Entity enrichment and aliasing
May 3, 2017
Announcing two new features called “entity enrichment” and “entity aliasing”.
Entity enrichment allows us to get a more complete picture of an entity. It is a process that happens automatically for certain entities upon their creation. Today IpAddress, DnsRecord, and Uri are supported. For each of these entity types, one or several enrichment tasks will be run as soon as the entity is created, allowing us to discover additional facts and alternate names (“aliases”) for the entity.
How it works: upon creation, an enrichment task (lib/tasks/enrich/*) is scheduled and run. In the case of an IpAddress, the name is resolved to A, CNAME, or PTR records, DnsRecord entities are created for the results, and finally these are “aliased” to the IpAddress.
Let’s show a quick demo.
First, create a new project and select the “Create Entity” task with a DnsRecord entity. In this case, we’ll use the DnsRecord “intrigue.io” with no recursive depth:
Hit “Run Task” and you’ll see that it kicks off the task, creating the entity:
Now browse to the entities page. Notice that there are now 3 total entities: one DnsRecord and two IpAddress entities. Note also that the IpAddress entities are both aliased to the “intrigue.io” DnsRecord. In this way, we can quickly find load balancers and other interesting DNS configurations.
Now, let’s try with a larger iteration strategy (3):
Give it a few moments, and now, on the Entities view, filtering for IpAddress only, we can see the correlation of IpAddress to DnsRecord:
This is also a good way to find DNS entries that are no longer active or resolving to an IP, but this is left as an exercise for the reader.
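The aliasing described under “How it works” and the check for names that no longer resolve, sketched as an added Ruby example that is not Intrigue's own enrichment code. It runs over a constructed lookup table instead of live DNS, and the names enrich, entity_type and SAMPLE_DNS are assumptions made for illustration.

```ruby
# Constructed sample answers (not real lookups): name => [[type, value], ...].
# example.com and 192.0.2.0/24 are reserved documentation ranges.
SAMPLE_DNS = {
  "www.example.com" => [[:CNAME, "lb.example.com"]],
  "lb.example.com"  => [[:A, "192.0.2.10"], [:A, "192.0.2.11"]],
  "192.0.2.10"      => [[:PTR, "lb.example.com"]],
  "old.example.com" => []                      # record no longer resolves
}.freeze

IPV4 = /\A\d{1,3}(\.\d{1,3}){3}\z/

# Hypothetical helper: map a name onto the entity types the post uses.
def entity_type(name)
  name.match?(IPV4) ? "IpAddress" : "DnsRecord"
end

# Enrich the seed entities, following discovered entities `depth` more times,
# and merge every name/answer pair into one alias group (union-find).
def enrich(seeds, depth:, dns: SAMPLE_DNS)
  parent = {}
  root = lambda do |x|
    parent[x] ||= x
    x = parent[x] while parent[x] != x
    x
  end
  seeds.each { |s| root.call(s) }
  frontier = seeds.dup
  (depth + 1).times do
    discovered = []
    frontier.each do |name|
      dns.fetch(name, []).each do |_type, value|
        discovered << value unless parent.key?(value)   # new entity created
        parent[root.call(value)] = root.call(name)      # alias it to its source
      end
    end
    frontier = discovered.uniq
  end
  groups = parent.keys.group_by { |n| root.call(n) }.values.map(&:sort)
  ip_count = ->(g) { g.count { |n| entity_type(n) == "IpAddress" } }
  {
    groups: groups,
    multi_ip: groups.select { |g| ip_count.call(g) > 1 },        # load balancer hint
    unresolved: groups.select { |g| ip_count.call(g).zero? }.flatten
  }
end

result = enrich(["www.example.com", "old.example.com"], depth: 2)
result[:groups].each { |g| puts g.map { |n| "#{entity_type(n)}:#{n}" }.join(" <-> ") }
puts "unresolved: #{result[:unresolved].join(', ')}"
```

With depth 0 the CNAME target is created but not itself enriched, so the www.example.com group carries no IpAddress yet; that is why a deeper run is needed before treating a name as unresolved.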