Symantec Endpoint Detection and Response provides in-depth information on the Domain details page about a domain that is involved in an incident. It provides all of the information that Symantec EDR has discovered about the domain. It describes the domain's relationship to other entities in your environment, and provides a list of other events that the domain is involved in. You can also perform actions on the domain from this page.

To view detailed information about a domain

  • Do any of the following:

    • In the EDR cloud console, click Tasks and then click on an incident to view the Tasks details page. On the Events tab, click on the domain hyperlink to go to the domain entity details page.

    • In the EDR appliance console, click Incident Manager. Select an incident to view its Incidents details page. Do any of the following:

      • In the Incident Graph, right-click on the domain entity node and select Go to details page.

      • On the Events tab, click on a domain hyperlink to go to that domain's entity details page.

      • Click on the interactive domain node anywhere it appears in the EDR appliance console to open that domain's entity details page.

Click any of the following links to learn more about that section of the Domain details page.

Overview | Actions | Details | Related Events

Overview

The name that appears is the domain name (if available), URL, or the IP address of the external computer that is involved in the incident. The graphic beneath the domain name provides a visual depiction of the health of that domain.

Good

Suspicious

Bad

Unknown

Beneath the entity graphic is the following domain information based on DeepSight Intelligence scores:

DISPOSITION

Symantec EDR's evaluation of the domain.

  • Good

    The domain or IP address is whitelisted.

  • Suspicious

    Malicious activity was detected from the domain or IP address more than a week ago. However, no malicious activity has been detected recently.

  • Bad

    Malicious activity was detected from the domain or IP address within the last 24 hours.

  • Unknown

    Symantec EDR has insufficient information to determine the domain's disposition.

REPUTATION

The domain's reputation score.

Values range from 1-10, with 10 being the worst reputation.

HOSTILITY

The hostility score is calculated based on the frequency of activity.

Values range from 1-5, with 5 being the most malicious.

CONFIDENCE

Symantec's confidence in the information's validity.

Values range from 1 - 5, with 5 being the highest confidence.

BEHAVIOR

The domain's behavior as observed by DeepSight. Behaviors include: Attack, Command and Control, Fraud, Phishing, and URL Malware.

The overview also provides the following information about the domain:

FIRST ACCESSED INTERNALLY

The first time an endpoint in your environment accessed this external computer.

LAST ACCESSED INTERNALLY

The last time an endpoint in your environment accessed this external computer.

ENDPOINTS THAT ACCESSED DOMAIN

The number of endpoints in your environment that accessed this external computer. To see a list of all the endpoints that access this external computer, see Endpoints that Communicated with this External Machine in the Details table.

NUMBER OF FILE DOWNLOADS

The number of files that were downloaded from this external computer. To see a list of all the files that were downloaded from this external computer, see Files Downloaded in the Details table.

LAST IP ASSOCIATED WITH DOMAIN

The address of the last IP that was created that is associated with the site.

An external computer can have many IP addresses associated with it. This field indicates the last IP address that was created. Tip: An IP address that has been very recently created may be suspicious.

DeepSight Intelligence

CREATED DATE

The date the domain was originally registered.

UPDATED DATE

The date the domain registration was last updated.

PERSON

The organization that registered the domain and the administrator.

ORGANIZATION

The organization that registered the domain.

CITY

The city of the organization that registered the domain.

COUNTRY

The country of the organization that registered the domain.

Actions

You can take the following actions on external computers:

  • Add to Whitelist | Remove Whitelist

  • Add to Blacklist | Remove Blacklist

See Blacklisting and whitelisting suspicious domains, URLs, and IP addresses.

See How Symantec EDR applies Blacklist policies based on your operating mode.

Only users with the Admin role or Controller role can perform actions. Actions that are not permitted based on your role appear in the EDR appliance console as inactive.

See Viewing the status of actions taken on entities in the Actions log.

See How long it takes for Symantec EDR to perform an action on an entity

Details

The Details tab provides additional information about the entity. If more than five rows exist in a section, click {n} Total to view the entire list. In the entire list dialog box, you can click on any entity to view its entity details page.

Related Incidents

Other incidents in which this external computer is associated. Click on a row to open that incident's details page.

Tip: You might want to evaluate other related incidents to see if they require similar remediation.

See Viewing detailed information about an Incident.

Files Downloaded

Files that were downloaded from the external computer and the endpoint it was downloaded on. This list includes files intentionally downloaded and drive-by downloads. Click on any hyperlink (in blue) to show that file's details page.

See Viewing detailed information about a file.

Endpoints that Communicated with this External Domain

Other endpoints in your organization that have visited this external computer. Click on a row to open that endpoint's details page.

Tip: If you have concerns that these endpoints could infect your network, consider isolating these endpoints until you can remediate them or re-image them.

See Viewing detailed information about an endpoint .

See Viewing detailed information about a domain.

Emails Associated with this Domain

Emails that were sent from this domain.

IPs Associated with this Domain

The list of all of the IP addresses that have been associated with the external computer. Click on a row to open that external computer's details page.

Tip: You might want to blacklist these IP addresses if you deem them suspicious.

See Blacklisting and whitelisting suspicious domains, URLs, and IP addresses.

Malicious URLs Associated with this Domain

The list of all of the URLs that are associated with the external computer. Click on a row to open that external computer's details page.

Tip: You might want to blacklist these URLs if you deem them suspicious.

See Blacklisting and whitelisting suspicious domains, URLs, and IP addresses.

Related Events

The Related Events tab shows the last 7 days of events that are related to this entity. Click the following link to learn more about using the Events Summary view.

See Working in the Events Summary view.

See Event Summary Type IDs.

Legacy ID: v114008896_v128921691

Thanks for your feedback. Let us know if you have additional comments below. (requires login)

    © 1995-2019 Symantec Corporation