DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment. It is a part of the Datacenter Group (DCL Group SA). DomainTools data helps security analysts investigate malicious activity on their networks. Using IOCs (Indicators of Compromise), including domains and IPs, analysts can build a map of connected infrastructure. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

Connect DomainTools with Devo SOAR

  1. Navigate to Automations > Integrations.

  2. Search for DomainTools.

  3. Click Details, then the + icon. Enter the required information in the following fields:

     • Label: Enter a connection name.

     • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.

     • Verify SSL: Select whether to verify the connecting server's SSL certificate (default is Verify SSL Certificate).

     • Remote Agent: Run this integration using the Devo SOAR Remote Agent.

     • API Username: Your DomainTools API Username.

     • API Key: Your DomainTools API Key.

  4. After you've entered all the details, click Connect.

Actions for DomainTools

Account Information

Get a snapshot of API product usage for connected accounts. Usage is broken down by day and by month.

Input Field

Choose a connection that you have previously created.

Output

A JSON object containing multiple rows of result:

...

Domain Profile

Returns basic registrant, server, and registration data for a domain name, plus preview data for other products.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name    | Description                                                   | Required |
| :------------ | :------------------------------------------------------------ | :------- |
| Domain Name   | Select column containing domain.                              | Required |
| Result Format | Select result format JSON/HTML/XML. (Default is JSON format). | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing details on the corresponding domain's profile.


Sample output row (this one carries a 403 credentials error returned by the API inside the result field):

```json
{
   "lhub_ts":"null",
   "exit_code":"0",
   "result":"{\"error\": {\"error\": {\"code\": 403, \"message\": \"The credentials you entered do not match an active account.\"}, \"resources\": {\"support\": \"http://www.domaintools.com/support/\"}}, \"has_error\": true}",
   "stdout":"",
   "stderr":"",
   "domainname":"example.com",
   "IP address":"10.2.3.4",
   "email":"user@example.coml",
   "username":"user1",
   "Extension ID":"1234",
   "machinename":"pc2",
   "columname":"Col A"
}
```
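The result field in the row above is a JSON document serialised into a string, and a credentials error arrives inside it rather than as a non-zero exit code. The parser below is an added example, not part of the Devo SOAR integration or any DomainTools code; the sample rows are constructed, and the key layout of a successful row (has_error false, error null, other keys) is assumed from the output description above.

```python
import json

# Constructed sample rows in the shape of the Domain Profile output above.
# They are not captured from a live DomainTools account. "result" is a JSON
# document serialised into a string, exactly as in the page's sample row.
SAMPLE_ROWS = [
    {"exit_code": "0", "domainname": "example.com",
     "result": json.dumps({"error": {"error": {"code": 403,
              "message": "The credentials you entered do not match an active account."},
              "resources": {"support": "http://www.domaintools.com/support/"}},
              "has_error": True})},
    # Success shape is an assumption: has_error false, error null, other keys.
    {"exit_code": "0", "domainname": "example.org",
     "result": json.dumps({"has_error": False, "error": None,
                           "registrant": "Example Registrant (constructed)"})},
    # A row whose result column is not valid JSON at all.
    {"exit_code": "1", "domainname": "bad.example", "result": "not json"},
]


def parse_action_row(row: dict) -> dict:
    """Normalise one output row: unwrap the stringified result, surface
    has_error plus the API error code/message, keep the other keys as data."""
    raw = row.get("result", "")
    try:
        body = json.loads(raw) if isinstance(raw, str) else dict(raw)
    except (json.JSONDecodeError, TypeError, ValueError):
        body = {"has_error": True,
                "error": {"code": None, "message": "result column is not JSON"}}
    # A non-zero exit_code is a failure even if the body does not say so.
    has_error = bool(body.get("has_error")) or str(row.get("exit_code", "0")) != "0"
    err = body.get("error") or {}
    inner = err.get("error", err) if isinstance(err, dict) else {"message": str(err)}
    data = {k: v for k, v in body.items() if k not in ("has_error", "error")}
    return {"domain": row.get("domainname"), "has_error": has_error,
            "error_code": inner.get("code"), "error_message": inner.get("message"),
            "data": data}


def triage(rows: list) -> dict:
    """Split rows into usable results and failures. A 403 means the connection's
    API credentials are rejected for every row, so flag it for the playbook
    instead of silently treating each domain as 'no profile data'."""
    ok, failed, auth_failure = [], [], False
    for row in rows:
        parsed = parse_action_row(row)
        auth_failure = auth_failure or parsed["error_code"] == 403
        (failed if parsed["has_error"] else ok).append(parsed)
    return {"ok": ok, "failed": failed, "auth_failure": auth_failure}
```

A playbook branch on auth_failure lets the analyst fix the connection once rather than reading every enrichment row as an empty result.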

Domain Reputation

Provides risk scores based on a domain's proximity to known-bad domains.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name      | Description                                                  | Required |
| :-------------- | :----------------------------------------------------------- | :------- |
| Domain Name     | Select column containing domain.                             | Required |
| Include Reasons | Select True/False (default is False).                        | Optional |
| Result Format   | Select result format JSON/HTML/XML (default is JSON format). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing details on the corresponding domain's reputation.

Domain Risk Score

Provides risk scores and threat predictions based on DomainTools Proximity and Threat Profile algorithms.

Input Field

| Input Name    | Description                                                        | Required |
| :------------ | :----------------------------------------------------------------- | :------- |
| Domain Name   | Select column containing domain.                                   | Required |
| Risk Evidence | Return Risk Score with Evidence (default is 'Without Evidence').   | Optional |
| Result Format | Select result format JSON/HTML/XML (default is JSON format).       | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing details on the corresponding domain's risk score.

Domain Hosting History

Provides the registrar, IP, and name server history for a domain name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name    | Description                                                  | Required |
| :------------ | :----------------------------------------------------------- | :------- |
| Domain Name   | Select column containing domain.                             | Required |
| Result Format | Select result format JSON/HTML/XML (default is JSON format). | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing details on the corresponding domain's hosting history.

Domain Search

Searches active and deleted domain names that match a query string.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name    | Description                                                                                                                                   | Required |
| :------------ | :-------------------------------------------------------------------------------------------------------------------------------------------- | :------- |
| Query String  | Enter a Jinja-templated query string to search domains. Example: {{domain_column}}1.com.                                                      | Required |
| Exclude Query | Terms to exclude from matching; each term in the query string must be at least three characters long. Use spaces to separate multiple terms. | Optional |
| Max Length    | Limit the maximum domain character count (default is 25 characters).                                                                          | Optional |
| Min Length    | Limit the minimum domain character count (default is 2 characters).                                                                           | Optional |
| Has Hyphen    | Select True/False to include domains that contain hyphens (default is True).                                                                  | Optional |
| Has Numbers   | Select True/False to include domains that contain numbers (default is True).                                                                  | Optional |
| Active Only   | Select True/False to return only domains that are currently registered (default is False).                                                    | Optional |
| Deleted Only  | Select True/False to return only domains that were previously registered but are not currently registered (default is False).                 | Optional |
| Anchor Left   | Select True/False to return only domains that start with the query term (default is False).                                                   | Optional |
| Anchor Right  | Select True/False to return only domains that end with the query term (default is False).                                                     | Optional |
| Max Results   | Set the maximum number of results to retrieve from the server (default is 100 results).                                                       | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing details on matching domains.

Iris Enrich

Enrich proxy and DNS logs at scale across an organization. Enrich at least 6,000 domains per minute with multiple attributes, including domain risk scores from the proximity and threat profile algorithms, and Whois, IP, active DNS, website and SSL data.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name  | Description                      | Required |
| :---------- | :------------------------------- | :------- |
| Domain Name | Select column containing domain. | Required |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing various details such as Whois, IP, and active DNS.

Whois Lookup

Get Whois records for domain names and IP addresses.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

| Input Name      | Description                                                                                  | Required |
| :-------------- | :------------------------------------------------------------------------------------------- | :------- |
| Domain Name/IP  | Select column containing domain/IP.                                                          |          |
| Parsed Response | Select True/False to specify whether to parse the raw response (default is True).            | Optional |
| Result Format   | Select result format JSON/HTML/XML (default is JSON format).                                 | Optional |

Output

A JSON object containing multiple rows of result:

  • has_error: True/False

  • error: message/null

  • other keys containing Whois information.

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

...