About the connector
Domaintools help security analysts turn thread data into thread intelligence. It takes indicators from a network, like domain names and IPs and connects them with nearly every active domain on the Internet. These connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.
This document provides information about the DomainTools connector, which facilitates automated interactions, with a DomainTools server using FortiSOAR™ playbooks. Add the DomainTools connector as a step in FortiSOAR™ playbooks and perform automated operations, such as getting the reputation for a domain, getting the historic WhoIs records for a domain name, and search for domain names containing a word.
Version information
Connector Version: 1.0.1
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with DomainTools Versions: 0.1.7 and later
Release Notes for version 1.0.1
Following enhancements have been made to the DomainTools Connector in version 1.0.1:
- Added annotations to operations.
- Renamed the configuration parameters.
- Renamed the operations and playbooks.
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL, API username and the API key of the DomainTools server to which you will connect and perform the automated operations.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the DomainTools connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Server URL |
URL of the DomainTools server to which you will connect and perform the automated operations. |
| Username |
API username that is configured for your account to access the DomainTools server. |
| API Key |
API key that is configured for your account to access the DomainTools server. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get Domain Reputation |
Retrieves the reputation, i.e. risk score, for the domain you have specified from the DomainTools server. |
domain_reputation
Investigation |
| Get Reverse Domain Details |
Retrieves a list of the domain names from the DomainTools server that share the IP address as that of the domain name that you have specified. |
reverse_domain
Investigation |
| Get Reverse IP Details |
Retrieves a list of the domain names from the DomainTools server that share the IP address that you have specified. |
reverse_ip
Investigation |
| Get Reverse Email Details |
Retrieves a list of the domain names from the DomainTools server that have the email ID you have specified listed in WhoIs records. |
reverse_email
Investigation |
| Get Hosting History Details |
Retrieves a list of changes from the DomainTools server that have occurred for the domain that you have specified. |
hosting_history
Investigation |
| Get Whois History Details |
Retrieves a list of historic WhoIs records for the domain you have specified from WhoIs. |
whois_history
Investigation |
| Get Whois IP Details |
Executes a WhoIs lookup on the IP address you have specified and retrieves the ownership record that contains basic registration details, from WhoIs, for the specified IP address. |
whois_ip
Investigation |
| Get Whois Domain Details |
Executes a WhoIs lookup on the domain name you have specified and retrieves the ownership record that contains basic registration details, from WhoIs, for the specified domain name. |
whois_domain
Investigation |
| Get Recent Domains |
Searches for new domains that contain the terms or string that you have specified in the query parameter on the DomainTools server. This operation retrieves sets consisting of domain names match your queryparameter. |
recent_domains
Investigation |
operation: Get Domain Reputation
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain for which you want to get the reputation from the DomainTools server. |
Output
The JSON output contains the risk score obtained from the DomainTools server for the domain that you have specified.
Following image displays a sample output:
operation: Get Reverse Domain Details
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain that is shared by multiple IP addresses, based on which you want to retrieve details from the DomainTools server. |
Output
The JSON output contains a list of domain names retrieved from the DomainTools server that share the same IP address as that of the specified domain name.
Following image displays a sample output:
operation: Get Reverse IP Details
Input parameters
| Parameter |
Description |
| IP Address |
IP address that is shared by multiple domain names, based on which you want to retrieve details from the DomainTools server. |
Output
The JSON output contains a list of the domain names retrieved from the DomainTools server that share the specified IP address.
Following image displays a sample output:
operation: Get Reverse Email Details
Input parameters
| Parameter |
Description |
| Email |
Email ID (term) that describes the domain owner, based on which you want to retrieve details from the DomainTools server. |
Output
The JSON output contains the list of domain names retrieved from the DomainTools server that have the specified email ID listed in WhoIs records.
Following image displays a sample output:
operation: Get Hosting History Details
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain for which you want to get hosting history from the DomainTools server. |
Output
The JSON output contains a list of changes, i.e. a list of historic WhoIs records, retrieved from the DomainTools server, that have occurred for the specified domain. Changes can include such as updates to the registrar of the domain and updates to the IP address and name server within the domain. IP address and name server events include the value before and after the change and indicate the type of action that triggered the event.
Following image displays a sample output:
operation: Get Whois History Details
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain whose history you want to retrieve from WhoIs. |
Output
The JSON output contains a list of historic WhoIs records retrieved from WhoIs for the specified domain name.
Following image displays a sample output:
operation: Get Whois IP Details
Input parameters
| Parameter |
Description |
| IP Address |
IP address whose ownership record you want to retrieve from WhoIs. |
Output
The JSON output contains the ownership record that contains basic registration details, retrieved from WhoIs, for the specified IP address.
Following image displays a sample output:
operation: Get Whois Domain Details
Input parameters
| Parameter |
Description |
| Domain Name |
Name of the domain whose ownership record you want to retrieve from WhoIs. |
Output
The JSON output contains the ownership record that contains basic registration details, retrieved from WhoIs, for the specified domain address.
Following image displays a sample output:
operation: Get Recent Domains
Input parameters
| Parameter |
Description |
| Query(Word) |
One or more terms separated by the pipe character (|) used for the search operation on the DomainTools server. |
| Domain Status |
(Optional) Scope (new or on-hold) of the domain names to be searched for on the DomainTools server. |
| Days Back(1-6) |
(Optional) Number of days prior to the current date from which the search operation must start on the DomainTools server.
You can set this to any number between 1 to 6. For example, if you set this parameter as 3, then the search operation will start 3 days before the current day. |
Output
The JSON output contains sets consisting of domain names, retrieved from the DomainTools server, that contain the terms or string that you have specified in the query parameter.
Following image displays a sample output:
Included playbooks
The Sample-DomainTools-1.0.1 playbook collection comes bundled with the DomainTools connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the DomainTools connector.
- Get Domain Reputation
- Get Hosting History Details
- Get Recent Domains
- Get Reverse Domain Details
- Get Reverse Email Details
- Get Reverse IP Details
- Get Whois Domain Details
- Get Whois History Details
- Get Whois IP Details
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection, since the sample playbook collection gets deleted during connector upgrade and delete.
