Investigate a domain


Investigate a domain to see if devices and servers in your enterprise network have been communicating with a known malicious domain.

You can investigate a domain by using the search feature or by clicking on a domain link from the Device timeline.

You can see information from the following sections in the URL view:

  • URL details, Contacts, Nameservers

  • Alerts related to this URL

  • URL in organization

  • Most recent observed devices with URL

URL worldwide

The URL Worldwide section lists the URL, a link to further details, the number of related open incidents, and the number of active alerts.


The Incident card displays a bar chart of all active alerts in incidents over the past 180 days.


The Prevalence card provides details on the URL's prevalence within the organization over a specified period of time.

Although the default time period is the past 30 days, you can customize the range by selecting the downward-pointing arrow in the corner of the card. The shortest range available is for prevalence over the past day, while the longest range is over the past six months.


The Alerts tab provides a list of alerts that are associated with the URL. The table shown here's a filtered version of the alerts visible on the Alert queue screen, showing only alerts associated with the domain, their severity, status, the associated incident, classification, investigation state, and more.

The Alerts tab can be adjusted to show more or less information by selecting Customize columns from the action menu above the column headers. The number of items displayed can also be adjusted by selecting items per page on the same menu.

Observed in organization

The Observed in organization tab provides a chronological view of the events and associated alerts observed on the URL. This tab includes a timeline and a customizable table-listing event details, such as the time, device, and a brief description of what happened.

You can view events from different periods of time by entering the dates into the text fields above the table headers. You can also customize the time range by selecting different areas of the timeline.

Investigate a domain:

  1. Select URL from the Search bar drop-down menu.

  2. Enter the URL in the Search field.

  3. Select the search icon or press Enter. Details about the URL are displayed. Search results will only be returned for URLs observed in communications from devices in the organization.

  4. Use the search filters to define the search criteria. You can also use the timeline search box to filter the displayed results of all devices in the organization observed communicating with the URL, the file associated with the communication and the last date observed.

  5. Selecting any of the device names will take you to that device's view, where you can continue to investigate reported alerts, behaviors, and events.