

This Integration is part of the Dnstwist Pack.

Cortex XSOAR interfaces with dnstwist to research what sort of trouble users can get into when trying to type a domain name. Find similar-looking domains that adversaries can use for attacks. dnstwist detects typosquatting, phishing attacks, fraud, and corporate espionage. It is useful as an additional source of targeted threat intelligence.

The integration uses Docker image demisto/dnstwist:1.0.

Use Cases

dnstwist takes in a domain name as a seed, generates a list of potential phishing domains, and then checks to see if they are registered.

Additionally, it can test whether the mail server from the MX (mail exchange) record can be used to intercept misdirected corporate e-mails, and it can generate fuzzy hashes of the web pages to see if they are live phishing sites.

Configure dnstwist on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for dnstwist.
  3. Click Add instance to create and configure a new integration instance.
    • Name: a textual name for the integration instance.
  4. Click Test to validate the new instance.


You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook.
After you successfully execute a command, a DBot message appears in the War Room with the command details.

  1. Check domain variations: dnstwist-domain-variations

1. Check domain variations

Checks domain variations.

Base Command


Argument Name Description Required
The domain name for which to check for variations.
Maximum number of results to return in the context. This helps manage browser performance. The Markdown entry will display all results.
Whether to perform a query for the Whois creation or last updated time (slow).

Context Output
Path Description
Domain name variations.
IP addresses that resolved to domain name variations.
Mail exchange records that resolved to domain name variations.
Server names that resolved to domain name variations.
Whois updated for domain name variations.
Whois created for domain name variations.

Command Example


Context Example
{
    "Domain": {
        "Name": "",
        "IP": [""],
        "Domains": [
            {
                "Name": "",
                "IP": ["", ""]
            },
            {
                "Name": "",
                "IP": [""]
            }
        ]
    }
}
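The following is an added example, not code from the integration or its pack: a triage helper that takes a dictionary shaped like the Context Example above and sorts the returned variations by whether they resolve, and whether they resolve to addresses the seed domain does not use. The bucket names, function names, and all sample values are assumptions made for illustration.

```python
import ipaddress

# Constructed sample in the shape of the Context Example above. Names and
# addresses are made up (reserved documentation domain and IP ranges).
SAMPLE_CONTEXT = {
    "Domain": {
        "Name": "example.com",
        "IP": ["192.0.2.10", "192.0.2.11"],
        "Domains": [
            {"Name": "examp1e.com", "IP": ["198.51.100.7", "192.0.2.10"]},
            {"Name": "exampel.com", "IP": ["192.0.2.11"]},
            {"Name": "exmple.com", "IP": [""]},
            {"Name": "example.co", "IP": ["203.0.113.5", "not-an-ip"]},
        ],
    }
}


def parse_ips(values):
    """Return the set of valid IP addresses in values, ignoring blanks and junk."""
    parsed = set()
    for value in values or []:
        try:
            parsed.add(ipaddress.ip_address(str(value).strip()))
        except ValueError:
            continue  # empty string or non-IP text, as in the empty sample above
    return parsed


def triage_variations(context):
    """Split variations into review / same-infrastructure / unresolved buckets."""
    seed = context.get("Domain", {})
    seed_ips = parse_ips(seed.get("IP"))
    buckets = {"review": [], "same-infrastructure": [], "unresolved": []}
    for entry in seed.get("Domains", []):
        name = entry.get("Name", "")
        ips = parse_ips(entry.get("IP"))
        foreign = sorted(str(ip) for ip in ips - seed_ips)
        if not ips:
            buckets["unresolved"].append(name)
        elif foreign:
            # At least one address the seed domain does not use: needs a look.
            buckets["review"].append((name, foreign))
        else:
            buckets["same-infrastructure"].append(name)
    return buckets


if __name__ == "__main__":
    for bucket, items in triage_variations(SAMPLE_CONTEXT).items():
        print(bucket, items)
```

Variations in the "same-infrastructure" bucket point only at addresses the seed domain already uses, which usually means a defensive registration; the "review" bucket is where analyst time should go first.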
Human Readable Output