Using IP Address Intelligence Card Extensions

This page is intended to help you use the OMNI Intelligence Partner Extensions for IP Address Cards.

Applicable Intelligence Partners: Cisco Umbrella, DomainTools, Farsight Security, FireEye iSIGHT Intelligence, IBM X-Force Exchange, PhishMe, ReversingLabs, Shodan, VirusTotal

Step 1: Identify a suspicious IP Address

  • The top IP address indicators from the Cyber Dashboard are often good starting points for an investigation. Note that it is not uncommon to find IP addresses without hits in one or more of the extensions, so don't be surprised if you have to try a few IP addresses before getting data through an extension.
  • We are exploring ways to 'precheck' whether an extension has relevant data so the user knows if it's worth clicking 'look up'.
  • To explore the information accessible through different partners, here is a list of selected IPs with known extension responses:
Has Data? (per extension)

Related to    IP Address        DomainTools  Farsight  FireEye iSIGHT  PhishMe  ReversingLabs
Dridex        80.88.89.222      Yes          Yes       No              Yes      Yes
Locky         188.138.88.184    Yes          Yes       No*             Yes      Yes
Dridex        117.239.192.228   No           No        No*             Yes      Yes
SNS Locker    5.9.82.18         Yes          Yes       No*             No       No
DGA           54.210.47.225     Yes          Yes       No*             No       No
RDP attack    45.32.68.241      Yes          Yes       Yes             No       No
  • The IP address 188.138.88.184 (Locky) is a good example because it has a high-risk score (90 as of June 7, 2016) and includes hits from all our currently available extensions. Screen shot after step 3 is of this IP Address Card.
  • (*) Recorded Future's access to FireEye iSIGHT's API is limited to a developer license that only queries a static subset of the FireEye iSIGHT database. The cells marked "No*" have data in the live iSIGHT database, but will not return results using Recorded Future's demo credentials.

Step 2: Open the Recorded Future IP Address Card for this IP Address

  • You can click on the IP address in the Cyber dashboard, or type the IP address into the Quick Search box

Step 3: Click "Lookup" for the extensions you have enabled for your account

  • Below is an example of an IP Address Card including the expanded lookup results from DomainTools, Farsight (partial), iSIGHT, and PhishMe:
