DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment. It is a part of the Datacenter Group (DCL Group SA). DomainTools data helps security analysts investigate malicious activity on their networks. Using IOCs (Indicators of Compromise), including domains and IPs, analysts can build a map of connected infrastructure. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

Connect DomainTools with LogicHub

Navigate to Automations > Integrations.
Search for DomainTools.
Click Details, then the + icon. Enter the required information in the following fields.
- Label: Enter a connection name.
- Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com where, hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
- Verify SSL: Select option to verify connecting server's SSL certificate (Default is Verify SSL Certificate).
- Remote Agent: Run this integration using the LogicHub Remote Agent.
- API Username: Your DomainTools API Username.
- API Key: Your DomainTools API Key.
After you've entered all the details, click Connect.

Actions for DomainTools

Account Information

Get a snapshot of API product usage for connected accounts. Usage is broken down by day and by month.

Input Field

Choose a connection that you have previously created to complete the connection.

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing usage details of different DomainTools products.

{
   "has_error":true,
   "error":{
      "error":{
         "code":403,
         "message":"The credentials you entered do not match an active account."
      },
      "resources":{
         "support":"http://www.domaintools.com/support/"
      }
   }
}

Domain Profile

Returns basic registrant, server, and registration data for a domain name, plus preview data for other products.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required
Domain Name	Select column containing domain.	Required
Result Format	Select result format JSON/HTML/XML. (Default is JSON format).	Required

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing details on the corresponding domain's profile.

{
   "lhub_ts":"null",
   "exit_code":"0",
   "result":"{\"error\": {\"error\": {\"code\": 403, \"message\": \"The credentials you entered do not match an active account.\"}, \"resources\": {\"support\": \"http://www.domaintools.com/support/\"}}, \"has_error\": true}",
   "stdout":"",
   "stderr":"",
   "domainname":"example.com",
   "IP address":"10.2.3.4",
   "email":"[email protected]",
   "username":"user1",
   "Extension ID":"1234",
   "machinename":"pc2",
   "columname":"Col A"
}

Domain Reputation

Provides risk scores based on a domain's proximity to known-bad domains.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required
Domain Name	Select column containing domain.	Required
Include Reasons	Select True/False (default is False).	Optional
Result Format	Select result format JSON/HTML/XML (default is JSON format).	Optional

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing details on the corresponding domain's reputation.

Domain Risk Score

Provides risk scores and threat predictions based on DomainTools Proximity and Threat Profile algorithms.

Input Field

Input Name	Description	Required
Domain Name	Select column containing domain.	Required
Risk Evidence	Return Risk Score with Evidence (default is 'Without Evidence').	Optional
Result Format	Select result format JSON/HTML/XML (default is JSON format).	Optional

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing details on the corresponding domain's risk score.

Domain Hosting History

Provides the registrar, IP, and name server history for a domain name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required
Domain Name	Select column containing domain.	Required
Result Format	Select result format JSON/HTML/XML (default is JSON format).	Optional

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing details on the corresponding domain's hosting history.

Domain Search

Searches active and deleted domain names that match a query string.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required
Query String	Enter Jinja templated Query string to search domains. Example: {{domain_column}}1.com.	Required
Exclude Query	Terms to exclude from matching - each term in the query string must be at least three characters long. Use spaces to separate multiple terms.	Optional
Max Length	Limit the maximum domain character count (default is 25 characters).	Optional
Min Length	Limit the minimum domain character count (default is 2 characters).	Optional
Has Hyphen	Select option (True/False) to include results that have hyphens also in the domain name (default is True).	Optional
Has Numbers	Select option (True/False) to include results that have numbers also in the domain name (default is True).	Optional
Active Only	Select option (True/False) to return only domains currently registered (default is False).	Optional
Deleted Only	Select option (True/False) to return only domains previously registered but not currently registered (default is False).	Optional
Anchor Left	Select option (True/False) to return only domains that start with the query term (default is False).	Optional
Anchor Right	Select option (True/False) to return only domains that end with the query term (default is False).	Optional
Max Results	Set the maximum number of results to retrieve from the server (default is 100 results).	Optional

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing details on matching domains.

Iris Enrich

Enrich proxy and DNS logs at scale across an organization. Enrich at least 6,000 domains per minute with multiple attributes, including Domain risk scores from proximity and threat profile algorithms, and Whois, IP, active DNS, website & SSL data.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required
Domain Name	Select column containing domain.	Required

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing various details such as Whois, IP, and active DNS.

Whois Lookup

Get Whois records for domain names and IP addresses.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the connection.

Input Name	Description	Required
Domain Name/IP	Select column containing domain/IP.
Parsed Response	Select option (True/False) to specify whether to parse the raw response (default is True).	Optional
Result Format	Select result format JSON/HTML/XML (default is JSON format).	Optional

Output

A JSON object containing multiple rows of result:

has_error: True/False
error: message/null
other keys containing Whois information.

Release Notes

v2.0.0 - Updated architecture to support IO via filesystem