DomainTools (Deprecated)
This Integration is part of the DomainTools Enterprise (Deprecated) Pack.#
Deprecated
Use DomainTools Iris Pack instead.
Domain name, DNS and Internet OSINT-based cyber threat intelligence and cybercrime forensics products and data
Configure DomainTools in Cortex#
| Parameter | Required |
|---|---|
| DomainTools API URL | True |
| API Username | True |
| API Key | True |
| Trust any certificate (not secure) | False |
| Use system proxy settings | False |
Commands#
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
domain#
Retrieve domain information.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.
Base Command#
domain
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Domain name to check reputation. | Required |
| long | Should we return full response with detected URLs. | Optional |
| sampleSize | The number of samples from each type (resolutions, detections, etc.) to display for long format. | Optional |
| threshold | If number of positive detected domains is bigger than the threshold we will consider it malicious. | Optional |
| wait | Wait time between tries if we reach the API rate limit in seconds. | Optional |
| retries | Number of retries for API rate limit. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Domain.Name | unknown | The tested domain |
| Domain.RiskScore | unknown | The reputation returned from DomainTools |
| Domain.Malicious.Vendor | unknown | For malicious domains, the vendor that made the decision |
| DBotScore.Indicator | unknown | The indicator that was tested. |
| DBotScore.Type | unknown | The indicator type. |
| DBotScore.Vendor | unknown | The vendor used to calculate the score. |
| DBotScore.Score | unknown | The actual score. |
Command Example#
Human Readable Output#
reverseIP#
Reverse loopkup of an IP address
Base Command#
reverseIP
Input#
| Argument Name | Description | Required |
|---|---|---|
| ip | (default) specify IP address. | Optional |
| domain | If you provide a domain name, DomainTools will respond with the list of other domains that share the same IP. | Optional |
| limit | Limits the size of the domain list than can appear in a response. The limit is applied per-IP address, not for the entire request. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Domain.Name | unknown | Domain name |
| Domain.DNS.Address | unknown | IP address |
Command Example#
Human Readable Output#
reverseWhois#
Reverse lookup of whois information
Base Command#
reverseWhois
Input#
| Argument Name | Description | Required |
|---|---|---|
| terms | (mandatory and default) List of one or more terms to search for in the Whois record, separated with the pipe character ( | ). | Required |
| exclude | Domain names with Whois records that match these terms will be excluded from the result set. Separate multiple terms with the pipe character ( | ). | Optional |
| onlyHistoricScope | Show only historic records. Possible values are: true, false. Default is false. | Optional |
| quoteMode | Only lists the size and retail price of the query if you have per-domain pricing access purchase : includes the complete list of domain names that match the query. Default is purchase. | Optional |
Context Output#
| Path | Type | Description |
|---|---|---|
| Domain.Name | unknown | Name of domain |
Command Example#
Human Readable Output#
whoisHistory#
Display a history of whois for a given domain
Base Command#
whoisHistory
Input#
| Argument Name | Description | Required |
|---|---|---|
| domain | Specify domain e.g. mycompany.com. | Required |
Context Output#
| Path | Type | Description |
|---|---|---|
| Domain.Name | unknown | Name of domain |
| Domain.WhoisHistory | unknown | Domain Whois history data |