DomainTools

This integration is part of the DomainTools Enterprise Pack.

Domain name, DNS and Internet OSINT-based cyber threat intelligence and cybercrime forensics products and data

Configure DomainTools on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for DomainTools.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Required |
    | --- | --- |
    | DomainTools API URL | True |
    | API Username | True |
    | API Key | True |
    | Trust any certificate (not secure) | False |
    | Use system proxy settings | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

domain

Retrieve domain information.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Domain name to check reputation. | Required |
| long | Whether to return the full response with detected URLs. | Optional |
| sampleSize | The number of samples from each type (resolutions, detections, etc.) to display for long format. | Optional |
| threshold | If the number of positive detected domains is bigger than the threshold, the domain is considered malicious. | Optional |
| wait | Wait time, in seconds, between tries when the API rate limit is reached. | Optional |
| retries | Number of retries for API rate limit. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | The tested domain |
| Domain.RiskScore | unknown | The reputation returned from DomainTools |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |

Command Example

Human Readable Output

domainSearch

Search for domains based on the given parameters.

Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

Base Command

domainSearch

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | (mandatory and default) Query strings. Each term in the query string must be at least three characters long. Use spaces to separate multiple terms. | Required |
| pageNumber | Sets the page of results to retrieve from the server. Each page is limited to 100 results. Default is 1. | Optional |
| maxLength | Limit the maximum domain character count. Default is 25. | Optional |
| minLength | Limit the minimum domain character count. Default is 1. | Optional |
| hesHyphen | (true or false) Return results with hyphens in the domain name. Default: true. | Optional |
| exclude | Terms to exclude from matching. | Optional |
| activeOnly | (true or false) Return only domains currently registered. Possible values are: true, false. Default is false. | Optional |
| deletedOnly | (true or false) Return only domains previously registered but not currently registered. Possible values are: true, false. Default is false. | Optional |
| anchorLeft | (true or false) Return only domains that start with the query term. Possible values are: true, false. Default is false. | Optional |
| anchorRight | (true or false) Return only domains that end with the query term. Possible values are: true, false. Default is false. | Optional |
| hasNumber | (true or false) Return results with numbers in the domain name. Possible values are: false, true. Default is true. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Domain found by command |

Command Example

Human Readable Output

reverseIP

Reverse lookup of an IP address

Base Command

reverseIP

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | (default) Specify the IP address. | Optional |
| domain | If you provide a domain name, DomainTools will respond with the list of other domains that share the same IP. | Optional |
| limit | Limits the size of the domain list that can appear in a response. The limit is applied per IP address, not for the entire request. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Domain name |
| Domain.DNS.Address | unknown | IP address |

Command Example

Human Readable Output

reverseNameServer

Reverse nameserver lookup

Base Command

reverseNameServer

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| nameServer | (default and mandatory) Specify the name of the primary or secondary name server. | Required |
| limit | Limit the size of the domain list that can appear in a response. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Name of domain |

Command Example

Human Readable Output

reverseWhois

Reverse lookup of whois information

Base Command

reverseWhois

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| terms | (mandatory and default) List of one or more terms to search for in the Whois record, separated with the pipe character ( \| ). | Required |
| exclude | Domain names with Whois records that match these terms will be excluded from the result set. Separate multiple terms with the pipe character ( \| ). | Optional |
| onlyHistoricScope | Show only historic records. Possible values are: true, false. Default is false. | Optional |
| quoteMode | Only lists the size and retail price of the query if you have per-domain pricing access. purchase: includes the complete list of domain names that match the query. Default is purchase. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Name of domain |

Command Example

Human Readable Output

whois

Provides registration details about a domain

Base Command

whois

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | (mandatory and default) Enter a domain (do not use a full URL), e.g. !whois [query=]demisto.com. | Required |
| parsed | Whether to return the parsed or raw response. Possible values are: true, false. Default is true. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Requested domain name |
| Domain.Whois | unknown | Whois data |

Command Example

Human Readable Output

whoisHistory

Display a history of whois for a given domain

Base Command

whoisHistory

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Specify domain e.g. mycompany.com. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Domain.Name | unknown | Name of domain |
| Domain.WhoisHistory | unknown | Domain Whois history data |

Command Example

Human Readable Output

domainProfile

Display profile for a given domain

Base Command

domainProfile

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | Specify domain e.g. mycompany.com. | Optional |

Context Output

There is no context output for this command.

Command Example

Human Readable Output