Whois

This Integration is part of the Whois Pack.

Provides data enrichment for domains. This integration was integrated and tested with version 1.0 of Whois.

Configure Whois on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.

  2. Search for Whois.

  3. Click Add instance to create and configure a new integration instance.

    | Parameter | Description | Required |
    | --- | --- | --- |
    | Return Errors | If set, failed command results will be returned as warnings instead of errors. | False |
    | Proxy URL | Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Affects all commands except for the `ip` command. | False |
    | Use system proxy settings | Affects the `ip` command, and affects the other commands only if the Proxy URL is not set. | False |
    | Use legacy context | Indicates whether to use the previous/legacy implementation of the integration commands and their outputs or the new ones. | False |
    | Source Reliability | Reliability of the source providing the intelligence data. | True |
    | Rate Limit Retry Count | The number of times to try when getting a Rate Limit response. | False |
    | Rate Limit Wait Seconds | The number of seconds to wait between each iteration when getting a Rate Limit response. | False |
    | Suppress Rate Limit errors | Whether Rate Limit errors should be suppressed or not. | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

whois

Provides data enrichment for domains. This pack relies on free services for WHOIS information. As with many free services, availability is not guaranteed. Free WHOIS providers may block or reject queries.

Base Command

whois

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| query | The domain to enrich. | Required |
| recursive | Whether to get the raw response from the whois servers recursively. Default value is True. | Optional |
| verbose | Whether to add the raw response as a dictionary to the context. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Score | string | The actual score. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Domain.Name | string | The domain name. |
| Domain.DomainStatus | string | The domain status. |
| Domain.Dnssec | string | The domain name system security extension (DNSSEC). |
| Domain.NameServers | string | The name servers. |
| Domain.Country | string | The domain country. |
| Domain.State | string | The domain state. |
| Domain.City | string | The domain city. |
| Domain.CreationDate | date | The date that the domain was created (UTC). |
| Domain.UpdatedDate | date | The date that the domain was last updated (UTC). |
| Domain.ExpirationDate | date | The date that the domain expires (UTC). |
| Domain.Registrar.Name | string | The name of the registrar. |
| Domain.Registrar.Address | string | The address of the registrar. |
| Domain.Registrar.Email | string | The email of the registrar. |
| Domain.Registrar.Id | string | The ID of the registrar. |
| Domain.Registrar.Phone | string | The phone number of the registrar. |
| Domain.Registrar.Url | string | The URL of the registrar. |
| Domain.Registrar.AbuseEmail | string | The email address of the contact for reporting abuse. |
| Domain.Emails | string | The abuse emails. |
| Domain.Address | string | The abuse address. |
| Domain.Organization | string | The organization domain name. |
| Domain.WhoisServer | string | The whois server name. |
| Domain.Phone | string | The phone number of the tech administrator. |
| Domain.Admin | object | Administrator information. |
| Domain.Admin.Address | string | The address of the administrator. |
| Domain.Admin.ApplicationPurpose | string | The application purpose of the administrator. |
| Domain.Admin.C | string | The C field of the administrator. |
| Domain.Admin.City | string | The city of the administrator. |
| Domain.Admin.Country | string | The country of the administrator. |
| Domain.Admin.Email | string | The email address of the administrator. |
| Domain.Admin.Fax | string | The fax number of the administrator. |
| Domain.Admin.FaxExt | string | The fax extension of the administrator. |
| Domain.Admin.Id | string | The ID of the administrator. |
| Domain.Admin.Name | string | The name of the administrator. |
| Domain.Admin.Org | string | The organization of the administrator. |
| Domain.Admin.Phone | string | The phone number of the administrator. |
| Domain.Admin.PhoneExt | string | The phone extension of the administrator. |
| Domain.Admin.PostalCode | string | The postal code of the administrator. |
| Domain.Admin.State | string | The state of the administrator. |
| Domain.Admin.StateProvince | string | The state or province of the administrator. |
| Domain.Admin.Street | string | The street of the administrator. |
| Domain.Registrant.Name | string | The name of the registrant. |
| Domain.Registrant.Email | string | The email address of the registrant. |
| Domain.Registrant.Country | string | The country of the registrant. |
| Domain.Registrant.State | string | The state of the registrant. |
| Domain.Registrant.Org | string | The organization of the registrant. |
| Domain.Registrant.PostalCode | string | The postal code of the registrant. |
| Domain.Registrant.Street | string | The street of the registrant. |
| Domain.Registrant.Phone | string | The phone number of the registrant. |
| Domain.Registrant.City | string | The city of the registrant. |
| Domain.Registrant.Address | string | The address of the registrant. |
| Domain.Registrant.ContactName | string | The contact name of the registrant. |
| Domain.Registrant.Fax | string | The fax of the registrant. |
| Domain.Registrant.Id | string | The ID of the registrant. |
| Domain.Registrant.Number | string | The number of the registrant. |
| Domain.Registrant.StateProvince | string | The state province of the registrant. |
| Domain.Raw | string | The raw output from python-whois lib. |
| Domain.Administrator | string | The country of the domain administrator. |
| Domain.Tech.Name | string | The name of the tech contact. |
| Domain.Tech.Address | string | The address of the tech contact. |
| Domain.Tech.City | string | The city of the tech contact. |
| Domain.Tech.Country | string | The country of the tech contact. |
| Domain.Tech.Email | string | The email address of the tech contact. |
| Domain.Tech.Fax | string | The fax number of the tech contact. |
| Domain.Tech.ID | string | The ID of the tech contact. |
| Domain.Tech.Organization | string | The organization of the tech contact. |
| Domain.Tech.Phone | string | The phone number of the tech contact. |
| Domain.Tech.PostalCode | string | The postal code of the tech contact. |
| Domain.Tech.State | string | The state of the tech contact. |
| Domain.Tech.StateProvince | string | The state/province of the tech contact. |
| Domain.Tech.Street | string | The street of the tech contact. |
| Domain.ID | string | The ID of the domain. |
| Domain.WHOIS.Name | string | The domain name. |
| Domain.WHOIS.DomainStatus | string | The domain status. |
| Domain.WHOIS.Dnssec | string | The domain name system security extension (DNSSEC). |
| Domain.WHOIS.NameServers | string | The name servers. |
| Domain.WHOIS.Country | string | The domain country. |
| Domain.WHOIS.State | string | The domain state. |
| Domain.WHOIS.City | string | The domain city. |
| Domain.WHOIS.CreationDate | date | The date that the domain was created (UTC). |
| Domain.WHOIS.UpdatedDate | date | The date that the domain was last updated (UTC). |
| Domain.WHOIS.ExpirationDate | date | The date that the domain expires (UTC). |
| Domain.WHOIS.Registrar.Name | string | The name of the registrar. |
| Domain.WHOIS.Registrar.Address | string | The address of the registrar. |
| Domain.WHOIS.Registrar.Email | string | The email of the registrar. |
| Domain.WHOIS.Registrar.Id | string | The ID of the registrar. |
| Domain.WHOIS.Registrar.Phone | string | The phone number of the registrar. |
| Domain.WHOIS.Registrar.Url | string | The URL of the registrar. |
| Domain.WHOIS.Registrar.AbuseEmail | string | The email address of the contact for reporting abuse. |
| Domain.WHOIS.Emails | string | The abuse emails. |
| Domain.WHOIS.Address | string | The abuse address. |
| Domain.WHOIS.Organization | string | The organization domain name. |
| Domain.WHOIS.WhoisServer | string | The whois server name. |
| Domain.WHOIS.Phone | string | The phone number of the tech administrator. |
| Domain.WHOIS.Admin | object | Administrator information. |
| Domain.WHOIS.Admin.Address | string | The address of the administrator. |
| Domain.WHOIS.Admin.ApplicationPurpose | string | The application purpose of the administrator. |
| Domain.WHOIS.Admin.C | string | The C field of the administrator. |
| Domain.WHOIS.Admin.City | string | The city of the administrator. |
| Domain.WHOIS.Admin.Country | string | The country of the administrator. |
| Domain.WHOIS.Admin.Email | string | The email address of the administrator. |
| Domain.WHOIS.Admin.Fax | string | The fax number of the administrator. |
| Domain.WHOIS.Admin.FaxExt | string | The fax extension of the administrator. |
| Domain.WHOIS.Admin.Id | string | The ID of the administrator. |
| Domain.WHOIS.Admin.Name | string | The name of the administrator. |
| Domain.WHOIS.Admin.Org | string | The organization of the administrator. |
| Domain.WHOIS.Admin.Phone | string | The phone number of the administrator. |
| Domain.WHOIS.Admin.PhoneExt | string | The phone extension of the administrator. |
| Domain.WHOIS.Admin.PostalCode | string | The postal code of the administrator. |
| Domain.WHOIS.Admin.State | string | The state of the administrator. |
| Domain.WHOIS.Admin.StateProvince | string | The state or province of the administrator. |
| Domain.WHOIS.Admin.Street | string | The street of the administrator. |
| Domain.WHOIS.Registrant.Name | string | The name of the registrant. |
| Domain.WHOIS.Registrant.Email | string | The email address of the registrant. |
| Domain.WHOIS.Registrant.Country | string | The country of the registrant. |
| Domain.WHOIS.Registrant.State | string | The state of the registrant. |
| Domain.WHOIS.Registrant.Org | string | The organization of the registrant. |
| Domain.WHOIS.Registrant.PostalCode | string | The postal code of the registrant. |
| Domain.WHOIS.Registrant.Street | string | The street of the registrant. |
| Domain.WHOIS.Registrant.Phone | string | The phone number of the registrant. |
| Domain.WHOIS.Registrant.City | string | The city of the registrant. |
| Domain.WHOIS.Registrant.Address | string | The address of the registrant. |
| Domain.WHOIS.Registrant.ContactName | string | The contact name of the registrant. |
| Domain.WHOIS.Registrant.Fax | string | The fax of the registrant. |
| Domain.WHOIS.Registrant.Id | string | The ID of the registrant. |
| Domain.WHOIS.Registrant.Number | string | The number of the registrant. |
| Domain.WHOIS.Registrant.StateProvince | string | The state province of the registrant. |
| Domain.WHOIS.Raw | string | The raw output from python-whois lib. |
| Domain.WHOIS.Administrator | string | The country of the domain administrator. |
| Domain.WHOIS.Tech.Name | string | The name of the tech contact. |
| Domain.WHOIS.Tech.Address | string | The address of the tech contact. |
| Domain.WHOIS.Tech.City | string | The city of the tech contact. |
| Domain.WHOIS.Tech.Country | string | The country of the tech contact. |
| Domain.WHOIS.Tech.Email | string | The email address of the tech contact. |
| Domain.WHOIS.Tech.Fax | string | The fax number of the tech contact. |
| Domain.WHOIS.Tech.ID | string | The ID of the tech contact. |
| Domain.WHOIS.Tech.Org | string | The organization of the tech contact. |
| Domain.WHOIS.Tech.Phone | string | The phone number of the tech contact. |
| Domain.WHOIS.Tech.PostalCode | string | The postal code of the tech contact. |
| Domain.WHOIS.Tech.State | string | The state of the tech contact. |
| Domain.WHOIS.Tech.StateProvince | string | The state/province of the tech contact. |
| Domain.WHOIS.Tech.Street | string | The street of the tech contact. |
| Domain.WHOIS.ID | string | The ID of the domain. |
| Domain.FeedRelatedIndicators.Type | String | Indicators that are associated with the domain. |
| Domain.FeedRelatedIndicators.Value | String | The type of the indicators that are associated with the domain. |
| Domain.WHOIS.FeedRelatedIndicators.Type | String | Indicators that are associated with the domain. |
| Domain.WHOIS.FeedRelatedIndicators.Value | String | The type of the indicators that are associated with the domain. |
| Domain.FeedRelatedIndicators.type | String | (Legacy output) Indicators that are associated with the domain. |
| Domain.FeedRelatedIndicators.value | String | (Legacy output) The type of the indicators that are associated with the domain. |
| Domain.Whois.Name | string | (Legacy output) The domain name. |
| Domain.Whois.DomainStatus | string | (Legacy output) The domain status. |
| Domain.Whois.DNSSec | string | (Legacy output) The domain name system security extension (DNSSEC). |
| Domain.Whois.NameServers | string | (Legacy output) The name servers. |
| Domain.Whois.CreationDate | date | (Legacy output) The date that the domain was created (UTC). |
| Domain.Whois.UpdatedDate | date | (Legacy output) The date that the domain was last updated (UTC). |
| Domain.Whois.ExpirationDate | date | (Legacy output) The date that the domain expires (UTC). |
| Domain.Whois.Registrar.Name | string | (Legacy output) The name of the registrar. |
| Domain.Whois.Emails | string | (Legacy output) The abuse emails. |
| Domain.Whois.Registrar.AbuseEmail | string | (Legacy output) The email address of the contact for reporting abuse. |
| Domain.Whois.Registrant.name | string | (Legacy output) The name of the registrant. |
| Domain.Whois.Registrant.email | string | (Legacy output) The email address of the registrant. |
| Domain.Whois.Raw | string | (Legacy output) The raw output. |
| Domain.Whois.Administrator.country | string | (Legacy output) The country of the domain administrator. |
| Domain.Whois.Administrator.name | string | (Legacy output) The name of the domain administrator. |
| Domain.Whois.Administrator.state | string | (Legacy output) The state of the domain administrator. |
| Domain.Whois.Administrator.email | string | (Legacy output) The email address of the domain administrator. |
| Domain.Whois.Administrator.organization | string | (Legacy output) The organization of the domain administrator. |
| Domain.Whois.Administrator.postalcode | string | (Legacy output) The postal code of the domain administrator. |
| Domain.Whois.Administrator.street | string | (Legacy output) The street of the domain admin. |
| Domain.Whois.Administrator.phone | string | (Legacy output) The phone number of the domain administrator. |
| Domain.Whois.Administrator.city | string | (Legacy output) The city of the domain administrator. |
| Domain.Whois.TechAdmin.country | string | (Legacy output) The country of the tech administrator. |
| Domain.Whois.TechAdmin.name | string | (Legacy output) The name of the tech administrator. |
| Domain.Whois.TechAdmin.state | string | (Legacy output) The state of the tech administrator. |
| Domain.Whois.TechAdmin.email | string | (Legacy output) The email address of the tech administrator. |
| Domain.Whois.TechAdmin.organization | string | (Legacy output) The organization of the tech administrator. |
| Domain.Whois.TechAdmin.postalcode | string | (Legacy output) The postal code of the tech administrator. |
| Domain.Whois.TechAdmin.street | string | (Legacy output) The street of the tech administrator. |
| Domain.Whois.TechAdmin.phone | string | (Legacy output) The phone number of the tech administrator. |
| Domain.Whois.TechAdmin.city | string | (Legacy output) The city of the tech administrator. |
| Domain.Whois.Registrant.country | string | (Legacy output) The country of the registrant. |
| Domain.Whois.Registrant.state | string | (Legacy output) The state of the registrant. |
| Domain.Whois.Registrant.organization | string | (Legacy output) The organization of the registrant. |
| Domain.Whois.Registrant.postalcode | string | (Legacy output) The postal code of the registrant. |
| Domain.Whois.Registrant.street | string | (Legacy output) The street of the registrant. |
| Domain.Whois.Registrant.phone | string | (Legacy output) The phone number of the registrant. |
| Domain.Whois.Registrant.city | string | (Legacy output) The city of the registrant. |
| Domain.Whois.ID | string | (Legacy output) The ID of the domain. |
| Domain.Whois.QueryStatus | string | (Legacy output) The result of the command ("Success" or "Failed"). |
| Domain.Whois.QueryValue | string | (Legacy output) The query requested by the user. |
| Domain.Whois.QueryResult | Boolean | (Legacy output) Whether the query found a matching result. |

Command example

!whois query="paloaltonetworks.com"

Context Example

{
"DBotScore": {
"Indicator": "google.com",
"Type": "domain",
"Vendor": "Whois",
"Score": 0,
"Reliability": "B - Usually reliable"
},
"Domain": {
"WHOIS": {
"Name": "paloaltonetworks.com",
"WhoisServer": "whois.markmonitor.com",
"CreationDate": "21-02-2005",
"ExpirationDate": "21-02-2026",
"UpdatedDate": "08-02-2024",
"Organization": "Palo Alto Networks, Inc.",
"State": "CA",
"Country": "US",
"Dnssec": "signedDelegation",
"Registrar": {
"Name": "MarkMonitor, Inc."
},
"Emails": [
"abusecomplaints@markmonitor.com",
"whoisrequest@markmonitor.com"
],
"NameServers": [
"a1-184.akam.net",
"a11-64.akam.net",
"a12-67.akam.net",
"a13-66.akam.net",
"a2-65.akam.net",
"a4-64.akam.net"
],
"DomainStatus": [
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
"clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
"clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
"clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)"
],
"FeedRelatedIndicators": [
{
"Type": "email",
"Value": "abusecomplaints@markmonitor.com"
},
{
"Type": "email",
"Value": "whoisrequest@markmonitor.com"
}
],
"Raw": "domain_name: ['PALOALTONETWORKS.COM', 'paloaltonetworks.com'], registrar: MarkMonitor, Inc., whois_server: whois.markmonitor.com, referral_url: None, updated_date: [datetime.datetime(2024, 2, 8, 6, 27, 19), datetime.datetime(2024, 2, 8, 6, 27, 19, tzinfo=datetime.timezone.utc)], creation_date: [datetime.datetime(2005, 2, 21, 2, 42, 10), datetime.datetime(2005, 2, 21, 2, 42, 10, tzinfo=datetime.timezone.utc)], expiration_date: [datetime.datetime(2026, 2, 21, 2, 42, 10), datetime.datetime(2026, 2, 21, 0, 0, tzinfo=datetime.timezone.utc)], name_servers: ['A1-184.AKAM.NET', 'A11-64.AKAM.NET', 'A12-67.AKAM.NET', 'A13-66.AKAM.NET', 'A2-65.AKAM.NET', 'A4-64.AKAM.NET', 'a1-184.akam.net', 'a4-64.akam.net', 'a2-65.akam.net', 'a13-66.akam.net', 'a12-67.akam.net', 'a11-64.akam.net'], status: ['clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited', 'clientTransferProhibited https://icann.org/epp#clientTransferProhibited', 'clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited', 'clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)', 'clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)', 'clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)'], emails: ['abusecomplaints@markmonitor.com', 'whoisrequest@markmonitor.com'], dnssec: signedDelegation, name: None, org: Palo Alto Networks, Inc., address: None, city: None, state: CA, registrant_postal_code: None, country: US"
},
"Name": "paloaltonetworks.com",
"WhoisServer": "whois.markmonitor.com",
"CreationDate": "21-02-2005",
"ExpirationDate": "21-02-2026",
"UpdatedDate": "08-02-2024",
"Organization": "Palo Alto Networks, Inc.",
"State": "CA",
"Country": "US",
"Dnssec": "signedDelegation",
"Registrar": {
"Name": "MarkMonitor, Inc."
},
"Emails": [
"abusecomplaints@markmonitor.com",
"whoisrequest@markmonitor.com"
],
"NameServers": [
"a1-184.akam.net",
"a11-64.akam.net",
"a12-67.akam.net",
"a13-66.akam.net",
"a2-65.akam.net",
"a4-64.akam.net"
],
"DomainStatus": [
"clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
"clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
"clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
"clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
"clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
"clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)"
],
"FeedRelatedIndicators": [
{
"Type": "email",
"Value": "abusecomplaints@markmonitor.com"
},
{
"Type": "email",
"Value": "whoisrequest@markmonitor.com"
}
],
"Raw": "domain_name: ['PALOALTONETWORKS.COM', 'paloaltonetworks.com'], registrar: MarkMonitor, Inc., whois_server: whois.markmonitor.com, referral_url: None, updated_date: [datetime.datetime(2024, 2, 8, 6, 27, 19), datetime.datetime(2024, 2, 8, 6, 27, 19, tzinfo=datetime.timezone.utc)], creation_date: [datetime.datetime(2005, 2, 21, 2, 42, 10), datetime.datetime(2005, 2, 21, 2, 42, 10, tzinfo=datetime.timezone.utc)], expiration_date: [datetime.datetime(2026, 2, 21, 2, 42, 10), datetime.datetime(2026, 2, 21, 0, 0, tzinfo=datetime.timezone.utc)], name_servers: ['A1-184.AKAM.NET', 'A11-64.AKAM.NET', 'A12-67.AKAM.NET', 'A13-66.AKAM.NET', 'A2-65.AKAM.NET', 'A4-64.AKAM.NET', 'a1-184.akam.net', 'a4-64.akam.net', 'a2-65.akam.net', 'a13-66.akam.net', 'a12-67.akam.net', 'a11-64.akam.net'], status: ['clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited', 'clientTransferProhibited https://icann.org/epp#clientTransferProhibited', 'clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited', 'clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)', 'clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)', 'clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)'], emails: ['abusecomplaints@markmonitor.com', 'whoisrequest@markmonitor.com'], dnssec: signedDelegation, name: None, org: Palo Alto Networks, Inc., address: None, city: None, state: CA, registrant_postal_code: None, country: US"
}
}
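
An added example (not part of the integration or its documentation) of consuming the `Domain.WHOIS` context above in triage logic: it parses the DD-MM-YYYY dates, collapses the duplicated `DomainStatus` entries to their EPP codes, and flags new, expiring, or unlocked domains. The function names, flag names and 30-day thresholds are assumptions.

```python
from datetime import date, datetime

# Constructed sample: a subset of the Domain.WHOIS context shown on this page.
SAMPLE_CONTEXT = {
    "Domain": {
        "WHOIS": {
            "Name": "paloaltonetworks.com",
            "CreationDate": "21-02-2005",
            "ExpirationDate": "21-02-2026",
            "UpdatedDate": "08-02-2024",
            "Dnssec": "signedDelegation",
            "DomainStatus": [
                "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
                "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
                "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
                "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
                "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
                "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
            ],
        }
    }
}

DATE_FORMAT = "%d-%m-%Y"  # the context example renders dates as DD-MM-YYYY


def parse_whois_date(value):
    """Return a date for a DD-MM-YYYY string, or None if absent or unparseable."""
    if not isinstance(value, str):
        return None
    try:
        return datetime.strptime(value.strip(), DATE_FORMAT).date()
    except ValueError:
        return None


def normalize_statuses(raw):
    """Reduce DomainStatus entries to unique EPP status codes, order preserved.

    The same code appears twice in the example output, once with a bare URL
    and once with the URL in parentheses, so only the first token is kept.
    """
    if raw is None:
        return []
    entries = [raw] if isinstance(raw, str) else list(raw)
    codes = []
    for entry in entries:
        parts = str(entry).split()
        if parts and parts[0] not in codes:
            codes.append(parts[0])
    return codes


def triage_domain(context, today, new_domain_days=30, expiry_warn_days=30):
    """Summarise a Domain.WHOIS context entry into triage flags.

    Thresholds and flag names are assumptions of this example.
    """
    whois = context.get("Domain", {}).get("WHOIS", {})
    created = parse_whois_date(whois.get("CreationDate"))
    expires = parse_whois_date(whois.get("ExpirationDate"))
    statuses = normalize_statuses(whois.get("DomainStatus"))

    flags = []
    age_days = (today - created).days if created else None
    if age_days is None:
        # Free WHOIS providers may block or reject queries, so treat a
        # missing date as "unknown", not as "old and therefore benign".
        flags.append("missing_creation_date")
    elif age_days < new_domain_days:
        flags.append("newly_registered")

    days_to_expiry = (expires - today).days if expires else None
    if days_to_expiry is not None:
        if days_to_expiry < 0:
            flags.append("expired")
        elif days_to_expiry <= expiry_warn_days:
            flags.append("expiring_soon")

    # clientTransferProhibited / serverTransferProhibited are the EPP
    # transfer locks; neither present means the domain is not locked.
    if not any(code.endswith("TransferProhibited") for code in statuses):
        flags.append("no_transfer_lock")

    return {
        "name": whois.get("Name"),
        "age_days": age_days,
        "days_to_expiry": days_to_expiry,
        "statuses": statuses,
        "flags": flags,
    }


if __name__ == "__main__":
    print(triage_domain(SAMPLE_CONTEXT, date(2024, 3, 1)))
```
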

Human Readable Output

Whois results for paloaltonetworks.com

| Name | CreationDate | ExpirationDate | UpdatedDate | NameServers | Organization | Registrar | DomainStatus | Emails | WhoisServer |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| paloaltonetworks.com | 21-02-2005 | 21-02-2026 | 08-02-2024 | a1-184.akam.net, a11-64.akam.net, a12-67.akam.net, a13-66.akam.net, a2-65.akam.net, a4-64.akam.net | Palo Alto Networks, Inc. | Name: MarkMonitor, Inc. | clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited, clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited), clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited), clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) | abusecomplaints@markmonitor.com, whoisrequest@markmonitor.com | whois.markmonitor.com |

domain

Provides data enrichment for domains.

Base Command

domain

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| domain | The domain to enrich. | Required |
| recursive | Whether to get the raw response from the whois servers recursively. Default value is True. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| DBotScore.Score | string | The actual score. |
| DBotScore.Indicator | string | The indicator that was tested. |
| DBotScore.Type | string | The indicator type. |
| DBotScore.Vendor | string | The vendor used to calculate the score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |
| Domain.Name | string | The domain name. |
| Domain.DomainStatus | String | The domain status. |
| Domain.ExpirationDate | Date | The date that the domain expires (UTC). |
| Domain.NameServers | String | The name servers. |
| Domain.Organization | String | The organization name. |
| Domain.ID | string | The ID of the domain. |
| Domain.UpdatedDate | Date | The date that the domain was last updated (UTC). |
| Domain.Dnssec | string | The domain name system security extension (DNSSEC). |
| Domain.Country | string | The domain country. |
| Domain.State | string | The domain state. |
| Domain.City | string | The domain city. |
| Domain.CreationDate | date | The date that the domain was created (UTC). |
| Domain.Registrar.Name | string | The name of the registrar. |
| Domain.Registrar.Address | string | The address of the registrar. |
| Domain.Registrar.Email | string | The email of the registrar. |
| Domain.Registrar.Id | string | The ID of the registrar. |
| Domain.Registrar.Phone | string | The phone number of the registrar. |
| Domain.Registrar.Url | string | The URL of the registrar. |
| Domain.Registrar.AbuseEmail | string | The email address of the contact for reporting abuse. |
| Domain.Emails | string | The abuse emails. |
| Domain.Address | string | The abuse address. |
| Domain.WhoisServer | string | The whois server name. |
| Domain.Phone | string | The phone number of the tech administrator. |
| Domain.Admin | object | Administrator information. |
| Domain.Admin.Address | string | The address of the administrator. |
| Domain.Admin.ApplicationPurpose | string | The application purpose of the administrator. |
| Domain.Admin.C | string | The C field of the administrator. |
| Domain.Admin.City | string | The city of the administrator. |
| Domain.Admin.Country | string | The country of the administrator. |
| Domain.Admin.Email | string | The email address of the administrator. |
| Domain.Admin.Fax | string | The fax number of the administrator. |
| Domain.Admin.FaxExt | string | The fax extension of the administrator. |
| Domain.Admin.Id | string | The ID of the administrator. |
| Domain.Admin.Name | string | The name of the administrator. |
| Domain.Admin.Org | string | The organization of the administrator. |
| Domain.Admin.Phone | string | The phone number of the administrator. |
| Domain.Admin.PhoneExt | string | The phone extension of the administrator. |
| Domain.Admin.PostalCode | string | The postal code of the administrator. |
| Domain.Admin.State | string | The state of the administrator. |
| Domain.Admin.StateProvince | string | The state or province of the administrator. |
| Domain.Admin.Street | string | The street of the administrator. |
| Domain.Registrant.Name | string | The name of the registrant. |
| Domain.Registrant.Email | string | The email address of the registrant. |
| Domain.Registrant.Country | string | The country of the registrant. |
| Domain.Registrant.State | string | The state of the registrant. |
| Domain.Registrant.Org | string | The organization of the registrant. |
| Domain.Registrant.PostalCode | string | The postal code of the registrant. |
| Domain.Registrant.Street | string | The street of the registrant. |
| Domain.Registrant.Phone | string | The phone number of the registrant. |
| Domain.Registrant.City | string | The city of the registrant. |
| Domain.Registrant.Address | string | The address of the registrant. |
| Domain.Registrant.ContactName | string | The contact name of the registrant. |
| Domain.Registrant.Fax | string | The fax of the registrant. |
| Domain.Registrant.Id | string | The ID of the registrant. |
| Domain.Registrant.Number | string | The number of the registrant. |
| Domain.Registrant.StateProvince | string | The state province of the registrant. |
| Domain.Raw | string | The raw output from python-whois lib. |
| Domain.Administrator | string | The country of the domain administrator. |
| Domain.Tech.Name | string | The name of the tech contact. |
| Domain.Tech.Address | string | The address of the tech contact. |
| Domain.Tech.City | string | The city of the tech contact. |
| Domain.Tech.Country | string | The country of the tech contact. |
| Domain.Tech.Email | string | The email address of the tech contact. |
| Domain.Tech.Fax | string | The fax number of the tech contact. |
| Domain.Tech.ID | string | The ID of the tech contact. |
| Domain.Tech.Org | string | The organization of the tech contact. |
| Domain.Tech.Phone | string | The phone number of the tech contact. |
| Domain.Tech.PostalCode | string | The postal code of the tech contact. |
| Domain.Tech.State | string | The state of the tech contact. |
| Domain.Tech.StateProvince | string | The state/province of the tech contact. |
| Domain.Tech.Street | string | The street of the tech contact. |
| Domain.FeedRelatedIndicators.Type | String | Indicators that are associated with the domain. |
| Domain.FeedRelatedIndicators.Value | String | The type of the indicators that are associated with the domain. |
| Domain.WHOIS.FeedRelatedIndicators.Type | String | Indicators that are associated with the domain. |
| Domain.WHOIS.FeedRelatedIndicators.Value | String | The type of the indicators that are associated with the domain. |
| Domain.WHOIS.Name | string | The domain name. |
| Domain.WHOIS.ID | string | The ID of the domain. |
| Domain.WHOIS.DomainStatus | string | The domain status. |
| Domain.WHOIS.Dnssec | string | The domain name system security extension (DNSSEC). |
| Domain.WHOIS.NameServers | string | The name servers. |
| Domain.WHOIS.Country | string | The domain country. |
| Domain.WHOIS.State | string | The domain state. |
| Domain.WHOIS.City | string | The domain city. |
| Domain.WHOIS.CreationDate | date | The date that the domain was created (UTC). |
| Domain.WHOIS.UpdatedDate | date | The date that the domain was last updated (UTC). |
| Domain.WHOIS.ExpirationDate | date | The date that the domain expires (UTC). |
| Domain.WHOIS.Registrar.Name | string | The name of the registrar. |
| Domain.WHOIS.Registrar.Address | string | The address of the registrar. |
| Domain.WHOIS.Registrar.Email | string | The email of the registrar. |
| Domain.WHOIS.Registrar.Id | string | The ID of the registrar. |
| Domain.WHOIS.Registrar.Phone | string | The phone number of the registrar. |
| Domain.WHOIS.Registrar.Url | string | The URL of the registrar. |
| Domain.WHOIS.Registrar.AbuseEmail | string | The email address of the contact for reporting abuse. |
| Domain.WHOIS.Emails | string | The abuse emails. |
| Domain.WHOIS.Address | string | The abuse address. |
| Domain.WHOIS.Organization | string | The organization domain name. |
| Domain.WHOIS.WhoisServer | string | The whois server name. |
| Domain.WHOIS.Phone | string | The phone number of the tech administrator. |
| Domain.WHOIS.Admin | object | Administrator information. |
| Domain.WHOIS.Admin.Address | string | The address of the administrator. |
| Domain.WHOIS.Admin.ApplicationPurpose | string | The application purpose of the administrator. |
| Domain.WHOIS.Admin.C | string | The C field of the administrator. |
| Domain.WHOIS.Admin.City | string | The city of the administrator. |
| Domain.WHOIS.Admin.Country | string | The country of the administrator. |
| Domain.WHOIS.Admin.Email | string | The email address of the administrator. |
| Domain.WHOIS.Admin.Fax | string | The fax number of the administrator. |
| Domain.WHOIS.Admin.FaxExt | string | The fax extension of the administrator. |
| Domain.WHOIS.Admin.Id | string | The ID of the administrator. |
| Domain.WHOIS.Admin.Name | string | The name of the administrator. |
| Domain.WHOIS.Admin.Org | string | The organization of the administrator. |
| Domain.WHOIS.Admin.Phone | string | The phone number of the administrator. |
| Domain.WHOIS.Admin.PhoneExt | string | The phone extension of the administrator. |
| Domain.WHOIS.Admin.PostalCode | string | The postal code of the administrator. |
| Domain.WHOIS.Admin.State | string | The state of the administrator. |
| Domain.WHOIS.Admin.StateProvince | string | The state or province of the administrator. |
| Domain.WHOIS.Admin.Street | string | The street of the administrator. |
| Domain.WHOIS.Registrant.Name | string | The name of the registrant. |
| Domain.WHOIS.Registrant.Email | string | The email address of the registrant. |
| Domain.WHOIS.Registrant.Country | string | The country of the registrant. |
| Domain.WHOIS.Registrant.State | string | The state of the registrant. |
| Domain.WHOIS.Registrant.Org | string | The organization of the registrant. |
| Domain.WHOIS.Registrant.PostalCode | string | The postal code of the registrant. |
| Domain.WHOIS.Registrant.Street | string | The street of the registrant. |
| Domain.WHOIS.Registrant.Phone | string | The phone number of the registrant. |
| Domain.WHOIS.Registrant.City | string | The city of the registrant. |
| Domain.WHOIS.Registrant.Address | string | The address of the registrant. |
| Domain.WHOIS.Registrant.ContactName | string | The contact name of the registrant. |
| Domain.WHOIS.Registrant.Fax | string | The fax of the registrant. |
| Domain.WHOIS.Registrant.Id | string | The ID of the registrant. |
| Domain.WHOIS.Registrant.Number | string | The number of the registrant. |
| Domain.WHOIS.Registrant.StateProvince | string | The state province of the registrant. |
| Domain.WHOIS.Raw | string | The raw output from python-whois lib. |
| Domain.WHOIS.Administrator | string | The country of the domain administrator. |
| Domain.WHOIS.Tech.Name | string | The name of the tech contact. |
| Domain.WHOIS.Tech.Address | string | The address of the tech contact. |
| Domain.WHOIS.Tech.City | string | The city of the tech contact. |
| Domain.WHOIS.Tech.Country | string | The country of the tech contact. |
| Domain.WHOIS.Tech.Email | string | The email address of the tech contact. |
| Domain.WHOIS.Tech.Fax | string | The fax number of the tech contact. |
| Domain.WHOIS.Tech.ID | string | The ID of the tech contact. |
| Domain.WHOIS.Tech.Org | string | The organization of the tech contact. |
| Domain.WHOIS.Tech.Phone | string | The phone number of the tech contact. |
| Domain.WHOIS.Tech.PostalCode | string | The postal code of the tech contact. |
| Domain.WHOIS.Tech.State | string | The state of the tech contact. |
| Domain.WHOIS.Tech.StateProvince | string | The state/province of the tech contact. |
| Domain.WHOIS.Tech.Street | string | The street of the tech contact. |
| Domain.Whois.Name | string | (Legacy output) The domain name. |
| Domain.Whois.DomainStatus | string | (Legacy output) The domain status. |
| Domain.Whois.DNSSec | string | (Legacy output) The domain name system security extension (DNSSEC). |
| Domain.Whois.NameServers | string | (Legacy output) The name servers. |
| Domain.Whois.CreationDate | date | (Legacy output) The date that the domain was created (UTC). |
| Domain.Whois.UpdatedDate | date | (Legacy output) The date that the domain was last updated (UTC). |
| Domain.Whois.ExpirationDate | date | (Legacy output) The date that the domain expires (UTC). |
| Domain.Whois.Registrar.Name | string | (Legacy output) The name of the registrar. |
| Domain.Whois.Emails | string | (Legacy output) The abuse emails. |
| Domain.Whois.Registrar.AbuseEmail | string | (Legacy output) The email address of the contact for reporting abuse. |
| Domain.Whois.Registrant.name | string | (Legacy output) The name of the registrant. |
| Domain.Whois.Registrant.email | string | (Legacy output) The email address of the registrant. |
| Domain.Whois.Raw | string | (Legacy output) The raw output. |
| Domain.Whois.Administrator.country | string | (Legacy output) The country of the domain administrator. |
| Domain.Whois.Administrator.name | string | (Legacy output) The name of the domain administrator. |
| Domain.Whois.Administrator.state | string | (Legacy output) The state of the domain administrator. |
| Domain.Whois.Administrator.email | string | (Legacy output) The email address of the domain administrator. |
| Domain.Whois.Administrator.organization | string | (Legacy output) The organization of the domain administrator. |
| Domain.Whois.Administrator.postalcode | string | (Legacy output) The postal code of the domain administrator. |
| Domain.Whois.Administrator.street | string | (Legacy output) The street of the domain administrator. |
| Domain.Whois.Administrator.phone | string | (Legacy output) The phone number of the domain administrator. |
| Domain.Whois.Administrator.city | string | (Legacy output) The city of the domain administrator. |
| Domain.Whois.TechAdmin.country | string | (Legacy output) The country of the tech administrator. |
| Domain.Whois.TechAdmin.name | string | (Legacy output) The name of the tech administrator. |
| Domain.Whois.TechAdmin.state | string | (Legacy output) The state of the tech administrator. |
| Domain.Whois.TechAdmin.email | string | (Legacy output) The email address of the tech administrator. |
| Domain.Whois.TechAdmin.organization | string | (Legacy output) The organization of the tech administrator. |
| Domain.Whois.TechAdmin.postalcode | string | (Legacy output) The postal code of the tech administrator. |
| Domain.Whois.TechAdmin.street | string | (Legacy output) The street of the tech administrator. |
| Domain.Whois.TechAdmin.phone | string | (Legacy output) The phone number of the tech administrator. |
| Domain.Whois.TechAdmin.city | string | (Legacy output) The city of the tech administrator. |
| Domain.Whois.Registrant.country | string | (Legacy output) The country of the registrant. |
Domain.Whois.Registrant.statestring(Legacy output) The state of the registrant.
Domain.Whois.Registrant.organizationstring(Legacy output) The organization of the registrant.
Domain.Whois.Registrant.postalcodestring(Legacy output) The postal code of the registrant.
Domain.Whois.Registrant.streetstring(Legacy output) The street of the registrant.
Domain.Whois.Registrant.phonestring(Legacy output) The phone number of the registrant.
Domain.Whois.Registrant.citystring(Legacy output) The city of the registrant.
Domain.Whois.IDstring(Legacy output) The ID of the domain.
Domain.Whois.QueryStatusstring(Legacy output) The result of the command ("Success" or "Failed").
Domain.Whois.QueryResultBoolean(Legacy output) Whether the query found a matching result.
Domain.Admin.CountryString(Legacy output) The country of the domain administrator.
Domain.Admin.NameString(Legacy output) The name of domain administrator.
Domain.Admin.StateString(Legacy output) The state of domain administrator.
Domain.Admin.countryString(Legacy output) The country of the domain administrator.
Domain.Admin.nameString(Legacy output) The name of domain administrator.
Domain.Admin.stateString(Legacy output) The state of domain administrator.
Domain.Registrant.countryString(Legacy output) The country of the registrant.
Domain.Registrant.organizationString(Legacy output) The organization of the registrant.
Domain.Registrant.stateString(Legacy output) The state of the registrant.
Domain.FeedRelatedIndicators.typeString(Legacy output) Indicators that are associated with the domain.
Domain.FeedRelatedIndicators.valueString(Legacy output) The type of the indicators that are associated with the domain.
DBotScore.IndicatorStringThe indicator that was tested.
DBotScore.TypeStringThe indicator type.
DBotScore.VendorStringThe vendor used to calculate the score.
DBotScore.ScoreNumberThe actual score.
DBotScore.ReliabilityStringReliability of the source providing the intelligence data.

Command example

!domain domain="google.com"

Context Example

{
  "DBotScore": {
    "Indicator": "google.com",
    "Type": "domain",
    "Vendor": "Whois",
    "Score": 0,
    "Reliability": "B - Usually reliable"
  },
  "Domain": {
    "WHOIS": {
      "Name": "google.com",
      "WhoisServer": "whois.markmonitor.com",
      "CreationDate": "15-09-1997",
      "ExpirationDate": "14-09-2028",
      "UpdatedDate": "09-09-2019",
      "Organization": "Google LLC",
      "State": "CA",
      "Country": "US",
      "Dnssec": "unsigned",
      "Registrar": {
        "Name": "MarkMonitor, Inc."
      },
      "Emails": [
        "abusecomplaints@markmonitor.com",
        "whoisrequest@markmonitor.com"
      ],
      "NameServers": [
        "ns1.google.com",
        "ns2.google.com",
        "ns3.google.com",
        "ns4.google.com"
      ],
      "DomainStatus": [
        "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
        "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
        "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
        "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
        "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
        "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
        "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
        "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
        "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
        "serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)",
        "serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)",
        "serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)"
      ],
      "FeedRelatedIndicators": [
        {
          "Type": "email",
          "Value": "abusecomplaints@markmonitor.com"
        },
        {
          "Type": "email",
          "Value": "whoisrequest@markmonitor.com"
        }
      ],
      "Raw": "domain_name: ['GOOGLE.COM', 'google.com'], registrar: MarkMonitor, Inc., whois_server: whois.markmonitor.com, referral_url: None, updated_date: [datetime.datetime(2019, 9, 9, 15, 39, 4), datetime.datetime(2019, 9, 9, 15, 39, 4, tzinfo=datetime.timezone.utc)], creation_date: [datetime.datetime(1997, 9, 15, 4, 0), datetime.datetime(1997, 9, 15, 7, 0, tzinfo=datetime.timezone.utc)], expiration_date: [datetime.datetime(2028, 9, 14, 4, 0), datetime.datetime(2028, 9, 13, 7, 0, tzinfo=datetime.timezone.utc)], name_servers: ['NS1.GOOGLE.COM', 'NS2.GOOGLE.COM', 'NS3.GOOGLE.COM', 'NS4.GOOGLE.COM', 'ns4.google.com', 'ns3.google.com', 'ns1.google.com', 'ns2.google.com'], status: ['clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited', 'clientTransferProhibited https://icann.org/epp#clientTransferProhibited', 'clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited', 'serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited', 'serverTransferProhibited https://icann.org/epp#serverTransferProhibited', 'serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited', 'clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)', 'clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)', 'clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)', 'serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)', 'serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)', 'serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)'], emails: ['abusecomplaints@markmonitor.com', 'whoisrequest@markmonitor.com'], dnssec: unsigned, name: None, org: Google LLC, address: None, city: None, state: CA, registrant_postal_code: None, country: US"
    },
    "Name": "google.com",
    "WhoisServer": "whois.markmonitor.com",
    "CreationDate": "15-09-1997",
    "ExpirationDate": "14-09-2028",
    "UpdatedDate": "09-09-2019",
    "Organization": "Google LLC",
    "State": "CA",
    "Country": "US",
    "Dnssec": "unsigned",
    "Registrar": {
      "Name": "MarkMonitor, Inc."
    },
    "Emails": [
      "abusecomplaints@markmonitor.com",
      "whoisrequest@markmonitor.com"
    ],
    "NameServers": [
      "ns1.google.com",
      "ns2.google.com",
      "ns3.google.com",
      "ns4.google.com"
    ],
    "DomainStatus": [
      "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
      "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
      "clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited",
      "serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited",
      "serverTransferProhibited https://icann.org/epp#serverTransferProhibited",
      "serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited",
      "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
      "clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)",
      "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
      "serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)",
      "serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)",
      "serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)"
    ],
    "FeedRelatedIndicators": [
      {
        "Type": "email",
        "Value": "abusecomplaints@markmonitor.com"
      },
      {
        "Type": "email",
        "Value": "whoisrequest@markmonitor.com"
      }
    ],
    "Raw": "domain_name: ['GOOGLE.COM', 'google.com'], registrar: MarkMonitor, Inc., whois_server: whois.markmonitor.com, referral_url: None, updated_date: [datetime.datetime(2019, 9, 9, 15, 39, 4), datetime.datetime(2019, 9, 9, 15, 39, 4, tzinfo=datetime.timezone.utc)], creation_date: [datetime.datetime(1997, 9, 15, 4, 0), datetime.datetime(1997, 9, 15, 7, 0, tzinfo=datetime.timezone.utc)], expiration_date: [datetime.datetime(2028, 9, 14, 4, 0), datetime.datetime(2028, 9, 13, 7, 0, tzinfo=datetime.timezone.utc)], name_servers: ['NS1.GOOGLE.COM', 'NS2.GOOGLE.COM', 'NS3.GOOGLE.COM', 'NS4.GOOGLE.COM', 'ns4.google.com', 'ns3.google.com', 'ns1.google.com', 'ns2.google.com'], status: ['clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited', 'clientTransferProhibited https://icann.org/epp#clientTransferProhibited', 'clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited', 'serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited', 'serverTransferProhibited https://icann.org/epp#serverTransferProhibited', 'serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited', 'clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)', 'clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited)', 'clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)', 'serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited)', 'serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited)', 'serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited)'], emails: ['abusecomplaints@markmonitor.com', 'whoisrequest@markmonitor.com'], dnssec: unsigned, name: None, org: Google LLC, address: None, city: None, state: CA, registrant_postal_code: None, country: US"
  }
}

Human Readable Output

Whois results for google.com

| Name | CreationDate | ExpirationDate | UpdatedDate | NameServers | Organization | Registrar | DomainStatus | Emails | WhoisServer |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| google.com | 15-09-1997 | 14-09-2028 | 09-09-2019 | ns1.google.com, ns2.google.com, ns3.google.com, ns4.google.com | Google LLC | Name: MarkMonitor, Inc. | clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited, clientTransferProhibited https://icann.org/epp#clientTransferProhibited, clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited, serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited, serverTransferProhibited https://icann.org/epp#serverTransferProhibited, serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited, clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited), clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited), clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited), serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited), serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited), serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited) | abusecomplaints@markmonitor.com, whoisrequest@markmonitor.com | whois.markmonitor.com |
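
The following Python sketch is an added example, not part of the integration's own code. It post-processes a `Domain.WHOIS` context like the one above: it collapses the two `DomainStatus` notations ("code URL" and "code (URL)") into one list of EPP codes and derives domain age from the DD-MM-YYYY date strings. The function names, the 30-day threshold and the trimmed sample are assumptions.

```python
import re
from datetime import date, datetime

# Constructed sample: a trimmed copy of the Domain.WHOIS context shown above.
SAMPLE_WHOIS = {
    "Name": "google.com",
    "CreationDate": "15-09-1997",
    "ExpirationDate": "14-09-2028",
    "DomainStatus": [
        "clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited",
        "clientTransferProhibited https://icann.org/epp#clientTransferProhibited",
        "clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited)",
        "clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited)",
    ],
}

# Hypothetical triage threshold (assumption); tune it to your environment.
NEW_DOMAIN_DAYS = 30
TRANSFER_LOCKS = {"clientTransferProhibited", "serverTransferProhibited"}


def parse_whois_date(value):
    """Parse the DD-MM-YYYY strings of the context example; None if absent or malformed."""
    if not value:
        return None
    try:
        return datetime.strptime(value, "%d-%m-%Y").date()
    except (TypeError, ValueError):
        return None


def epp_status_codes(entries):
    """Reduce 'code URL' and 'code (URL)' entries to a sorted, de-duplicated code list."""
    if isinstance(entries, str):  # tolerate a single string instead of a list
        entries = [entries]
    codes = set()
    for entry in entries or []:
        match = re.match(r"\s*([A-Za-z]+)", str(entry))
        if match:
            codes.add(match.group(1))
    return sorted(codes)


def triage(whois, today):
    """Summarise the fields an analyst usually checks first for a domain."""
    created = parse_whois_date(whois.get("CreationDate"))
    expires = parse_whois_date(whois.get("ExpirationDate"))
    codes = epp_status_codes(whois.get("DomainStatus"))
    age_days = (today - created).days if created else None
    return {
        "domain": whois.get("Name"),
        "status_codes": codes,
        "age_days": age_days,
        "newly_registered": age_days is not None and age_days < NEW_DOMAIN_DAYS,
        "expired": expires is not None and expires < today,
        "transfer_locked": bool(TRANSFER_LOCKS & set(codes)),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_WHOIS, date.today()))
```

A missing or unparsable `CreationDate` yields `age_days: None` rather than a false "newly registered" verdict, which matters because free WHOIS providers often return partial records.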

ip

Provides data enrichment for IPs.

Base Command

ip

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| ip | The IP to enrich. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| Whois.IP.asn | string | Globally unique identifier used for routing information exchange with Autonomous Systems. |
| Whois.IP.asn_cidr | string | Network routing block assigned to an ASN. |
| Whois.IP.asn_country_code | string | ASN assigned country code in ISO 3166-1 format. |
| Whois.IP.asn_date | Date | ASN allocation date in ISO 8601 format. |
| Whois.IP.asn_description | string | The ASN description. |
| Whois.IP.asn_registry | string | ASN assigned regional internet registry. |
| Whois.IP.entities | string | List of object names referenced by an RIR network. Map these to the objects dictionary keys. |
| Whois.IP.network.cidr | string | Network routing block an IP address belongs to. |
| Whois.IP.network.country | string | Country code registered with the RIR in ISO 3166-1 format. |
| Whois.IP.network.end_address | string | The last IP address in a network block. |
| Whois.IP.network.events.action | string | The reason for an event. |
| Whois.IP.network.events.actor | string | The identifier for an event initiator (if any). |
| Whois.IP.network.events.timestamp | Date | The date an event occurred in ISO 8601 format. |
| Whois.IP.network.handle | string | Unique identifier for a registered object. |
| Whois.IP.network.ip_version | string | IP protocol version (v4 or v6) of an IP address. |
| Whois.IP.network.links | string | HTTP/HTTPS links provided for an RIR object. |
| Whois.IP.network.name | string | The identifier assigned to the network registration for an IP address. |
| Whois.IP.network.notices.description | string | The description/body of a notice. |
| Whois.IP.network.notices.links | string | List of HTTP/HTTPS links provided for a notice. |
| Whois.IP.network.notices.title | string | The title/header for a notice. |
| Whois.IP.network.parent_handle | string | Unique identifier for the parent network of a registered network. |
| Whois.IP.network.remarks | string | List of remark (notice) dictionaries. |
| Whois.IP.network.start_address | string | The first IP address in a network block. |
| Whois.IP.network.status | string | List indicating the state of a registered object. |
| Whois.IP.network.type | string | The RIR classification of a registered network. |
| Whois.IP.query | string | The IP address. |
| IP.Address | string | IP address. |
| IP.ASN | string | The autonomous system name for the IP address, for example: "AS8948". |
| IP.Geo.Country | string | The country in which the IP address is located. |
| IP.Organization.Name | string | The organization name. |
| IP.feed_related_indicators.value | string | Indicators that are associated with the IP. |
| IP.feed_related_indicators.type | string | The type of the indicators that are associated with the IP. |
| DBotScore.Indicator | String | The indicator that was tested. |
| DBotScore.Type | String | The indicator type. |
| DBotScore.Vendor | String | The vendor used to calculate the score. |
| DBotScore.Score | Number | The actual score. |
| DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

Command example

!ip ip=8.8.8.8

Context Example

{
  "DBotScore": {
    "Indicator": "8.8.8.8",
    "Reliability": "B - Usually reliable",
    "Score": 0,
    "Type": "ip",
    "Vendor": "Whois"
  },
  "IP": {
    "ASN": "15169",
    "Address": "8.8.8.8",
    "FeedRelatedIndicators": [
      {
        "description": null,
        "type": "CIDR",
        "value": "8.8.8.0/24"
      }
    ],
    "Organization": {
      "Name": "LVLT-GOGL-8-8-8"
    }
  },
  "Whois": {
    "IP": {
      "asn": "15169",
      "asn_cidr": "8.8.8.0/24",
      "asn_country_code": "US",
      "asn_date": "1992-12-01",
      "asn_description": "GOOGLE, US",
      "asn_registry": "arin",
      "entities": [
        "GOGL"
      ],
      "network": {
        "cidr": "8.8.8.0/24",
        "country": null,
        "end_address": "8.8.8.255",
        "events": [
          {
            "action": "last changed",
            "actor": null,
            "timestamp": "2014-03-14T16:52:05-04:00"
          },
          {
            "action": "registration",
            "actor": null,
            "timestamp": "2014-03-14T16:52:05-04:00"
          }
        ],
        "handle": "NET-8-8-8-0-1",
        "ip_version": "v4",
        "links": [
          "https://rdap.arin.net/registry/ip/8.8.8.0",
          "https://whois.arin.net/rest/net/NET-8-8-8-0-1",
          "https://rdap.arin.net/registry/ip/8.0.0.0/9"
        ],
        "name": "LVLT-GOGL-8-8-8",
        "notices": [
          {
            "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use",
            "links": [
              "https://www.arin.net/resources/registry/whois/tou/"
            ],
            "title": "Terms of Service"
          },
          {
            "description": "If you see inaccuracies in the results, please visit: ",
            "links": [
              "https://www.arin.net/resources/registry/whois/inaccuracy_reporting/"
            ],
            "title": "Whois Inaccuracy Reporting"
          },
          {
            "description": "Copyright 1997-2022, American Registry for Internet Numbers, Ltd.",
            "links": null,
            "title": "Copyright Notice"
          }
        ],
        "parent_handle": "NET-8-0-0-0-1",
        "raw": null,
        "remarks": null,
        "start_address": "8.8.8.0",
        "status": [
          "active"
        ],
        "type": "ALLOCATION"
      },
      "nir": null,
      "objects": {
        "ABUSE5250-ARIN": {
          "contact": {
            "address": [
              {
                "type": null,
                "value": "1600 Amphitheatre Parkway\nMountain View\nCA\n94043\nUnited States"
              }
            ],
            "email": [
              {
                "type": null,
                "value": "network-abuse@google.com"
              }
            ],
            "kind": "group",
            "name": "Abuse",
            "phone": [
              {
                "type": [
                  "work",
                  "voice"
                ],
                "value": "+1-650-253-0000"
              }
            ],
            "role": null,
            "title": null
          },
          "entities": null,
          "events": [
            {
              "action": "last changed",
              "actor": null,
              "timestamp": "2018-10-24T11:23:55-04:00"
            },
            {
              "action": "registration",
              "actor": null,
              "timestamp": "2015-11-06T15:36:35-05:00"
            }
          ],
          "events_actor": null,
          "handle": "ABUSE5250-ARIN",
          "links": [
            "https://rdap.arin.net/registry/entity/ABUSE5250-ARIN",
            "https://whois.arin.net/rest/poc/ABUSE5250-ARIN"
          ],
          "notices": [
            {
              "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use",
              "links": [
                "https://www.arin.net/resources/registry/whois/tou/"
              ],
              "title": "Terms of Service"
            },
            {
              "description": "If you see inaccuracies in the results, please visit: ",
              "links": [
                "https://www.arin.net/resources/registry/whois/inaccuracy_reporting/"
              ],
              "title": "Whois Inaccuracy Reporting"
            },
            {
              "description": "Copyright 1997-2022, American Registry for Internet Numbers, Ltd.",
              "links": null,
              "title": "Copyright Notice"
            }
          ],
          "raw": null,
          "remarks": [
            {
              "description": "Please note that the recommended way to file abuse complaints are located in the following links.\n\nTo report abuse and illegal activity: https://www.google.com/contact/\n\nFor legal requests: http://support.google.com/legal \n\nRegards,\nThe Google Team",
              "links": null,
              "title": "Registration Comments"
            },
            {
              "description": "ARIN has attempted to validate the data for this POC, but has received no response from the POC since 2019-10-24",
              "links": null,
              "title": "Unvalidated POC"
            }
          ],
          "roles": [
            "abuse"
          ],
          "status": null
        },
        "GOGL": {
          "contact": {
            "address": [
              {
                "type": null,
                "value": "1600 Amphitheatre Parkway\nMountain View\nCA\n94043\nUnited States"
              }
            ],
            "email": null,
            "kind": "org",
            "name": "Google LLC",
            "phone": null,
            "role": null,
            "title": null
          },
          "entities": [
            "ABUSE5250-ARIN",
            "ZG39-ARIN"
          ],
          "events": [
            {
              "action": "last changed",
              "actor": null,
              "timestamp": "2019-10-31T15:45:45-04:00"
            },
            {
              "action": "registration",
              "actor": null,
              "timestamp": "2000-03-30T00:00:00-05:00"
            }
          ],
          "events_actor": null,
          "handle": "GOGL",
          "links": [
            "https://rdap.arin.net/registry/entity/GOGL",
            "https://whois.arin.net/rest/org/GOGL"
          ],
          "notices": null,
          "raw": null,
          "remarks": [
            {
              "description": "Please note that the recommended way to file abuse complaints are located in the following links. \n\nTo report abuse and illegal activity: https://www.google.com/contact/\n\nFor legal requests: http://support.google.com/legal \n\nRegards, \nThe Google Team",
              "links": null,
              "title": "Registration Comments"
            }
          ],
          "roles": [
            "registrant"
          ],
          "status": null
        },
        "ZG39-ARIN": {
          "contact": {
            "address": [
              {
                "type": null,
                "value": "1600 Amphitheatre Parkway\nMountain View\nCA\n94043\nUnited States"
              }
            ],
            "email": [
              {
                "type": null,
                "value": "arin-contact@google.com"
              }
            ],
            "kind": "group",
            "name": "Google LLC",
            "phone": [
              {
                "type": [
                  "work",
                  "voice"
                ],
                "value": "+1-650-253-0000"
              }
            ],
            "role": null,
            "title": null
          },
          "entities": null,
          "events": [
            {
              "action": "last changed",
              "actor": null,
              "timestamp": "2021-11-10T10:26:54-05:00"
            },
            {
              "action": "registration",
              "actor": null,
              "timestamp": "2000-11-30T13:54:08-05:00"
            }
          ],
          "events_actor": null,
          "handle": "ZG39-ARIN",
          "links": [
            "https://rdap.arin.net/registry/entity/ZG39-ARIN",
            "https://whois.arin.net/rest/poc/ZG39-ARIN"
          ],
          "notices": [
            {
              "description": "By using the ARIN RDAP/Whois service, you are agreeing to the RDAP/Whois Terms of Use",
              "links": [
                "https://www.arin.net/resources/registry/whois/tou/"
              ],
              "title": "Terms of Service"
            },
            {
              "description": "If you see inaccuracies in the results, please visit: ",
              "links": [
                "https://www.arin.net/resources/registry/whois/inaccuracy_reporting/"
              ],
              "title": "Whois Inaccuracy Reporting"
            },
            {
              "description": "Copyright 1997-2022, American Registry for Internet Numbers, Ltd.",
              "links": null,
              "title": "Copyright Notice"
            }
          ],
          "raw": null,
          "remarks": null,
          "roles": [
            "technical",
            "administrative"
          ],
          "status": [
            "validated"
          ]
        }
      },
      "query": "8.8.8.8",
      "raw": null
    }
  }
}

Human Readable Output

Whois results:

| asn | asn_cidr | asn_date | country_code | network_name | query |
| --- | --- | --- | --- | --- | --- |
| 15169 | 8.8.8.0/24 | 1992-12-01 | | LVLT-GOGL-8-8-8 | 8.8.8.8 |
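
The `Whois.IP.entities` description says to map the listed names to the `objects` dictionary keys. The Python sketch below is an added example, not the integration's own code, that does this mapping and follows nested `entities` to group contact e-mail addresses by role, for instance to find the abuse contact. The function names and the trimmed sample are assumptions.

```python
# Constructed sample: a trimmed copy of the Whois.IP context shown above.
SAMPLE_WHOIS_IP = {
    "entities": ["GOGL"],
    "objects": {
        "GOGL": {
            "contact": {"email": None, "name": "Google LLC"},
            "entities": ["ABUSE5250-ARIN", "ZG39-ARIN"],
            "roles": ["registrant"],
        },
        "ABUSE5250-ARIN": {
            "contact": {
                "email": [{"type": None, "value": "network-abuse@google.com"}],
                "name": "Abuse",
            },
            "entities": None,
            "roles": ["abuse"],
        },
        "ZG39-ARIN": {
            "contact": {
                "email": [{"type": None, "value": "arin-contact@google.com"}],
                "name": "Google LLC",
            },
            "entities": None,
            "roles": ["technical", "administrative"],
        },
    },
}


def contacts_by_role(whois_ip):
    """Resolve entities against objects (breadth-first) and group e-mails by role."""
    objects = whois_ip.get("objects") or {}
    pending = list(whois_ip.get("entities") or [])
    seen = set()
    result = {}
    while pending:
        handle = pending.pop(0)
        if handle in seen:  # guard against entities that reference each other
            continue
        seen.add(handle)
        obj = objects.get(handle)
        if not obj:  # handle referenced but not present in objects
            continue
        pending.extend(obj.get("entities") or [])
        contact = obj.get("contact") or {}
        emails = [
            item["value"]
            for item in (contact.get("email") or [])  # "email" may be null
            if isinstance(item, dict) and item.get("value")
        ]
        for role in obj.get("roles") or []:
            bucket = result.setdefault(role, [])
            for email in emails:
                if email not in bucket:
                    bucket.append(email)
    return result


def abuse_emails(whois_ip):
    """E-mail addresses of every object carrying the 'abuse' role."""
    return contacts_by_role(whois_ip).get("abuse", [])


if __name__ == "__main__":
    print(contacts_by_role(SAMPLE_WHOIS_IP))
```

In the context example the top-level `entities` list names only `GOGL`; the abuse contact is reachable only through that object's own `entities`, which is why the walk follows nested references.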

Troubleshooting

  • The error message Bad Gateway (502) might occur when using a firewall/proxy. To fix the issue, make sure the whois TLD provider exists in your allowlist.

Known limitations

  • The IP lookup has a rate limit of 1 lookup per second.