PARTNER INTEGRATION

DomainTools

Visit their site

DomainTools offers the most comprehensive searchable database of domain name registration, Whois records and hosting data for online investigations and research.   Cyber security analysts, fraud investigators, domain professionals and marketers use DomainTools to investigate cybercrime, protect their assets and monitor online activity. DomainTools has 12 years of history on domain name ownership, Whois records, hosting data, screenshots and other DNS records.  That’s why customers say, “Every online investigation starts with DomainTools.” DomainTools customers include many Fortune 1000 companies, leading vendors in the Security and Threat Intelligence community and most crime-fighting government agencies.

Integrated Dataminr Products
Agentic Threat Intelligence Platform
Investigation Insights

DomainTools Iris Investigate

By combining the data enrichment and domain monitoring power of DomainTools Iris Investigate with the automation capabilities of Dataminr Playbooks, you can now prioritize and mitigate threats more efficiently. Here is what you can do with this powerful integration:

  • Retrieve Risk Scores, ThreatProfile, Evidence, and Domain Profile intelligence from Iris. These diverse datasets serve as decision factors for scoring domain indicators or taking further actions inside Dataminr.
  • Auto-pivot to expand threat investigation out to additional levels by quickly discovering potentially malicious infrastructure connected to a domain
  • Perform auto-enrichment of domain artifacts that are part of alerts or incidents with Domain intelligence dataset by submitting single or multiple domains at once. The integration provides all of the information from  DomainTools Iris as output variables inside of Dataminr platform, which can be used for making decisions in automated processes.
  • Perform a Reverse Search on one or more search fields, such as IP address, SSL hash, email, or more, and the integration will return Domain Profile information for any domain name with a record that matches the search.
  • Build automated processes between analyst work in the Iris UI by monitoring for Search Hash results or matching Tags. Users can begin their investigation in the Iris UI and automatically bring the results into Dataminr for further correlation and analysis.

The following actions are available:

  • Get Single Domain Profile: Get all the information available in DomainTools Iris for a single domain
  • Get Multiple Domain Profiles: Get all the information available in DomainTools Iris for multiple domains. Only a small set of the results are parsed as output variables. This action can be used in conjunction with the Parse Results action inside an iterator to leverage the full result set.
  • Search & Pivot: Instead of a domain name, provide one or more search fields, such as IP address, SSL hash, email, or more, and Iris will return any domain name with a record that matches those parameters. This enables “reverse” searching on one or more fields with a single API endpoint.
  • Get Search Hash Results: Monitor the results of a user’s Iris query over time.
  • Parse Domain Profile Results: Use this Action inside an Iterator to parse the “response.results” StringArray into detailed output variables. This action is meant to be used to further process the results from the Get Multiple Domain Profiles, Search & Pivot, or Get Search Hash Results actions.

This listing can be found in the Dataminr App Catalog under the name DomainTools Iris Investigate.

DomainTools IRIS with Investigation Insights

The Investigation Insights – DomainTools Iris integration provides analysts with quick access to the vast risk information from the Iris platform. Enabling analysts to understand the depth and breadth of different domains and IP addresses. By providing information such as name servers, registration details, contact information etc. Also providing pivots out to the Iris platform whenever there are associated counts that are greater than a certain number which correlates to your company’s risk profile.

Examples

DomainTools Iris Data Overview

  • Summary Tags: Analysts can get an understanding of how DomainTools views the risk of a domain or IP and why it is scored the way it is. For example, here the risk score is 28 because of the proximity it has to other risky domains/IPs.
  • SSL/IP/MX Information: Get a complete picture of the SSL hash and subjects, IP details such as asn, and even the MX host and domain.
  • Name Servers: See all related information on name servers that are associated with the domains/IPs.
  • Registration and Contact Information: Not only can analysts get the risk and scope of the domain/IP when necessary there is also information on when it was registered and by who to see if the person is potentially doing malicious things.

Links to pivot out to DomainTools Iris, will be dependent on the number of associated records. For example if the integration is set to 500 records for a given value if there are 550 associated records with a person’s name who has registered the domain then a link will appear for that domain to pivot to Iris for more in-depth analysis.

Farsight DNSDB with Investigation Insights

The Investigation Insights – Farsight DNSDB quickly searches Farsight’s passive DNS dataset to enable analysts to have a history of what has occurred with an IP and a domain. Allowing them to have insights into the indicators to determine if there is some nefarious occurring.

IP Lookup Example
Domain Lookup Example

Farsight Security DNSDB for Playbooks

Farsight DNSDB Enrichment Playbook App enables Dataminr Platform users to perform On-Demand Enrichment of Passive DNS using the Farsight DNSDB Enrichment source. Farsight playbooks enable users to specify a time window and:

  • Co-located Host/Address Based on Point-in-Time generates a set of domains that also shared the same IP address as the originating domain name.
  • Historical Address Lookup identifies all Addresses used as DNS A records for a given Host.
  • Historical Host Lookup identifies all hosts that resolved to a given address.

Related Resources

DomainTools Iris Playbooks

The “DomainTools Iris – Auto-Pivot Host > Address > Hosts” Playbook begins with a User Action trigger on a Host indicator and auto-pivots on Reverse Whois where there are < X domains hosted by the IP Address. It is highly recommended that the $domaintools.auto_pivot.domain.limit variable be set to < 500, however, < 10 is a good place to begin if there isn’t currently an auto-pivot process in place. Once the auto-pivot takes place, the Playbook will add the IP and Host Indicators to the Incident along with DomainTools enrichment data in Dataminr.

The “DomainTools Iris – Host Enrichment” playbook begins with a User Action trigger on a Host Indicator. It requests the Domain Profile from DomainTools Iris and parses the results. It then adds an Attribute and Tags with the enrichment results from DomainTools.

These Playbook templates can be found in the Dataminr app catalog under the names: DomainTools Iris – Auto-Pivot Host > Address > Hosts and DomainTools Iris – Host Enrichment

DomainTools Iris Search Hash Monitoring Playbook

This playbook not only provides DomainTools Iris enrichment, but can also be utilized to monitor specific Iris Search hashes to provide continuous updates. This playbook coupled Dataminr’s versatile dashboards provides analysts with the most up to date information automatically.

This playbook takes an Iris search hash signature object and extracts all domains from that query. Then each domains is enriched with DomainTools meta data and created as host indicators inside the TC platform. A threat rating and confidence level is also set on the Host Indicator depending on the DomainTools Overall Risk score.

Looking for Integration Not Shown

Contact Us