...
DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment. It is a part of the Datacenter Group (DCL Group SA). DomainTools data helps security analysts investigate malicious activity on their networks. Using IOCs (Indicators of Compromise), including domains and IPs, analysts can build a map of connected infrastructure. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.
Connect DomainTools with Devo SOAR
Navigate to Automations > Integrations.
Search for DomainTools.
Click Details, then the + icon. Enter the required information in the following fields.
Label: Enter a connection name.
Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
Remote Agent: Run this integration using the Devo SOAR Remote Agent.
API Username: Your DomainTools API Username.
API Key: Your DomainTools API Key.
After you've entered all the details, click Connect.
Actions for DomainTools
Account Information
Get a snapshot of API product usage for connected accounts. Usage is broken down by day and by month.
Input Field
Choose a connection that you have previously created to complete the connection.
Output
A JSON object containing multiple rows of result:
...
Code Block |
---|
## Domain Profile Returns basic registrant, server, and registration data for a domain name, plus preview data for other products. ### Input Field Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection. | Input Name | Description | Required | | :------------ | :------------------------------------------------------------ | :------- | | Domain Name | Select column containing domain. | Required | | Result Format | Select result format JSON/HTML/XML. (Default is JSON format). | Required | ### Output A JSON object containing multiple rows of result: - has_error: True/False - error: message/null - other keys containing details on the corresponding domain's profile. ``` {json}{ "lhub_ts":"null", "exit_code":"0", "result":"{\"error\": {\"error\": {\"code\": 403, \"message\": \"The credentials you entered do not match an active account.\"}, \"resources\": {\"support\": \"http://www.domaintools.com/support/\"}}, \"has_error\": true}", "stdout":"", "stderr":"", "domainname":"example.com", "IP address":"10.2.3.4", "email":"user@example.coml", "username":"user1", "Extension ID":"1234", "machinename":"pc2", "columname":"Col A" } |
Domain Reputation
Provides risk scores based on a domain's proximity to known-bad domains.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain Name | Select column containing domain. | Required |
Include Reasons | Select True/False (default is False). | Optional |
Result Format | Select result format JSON/HTML/XML (default is JSON format). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing details on the corresponding domain's reputation.
Domain Risk Score
Provides risk scores and threat predictions based on DomainTools Proximity and Threat Profile algorithms.
Input Field
Input Name | Description | Required |
---|---|---|
Domain Name | Select column containing domain. | Required |
Risk Evidence | Return Risk Score with Evidence (default is 'Without Evidence'). | Optional |
Result Format | Select result format JSON/HTML/XML (default is JSON format). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing details on the corresponding domain's risk score.
Domain Hosting History
Provides the registrar, IP, and name server history for a domain name.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain Name | Select column containing domain. | Required |
Result Format | Select result format JSON/HTML/XML (default is JSON format). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing details on the corresponding domain's hosting history.
Domain Search
Searches active and deleted domain names that match a query string.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Query String | Enter Jinja templated Query string to search domains. Example: {{domain_column}}1.com. | Required |
Exclude Query | Terms to exclude from matching - each term in the query string must be at least three characters long. Use spaces to separate multiple terms. | Optional |
Max Length | Limit the maximum domain character count (default is 25 characters). | Optional |
Min Length | Limit the minimum domain character count (default is 2 characters). | Optional |
Has Hyphen | Select option (True/False) to include results that have hyphens also in the domain name (default is True). | Optional |
Has Numbers | Select option (True/False) to include results that have numbers also in the domain name (default is True). | Optional |
Active Only | Select option (True/False) to return only domains currently registered (default is False). | Optional |
Deleted Only | Select option (True/False) to return only domains previously registered but not currently registered (default is False). | Optional |
Anchor Left | Select option (True/False) to return only domains that start with the query term (default is False). | Optional |
Anchor Right | Select option (True/False) to return only domains that end with the query term (default is False). | Optional |
Max Results | Set the maximum number of results to retrieve from the server (default is 100 results). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing details on matching domains.
Iris Enrich
Enrich proxy and DNS logs at scale across an organization. Enrich at least 6,000 domains per minute with multiple attributes, including Domain risk scores from proximity and threat profile algorithms, and Whois, IP, active DNS, website & SSL data.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain Name | Select column containing domain. | Required |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing various details such as Whois, IP, and active DNS.
Whois Lookup
Get Whois records for domain names and IP addresses.
Input Field
Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.
Input Name | Description | Required |
---|---|---|
Domain Name/IP | Select column containing domain/IP. | |
Parsed Response | Select option (True/False) to specify whether to parse the raw response (default is True). | Optional |
Result Format | Select result format JSON/HTML/XML (default is JSON format). | Optional |
Output
A JSON object containing multiple rows of result:
has_error: True/False
error: message/null
other keys containing Whois information.
Release Notes
v2.0.0
- Updated architecture to support IO via filesystem
...