Investigate supports pattern search functionality for more flexible and extensive searches of domains. The ability to conduct a pattern search for IP subnets and email addresses will included in an upcoming product update.
The pattern search can be used to discover newly queried domains that include your company’s brand or intellectual property. You can use the pattern search to find minor intentional misspellings, commonly used to confuse users in phishing emails, and then identify campaigns targeted against your employees or customers. From those discoveries, pivot through the attacker’s infrastructures to identify related attacker infrastructure sharing that network space or other domains registered by the same email addresses.
The pattern search functionality in Investigate uses regular expressions (RegEx) to search against the Investigate database. There are several excellent tools online such as http://regexr.com to help you if you’re not familiar with building RegEx. The results for a query in the UI are limited to 500 returns (the API can perform up to 1000). If the results of your query exceed these limits, we recommend refining the RegEx being used and performing multiple pattern searches. Alternately, you can limit the dates for which the results are being returned.
The results only extend back 30 days, and only discovers newly queried domains, whether that domain was registered recently or not. Both the UI and the API include a date which this domain was first seen, which is the first time we saw the domain being queried. This means that domains seen before that time period will not be included in the result, such as almost all common, well-known domains.
The results from the pattern search are generated from a database containing the information about domains that were looked up by Umbrella customers within the time periods specified. As such, you may find results that do not actually match an actual domain that resolves but that people were still doing DNS lookups for. We have done our best to sanitize these results, but domains that do not exist will occasionally appear.
To perform a pattern search in the about, select the tab for Pattern Search. The Search tab is still present for the traditional Investigate search for full domains, IPs, ASN and email.
By default, the search is for the previous 30 days of queries from the Umbrella customer base, which is also the maximum. However, it can be restricted to the past seven days or the past 24 hours to help better pinpoint newly emerging threats by selecting the “Constrain RegEx search to:” dropdown.
To start, in the search bar click the ? (help icon) to display a list of operators for a RegEx search.
- ***—An asterisk matches zero or more instances of the previous token.
- .—A period matches exactly one character.
- [ ]—Brackets matches a class of characters, e.g. [0-9] for all numbers, or [a-z] for all letters.
- ( )—Parentheses group tokens together for modifiers, e.g. (ya)* will match “ya”, “yaya”, “yayaya”.
- ?—Question mark matches one or zero instances of the previous token. For example, hi(ya)? will match "hi" or "hiya"
Note: The “.” character has meaning as a wildcard and as a literal in hostnames. If you would like to use this character as part of your pattern, you must escape it using the “\” backslash character. For example, .\.umbrella\.com will match a.umbrella.com or b.umbrella.com.
To check for ‘typosquatting’ on a domain, enter a range of characters within domain name. For example, “...\.yah[a-z]o\.com”, would match both the correct domain (www.yahoo.com) and the typo for ‘www.yahro.com’, and any other typos with the fourth character in the string along with any other non-www prefixes.
To remove the requirement for the www in the return, simplify the RegEx to ‘yah[a-z]o\.com’.
Note: If the domains returned from your pattern search match any Umbrella security categories, these will be listed here next to the domains.
There is also a column for “First Seen”, which is the first time Umbrella saw a DNS lookup against this hostname.
Investigate Views < Conduct a Pattern Search