DomainTools helps security analysts turn threat data into threat intelligence. It takes indicators from a network, such as domain names and IP addresses, and connects them with nearly every active domain on the Internet. These connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.
This document provides information about the DomainTools connector, which facilitates automated interactions with a DomainTools server using FortiSOAR™ playbooks. Add the DomainTools connector as a step in FortiSOAR™ playbooks to perform automated operations, such as getting the reputation of a domain, getting the historic WhoIs records for a domain name, and searching for domain names that contain a word.
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with DomainTools Versions: 0.1.7 and later
The following enhancements have been made to the DomainTools connector in version 1.0.1:
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the DomainTools connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Server URL | URL of the DomainTools server to which you will connect and perform the automated operations. |
Username | API username that is configured for your account to access the DomainTools server. |
API Key | API key that is configured for your account to access the DomainTools server. |
The following automated operations can be included in playbooks; from FortiSOAR™ release 4.10.0 onwards, you can also use the annotations to access these operations:
Function | Description | Annotation and Category |
---|---|---|
Get Domain Reputation | Retrieves the reputation, i.e. the risk score, for the domain you have specified from the DomainTools server. | domain_reputation Investigation |
Get Reverse Domain Details | Retrieves a list of domain names from the DomainTools server that share the same IP address as the domain name you have specified. | reverse_domain Investigation |
Get Reverse IP Details | Retrieves a list of domain names from the DomainTools server that share the IP address you have specified. | reverse_ip Investigation |
Get Reverse Email Details | Retrieves a list of domain names from the DomainTools server that have the email ID you have specified listed in their WhoIs records. | reverse_email Investigation |
Get Hosting History Details | Retrieves a list of changes from the DomainTools server that have occurred for the domain you have specified. | hosting_history Investigation |
Get Whois History Details | Retrieves a list of historic WhoIs records for the domain you have specified from WhoIs. | whois_history Investigation |
Get Whois IP Details | Executes a WhoIs lookup on the IP address you have specified and retrieves the ownership record, containing basic registration details, from WhoIs for that IP address. | whois_ip Investigation |
Get Whois Domain Details | Executes a WhoIs lookup on the domain name you have specified and retrieves the ownership record, containing basic registration details, from WhoIs for that domain name. | whois_domain Investigation |
Get Recent Domains | Searches the DomainTools server for new domains that contain the terms or string you have specified in the query parameter. This operation retrieves sets of domain names that match your query parameter. | recent_domains Investigation |
Input parameters for Get Domain Reputation:
Parameter | Description |
---|---|
Domain Name | Name of the domain for which you want to get the reputation from the DomainTools server. |
The JSON output contains the risk score obtained from the DomainTools server for the domain that you have specified.
The following image displays a sample output:
Input parameters for Get Reverse Domain Details:
Parameter | Description |
---|---|
Domain Name | Name of the domain whose IP address is used to look up the other domain names sharing that IP address on the DomainTools server. |
The JSON output contains a list of domain names retrieved from the DomainTools server that share the same IP address as the specified domain name.
The following image displays a sample output:
Input parameters for Get Reverse IP Details:
Parameter | Description |
---|---|
IP Address | IP address for which you want to retrieve the domain names sharing it from the DomainTools server. |
The JSON output contains a list of the domain names retrieved from the DomainTools server that share the specified IP address.
The following image displays a sample output:
Input parameters for Get Reverse Email Details:
Parameter | Description |
---|---|
Email ID | Email ID (term) that identifies the domain owner, for which you want to retrieve the associated domain names from the DomainTools server. |
The JSON output contains the list of domain names retrieved from the DomainTools server that have the specified email ID listed in their WhoIs records.
The following image displays a sample output:
Input parameters for Get Hosting History Details:
Parameter | Description |
---|---|
Domain Name | Name of the domain for which you want to get the hosting history from the DomainTools server. |
The JSON output contains a list of changes, i.e. a list of historic WhoIs records, retrieved from the DomainTools server, that have occurred for the specified domain. Changes include updates to the registrar of the domain and updates to the IP address and name servers of the domain. IP address and name server events include the value before and after the change and indicate the type of action that triggered the event.
The following image displays a sample output:
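The Get Domain Reputation output (risk score) and the Get Hosting History output (IP and name-server events with their before and after values) are the two results a playbook most often has to act on. The following is an added example, not code from the connector or from DomainTools, of a triage step that reads both: it escalates on a high risk score and flags domains whose hosting moved recently. The sample outputs, their field names, the 70-point threshold and the 30-day window are all assumptions constructed for the example.

```python
from datetime import date, timedelta

RISK_THRESHOLD = 70   # assumed playbook policy; not a DomainTools-defined value
RECENT_DAYS = 30      # assumed window for treating an infrastructure change as recent

# Constructed sample outputs shaped after the page's description of the
# Get Domain Reputation and Get Hosting History results. Field names are
# assumptions for this example, not the connector's documented schema.
REPUTATION_OUTPUT = {"response": {"domain": "example.test", "risk_score": 84}}
HOSTING_HISTORY_OUTPUT = {"response": {
    "domain": "example.test",
    "ip_history": [
        {"actiondate": "2024-05-02", "action": "T",
         "pre_ip": "192.0.2.10", "post_ip": "198.51.100.7"},
    ],
    "nameserver_history": [
        {"actiondate": "2023-11-20", "action": "T",
         "pre_mns": "ns1.old.test", "post_mns": "ns1.new.test"},
    ],
}}

def risk_score(reputation_output):
    """Return the integer risk score from a Get Domain Reputation result."""
    return int(reputation_output["response"]["risk_score"])

def recent_changes(hosting_output, today, window_days=RECENT_DAYS):
    """List (kind, date, before, after) for IP and name-server changes that
    happened within window_days of today (an ISO date string)."""
    cutoff = date.fromisoformat(today) - timedelta(days=window_days)
    found = []
    for kind, pre_key, post_key in (("ip", "pre_ip", "post_ip"),
                                    ("nameserver", "pre_mns", "post_mns")):
        for event in hosting_output["response"].get(f"{kind}_history", []):
            when = date.fromisoformat(event["actiondate"])
            before, after = event.get(pre_key), event.get(post_key)
            if when >= cutoff and before != after:
                found.append((kind, event["actiondate"], before, after))
    return found

def triage(reputation_output, hosting_output, today):
    """Playbook decision: escalate on high risk, review on recent
    infrastructure movement, otherwise close."""
    if risk_score(reputation_output) >= RISK_THRESHOLD:
        return "escalate"
    if recent_changes(hosting_output, today):
        return "review"
    return "close"
```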
Input parameters for Get Whois History Details:
Parameter | Description |
---|---|
Domain Name | Name of the domain whose WhoIs history you want to retrieve from WhoIs. |
The JSON output contains a list of historic WhoIs records retrieved from WhoIs for the specified domain name.
The following image displays a sample output:
Input parameters for Get Whois IP Details:
Parameter | Description |
---|---|
IP Address | IP address whose ownership record you want to retrieve from WhoIs. |
The JSON output contains the ownership record, containing basic registration details, retrieved from WhoIs for the specified IP address.
The following image displays a sample output:
Input parameters for Get Whois Domain Details:
Parameter | Description |
---|---|
Domain Name | Name of the domain whose ownership record you want to retrieve from WhoIs. |
The JSON output contains the ownership record, containing basic registration details, retrieved from WhoIs for the specified domain name.
The following image displays a sample output:
Input parameters for Get Recent Domains:
Parameter | Description |
---|---|
Query (Word) | One or more terms, separated by the pipe character (\|), used for the search operation on the DomainTools server. |
Domain Status | (Optional) Scope (new or on-hold) of the domain names to be searched for on the DomainTools server. |
Days Back (1-6) | (Optional) Number of days prior to the current date from which the search operation must start on the DomainTools server. You can set this to any number between 1 and 6. For example, if you set this parameter to 3, the search operation starts 3 days before the current day. |
The JSON output contains sets of domain names, retrieved from the DomainTools server, that contain the terms or string you have specified in the query parameter.
The following image displays a sample output:
The Sample-DomainTools-1.0.1 playbook collection comes bundled with the DomainTools connector. This collection contains playbooks with steps that exercise every supported action. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DomainTools connector.
Note: If you plan to use any of the sample playbooks in your environment, clone those playbooks and move them to a different collection, because the sample playbook collection is deleted when the connector is upgraded or deleted.