Using IP Address Intelligence Card Extensions

This page is intended to help you use the OMNI Intelligence Partner Extensions for IP Address Cards.

Applicable Intelligence Partners: Cisco Umbrella, DomainTools, Farsight Security, FireEye iSIGHT Intelligence, IBM X-Force Exchange, PhishMe, ReversingLabs, Shodan, VirusTotal

Step 1: Identify a suspicious IP Address

• The top IP address indicators from the Cyber Dashboard are often good starting points for an investigation.  Note that it is not uncommon to find IP addresses without hits in one or more of the extensions, so don't be surprised if you have to try a few IP addresses before getting data through the extension.
• We are exploring ways to 'precheck' whether an extension has relevant data so the user knows if it's worth clicking 'look up' 
• To explore the information accessible through different partners, here is a list of selected IPs with known extension responses:

• The IP address 188.138.88.184 (Locky) is a good example because it has a high-risk score (90 as of June 7, 2016) and includes hits from all our currently available extensions. Screen shot after step 3 is of this IP Address Card.
• (*) Recorded Future's access to Fireeye iSight's API is limited to a developer license that only queries a static subset of the Fireeye iSight database.  The areas marked "No*" have data in the live iSight database, but will not turn up results using Recorded Future's demo credentials. 

Step 2: Open the Recorded Future IP Address Card for this IP Address

• You can click on the IP address in the Cyber dashboard, or type the IP address into the Quick Search box

Step 3: Click "Lookup" for the extensions you have enabled for your account

• Below is an example of a IP Address Card including the lookup (expanded) of DomainTools, Farsight (partial), iSIGHT, and PhishMe data: