DomainTools

Version: 2.0.0

DomainTools is a leading provider of Whois and other DNS profile data for threat intelligence enrichment. It is a part of the Datacenter Group (DCL Group SA). DomainTools data helps security analysts investigate malicious activity on their networks. Using IOCs (Indicators of Compromise), including domains and IPs, analysts can build a map of connected infrastructure. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

Connect DomainTools with LogicHub

  1. Navigate to Automations > Integrations.
  2. Search for DomainTools.
  3. Click Details, then the + icon. Enter the required information in the following fields.
    • Label: Enter a connection name.
    • Reference Values: Define variables here to templatize integration connections and actions. For example, you can use https://www.{{hostname}}.com, where hostname is a variable defined in this input. For more information on how to add data, see 'Add Data' Input Type for Integrations.
    • Verify SSL: Select this option to verify the connecting server's SSL certificate (default is Verify SSL Certificate).
    • Remote Agent: Run this integration using the LogicHub Remote Agent.
    • API Username: Your DomainTools API Username.
    • API Key: Your DomainTools API Key.
  4. After you've entered all the details, click Connect.

Actions for DomainTools

Account Information

Get a snapshot of API product usage for connected accounts. Usage is broken down by day and by month.

Input Field

Choose a connection that you have previously created to run the action.

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing usage details of different DomainTools products.

{
   "has_error":true,
   "error":{
      "error":{
         "code":403,
         "message":"The credentials you entered do not match an active account."
      },
      "resources":{
         "support":"http://www.domaintools.com/support/"
      }
   }
}

Domain Profile

Returns basic registrant, server, and registration data for a domain name, plus preview data for other products.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

  • Domain Name: Select the column containing the domain. (Required)
  • Result Format: Select the result format: JSON, HTML, or XML (default is JSON). (Required)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's profile.
{
   "lhub_ts":"null",
   "exit_code":"0",
   "result":"{\"error\": {\"error\": {\"code\": 403, \"message\": \"The credentials you entered do not match an active account.\"}, \"resources\": {\"support\": \"http://www.domaintools.com/support/\"}}, \"has_error\": true}",
   "stdout":"",
   "stderr":"",
   "domainname":"example.com",
   "IP address":"10.2.3.4",
   "email":"[email protected]",
   "username":"user1",
   "Extension ID":"1234",
   "machinename":"pc2",
   "columname":"Col A"
}
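The two output samples above (Account Information and Domain Profile) show that an action's result can arrive in two shapes: the DomainTools payload itself, or a LogicHub row whose result field holds that payload as a JSON-encoded string. The following is an added example, not code from the page or from LogicHub or DomainTools, of a small normalizer that decodes either shape, pulls out has_error and the nested error code/message, and flags the 403 credential failure shown on the page. The sample rows are constructed from the page's samples; the success row and its response/registrant keys are assumed, not a documented schema.

```python
import json
from typing import Any, Dict, Optional, Tuple

# Constructed sample, shape A: the action returns the DomainTools payload directly
# (mirrors the Account Information error sample on the page).
SAMPLE_DIRECT_ERROR: Dict[str, Any] = {
    "has_error": True,
    "error": {
        "error": {"code": 403, "message": "The credentials you entered do not match an active account."},
        "resources": {"support": "http://www.domaintools.com/support/"},
    },
}

# Constructed sample, shape B: a LogicHub row whose "result" is a JSON string
# (mirrors the Domain Profile sample on the page).
SAMPLE_WRAPPED_ERROR: Dict[str, Any] = {
    "lhub_ts": "null",
    "exit_code": "0",
    "result": json.dumps({
        "error": {
            "error": {"code": 403, "message": "The credentials you entered do not match an active account."},
            "resources": {"support": "http://www.domaintools.com/support/"},
        },
        "has_error": True,
    }),
    "stdout": "",
    "stderr": "",
    "domainname": "example.com",
}

# Constructed success row; the "response"/"registrant" keys are assumed for illustration.
SAMPLE_WRAPPED_OK: Dict[str, Any] = {
    "exit_code": "0",
    "result": json.dumps({"has_error": False, "error": None, "response": {"registrant": "Example Registrant"}}),
    "domainname": "example.com",
}


def _synthetic_error(message: str) -> Dict[str, Any]:
    """Build a payload in the page's nested error shape for local parsing failures."""
    return {"has_error": True, "error": {"error": {"code": None, "message": message}}}


def unwrap_payload(row: Dict[str, Any]) -> Dict[str, Any]:
    """Return the DomainTools payload from either output shape.

    A "result" key holding a JSON string is decoded; a dict is used as-is;
    otherwise the row itself is treated as the payload.
    """
    result = row.get("result")
    if isinstance(result, str):
        try:
            decoded = json.loads(result)
        except json.JSONDecodeError as exc:
            return _synthetic_error(f"unparseable result field: {exc}")
        return decoded if isinstance(decoded, dict) else _synthetic_error("result is not a JSON object")
    if isinstance(result, dict):
        return result
    return row


def extract_error(payload: Dict[str, Any]) -> Tuple[Optional[int], Optional[str]]:
    """Return (code, message) for an error payload, or (None, None) when has_error is not set."""
    if not payload.get("has_error"):
        return None, None
    err = payload.get("error")
    if isinstance(err, dict):
        # Nested form from the page: {"error": {"error": {"code": ..., "message": ...}, "resources": {...}}}
        inner = err.get("error", err)
        if isinstance(inner, dict):
            return inner.get("code"), inner.get("message")
        return None, str(inner)
    # Flat form: "error": "message" (the page lists error as message/null)
    return (None, None) if err is None else (None, str(err))


def normalize_row(row: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten one action output row into a fixed, playbook-friendly record."""
    payload = unwrap_payload(row)
    code, message = extract_error(payload)
    ok = not payload.get("has_error", False)
    # Keep the product-specific keys only on success; error rows carry no usable data.
    data = {k: v for k, v in payload.items() if k not in ("has_error", "error")} if ok else {}
    return {
        "domain": row.get("domainname"),
        "ok": ok,
        "error_code": code,
        "error_message": message,
        "auth_failure": code == 403,  # the credential error shown in both page samples
        "data": data,
    }
```

Treating auth_failure separately from other errors lets a playbook stop the whole batch on a bad key instead of retrying every row, and the synthetic error path means a truncated or non-JSON result field never raises mid-run.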

Domain Reputation

Provides risk scores based on a domain's proximity to known-bad domains.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

  • Domain Name: Select the column containing the domain. (Required)
  • Include Reasons: Select True/False (default is False). (Optional)
  • Result Format: Select the result format: JSON, HTML, or XML (default is JSON). (Optional)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's reputation.

Domain Risk Score

Provides risk scores and threat predictions based on DomainTools Proximity and Threat Profile algorithms.

Input Field

  • Domain Name: Select the column containing the domain. (Required)
  • Risk Evidence: Return the risk score with evidence (default is 'Without Evidence'). (Optional)
  • Result Format: Select the result format: JSON, HTML, or XML (default is JSON). (Optional)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's risk score.

Domain Hosting History

Provides the registrar, IP, and name server history for a domain name.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

  • Domain Name: Select the column containing the domain. (Required)
  • Result Format: Select the result format: JSON, HTML, or XML (default is JSON). (Optional)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing details on the corresponding domain's hosting history.

Domain Search

Searches active and deleted domain names that match a query string.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

  • Query String: Enter a Jinja-templated query string to search domains. Example: {{domain_column}}1.com. (Required)
  • Exclude Query: Terms to exclude from matching; each term in the query string must be at least three characters long. Use spaces to separate multiple terms. (Optional)
  • Max Length: Limit the maximum domain character count (default is 25 characters). (Optional)
  • Min Length: Limit the minimum domain character count (default is 2 characters). (Optional)
  • Has Hyphen: Select True/False to include results whose domain name contains hyphens (default is True). (Optional)
  • Has Numbers: Select True/False to include results whose domain name contains numbers (default is True). (Optional)
  • Active Only: Select True/False to return only domains that are currently registered (default is False). (Optional)
  • Deleted Only: Select True/False to return only domains that were previously registered but are not currently registered (default is False). (Optional)
  • Anchor Left: Select True/False to return only domains that start with the query term (default is False). (Optional)
  • Anchor Right: Select True/False to return only domains that end with the query term (default is False). (Optional)
  • Max Results: Set the maximum number of results to retrieve from the server (default is 100 results). (Optional)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing details on matching domains.

Iris Enrich

Enrich proxy and DNS logs at scale across an organization. Enrich at least 6,000 domains per minute with multiple attributes, including domain risk scores from the Proximity and Threat Profile algorithms, plus Whois, IP, active DNS, website, and SSL data.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

  • Domain Name: Select the column containing the domain. (Required)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing various details such as Whois, IP, and active DNS.

Whois Lookup

Get Whois records for domain names and IP addresses.

Input Field

Choose a connection that you have previously created and then fill in the necessary information in the following input fields to complete the action.

  • Domain Name/IP: Select the column containing the domain or IP.
  • Parsed Response: Select True/False to specify whether to parse the raw response (default is True). (Optional)
  • Result Format: Select the result format: JSON, HTML, or XML (default is JSON). (Optional)

Output

A JSON object containing multiple rows of results:

  • has_error: True/False
  • error: message/null
  • other keys containing Whois information.

Release Notes

  • v2.0.0 - Updated architecture to support IO via filesystem

© Devo Technology Inc. All Rights Reserved.