Initiate the lookup for Reverse Whois

  • Release version: Zurich
  • Updated March 12, 2026

Initiate domain lookups using search terms in observables that you manually attach to a security incident record.

    Before you begin

    Role required: sn_si.analyst

    Procedure

    1. If it isn't already open, navigate to Security Incident > Incidents > Show All Incidents and open the security incident you're working with.
    2. At the bottom of the record, select the Show IoC related link to display the Observables tab.
      Note:
      If you don't see tabs on the security incident, in the upper-right corner of the banner frame, select the Settings gear icon. In the System Settings dialog box that is displayed, select Forms and verify that Tabbed forms and With the Form are selected.
    3. On the Observables tab, select New.
    4. Fill in the fields.
      Table 1. Required fields on the record

      Field            Description
      ---------------  -------------------------------------------
      Value            Unique search term for a domain.
      Observable type  This field is automatically cleared.
      Finding          This field is automatically set to Unknown.
    5. Select Submit.
      You're returned to the security incident record and the flow initiates the lookup.

    What to do next

    Verify the lookup results on the security incident. See Verify expected results for Reverse Whois.