Symantec Endpoint Detection and Response provides in-depth information on the Domain details page about a domain that is involved in an incident. It provides all of the information that Symantec EDR has discovered about the domain. It describes the domain's relationship to other entities in your environment, and provides a list of other events that the domain is involved in. You can also perform actions on the domain from this page.
To view detailed information about a domain
Do any of the following:
In the EDR cloud console, click Tasks and then click on an incident to view the Tasks details page. On the Events tab, click on the domain hyperlink to go to the domain entity details page.
In the EDR appliance console, click Incident Manager. Select an incident to view its Incidents details page. Do any of the following:
In the Incident Graph, right-click on the domain entity node and select Go to details page.
On the Events tab, click on a domain hyperlink to go to that domain's entity details page.
Click on the interactive domain node anywhere it appears in the EDR appliance console to open that domain's entity details page.
Click any of the following links to learn more about that section of the Domain details page.
Overview | Actions | Details | Related Events
The name that appears is the domain name (if available), URL, or the IP address of the external computer that is involved in the incident. The graphic beneath the domain name provides a visual depiction of the health of that domain.
Beneath the entity graphic is the following domain information based on DeepSight Intelligence scores:
The overview also provides the following information about the domain:
See Blacklisting and whitelisting suspicious domains, URLs, and IP addresses.
See How Symantec EDR applies Blacklist policies based on your operating mode.
Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in the EDR appliance console as inactive.
See Viewing the status of actions taken on entities in the Actions log.
See How long it takes for Symantec EDR to perform an action on an entity.
The Details tab provides additional information about the entity. If more than five rows exist in a section, click {n} Total to view the entire list. In the entire list dialog box, you can click on any entity to view its entity details page.
Related Incidents | Other incidents with which this external computer is associated. Click on a row to open that incident's details page. Tip: You might want to evaluate other related incidents to see if they require similar remediation. |
Files Downloaded | Files that were downloaded from the external computer and the endpoint that each file was downloaded on. This list includes files intentionally downloaded and drive-by downloads. Click on any hyperlink (in blue) to show that file's details page. |
Endpoints that Communicated with this External Domain | Other endpoints in your organization that have visited this external computer. Click on a row to open that endpoint's details page. Tip: If you have concerns that these endpoints could infect your network, consider isolating these endpoints until you can remediate them or re-image them. |
Emails that were sent from this domain. | |
IPs Associated with this Domain | The list of all of the IP addresses that have been associated with the external computer. Click on a row to open that external computer's details page. Tip: You might want to blacklist these IP addresses if you deem them suspicious. See Blacklisting and whitelisting suspicious domains, URLs, and IP addresses. |
Malicious URLs Associated with this Domain | The list of all of the URLs that are associated with the external computer. Click on a row to open that external computer's details page. Tip: You might want to blacklist these URLs if you deem them suspicious. See Blacklisting and whitelisting suspicious domains, URLs, and IP addresses. |
The Related Events tab shows the last 7 days of events that are related to this entity. Click the following link to learn more about using the Events Summary view.