Domain investigation

Kaspersky Threat Intelligence Portal enables you to search for information about domains.

General information about domain

Kaspersky Threat Intelligence Portal provides the following general information about domains:


Status

Shows whether the requested domain can be classified as malicious, good, or not categorized.

The domain can have one of the following statuses:

Good—Domain is not malicious.

No threats detected—Domain was scanned and/or analyzed by Kaspersky, and no threats were detected. This status is used only in the Timeline section.

Dangerous—There are malicious objects related to the domain.

Adware and other—There are objects related to the domain that are classified as Not-a-virus.

Not trusted—Domain is categorized as Infected or Compromised.

Not categorized—No or not enough information about the domain is available to define the category.

IPv4 count

Number of IP addresses related to the domain.

File count

Number of known malicious files / total number of known files related to the domain.

Owner name

Domain owner name.

Owner ID

Domain owner ID.

Created

Domain creation date.

Updated

Domain update date.

Categories

Categories of the requested domain. If the domain does not belong to any defined categories, the General category is displayed.

Reports

Available APT Intelligence, Crimeware Threat Intelligence, and ICS reports. If you have a valid commercial license for the corresponding service and the requested domain is related to an APT attack and/or mentioned in a report, links to the corresponding reports on the Reporting page are displayed.

Data Feeds

List of Threat Data Feeds that contain information about the requested domain. You can click a link to view the list of available feeds on the Threat Data Feeds page.

Graphical information about domain

A timeline shows detection statistics for the domain over a historical period. By default it covers the last two months; it can be switched to cover the last two years. The timeline is generated only if detection statistics for the selected period are available for the object.

The timeline shows changes only for the following statuses:

If you hover the mouse pointer over a point on the timeline, Kaspersky Threat Intelligence Portal displays the date and time of the detection and the category of the object at that point.

The category and status of the object on the timeline might not match the category in Categories and status in the object lookup results due to different methods applied.

Additional information about domain

Kaspersky Threat Intelligence Portal provides additional information, displayed in separate tables, about the domain that is being investigated. You can export data from these tables as separate archives.

Each table is described below together with its fields and, where applicable, comments on how its items are grouped and sorted.

WHOIS

WHOIS data about the domain that is being investigated.

Domain name—Name of the requested domain.

Domain status—Status of the requested domain.

Created—Date when the requested domain was registered.

Updated—Date when registration information about the requested domain was last updated.

Paid until—Expiration date of the prepaid registration term.

Registrar info—Name of the requested domain registrar.

IANA ID—IANA ID of the registrar.

Email—Email of the registrar.

Name servers—List of name servers of the requested domain.

Contacts—Contact type (person or organization).

Name—Contact name.

Role—Role of a contact (for example, owner).

Address—Postal address registered for the contact.

Phone/Fax—Phone/fax number of a contact.

Email—Email address of a contact.

DNS resolutions for domain

IP addresses that the requested domain resolves to.

Status—Status of IP address.

Threat score—Probability (0 to 100) that the resolved IP address is dangerous.

Hits—Number of IP address detections by Kaspersky expert systems.

IP—IP addresses. Items are clickable and take you to the Threat Lookup page, where you can search for information about the IP address. The flag of the country to which the IP address belongs is displayed. When you hover your mouse over a flag, a tooltip with a country name appears.

First resolved—Date and time when the requested domain first resolved to the IP address.

Last resolved—Date and time when the requested domain last resolved to the IP address.

Peak date—Date of maximum number of requested domain resolutions to the IP address.

Daily peak—Maximum number of requested domain resolutions to the IP address per day.

Items in the table are grouped by status. Items in each group are sorted by the Threat score field in descending order.
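During an incident this table is usually read to answer two questions: which IP address did the domain resolve to at the moment an alert fired, and how many distinct hosts has the domain moved between over a window (high churn is a hint of fast-flux or frequently rotated hosting). The following added example, which is not code from the portal or from Kaspersky, answers both over rows shaped like the table above. The rows are constructed sample data; the dictionary keys, the timestamp format, and the score threshold used to pick pivot candidates are assumptions.

```python
from datetime import datetime

# Constructed sample rows modelled on the "DNS resolutions for domain" table:
# Status, Threat score, IP, First resolved, Last resolved.
# Hypothetical values (documentation IP ranges), not portal output.
SAMPLE_RESOLUTIONS = [
    {"status": "Dangerous", "threat_score": 87, "ip": "203.0.113.10",
     "first_resolved": "2024-03-01T08:00:00", "last_resolved": "2024-03-20T17:30:00"},
    {"status": "Good", "threat_score": 2, "ip": "198.51.100.7",
     "first_resolved": "2023-11-02T00:00:00", "last_resolved": "2024-02-28T23:59:00"},
    {"status": "Not categorized", "threat_score": 40, "ip": "203.0.113.55",
     "first_resolved": "2024-03-18T12:00:00", "last_resolved": "2024-03-19T12:00:00"},
    {"status": "Dangerous", "threat_score": 91, "ip": "192.0.2.200",
     "first_resolved": "2024-03-19T09:00:00", "last_resolved": "2024-03-22T09:00:00"},
]


def _ts(value):
    # Assumption: timestamps are ISO 8601 without a timezone suffix.
    return datetime.fromisoformat(value)


def resolutions_at(rows, when):
    """IPs whose [First resolved, Last resolved] interval contains `when`.

    Returned highest Threat score first, so the most suspicious candidate
    for "what did the domain point at when the alert fired" comes first.
    """
    t = _ts(when)
    hits = [r for r in rows
            if _ts(r["first_resolved"]) <= t <= _ts(r["last_resolved"])]
    return [r["ip"] for r in sorted(hits, key=lambda r: r["threat_score"], reverse=True)]


def distinct_ips_in_window(rows, start, end):
    """Distinct IPs the domain resolved to at any point inside [start, end].

    An interval overlaps the window if it starts before the window ends and
    ends after the window starts. A large count over a short window suggests
    rotating infrastructure and deserves a closer look.
    """
    s, e = _ts(start), _ts(end)
    return sorted({r["ip"] for r in rows
                   if _ts(r["first_resolved"]) <= e and _ts(r["last_resolved"]) >= s})


def pivot_candidates(rows, min_score=50):
    """IPs worth looking up on their own: Dangerous status or a Threat score
    at or above `min_score` (threshold is an assumption, tune to taste)."""
    return [r["ip"] for r in rows
            if r["status"] == "Dangerous" or r["threat_score"] >= min_score]


if __name__ == "__main__":
    print("resolved at alert time:", resolutions_at(SAMPLE_RESOLUTIONS, "2024-03-19T10:00:00"))
    print("ips Feb-Mar window:", distinct_ips_in_window(SAMPLE_RESOLUTIONS,
                                                         "2024-02-01T00:00:00",
                                                         "2024-03-02T00:00:00"))
    print("pivot on:", pivot_candidates(SAMPLE_RESOLUTIONS))
```

The overlap test in `distinct_ips_in_window` is inclusive on both ends on purpose: First resolved and Last resolved are the earliest and latest observations, so a resolution seen exactly at the window boundary still counts. Each IP returned by `pivot_candidates` is what you would then paste into the IP lookup the table links to.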

Files downloaded from requested domain

MD5 hashes of files that were downloaded from the requested domain, together with the web addresses on the requested domain that they were downloaded from.

Status—Status of files that were downloaded.

Hits—Number of file downloads from the requested domain as detected by Kaspersky expert systems.

File MD5—MD5 hash of the downloaded file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Last seen—Date and time when the file was last downloaded from the requested domain, in your computer's local time zone.

First seen—Date and time when the file was first downloaded from the requested domain, in your computer's local time zone.

URL—Web addresses used to download the file. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Items in the table are grouped by status. Items in each group are sorted by the Hits field, and then by the Last seen field in descending order.

Files that accessed the requested domain

MD5 hashes of files that accessed the requested domain.

Status—Status of files that accessed the requested domain.

Hits—Number of times the file accessed the requested domain.

File MD5—MD5 hash of the file that accessed the requested domain. Items are clickable and take you to the Threat Lookup page, where you can search for information about the hash.

Last seen—Date and time when the file last accessed the requested domain, in your computer's local time zone.

First seen—Date and time when the file first accessed the requested domain, in your computer's local time zone.

Detection name—Name of the detected object (for example, HEUR:Exploit.Script.Blocker).

Subdomains

Hosts related to the requested domain (subdomains).

Status—Status of subdomains.

Subdomain name—Name of the detected subdomain.

URL count—Number of web addresses related to the subdomain.

Hosted files—Number of files hosted on the detected subdomain.

First seen—Date and time when the subdomain was first detected, in your computer's local time zone.

Items in the table are grouped by status. Items in each group are sorted in descending order by the First seen field.

Referrals to domain

Web addresses that refer to the requested domain.

Status—Status of web addresses that refer to the requested domain.

URL—Web address that refers to the requested domain. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.

Last reference—Date and time when the requested domain was last referred to by listed web addresses.

Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.

Domain referred to the following URLs

Web addresses that the requested domain links, forwards, or redirects to.

Status—Status of web addresses that the requested domain links, forwards, or redirects to.

URL—Web address accessed by the requested domain. Items are clickable and take you to the Threat Lookup page, where you can search for information about the web address. The length of the web address to be investigated is limited to a maximum of 2000 characters; other characters will be ignored. In the message window that opens, you will be asked to confirm that you still want to investigate the shortened web address.

Last reference—Date and time when the requested domain last linked, forwarded, or redirected to listed web addresses.

Items in the table are grouped by status. Items in each group are sorted by the Last reference field in descending order.

URL masks

The requested domain masks detected by Kaspersky expert systems. If a mask is included in Threat Data Feeds, the feed names are also displayed.

Status—Status of web addresses covered by the corresponding mask (Dangerous, Not trusted, or Adware and other).

Type—Mask type.

Mask—Requested domain mask.

Each item in the list is clickable—you can click it to navigate to the Threat Lookup results page, which shows investigation results for the domain mask. Investigation results are available only if you have a valid Threat Lookup license and have not exceeded your quota for object investigation.

Feeds—Threat Data Feeds that contain the requested domain mask. In this field, any of the following Threat Data Feeds can be displayed: Malicious URL Data Feed, Phishing URL Data Feed, and Botnet CC URL Data Feed. If a mask is detected by Kaspersky expert systems, but not included in any of these Threat Data Feeds, "—" is displayed.

Each item in this list is clickable—you can click it to navigate to the corresponding Threat Data Feed on the Data Feeds page.

Similar domains

Information about domains with names similar to those of the requested domain.

Status—Status of a similar domain.

Domain—Similar domain name.

Registered—Date when a similar domain was registered.

Expires—Expiration date of a similar domain.

Port status—Information about open ports.
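The Similar domains table can be long, and the rows that matter for brand abuse or phishing are the ones that are both close to the requested name and newly registered, or that already carry a bad status. The following added example, which is not code from the portal or from Kaspersky, triages rows shaped like this table with an edit-distance check (optimal string alignment: insert, delete, substitute, and adjacent transposition, which catches swapped letters) and a registration-age check. The rows are constructed sample data; the assumption that the first label of the name is the brand part and everything after the first dot is the suffix, the distance limit, and the "recent" window are all choices of the example, not of the portal.

```python
from datetime import date

# Constructed sample rows modelled on the "Similar domains" table:
# Status, Domain, Registered, Expires. Hypothetical values, not portal output.
REQUESTED_DOMAIN = "example.com"
SAMPLE_SIMILAR = [
    {"status": "Dangerous", "domain": "examp1e.com",
     "registered": "2024-03-15", "expires": "2025-03-15"},
    {"status": "Not categorized", "domain": "exarnple.com",
     "registered": "2024-03-20", "expires": "2025-03-20"},
    {"status": "Good", "domain": "example.org",
     "registered": "2010-01-01", "expires": "2030-01-01"},
    {"status": "Not categorized", "domain": "examples.com",
     "registered": "2015-06-01", "expires": "2026-06-01"},
]


def edit_distance(a, b):
    """Optimal string alignment distance between a and b.

    Counts insertions, deletions, substitutions and transpositions of two
    adjacent characters, so "exmaple" is distance 1 from "example".
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,          # deletion
                          d[i][j - 1] + 1,          # insertion
                          d[i - 1][j - 1] + cost)   # substitution / match
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def split_name(domain):
    # Assumption: first label is the brand part, the rest is the suffix.
    label, _, suffix = domain.lower().partition(".")
    return label, suffix


def triage_similar(rows, requested, today, max_distance=2, recent_days=30):
    """Rank similar domains by how much they look like a squat of `requested`.

    high:   bad status, or a lookalike name registered within `recent_days`
    medium: a lookalike name, or a recent registration, but not both
    low:    everything else
    `today` is an ISO date string (assumption) so the caller controls the clock.
    """
    today = date.fromisoformat(today)
    req_label, req_suffix = split_name(requested)
    results = []
    for r in rows:
        label, suffix = split_name(r["domain"])
        dist = edit_distance(req_label, label)
        age_days = (today - date.fromisoformat(r["registered"])).days
        bad_status = r["status"] in ("Dangerous", "Not trusted")
        # Same brand label under another suffix is a lookalike even at distance 0.
        lookalike = (0 < dist <= max_distance) or (dist == 0 and suffix != req_suffix)
        recent = age_days <= recent_days
        reasons = []
        if bad_status:
            reasons.append("status " + r["status"])
        if lookalike:
            reasons.append("same name under ." + suffix if dist == 0
                           else "name edit distance %d" % dist)
        if recent:
            reasons.append("registered %d days ago" % age_days)
        if bad_status or (lookalike and recent):
            priority = "high"
        elif lookalike or recent:
            priority = "medium"
        else:
            priority = "low"
        results.append({"domain": r["domain"], "priority": priority,
                        "distance": dist, "reasons": reasons})
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(results, key=lambda x: (rank[x["priority"]], x["distance"]))


if __name__ == "__main__":
    for item in triage_similar(SAMPLE_SIMILAR, REQUESTED_DOMAIN, "2024-03-25"):
        print(item["priority"], item["domain"], "; ".join(item["reasons"]))
```

The edit-distance check is deliberately run on the brand label only: comparing whole names would make "example.org" look far from "example.com" (three substitutions in the suffix) although it is exactly the kind of row this table exists to surface. Combine the output with the Port status column: a recently registered lookalike that already has a web port open is usually the first one to block or monitor.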

Spam attacks

Information about spam attacks associated with the requested domain.

Number of attacks—Number of spam attacks.

Spam ratio—The ratio of spam to other content.

Attack type—Types of attacks (Unknown, Phishing, Spoofing).

Spam attack statistics

Graph showing the number of spam attacks in the last six months.

Phishing attacks

Information about phishing attacks associated with the requested domain.

Number of attacks—Number of phishing attacks.

Phishing kit—Name of a phishing kit (a set of materials and tools) used during the phishing attack.

Stolen data type—Type of data stolen during phishing attack, for example, user names, passwords.

Attacked industry—Target industry of a phishing attack.

Attacked organization—Target organization of a phishing attack.

Phishing attack statistics

Graph showing the number of phishing attacks in the last six months.
