Fortinet Document Library

About the connector

DomainTools helps security analysts turn threat data into threat intelligence. It takes indicators from a network, such as domain names and IP addresses, and connects them with nearly every active domain on the Internet. These connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

This document provides information about the DomainTools connector, which facilitates automated interactions with a DomainTools server using FortiSOAR™ playbooks. Add the DomainTools connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting the reputation of a domain, getting the historic WhoIs records for a domain name, and searching for domain names that contain a word.

 

Version information

Connector Version: 1.0.1

Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later

Compatibility with DomainTools Versions: 0.1.7 and later

 

Release Notes for version 1.0.1

The following enhancements have been made to the DomainTools Connector in version 1.0.1:

  • Added annotations to operations.
  • Renamed the configuration parameters.
  • Renamed the operations and playbooks.

 

Installing the connector

For the procedure to install a connector, click here.

 

Prerequisites to configuring the connector

  • You must have the URL, API username and the API key of the DomainTools server to which you will connect and perform the automated operations.
  • To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.

 

Configuring the connector

For the procedure to configure a connector, click here.

 

Configuration parameters

In FortiSOAR™, on the Connectors page, select the DomainTools connector and click Configure to configure the following parameters:

 

Parameter  | Description
Server URL | URL of the DomainTools server to which you will connect and perform the automated operations.
Username   | API username that is configured for your account to access the DomainTools server.
API Key    | API key that is configured for your account to access the DomainTools server.

 

 

Actions supported by the connector

The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:

 

Function | Description | Annotation and Category
Get Domain Reputation | Retrieves the reputation, i.e. the risk score, for the domain you have specified from the DomainTools server. | domain_reputation (Investigation)
Get Reverse Domain Details | Retrieves a list of domain names from the DomainTools server that share the same IP address as the domain name you have specified. | reverse_domain (Investigation)
Get Reverse IP Details | Retrieves a list of domain names from the DomainTools server that share the IP address you have specified. | reverse_ip (Investigation)
Get Reverse Email Details | Retrieves a list of domain names from the DomainTools server that have the email ID you have specified listed in their WhoIs records. | reverse_email (Investigation)
Get Hosting History Details | Retrieves a list of changes from the DomainTools server that have occurred for the domain you have specified. | hosting_history (Investigation)
Get Whois History Details | Retrieves a list of historic WhoIs records from WhoIs for the domain you have specified. | whois_history (Investigation)
Get Whois IP Details | Executes a WhoIs lookup on the IP address you have specified and retrieves the ownership record, containing basic registration details, from WhoIs for that IP address. | whois_ip (Investigation)
Get Whois Domain Details | Executes a WhoIs lookup on the domain name you have specified and retrieves the ownership record, containing basic registration details, from WhoIs for that domain name. | whois_domain (Investigation)
Get Recent Domains | Searches the DomainTools server for new domains that contain the terms or string you have specified in the query parameter. This operation retrieves sets of domain names that match your query parameter. | recent_domains (Investigation)

 

operation: Get Domain Reputation

Input parameters

 

Parameter   | Description
Domain Name | Name of the domain for which you want to get the reputation from the DomainTools server.

 

Output

The JSON output contains the risk score obtained from the DomainTools server for the domain that you have specified.

The following image displays a sample output:

 

Sample output of the Get Domain Reputation operation

 

operation: Get Reverse Domain Details

Input parameters

 

Parameter   | Description
Domain Name | Name of the domain whose IP address is used to find the other domain names that share it on the DomainTools server.

 

Output

The JSON output contains a list of domain names retrieved from the DomainTools server that share the same IP address as the specified domain name.

The following image displays a sample output:

 

Sample output of the Get Reverse Domain Details operation

 

operation: Get Reverse IP Details

Input parameters

 

Parameter  | Description
IP Address | IP address that is shared by multiple domain names, based on which you want to retrieve details from the DomainTools server.

 

Output

The JSON output contains a list of the domain names retrieved from the DomainTools server that share the specified IP address.

The following image displays a sample output:

 

Sample output of the Get Reverse IP Details operation

 

operation: Get Reverse Email Details

Input parameters

 

Parameter | Description
Email     | Email ID (search term) listed for the domain owner in WhoIs records, based on which you want to retrieve details from the DomainTools server.

 

Output

The JSON output contains the list of domain names retrieved from the DomainTools server that have the specified email ID listed in their WhoIs records.

The following image displays a sample output:

 

Sample output of the Get Reverse Email Details operation

 

operation: Get Hosting History Details

Input parameters

 

Parameter   | Description
Domain Name | Name of the domain for which you want to get the hosting history from the DomainTools server.

 

Output

The JSON output contains a list of changes, i.e. a list of historic WhoIs records, retrieved from the DomainTools server, that have occurred for the specified domain. Changes include updates to the registrar of the domain and updates to the IP address and name server of the domain. IP address and name server events include the value before and after the change and indicate the type of action that triggered the event.

The following image displays a sample output:

 

Sample output of the Get Hosting History Details operation

 

operation: Get Whois History Details

Input parameters

 

Parameter   | Description
Domain Name | Name of the domain whose history you want to retrieve from WhoIs.

 

Output

The JSON output contains a list of historic WhoIs records retrieved from WhoIs for the specified domain name.

The following image displays a sample output:

 

Sample output of the Get Whois History Details operation

 

operation: Get Whois IP Details

Input parameters

 

Parameter  | Description
IP Address | IP address whose ownership record you want to retrieve from WhoIs.

 

Output

The JSON output contains the ownership record, containing basic registration details, retrieved from WhoIs for the specified IP address.

The following image displays a sample output:

 

Sample output of the Get Whois IP Details operation

 

operation: Get Whois Domain Details

Input parameters

 

Parameter   | Description
Domain Name | Name of the domain whose ownership record you want to retrieve from WhoIs.

 

Output

The JSON output contains the ownership record, containing basic registration details, retrieved from WhoIs for the specified domain name.

The following image displays a sample output:

 

Sample output of the Get Whois Domain Details operation

 

operation: Get Recent Domains

Input parameters

 

Parameter                  | Description
Query (Word)               | One or more terms, separated by the pipe character (|), used for the search operation on the DomainTools server.
Domain Status (Optional)   | Scope (new or on-hold) of the domain names to be searched for on the DomainTools server.
Days Back (1-6) (Optional) | Number of days prior to the current date from which the search operation must start on the DomainTools server. You can set this to any number from 1 to 6. For example, if you set this parameter to 3, the search operation starts 3 days before the current day.

 

Output

The JSON output contains sets of domain names, retrieved from the DomainTools server, that contain the terms or string that you have specified in the query parameter.
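The following is an added example, not FortiSOAR or DomainTools code, showing how a playbook author might compose the Get Recent Domains inputs (pipe-separated terms, the two status values, and the 1-6 day window described above) and then map each returned domain name back to the term it matched. The key names query, domain_status and days_back and the shape of the result list are assumptions.

```python
# Added example (not FortiSOAR or DomainTools code). Builds the input for the
# Get Recent Domains step and maps returned names back to the terms they hit.
# The key names "query", "domain_status" and "days_back" are assumptions.
from typing import Dict, List, Optional

DOMAIN_STATUS = ("new", "on-hold")   # the two scopes the page names


def build_recent_domains_params(terms: List[str],
                                domain_status: Optional[str] = None,
                                days_back: Optional[int] = None) -> Dict[str, object]:
    """Compose the Query (Word), Domain Status and Days Back (1-6) inputs."""
    cleaned: List[str] = []
    for term in terms:
        term = term.strip().lower()
        if not term:
            continue
        if "|" in term:   # '|' is the separator, so it cannot be part of a term
            raise ValueError(f"term contains the separator: {term!r}")
        if term not in cleaned:   # drop duplicates, keep order
            cleaned.append(term)
    if not cleaned:
        raise ValueError("at least one search term is required")
    params: Dict[str, object] = {"query": "|".join(cleaned)}
    if domain_status is not None:
        if domain_status not in DOMAIN_STATUS:
            raise ValueError(f"domain_status must be one of {DOMAIN_STATUS}")
        params["domain_status"] = domain_status
    if days_back is not None:
        # bool is an int subclass; reject it explicitly
        if isinstance(days_back, bool) or not isinstance(days_back, int) \
                or not 1 <= days_back <= 6:
            raise ValueError("days_back must be an integer from 1 to 6")
        params["days_back"] = days_back
    return params


def match_terms(domains: List[str], query: str) -> Dict[str, List[str]]:
    """Map each returned domain to the query terms it contains (case-insensitive)."""
    terms = [t for t in query.split("|") if t]
    hits: Dict[str, List[str]] = {}
    for domain in domains:
        lowered = domain.lower()
        matched = [t for t in terms if t in lowered]
        if matched:
            hits[domain] = matched
    return hits


if __name__ == "__main__":
    params = build_recent_domains_params(["Acme", " acme ", "acme-bank"], "new", 3)
    # Constructed result list standing in for the operation's JSON output.
    sample = ["acme-login.com", "ACMEBANK-support.io", "unrelated.org"]
    print(params)
    print(match_terms(sample, params["query"]))
```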

The following image displays a sample output:

 

Sample output of the Get Recent Domains operation

 

Included playbooks

The Sample-DomainTools-1.0.1 playbook collection comes bundled with the DomainTools connector. This collection contains playbooks whose steps show how to perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DomainTools connector.

  • Get Domain Reputation
  • Get Hosting History Details
  • Get Recent Domains
  • Get Reverse Domain Details
  • Get Reverse Email Details
  • Get Reverse IP Details
  • Get Whois Domain Details
  • Get Whois History Details
  • Get Whois IP Details

Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection is deleted when the connector is upgraded or deleted.

 
