Skip to main content

JsonWhoIs

Use the JsonWhoIs integration to enrich domain indicators.

Configure JsonWhoIs on Cortex XSOAR#

  1. Navigate to Settings > Integrations  > Servers & Services.

  2. Search for JsonWhoIs.

  3. Click Add instance to create and configure a new integration instance.

    ParameterDescriptionExample
    NameA meaningful name for the integration instance.JsonWhoIs_instance_1
    API TokenYour JsonWhoIs API tokenN/A
    System proxyRuns the integration instance using the proxy server (HTTP or HTTPS) that you defined in the server configuration.https://proxyserver.com
    Trust any certificate (not secure)When selected, certificates are not checked.N/A
    Do Not Use by DefaultIf checked the commands will not be used by default (this is influenced if two command are the same).N/A
  4. Click Test to validate the new instance.

Commands#

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

Get enriched data#

Returns enriched data for Domains, URLs, and IP addresses.

Base Command#

whois

Input#
Argument NameDescriptionRequired
queryThe URL, IP address, or domain to enrich.Required
Context Output#
PathTypeDescription
Domain.WHOIS.DomainStatusBooleanWhether the domain is registered.
Domain.WHOIS.NameServersStringThe name servers.
Domain.WHOIS.CreationDateDateThe creation date.
Domain.WHOIS.UpdatedDateDateThe updated date.
Domain.WHOIS.ExpirationDateDateThe expiration date.
Domain.WHOIS.Registrant.NameStringThe registrant name.
Domain.WHOIS.Registrant.EmailStringThe registrant email.
Domain.WHOIS.Registrant.PhoneStringThe registrant phone.
Domain.WHOIS.Registrar.NameStringThe registrar name.
Domain.WHOIS.Registrar.UrlStringThe registrar email.
Domain.WHOIS.Registrar.OrganizationStringThe registrar organization name.
Domain.WHOIS.Registrar.IdNumberThe registrar ID.
Domain.WHOIS.Admin.NameStringThe Admin name.
Domain.WHOIS.Admin.EmailStringThe Admin email.
Domain.WHOIS.Admin.PhoneStringThe Admin phone.
Command Example#
!whois query=demisto.com
Context Example#
{
"Domain": {
"WHOIS": {
"Admin": [
{
"Email": "5be9245893ff486d98c3640879bb2657.protect@whoisguard.com",
"Name": "WhoisGuard Protected",
"Phone": "+507.8365503"
}
],
"CreationDate": "2015-01-16T21:36:27.000Z",
"DomainStatus": "registered",
"ExpirationDate": "2026-01-16T21:36:27.000Z",
"NameServers": [
{
"Name": "pns31.cloudns.net"
},
{
"Name": "pns32.cloudns.net"
},
{
"Name": "pns33.cloudns.net"
},
{
"Name": "pns34.cloudns.net"
}
],
"Registrant": [
{
"Email": "5be9245893ff486d98c3640879bb2657.protect@whoisguard.com",
"Name": "WhoisGuard Protected",
"Phone": "+507.8365503"
}
],
"Registrar": {
"Id": "1068",
"Name": "NameCheap, Inc.",
"Url": "http://www.namecheap.com"
},
"UpdatedDate": "2019-05-14T16:14:12.000Z"
}
}
}
Human Readable Output#
Admin account#
EmailNamePhone
5be9245893ff486d98c3640879bb2657.protect@whoisguard.comWhoisGuard Protected+507.8365503
Name servers#
Name
pns31.cloudns.net
pns32.cloudns.net
pns33.cloudns.net
pns34.cloudns.net
Registrant#
EmailNamePhone
5be9245893ff486d98c3640879bb2657.protect@whoisguard.comWhoisGuard Protected+507.8365503
Registrar#
IdNameUrl
1068NameCheap, Inc.http://www.namecheap.com
Others#
CreationDateDomainStatusExpirationDateUpdatedDate
2015-01-16T21:36:27.000Zregistered2026-01-16T21:36:27.000Z2019-05-14T16:14:12.000Z

Troubleshooting#

The JsonWhoIs API is not stable. We recommend attempting a query three times before considering the query to fail.