Domain and DNS moved to EU

Another step in reducing dependencies on providers from outside the EU was completed today. All DNS and Domain records have moved from a US company to Openprovider in The Netherlands.

Data model updated, new detections

After updating the API documentation and magic queries, it was now time to update the data model. You'll find all indexes, fields, their datatypes and descriptions. For some indexes it's straight forward, but an index like DNS has many undescriptive fields (k, t, etc.) derived from the underlying DNS records that can be quite confusing without proper documentation.

Besides this, a bunch of new and revised detections have gone to production, along with some bug fixes in the GUI.

Shadowserver integration updated

There is a lot of development going on, but not everything is directly visible. So we'll not bore you with details and stick to the useable stuff.

We recently added integration with Shadowserver.org. Up until now, their data was only used for discovery. For multi-tenant users, each organization had to enter the API keys separately resulting in extra work for users and more load on our servers.

This update allows multi-tenant users like MSSPs, Hosters and Network Operators to add the Shadowserver integration on group level. ShadowTrack will check daily, get all assets and events available in Shadowserver, and map these to the organizations you have in your group.

The new integration also uses the Shadowserver data much better. Besides discovery, you can import the device_id data (both IPv4 and IPv6) in to a special index in ShadowTrackr called shadowserver_device_id. The Shadowserver reports are now also parsed and processed as events. So, if one of your servers is connecting to a sinkhole or honeypot the alert for that will show up in your ShadowTrackr events.