DomainTools

DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment. It is a part of the Datacenter Group (DCL Group SA). DomainTools data helps security analysts investigate malicious activity on their networks. Using IOCs (Indicators of Compromise), including domains and IPs, analysts can build a map of connected infrastructure. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

Integration with LogicHub

Connecting with DomainTools

To connect to DomainTools, the following details are required:

  • Label: Connection name.
  • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
  • API Username: Your DomainTools API Username.
  • API Key: Your DomainTools API Key.

Actions with DomainTools

Account Information

Get a snapshot of API product usage for connected accounts. Usage is broken down by day and by month.

Inputs to this Action

  • Connection: Choose a connection that you have created.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing usage details of different DomainTools products.

Sample output (error response):
{
   "has_error":true,
   "error":{
      "error":{
         "code":403,
         "message":"The credentials you entered do not match an active account."
      },
      "resources":{
         "support":"http://www.domaintools.com/support/"
      }
   }
}

Domain Profile

Returns basic registrant, server, and registration data for a domain name, plus preview data for other products.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Domain Name: Select column containing domain.
  • Result Format (Optional): Select result format JSON/HTML/XML (default is JSON format).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's profile.

Sample output row (error response; note that the result field is itself a JSON-encoded string):
{
   "lhub_ts":"null",
   "exit_code":"0",
   "result":"{\"error\": {\"error\": {\"code\": 403, \"message\": \"The credentials you entered do not match an active account.\"}, \"resources\": {\"support\": \"http://www.domaintools.com/support/\"}}, \"has_error\": true}",
   "stdout":"",
   "stderr":"",
   "domainname":"example.com",
   "IP address":"10.2.3.4",
   "email":"[email protected]",
   "username":"user1",
   "Extension ID":"1234",
   "machinename":"pc2",
   "columname":"Col A"
}
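The sample rows above share one envelope: exit_code is "0" even when the call failed, and the actual DomainTools payload sits in the result field as a JSON string that carries its own has_error flag. A playbook step that consumes these rows therefore has to decode result a second time and branch on has_error rather than on exit_code. The following Python is an added example of that parsing, not LogicHub's or DomainTools' own code; the error row reproduces the shape shown on this page, while the contents of the success row's "response" key are an assumption used only to show the success path.

```python
import json

# Constructed sample rows. The error row mirrors the Domain Profile sample above;
# the "response" contents of the success row are an assumed shape, not DomainTools' schema.
SAMPLE_ERROR_ROW = {
    "lhub_ts": "null",
    "exit_code": "0",          # exit_code is "0" even though the lookup failed
    "result": json.dumps({
        "error": {
            "error": {"code": 403,
                      "message": "The credentials you entered do not match an active account."},
            "resources": {"support": "http://www.domaintools.com/support/"},
        },
        "has_error": True,
    }),
    "stdout": "", "stderr": "",
    "domainname": "example.com",
}

SAMPLE_OK_ROW = {
    "lhub_ts": "null",
    "exit_code": "0",
    "result": json.dumps({"has_error": False, "error": None,
                          "response": {"registrant": "Example Registrant"}}),
    "stdout": "", "stderr": "",
    "domainname": "example.com",
}

# HTTP codes that mean the connection's API Username / API Key need attention,
# so retrying the action will not help.
CREDENTIAL_ERROR_CODES = {401, 403}


def parse_action_output(row):
    """Decode one action output row into {"ok": bool, ...}.

    Accepts either the row dict or its JSON text. On success returns the
    decoded payload minus the has_error/error envelope keys under "data";
    on failure returns "error_code" and "error_message".
    """
    if isinstance(row, str):
        row = json.loads(row)
    result = row.get("result")
    if isinstance(result, str):
        # Second decode: the payload is stored as a JSON string inside the row.
        try:
            result = json.loads(result)
        except json.JSONDecodeError:
            return {"ok": False, "error_code": None,
                    "error_message": "result is not valid JSON"}
    if not isinstance(result, dict):
        return {"ok": False, "error_code": None, "error_message": "missing result"}

    if result.get("has_error"):
        err = result.get("error")
        # DomainTools nests the detail: {"error": {"code": ..., "message": ...}, "resources": {...}}
        inner = err.get("error", {}) if isinstance(err, dict) else {}
        if inner:
            return {"ok": False, "error_code": inner.get("code"),
                    "error_message": inner.get("message")}
        return {"ok": False, "error_code": None,
                "error_message": err if isinstance(err, str) else "unknown error"}

    data = {k: v for k, v in result.items() if k not in ("has_error", "error")}
    return {"ok": True, "data": data}


def is_credential_error(parsed):
    """True when the failure is an authentication problem with the connection."""
    return (not parsed["ok"]) and parsed.get("error_code") in CREDENTIAL_ERROR_CODES


if __name__ == "__main__":
    for row in (SAMPLE_ERROR_ROW, SAMPLE_OK_ROW):
        parsed = parse_action_output(row)
        print(row["domainname"], parsed, "credential error" if is_credential_error(parsed) else "")
```

In a playbook, route rows where is_credential_error is true to an alert on the connection itself rather than retrying them; only rows with "ok" true should feed the downstream enrichment columns.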

Domain Reputation

Provides risk scores based on a domain's proximity to known-bad domains.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Domain Name: Select column containing domain.
  • Include Reasons (Optional): Select True/False (default is False).
  • Result Format (Optional): Select result format JSON/HTML/XML (default is JSON format).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's reputation.

Domain Risk Score

Provides risk scores and threat predictions based on DomainTools Proximity and Threat Profile algorithms.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Domain Name: Select column containing domain.
  • Risk Evidence (Optional): Return Risk Score with Evidence (default is 'Without Evidence').
  • Result Format (Optional): Select result format JSON/HTML/XML (default is JSON format).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's risk score.

Domain Hosting History

Provides the registrar, IP, and name server history for a domain name.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Domain Name: Select column containing domain.
  • Result Format (Optional): Select result format JSON/HTML/XML (default is JSON format).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's hosting history.

Domain Search

Searches active and deleted domain names that match a query string.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Query String: Enter Jinja templated Query string to search domains. Example: {{domain_column}}1.com
  • Exclude Query (Optional): Terms to exclude from matching; each term must be at least three characters long. Use spaces to separate multiple terms.
  • Max Length (Optional): Limit the maximum domain character count (default is 25 characters).
  • Min Length (Optional): Limit the minimum domain character count (default is 2 characters).
  • Has Hyphen (Optional): Select option (True/False) to include domains that contain hyphens in the results (default is True).
  • Has Numbers (Optional): Select option (True/False) to include domains that contain numbers in the results (default is True).
  • Active Only (Optional): Select option (True/False) to return only domains currently registered (default is False).
  • Deleted Only (Optional): Select option (True/False) to return only domains previously registered but not currently registered (default is False).
  • Anchor Left (Optional): Select option (True/False) to return only domains that start with the query term (default is False).
  • Anchor Right (Optional): Select option (True/False) to return only domains that end with the query term (default is False).
  • Max Results (Optional): Set the maximum number of results to retrieve from the server (default is 100 results).

Output of Action
Multiple rows of result JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing details on matching domains.
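The filter options above are easier to reason about when applied to a handful of concrete names. The Python below is an added example that applies the documented semantics of each option (Exclude Query, Min/Max Length, Has Hyphen, Has Numbers, Active Only, Deleted Only, Anchor Left, Anchor Right) to a constructed candidate list; it is not DomainTools' search implementation and the server may differ in details. Two assumptions are made: the query term and the length limits apply to the domain label before the first dot, and the registration status of each candidate is supplied alongside its name.

```python
# Constructed candidates with an assumed registration status
# (True = currently registered, False = previously registered and now deleted).
CANDIDATES = [
    {"domain": "example.com", "active": True},
    {"domain": "example1.com", "active": True},
    {"domain": "my-example.net", "active": False},
    {"domain": "exampleshop.org", "active": True},
    {"domain": "badexample-login.com", "active": True},
]


def matches_search_options(domain, is_active, query, exclude="", max_length=25,
                           min_length=2, has_hyphen=True, has_numbers=True,
                           active_only=False, deleted_only=False,
                           anchor_left=False, anchor_right=False):
    """Return True if `domain` passes every Domain Search option as documented.

    Assumption: the query term and length limits are matched against the
    label before the first dot. Defaults mirror the documented defaults.
    """
    label = domain.lower().split(".", 1)[0]
    term = query.lower()

    # Anchor Left / Anchor Right restrict where the query term may appear.
    if anchor_left and not label.startswith(term):
        return False
    if anchor_right and not label.endswith(term):
        return False
    if term not in label:
        return False

    # Exclude Query: space-separated terms, each at least three characters.
    for excluded in exclude.split():
        if len(excluded) < 3:
            raise ValueError(f"exclude term {excluded!r} is shorter than three characters")
        if excluded.lower() in label:
            return False

    # Min Length / Max Length bound the label's character count.
    if not (min_length <= len(label) <= max_length):
        return False

    # Has Hyphen / Has Numbers: False removes domains that contain them.
    if not has_hyphen and "-" in label:
        return False
    if not has_numbers and any(ch.isdigit() for ch in label):
        return False

    # Active Only / Deleted Only narrow by registration status.
    if active_only and not is_active:
        return False
    if deleted_only and is_active:
        return False
    return True


def search(candidates, query, **options):
    """Apply the option filter over a candidate list; returns matching names in order."""
    return [c["domain"] for c in candidates
            if matches_search_options(c["domain"], c["active"], query, **options)]


if __name__ == "__main__":
    print("defaults      :", search(CANDIDATES, "example"))
    print("no hyphens    :", search(CANDIDATES, "example", has_hyphen=False))
    print("anchor left   :", search(CANDIDATES, "example", anchor_left=True))
    print("deleted only  :", search(CANDIDATES, "example", deleted_only=True))
    print("exclude terms :", search(CANDIDATES, "example", exclude="login shop"))
```

Running the block with the defaults returns all five candidates; tightening one option at a time shows which names each option removes, which is a quick way to sanity-check a playbook's Domain Search settings before pointing them at a large column of domains.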

Iris Enrich

Enrich proxy and DNS logs at scale across an organization. Enrich at least 6,000 domains per minute with multiple attributes, including Domain risk scores from proximity and threat profile algorithms, and Whois, IP, active DNS, website & SSL data.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Domain Name: Select column containing domain.

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing various details such as Whois, IP, and active DNS.

Whois Lookup

Get Whois records for domain names and IP addresses.

Inputs to this Action

  • Connection: Choose a connection that you have created.
  • Domain Name/IP: Select column containing domain/IP.
  • Parsed Response (Optional): Select option (True/False) to specify whether to parse the raw response (default is True).
  • Result Format (Optional): Select result format JSON/HTML/XML (default is JSON format).

Output of Action
JSON containing the following items:

  • has_error: True/False
  • error: message/null
  • other keys containing Whois information.
