA. For example, the table shows when the application began tracking the domain as a threat.

  • Additional information about the domain, as described in Indicator search: domain information.

  • If the domain is associated with a specific threat, the name of the threat appears. You can hover over the threat name to read more information about the threat. The window that appears provides a threat description, the severity level, external links, and a graph with the number of events related to this threat from the last 30 days.

Search for threat information based on threat name

On the Indicator Search page, you can search for detailed threat information based on the threat name. This search allows you to discover whether a threat is currently active in your network. If events for the threat are detected, the Indicator Search page shows the total number of events in a graph. You can select to show events based on a specific date range or from the last 24 hours, 7 days, 30 days, or this month. You can also filter events by a specific time of day.

To search for threat information based on threat name:

  1. In the Threat Protection menu of Enterprise Center, select Indicator Search.

  2. In the text box, enter the threat name. If SIA predicts the threat name as you enter it, the name appears in a menu and you can select it.

  3. Review information about the threat.

  4. To modify the search time period:

    1. Click the calendar icon.

    2. On the window that displays, select the date range you want or choose a predefined period. Then select a start and end time if you want to limit the search to a specific time range.

    3. Click Apply.

What you should see

SIA returns the following information about found events:

  • Definition of threat. Defines the threat and describes how it spreads and affects a network.

  • Also known as. If the threat is known by other names, these names are also listed.

  • Severity level. Indicates the severity level that is associated with the threat. For more about these levels, see Severity levels.

  • Type. Indicates the type of threat. For example, this field indicates if it's a worm, malware, trojan, or another threat type.

  • External links. For additional information about the threat, external links to resources on the Internet are also provided.

  • Events. If there are events associated with the threat or threat type, a graph appears with a total number of events that occurred during the specified time period.

Search for applications

You can search for an application to learn:

  • Risk level that SIA has assigned to it.
  • Known URLs of the application.
  • Number of events that are associated with the application.
  • History of the application as tracked by SIA.

To search for applications:

  1. In the Threat Protection menu of Enterprise Center, select Indicator Search.

  2. In the text box, enter the application name. If SIA predicts the application name as you enter it, the name appears in a menu and you can select it.

  3. Review the information about the application.

  4. To change the time period for events:

    1. Click the calendar icon.

    2. On the window that displays, select the date range you want or choose a predefined period. Then select a start and end time if you want to limit the search to a specific time range.

    3. Click Apply.

Search for threat information based on CIDR

You can search for threat information based on an IP address in CIDR format. If the CIDR is tracked as a threat in SIA, detailed information about the threat appears, including a history of when SIA started tracking it.

To search for threats based on CIDR:

  1. In the Threat Protection menu of Enterprise Center, select Indicator Search.

  2. In the text box, enter the CIDR. If the CIDR is associated with a threat, information appears.

  3. To view events from a specific time period:

    1. In the Graphs & Changes section, click the calendar icon.

    2. On the window that displays, select the date range you want or choose a predefined period. Then select a start and end time if you want to limit the search to a specific time range.

    3. Click Apply.

Filter domain history

If you search for a domain and it hosts harmful content, information about the domain, including a history of how the domain is tracked by Secure Internet Access Enterprise, appears on the Indicator Search page.

You can also review and filter domain history when viewing More Details or domain information in the Threat Events or Access Control reports. The options available on these pages either direct you to the Indicator Search page or provide the information in a separate window.

To filter domain history to locate entries that match specific keywords or terms:

  1. If you are on the Indicator Search page, search for a domain and go to step 3. For instructions see Search for threats based on domain.

  2. To view domain history from a domain in the Threat Events or Access Control report:

    1. In the Threat Protection menu of Enterprise Center, select Reports > Threat Events or Reports > Access Control.

    2. Filter the events as needed. For instructions, see Filter event data and Filter data based on date and time.

    3. If you haven't done so already, click the Domain dimension, and do one of these:

      • If the domain you want to view the history of is listed in the Top 6 domains, hover over the domain and click Domain Details. When hovering over the domain, you can also click the menu icon and click More Details. You are redirected to the Indicator Search page.

      • If the domain you want to view the history of is listed in the events grouped by domain area, click the information icon. The IoC Details appear in a separate window. Otherwise, you can also click the domain and select More Details from the menu to go to the Indicator Search page. The domain history appears in the Changes & Graphs section.

  3. In the Search Domain History box, type a keyword or term that you want to use and press Enter. The search results appear.

Report a misclassified domain

If you believe a domain is misclassified, Secure Internet Access Enterprise allows you to send Akamai analysts a message with supporting information or evidence. They will respond to you by email within three business days.

To report a misclassified domain:

  1. If you find a potentially misclassified domain on the Indicator Search page, go to the About area of the page, and click Report Invalid. A dialog appears.

  2. If you find a potentially misclassified domain in an events report:

    1. Ensure that the Domain dimension is selected.

    2. If the domain is listed in the Top 6 Domains, hover over the domain and click the menu icon. Select Report Invalid. A dialog appears.

    3. To report a domain that is listed in the grouped events, click the domain and in the menu, select Report Invalid. A dialog appears.

  3. In the Email field, enter your email address. You can enter more than one email address.

  4. In the Reason menu, select the reason for sending this message. You can select:

    • Malicious Domain. Use for a domain that is not currently tracked as a threat but you believe is malicious.
    • Non-Malicious Domain. Use for a domain that SIA currently tracks as malicious, but you believe it is not malicious.
    • Miscategorization. Use for a domain that you believe is incorrectly categorized.
    • Not Categorized. Use for a domain that has no categorization.
    • Other. Use for any reason that differs from the others in the menu.
  5. In the Message field, enter supporting information.

  6. Click Send.

Report a threat

When SIA does not detect that a domain is a threat, the Indicator Search page indicates that the domain is not known to host harmful content. If you are an administrator, SIA allows you to report the domain as a potential threat by sending Akamai analysts a message with supporting information or evidence. You will receive a response within three business days.

To report a threat:

  1. Do one of the following:

    • From an event or activity report, select the Domain dimension and hover over a domain in the Top 6 Domains area. Click Domain Details. You can also click a domain on the page and click More Details from the menu. You are redirected to the Indicator Search page. If the domain is not known to host harmful content, a message appears with a link that allows you to report the domain as a potential threat.

    • From the Threat Protection navigation menu, select Indicator Search. In the provided field, enter the domain. If SIA believes the domain is not known to host harmful content, a message appears with a link that allows you to report it as a potential threat.

  2. Click Report Invalid. A dialog appears.

  3. In the Email field, enter your email address. You can enter more than one email address.

  4. In the Reason menu, select Malicious Domain.

  5. In the Message field, enter supporting information.

  6. Click Send.

Severity levels

To help you prioritize threats in your network, each type of threat is assigned a severity level:

  • Critical. Indicates there's a severe risk that malicious activity can result in outages, disrupt services, spread throughout a network, or critically impact an organization's infrastructure.

  • High. Indicates there's significant risk that malicious activity can compromise systems, potentially spread within a network, or interrupt services.

  • Medium. Indicates there's increased exposure to malicious activity, such as malware or phishing, that can potentially damage machines, an organization's network, or infrastructure. This activity may compromise systems or disrupt services.

  • Low. Indicates there's activity that's low in risk, but it may still concern your organization.

  • Unclassified. Indicates that the severity level is unknown.

Indicator search: domain information

This table provides a description of content that appears in the About area of the Indicator Search page when a domain is known to host harmful content.

Additional Domain Information

  • Domain Name. Domain name that was provided in the search and is known to host harmful content.

  • Last Categorized as. Indicates the threat category that was last assigned to the domain.

  • Status. Indicates the status of the threat in SIA. For example, if the threat is a known threat, the status indicates that it is a known threat for a particular threat type.

  • Category. The overall category of the event. For a threat event, categories can be Malware, Phishing, C&C, Deny List, or Other (if assigned to a custom list). For an access control event, see Acceptable use policy categories and Application visibility and control.

  • Registrar. Domain name registrar where the domain is registered.

  • Registrant. Registrant information, such as name, email, and country of origin.

  • Created on. Date when the domain was registered.

  • Expires on. Date when the registered domain expires.

  • Last Updated on. Date when the domain was last updated.

  • Name Servers. Authoritative name servers of the domain.

  • Name Servers IPs. IP addresses of the domain's authoritative name servers.

  • Malicious URLs. URLs related to the domain that are known to be malicious. These URLs are organized by the following threat categories:

    • Phishing
    • Malware
    • C&C

Integrate SIA with MISP Threat Sharing

MISP Threat Sharing is an open source threat intelligence platform that shares, stores, and correlates data to help an organization identify, analyze, and prevent network threats and attacks. This data includes IoCs and other information that identifies threats and supports security analysts in their daily operations.

To benefit from the data that's shared in this platform, you can add SIA as a MISP enrichment module. This configuration allows you to correlate SIA IoC data with the data that is available in the platform.

Add SIA as a MISP enrichment module

Before you begin

  • Make sure that your organization is licensed for SIA.

  • Make sure that you have Open API credentials. For more information, see Create authentication credentials.

  • Install MISP 2.4 or later. To download and install MISP, see Download and Install MISP.

  • Make sure that you set up Python 3.6 or later.

  • Make sure that you install the akamai.edgegrid package. For more information, see Authenticate with EdgeGrid.

To add SIA as a MISP enrichment module:

  1. Go to the Akamai-MISP GitHub page.

  2. Download the akamai_ioc.py file.

  3. Add the python file to the MISP expansion directory:

    1. Open a command prompt and run it as an administrator. On a Unix platform, make sure you run commands as a root user.

    2. Enter this command to copy the file to the MISP expansion modules directory:

      cp /local/path/akamai_ioc.py <path_to_misp_modules>/site-packages/misp_modules/modules/expansion/

      where <path_to_misp_modules> is the location where MISP modules are installed.

    3. Enter this command to restart the MISP modules:

      systemctl restart misp-modules

  4. In MISP, set up the SIA (akamai_ioc) plugin:

    1. Do one of these:

      • In the MISP navigation menu, select Administration > Server Settings and Maintenance and click the Plugin Settings tab.

      • Enter this URL into your browser to go to the MISP Plugin settings:

        https://<misp_server_hostname>/servers/serverSettings/Plugin

        where <misp_server_hostname> is the hostname that your organization uses for the MISP server.

    2. Navigate to the Enrichment section and search for the akamai_ioc plugin.

    3. Enter this information:

      • For the Plugin.Enrichment_akamai_ioc_access_enabled setting, enter true.

      • For the Plugin.Enrichment_akamai_ioc_client_secret setting, enter the client secret.

      • For the Plugin.Enrichment_akamai_ioc_apiURL setting, specify the API host by entering https://<host>/, where <host> is your API host.

      • For the Plugin.Enrichment_akamai_ioc_access_token setting, enter your access token.

      • For the Plugin.Enrichment_akamai_ioc_client_token setting, enter the client token.

      • For the Plugin.Enrichment_akamai_ioc_configID setting, enter the ID that is associated with your contract.

        Note: If you don't have this ID number, you can find it in a URL of the SIA user interface. For example, in the following URLs, 99999 is the contract ID.

        • Original SIA User Interface:

          https://control.akamai.com/apps/etp-ui/#/99999/sites/list

        • Enterprise Center User Interface:

          https://control.akamai.com/apps/zt-ui/#/etp/99999/location/list
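The Plugin Settings step above lists six Plugin.Enrichment_akamai_ioc_* settings and the note shows two URL shapes from which the contract ID can be read. The following is an added example, not part of MISP or of Akamai's akamai_ioc.py module: it recovers the contract ID from either URL shape and checks the six settings before you enable the module, so a missing credential, an apiURL without the https scheme or trailing slash, or a non-numeric configID is caught locally rather than showing up as a failed enrichment. The setting names are the ones in this procedure; the checks themselves and the regular expression for the URLs are this example's assumptions.

```python
"""Check the akamai_ioc plugin settings before enabling the enrichment module.

Added example; it is not part of the MISP project or Akamai's akamai_ioc.py.
The setting names are the ones listed in this procedure; the validation rules
(https scheme and trailing slash on the API URL, numeric config ID, non-empty
credentials) and the URL patterns used to recover the contract ID are this
example's assumptions.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

PLUGIN_PREFIX = "Plugin.Enrichment_akamai_ioc_"
REQUIRED_SETTINGS = ("access_enabled", "client_secret", "apiURL",
                     "access_token", "client_token", "configID")

# Both SIA UI URL shapes from the note above: the contract ID is the
# numeric path segment after "#/" or "#/etp/".
_CONTRACT_ID_RE = re.compile(r"#/(?:etp/)?(\d+)/")


def contract_id_from_url(url: str) -> Optional[str]:
    """Return the contract ID embedded in an SIA UI URL, or None."""
    match = _CONTRACT_ID_RE.search(url)
    return match.group(1) if match else None


def validate_plugin_settings(settings: Dict[str, str]) -> List[str]:
    """Return a list of problems; an empty list means the settings look usable.

    `settings` maps the full MISP setting name (with the Plugin. prefix) to
    its value, as you would enter it on the Plugin Settings tab.
    """
    problems: List[str] = []
    for key in REQUIRED_SETTINGS:
        full = PLUGIN_PREFIX + key
        if not settings.get(full, "").strip():
            problems.append(f"{full} is not set")
    if problems:
        return problems  # formats of missing values cannot be checked

    if settings[PLUGIN_PREFIX + "access_enabled"].strip().lower() != "true":
        problems.append("access_enabled must be 'true' to enable the module")

    api_url = settings[PLUGIN_PREFIX + "apiURL"].strip()
    parts = urlsplit(api_url)
    if parts.scheme != "https" or not parts.netloc:
        problems.append("apiURL must look like https://<host>/")
    elif not api_url.endswith("/"):
        problems.append("apiURL must end with a trailing slash")

    if not settings[PLUGIN_PREFIX + "configID"].strip().isdigit():
        problems.append("configID must be the numeric contract ID")
    return problems


def settings_from_contract_url(url: str, base: Dict[str, str]) -> Dict[str, str]:
    """Fill configID from an SIA UI URL when only the URL is at hand."""
    contract = contract_id_from_url(url)
    if contract is None:
        raise ValueError("no contract ID found in URL")
    return {**base, PLUGIN_PREFIX + "configID": contract}


if __name__ == "__main__":
    # Constructed sample values; the host and credentials are placeholders.
    base = {
        PLUGIN_PREFIX + "access_enabled": "true",
        PLUGIN_PREFIX + "client_secret": "<client-secret-placeholder>",
        PLUGIN_PREFIX + "apiURL": "https://api.example.test/",
        PLUGIN_PREFIX + "access_token": "<access-token-placeholder>",
        PLUGIN_PREFIX + "client_token": "<client-token-placeholder>",
    }
    full = settings_from_contract_url(
        "https://control.akamai.com/apps/zt-ui/#/etp/99999/location/list", base)
    print(validate_plugin_settings(full) or "settings OK")
```

The checks stop at the first missing setting group on purpose: a blank client_secret is the most common cause of an enrichment that silently returns nothing, and reporting it separately from format problems makes the fix obvious.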