Farsight Labs is an outreach programme from Farsight Security, Inc. to the world's digital defenders including individual contributors from academic, law enforcement, non-profit, for-profit, or private backgrounds. There is no fee for participation, no contract to sign, and no service level guarantee. We want to make the world safer, which we do through our robust commercial services, our Passive DNS network, our Open Source software, and with Farsight Labs.
The apps and services available in Farsight Labs will change over time. Generally these will be technologies that do not fit our usual commercial model, or are early-adopter pre-releases of future Farsight Security products and services. Uptime is not guaranteed, and quality may not be as assured as is our norm.
To sign up, visit https://labs.fsi.io/welcome. You can reach the Farsight Labs team by e-mail at firstname.lastname@example.org.
- Farsight Workbench is now available in the
Farsight Workbench is a graphical interface that enables users to manage
multiple answer sets relating to an investigation, using advanced tools such
as iteration, pivots, time-fenced subselections, and combination of results
obtained from one or several at-rest data troves, ranging from
Search (Farsight and SIE Europe) and other third-party passive
DNS data, to an enterprise's own data set. Previously a stealth product used
by select investigative reporters, threat hunters and security professionals,
Farsight Workbench is now available to all Farsight Labs members.
- DNSDBFront is now available in the
DNSDBFront converts a streaming DNSDB API response into a non-streaming
response that Microsoft Excel -- and other programs -- can understand.
DNSDBFront is a proxy that turns a DNSDB 2.0 ND-JSON query result into JSON
Object output that you can use directly within your application. We have also
published an OpenAPI 3.0
specification, which enables you to automatically generate
clients for DNSDB 2.0. The simplified output format enables you to integrate
DNSDB with platforms that do not support ND-JSON or custom encodings. The proxy
uses your existing DNSDB API keys to speak to our default API server on your
- Farsight Labs Virtual Starter Kit is now available in the
Virtual Starter Kit is a new Virtual Machine Image (VMI) built
to assist researchers and investigators by reducing the preparation
costs of accessing Farsight DNSDB (our historical Passive DNS database),
SIE Batch (Security Information Exchange), SIE Remote, and a robust
selection of related open source tools.
- Farsight Punycoder is now available in
the Labs shell.
Farsight Punycoder is a new tool
that enables Security Operations Center (SOC) teams, incident responders,
threat hunters and other security practitioners to validate, dissect, and
bi-directionally convert DNS IDN Punycode. Learn more details about this tool
and how it can benefit your security program in our quarterly newsletter,
Farsight Observer, published in the
- Farsight Security Principal Architect Boris Taratine examines whether there
are other potential candidate domains that are used for Command & Control (C2)
related to the SolarWinds compromise, in addition to those previously
reported. Confirming additional C2 “could be an important
step towards identifying Indicators of Compromise (IoCs) that were previously
unknown.” The new research is available in our
entitled, “SUNBURST: Mapping Malicious Activity Using Farsight Historical
Passive DNS (Part II).”
- In his new research published today in the Forum, Farsight Security Principal
Architect Boris Taratine examines the C2 communications used by the malware in
the recent SolarWinds supply chain attack. Visit the
Community Forum to learn how you can
use passive DNS to uncover related assets using historical records, as well as
check the patterns of behaviour going beyond reported IoCs.
- The Farsight Labs Community Forum
allows digital defenders to discuss details of Farsight tools and share tips
and tricks for using DNS Intelligence to improve Internet security. To access
this members-only resource, click on the Forum icon in the main Labs shell.
helps digital defenders by automating the generation of
either through a web interface, the command line, or
Regular expressions are a popular and mature way to describe an approximate
search term, and Expander can be told which of several keyword variation
systems to apply in order to cover the confusing similarities of
interest to an investigator or defender. Notably, the regular expressions
generated by Expander will also work fine in older tools such as UNIX
egrep or Splunk, and not just in
DNSDB 2.0 with Flexible Search.