DomainTools Iris

Together, DomainTools and Cortex XSOAR automate and orchestrate the incident response process with essential domain profile, web crawl, SSL and infrastructure data. SOCs can create custom, automated workflows to trigger Indicator of Compromise (IoC) investigations, block threats based on connected infrastructure, and identify potentially malicious domains before weaponization. The DomainTools App for Cortex XSOAR is shipped with pre-built playbooks to enable automated enrichment, decision logic, ad-hoc investigations, and the ability to persist enriched intelligence.

Data Enrichment & Threat Intelligence · DomainTools Iris Investigate

Configuration parameters

  • credentials — API Username
  • username — API Username
  • apikey — API Key
  • risk_threshold — High-Risk Threshold (required)
  • young_domain_timeframe — Young Domain Timeframe (within Days) (required)
  • insecure — Trust any certificate (not secure)
  • proxy — Use system proxy settings
  • domain_result_type — Domain Result Type
  • domain_enrichment_method — Domain Enrichment Method (DomainTools)
  • domain_auto_enrich — Domain Auto-Enrich on Ingestion
  • integrationReliability — Source Reliability
  • feedExpirationPolicy
  • feedExpirationInterval
  • pivot_threshold — Guided Pivot Threshold (required)
  • monitor_iris_search_hash — Enabled on Monitoring Domains by Iris Search Hash
  • domaintools_iris_search_hash — Domaintools Iris Investigate Search Hash
  • monitor_iris_tags — Enabled on Monitoring Domains by Iris Tags
  • domaintools_iris_tags — Domaintools Iris Tags
  • max_fetch — Maximum number of incidents to fetch
  • incidentType — Incident type
  • isFetch — Fetch incidents
  • first_fetch — First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days)

Commands (13)

  • domain

    Provides data enrichment for domains.

  • domainRdap

    Returns the most recent Domain-RDAP registration record.

  • domaintools-hosting-history

    Hosting History will list IP address, name server and registrar history.

  • domaintools-reverse-whois

    The DomainTools Reverse Whois API provides a list of domain names that share the same Registrant Information. You can enter terms that describe a domain owner, like an email address or a company name, and you’ll get a list of domain names that have your search terms listed in the Whois record.

  • domaintools-whois

    The DomainTools Parsed Whois API provides parsed information extracted from the raw Whois record. The API is optimized to quickly retrieve the Whois record, group important data together and return a well-structured format. The Parsed Whois API is ideal for anyone wishing to search for, index, or cross-reference data from one or multiple Whois records.

  • domaintools-whois-history

    The DomainTools Whois History API endpoint returns up to 100 historical Whois records associated with a domain name.

  • domaintoolsiris-analytics

    Displays DomainTools Analytic data in a markdown format table.

  • domaintoolsiris-enrich

    Returns a complete profile of the domain (SLD.TLD) using Iris Enrich. If parsing of URLs or FQDNs is desired, see domainExtractAndEnrich.

  • domaintoolsiris-investigate

    Returns a complete profile of the domain (SLD.TLD) using Iris Investigate. If parsing of FQDNs is desired, see domainExtractAndInvestigate.

  • domaintoolsiris-pivot

    Pivot on connected infrastructure (IP, email, SSL), or import domains from Iris Investigate using a search hash. Retrieves up to 5000 domains at a time. Optionally exclude results from context with include_context=false.

  • domaintoolsiris-threat-profile

    Displays DomainTools Threat Profile data in a markdown format table.

  • reverseIP

    Reverse loopkup of an IP address or a domain.

  • reverseNameServer

    Reverse nameserver lookup.