# SecurityTrails
This Integration is part of the SecurityTrails Pack.

## Supported versions
Supported Cortex XSOAR versions: 6.0.0 and later.

This integration provides API access to the SecurityTrails platform. This integration was integrated and tested with V1 of SecurityTrails.
## Configure SecurityTrails in Cortex

Parameter | Required |
---|---|
API Key | True |
Trust any certificate (not secure) | False |
Use system proxy settings | False |
Fetch indicators | False |
## Commands
You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.
### securitytrails-get-subdomains
Returns child and sibling subdomains for a given hostname.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

#### Base Command
`securitytrails-get-subdomains`

#### Input
Argument Name | Description | Required |
---|---|---|
hostname | The hostname. | Required |
children_only | Only return child subdomains. Possible values are: true, false. Default is true. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.Domain.name | string | Hostname |
SecurityTrails.Domain.subdomains | unknown | Subdomains |
Domain.Name | string | Domain name |
Domain.Subdomains | string | Subdomains |
SecurityTrails.Domain.subdomain_count | number | Subdomain count |
### securitytrails-get-tags
Returns tags for a given hostname.

#### Base Command
`securitytrails-get-tags`

#### Input
Argument Name | Description | Required |
---|---|---|
hostname | Hostname. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.Domain.name | string | Domain name |
SecurityTrails.Domain.tags | unknown | Domain tags |
Domain.Name | string | Domain name |
Domain.Tags | string | Domain tags |
### securitytrails-get-company-associated-ips
Returns the IPs associated with a company domain. The data is based on WHOIS records whose organization names are matched to the domain.

#### Base Command
`securitytrails-get-company-associated-ips`

#### Input
Argument Name | Description | Required |
---|---|---|
domain | Domain. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.Domain.name | string | Domain name |
SecurityTrails.Domain.assocaitedips | unknown | Associated IPs |
SecurityTrails.Domain.assocaitedip_count | number | Associated IP count |
### securitytrails-get-dns-history
Lists historical DNS records of the requested type for the given hostname. In addition to fetching the historical data for a particular record type, a count statistic is returned as well, which represents the number of records of that type in the current data.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

#### Base Command
`securitytrails-get-dns-history`

#### Input
Argument Name | Description | Required |
---|---|---|
hostname | Hostname. | Required |
type | DNS record type. Possible values are: a, aaaa, mx, ns, soa, txt. Default is a. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.Domain.a_history_records.first_seen | string | First seen |
SecurityTrails.Domain.a_history_records.last_seen | string | Last seen |
SecurityTrails.Domain.a_history_records.organizations | unknown | Organizations |
SecurityTrails.Domain.a_history_records.type | string | Type |
SecurityTrails.Domain.a_history_records.values.ip | string | IP |
SecurityTrails.Domain.a_history_records.values.ipv6 | string | IPv6 |
SecurityTrails.Domain.mx_history_records.values.host | string | Host |
SecurityTrails.Domain.mx_history_records.values.mx_count | number | MX count |
SecurityTrails.Domain.mx_history_records.values.priority | number | Priority |
SecurityTrails.Domain.name | string | Name |
SecurityTrails.Domain.ns_history_records.values.nameserver | string | Name server |
SecurityTrails.Domain.ns_history_records.values.nameserver_count | number | Name server count |
SecurityTrails.Domain.soa_history_records.values.email | string | Email |
SecurityTrails.Domain.soa_history_records.values.email_count | number | Email count |
SecurityTrails.Domain.soa_history_records.values.ttl | number | TTL |
SecurityTrails.Domain.txt_history_records.values.value | string | Value |
SecurityTrails.Domain.a_history_record_pages | number | A record pages count |
SecurityTrails.Domain.aaaa_history_record_pages | number | AAAA record pages count |
SecurityTrails.Domain.mx_history_record_pages | number | MX record pages count |
SecurityTrails.Domain.ns_history_record_pages | number | NS record pages count |
SecurityTrails.Domain.soa_history_record_pages | number | SOA record pages count |
SecurityTrails.Domain.txt_history_record_pages | number | TXT record pages count |
### securitytrails-get-ip-neighbors
Returns the neighbors in any given IP range and essentially allows you to explore nearby IP addresses. The range is divided into 16 equal groups. Example: a /28 is divided into 16 /32 blocks, and a /24 is divided into 16 /28 blocks.

#### Base Command
`securitytrails-get-ip-neighbors`

#### Input
Argument Name | Description | Required |
---|---|---|
ipaddress | Starting IP address (optionally with CIDR subnet mask). | Required |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.IP.ip | string | IP address |
SecurityTrails.IP.block.active_egress | boolean | Active egress |
SecurityTrails.IP.block.hostnames | string | Hostnames |
SecurityTrails.IP.block.ports | number | Port |
SecurityTrails.IP.block.sites | number | Sites |
IP.Address | string | Address |
### securitytrails-statistics-domain
Returns domain statistics.

#### Base Command
`securitytrails-statistics-domain`

#### Input
Argument Name | Description | Required |
---|---|---|
query | The DSL query you want to run (https://docs.securitytrails.com/docs/how-to-use-the-dsl). | Optional |
filter | JSON dictionary of filter terms (https://docs.securitytrails.com/reference#domain-search). Cannot be used together with query. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.Domain.Search.DomainStats.domain_count | number | Domain count |
SecurityTrails.Domain.Search.DomainStats.hostname_count.relation | string | Relation |
SecurityTrails.Domain.Search.DomainStats.hostname_count.value | number | Value |
SecurityTrails.Domain.Search.DomainStats.tld_count | number | TLD count |
SecurityTrails.Domain.Search.DomainStats.top_organizations.count | number | Count |
SecurityTrails.Domain.Search.DomainStats.top_organizations.key | string | Key |
SecurityTrails.Domain.Search.DomainStats.whois_organization_count | number | WHOIS organization count |
### securitytrails-search-ip
Search for IP addresses. A maximum of 10000 results can be retrieved.

#### Base Command
`securitytrails-search-ip`

#### Input
Argument Name | Description | Required |
---|---|---|
page | The page of the returned results, starting at 1. A page returns 100 results. Default is 1. | Optional |
query | The DSL query you want to run (https://docs.securitytrails.com/docs/how-to-use-the-dsl). | Required |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.IP.Search.ip | string | IP address |
SecurityTrails.IP.Search.ports.port | number | Port |
SecurityTrails.IP.Search.ports.date_checked | number | Date checked |
SecurityTrails.IP.Search.ptr | string | PTR record |
IP.Address | string | Address |
IP.Hostname | string | Hostname |
IP.Ports | string | Ports |
### securitytrails-get-ip-whois
Returns IP information based on WHOIS data.

#### Base Command
`securitytrails-get-ip-whois`

#### Input
Argument Name | Description | Required |
---|---|---|
ipaddress | IP address. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
SecurityTrails.IP.contact_email | string | Contact email |
SecurityTrails.IP.contacts.email | string | Email |
SecurityTrails.IP.contacts.organization | string | Organization |
SecurityTrails.IP.contacts.telephone | string | Telephone |
SecurityTrails.IP.contacts.type | string | Type |
SecurityTrails.IP.ip | string | IP |
SecurityTrails.IP.source | string | Source |
### domain
Provides data enrichment for domains.
Notice: Submitting indicators using this command might make the indicator data publicly available. See the vendor’s documentation for more details.

#### Base Command
`domain`

#### Input
Argument Name | Description | Required |
---|---|---|
domain | The domain name to enrich. | Required |

#### Context Output
Path | Type | Description |
---|---|---|
Domain.Name | String | The domain name, for example: "google.com". |
Domain.DNS | String | A list of IP objects resolved by DNS. |
Domain.DomainStatus | Date | The status of the domain. |
Domain.NameServers | Unknown | (List<String>) Name servers of the domain. |
Domain.Organization | String | The organization of the domain. |
Domain.Subdomains | Unknown | (List<String>) Subdomains of the domain. |
Domain.Admin.Country | String | The country of the domain administrator. |
Domain.Admin.Email | String | The email address of the domain administrator. |
Domain.Admin.Name | String | The name of the domain administrator. |
Domain.Admin.Phone | String | The phone number of the domain administrator. |
Domain.Registrant.Country | String | The country of the registrant. |
Domain.Registrant.Email | String | The email address of the registrant. |
Domain.Registrant.Name | String | The name of the registrant. |
Domain.Registrant.Phone | String | The phone number for receiving abuse reports. |
Domain.Tags | Unknown | (List) Tags of the domain. |
Domain.WHOIS.DomainStatus | String | The status of the domain. |
Domain.WHOIS.NameServers | String | (List<String>) Name servers of the domain. |
Domain.WHOIS.CreationDate | Date | The date that the domain was created. |
Domain.WHOIS.UpdatedDate | Date | The date that the domain was last updated. |
Domain.WHOIS.ExpirationDate | Date | The expiration date of the domain. |
Domain.WHOIS.Registrant.Name | String | The name of the registrant. |
Domain.WHOIS.Registrant.Email | String | The email address of the registrant. |
Domain.WHOIS.Registrant.Phone | String | The phone number of the registrant. |
Domain.WHOIS.Registrar.Name | String | The name of the registrar, for example: `GoDaddy`. |
Domain.WHOIS.Registrar.Email | String | The email address of the registrar contact. |
Domain.WHOIS.Registrar.Phone | String | The phone number of the registrar contact. |
Domain.WHOIS.Admin.Name | String | The name of the domain administrator. |
Domain.WHOIS.Admin.Email | String | The email address of the domain administrator. |
Domain.WHOIS.Admin.Phone | String | The phone number of the domain administrator. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
### securitytrails-sql-get-next
Retrieves the next page of results from a SQL query whose results exceeded the previous page.

#### Base Command
`securitytrails-sql-get-next`

#### Input
Argument Name | Description | Required |
---|---|---|
id | The ID to use to retrieve the next page of results. | Required |
timeout | Read timeout for calls, in seconds. Default is 20. | Optional |

#### Context Output
Path | Type | Description |
---|---|---|
Securitytrails.SQL.total | number | The total number of hits discovered |
Securitytrails.SQL.records | unknown | The records returned |
Securitytrails.SQL.id | string | The ID to use for further GET calls to retrieve more results |
Securitytrails.SQL.query | string | The original query used |