Whois
This Integration is part of the Whois Pack.

Provides data enrichment for domains. This integration was integrated and tested with version 1.0 of Whois.

Configure Whois on Cortex XSOAR

1. Navigate to Settings > Integrations > Servers & Services.
2. Search for Whois.
3. Click Add instance to create and configure a new integration instance.

Parameter | Description | Required |
---|---|---|
Return Errors | | False |
Proxy URL | Supports socks4/socks5/http connect proxies (e.g. socks5h://host:1080). Will affect all commands except for the `ip` command. | False |
Use system proxy settings | Affects the `ip` command, and the other commands only if the Proxy URL is not set. | False |
Source Reliability | Reliability of the source providing the intelligence data. | True |

4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

whois

Provides data enrichment for domains. This pack relies on free services for WHOIS information. As with many free services, availability is not guaranteed. Free WHOIS providers may block or reject queries.

Base Command

`whois`

Input

Argument Name | Description | Required |
---|---|---|
query | The domain to enrich. | Required |
recursive | Whether to get the raw response from the whois servers recursively. Default value is True. | Optional |
verbose | Whether to add the raw response as a dictionary to the context. | Optional |

Context Output

Path | Type | Description |
---|---|---|
DBotScore.Score | string | The actual score. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
Domain.Name | string | The domain name. |
Domain.Whois.Name | string | The domain name. |
Domain.Whois.DomainStatus | string | The domain status. |
Domain.Whois.DNSSec | string | The domain name system security extension (DNSSEC). |
Domain.Whois.NameServers | string | The name servers. |
Domain.Whois.CreationDate | date | The date that the domain was created. |
Domain.Whois.UpdatedDate | date | The date that the domain was last updated. |
Domain.Whois.ExpirationDate | date | The date that the domain expires. |
Domain.Whois.Registrar.Name | string | The name of the registrar. |
Domain.Whois.Emails | string | The abuse emails. |
Domain.Whois.Registrar.AbuseEmail | string | The email address of the contact for reporting abuse. |
Domain.Whois.Registrant.name | string | The name of the registrant. |
Domain.Whois.Registrant.email | string | The email address of the registrant. |
Domain.Whois.Raw | string | The raw output. |
Domain.Whois.Administrator.country | string | The country of the domain administrator. |
Domain.Whois.Administrator.name | string | The name of domain administrator. |
Domain.Whois.Administrator.state | string | The state of domain administrator. |
Domain.Whois.Administrator.email | string | The email address of the domain administrator. |
Domain.Whois.Administrator.organization | string | The organization of the domain administrator. |
Domain.Whois.Administrator.postalcode | string | The postal code of the domain administrator. |
Domain.Whois.Administrator.street | string | The street of the domain administrator. |
Domain.Whois.Administrator.phone | string | The phone number of the domain administrator. |
Domain.Whois.Administrator.city | string | The city of the domain administrator. |
Domain.Whois.TechAdmin.country | string | The country of tech administrator. |
Domain.Whois.TechAdmin.name | string | The name of tech administrator. |
Domain.Whois.TechAdmin.state | string | The state of tech administrator. |
Domain.Whois.TechAdmin.email | string | The email address of the tech administrator. |
Domain.Whois.TechAdmin.organization | string | The organization of the tech administrator. |
Domain.Whois.TechAdmin.postalcode | string | The postal code of the tech administrator. |
Domain.Whois.TechAdmin.street | string | The street of the tech administrator. |
Domain.Whois.TechAdmin.phone | string | The phone number of the tech administrator. |
Domain.Whois.TechAdmin.city | string | The city of the tech administrator. |
Domain.Whois.Registrant.country | string | The country of the registrant. |
Domain.Whois.Registrant.state | string | The state of the registrant. |
Domain.Whois.Registrant.organization | string | The organization of the registrant. |
Domain.Whois.Registrant.postalcode | string | The postal code of the registrant. |
Domain.Whois.Registrant.street | string | The street of the registrant. |
Domain.Whois.Registrant.phone | string | The phone number of the registrant. |
Domain.Whois.Registrant.city | string | The city of the registrant. |
Domain.Whois.ID | string | The ID of the domain. |
Domain.Whois.QueryStatus | string | The result of the command ("Success" or "Failed"). |
Domain.Whois.QueryValue | string | The query requested by the user. |
Domain.Whois.QueryResult | Boolean | Whether the query found a matching result. |

Command example

`!whois query=paloaltonetworks.com`

Context Example

Human Readable Output

Whois results for paloaltonetworks.com

Administrator | Creation Date | Domain Status | Emails | Expiration Date | ID | Name | NameServers | QueryStatus | Registrant | Registrar | Tech Admin | Updated Date |
---|---|---|---|---|---|---|---|---|---|---|---|---|
name: Palo Alto Networks, Inc.<br>state: CA<br>country: US | 21-02-2005 | clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited), clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited), clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited) | abusecomplaints@markmonitor.com, whoisrequest@markmonitor.com | 21-02-2024 | 143300555_DOMAIN_COM-VRSN | paloaltonetworks.com | ns4.p23.dynect.net, ns7.dnsmadeeasy.com, ns2.p23.dynect.net, ns3.p23.dynect.net, ns1.p23.dynect.net, ns5.dnsmadeeasy.com, ns6.dnsmadeeasy.com | Success | organization: Palo Alto Networks, Inc.<br>state: CA<br>country: US | MarkMonitor, Inc. | organization: Palo Alto Networks, Inc.<br>state: CA<br>country: US | 11-08-2022 |
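
Because the free WHOIS providers behind this command may block or reject queries, anything that consumes `Domain.Whois` should branch on `QueryStatus` and `QueryResult` before trusting the other fields. The following is an added example, not code from the integration: it assumes each result is available as a flat dictionary keyed by the documented field names, that dates arrive as DD-MM-YYYY strings as in the human-readable output, and uses a hypothetical 30-day "young domain" threshold and constructed sample domains.

```python
from datetime import datetime, timedelta

# Constructed sample entries shaped after the Domain.Whois.* context paths
# documented above (assumption: flat dicts, dates as DD-MM-YYYY strings as
# in the human-readable output). The .example domains are made up.
SAMPLE_CONTEXT = [
    {"QueryValue": "paloaltonetworks.com", "QueryStatus": "Success",
     "QueryResult": True, "CreationDate": "21-02-2005"},
    {"QueryValue": "fresh-login.example", "QueryStatus": "Success",
     "QueryResult": True, "CreationDate": "01-03-2024"},
    {"QueryValue": "blocked-lookup.example", "QueryStatus": "Failed",
     "QueryResult": False},
    {"QueryValue": "odd-date.example", "QueryStatus": "Success",
     "QueryResult": True, "CreationDate": "unknown"},
]

def triage_whois(entry, now, young_days=30):
    """Return (verdict, detail); verdict is retry, no_data, young or established."""
    domain = entry.get("QueryValue", "<unknown>")
    # A failed query says nothing about the domain: the provider may have
    # blocked or rejected the lookup, so it must not be read as "clean".
    if entry.get("QueryStatus") != "Success":
        return "retry", f"{domain}: lookup failed, re-run or use another source"
    if not entry.get("QueryResult"):
        return "no_data", f"{domain}: no matching WHOIS record"
    raw = entry.get("CreationDate")
    try:
        created = datetime.strptime(raw, "%d-%m-%Y")
    except (ValueError, TypeError):
        return "no_data", f"{domain}: creation date missing or unparseable ({raw!r})"
    age = now - created
    verdict = "young" if age < timedelta(days=young_days) else "established"
    return verdict, f"{domain}: registered {age.days} days ago"

def triage_all(entries, now, young_days=30):
    """Map each queried domain to its verdict."""
    return {e.get("QueryValue"): triage_whois(e, now, young_days)[0] for e in entries}

if __name__ == "__main__":
    for e in SAMPLE_CONTEXT:
        print(*triage_whois(e, datetime(2024, 3, 15)))
```
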

domain

Provides data enrichment for domains.

Base Command

`domain`

Input

Argument Name | Description | Required |
---|---|---|
domain | The domain to enrich. | Required |
recursive | Whether to get the raw response from the whois servers recursively. Default value is True. | Optional |

Context Output

Path | Type | Description |
---|---|---|
DBotScore.Score | string | The actual score. |
DBotScore.Indicator | string | The indicator that was tested. |
DBotScore.Type | string | The indicator type. |
DBotScore.Vendor | string | The vendor used to calculate the score. |
Domain.Name | string | The domain name. |
Domain.Whois.Name | string | The domain name. |
Domain.Whois.DomainStatus | string | The domain status. |
Domain.Whois.DNSSec | string | The domain name system security extension (DNSSEC). |
Domain.Whois.NameServers | string | The name servers. |
Domain.Whois.CreationDate | date | The date that the domain was created. |
Domain.Whois.UpdatedDate | date | The date that the domain was last updated. |
Domain.Whois.ExpirationDate | date | The date that the domain expires. |
Domain.Whois.Registrar.Name | string | The name of the registrar. |
Domain.Whois.Emails | string | The abuse emails. |
Domain.Whois.Registrar.AbuseEmail | string | The email address of the contact for reporting abuse. |
Domain.Whois.Registrant.name | string | The name of the registrant. |
Domain.Whois.Registrant.email | string | The email address of the registrant. |
Domain.Whois.Raw | string | The raw output. |
Domain.Whois.Administrator.country | string | The country of the domain administrator. |
Domain.Whois.Administrator.name | string | The name of domain administrator. |
Domain.Whois.Administrator.state | string | The state of domain administrator. |
Domain.Whois.Administrator.email | string | The email address of the domain administrator. |
Domain.Whois.Administrator.organization | string | The organization of the domain administrator. |
Domain.Whois.Administrator.postalcode | string | The postal code of the domain administrator. |
Domain.Whois.Administrator.street | string | The street of the domain administrator. |
Domain.Whois.Administrator.phone | string | The phone number of the domain administrator. |
Domain.Whois.Administrator.city | string | The city of the domain administrator. |
Domain.Whois.TechAdmin.country | string | The country of tech administrator. |
Domain.Whois.TechAdmin.name | string | The name of tech administrator. |
Domain.Whois.TechAdmin.state | string | The state of tech administrator. |
Domain.Whois.TechAdmin.email | string | The email address of the tech administrator. |
Domain.Whois.TechAdmin.organization | string | The organization of the tech administrator. |
Domain.Whois.TechAdmin.postalcode | string | The postal code of the tech administrator. |
Domain.Whois.TechAdmin.street | string | The street of the tech administrator. |
Domain.Whois.TechAdmin.phone | string | The phone number of the tech administrator. |
Domain.Whois.TechAdmin.city | string | The city of the tech administrator. |
Domain.Whois.Registrant.country | string | The country of the registrant. |
Domain.Whois.Registrant.state | string | The state of the registrant. |
Domain.Whois.Registrant.organization | string | The organization of the registrant. |
Domain.Whois.Registrant.postalcode | string | The postal code of the registrant. |
Domain.Whois.Registrant.street | string | The street of the registrant. |
Domain.Whois.Registrant.phone | string | The phone number of the registrant. |
Domain.Whois.Registrant.city | string | The city of the registrant. |
Domain.Whois.ID | string | The ID of the domain. |
Domain.Whois.QueryStatus | string | The result of the command ("Success" or "Failed"). |
Domain.Whois.QueryResult | Boolean | Whether the query found a matching result. |
Domain.Admin.Country | String | The country of the domain administrator. |
Domain.Admin.Name | String | The name of domain administrator. |
Domain.Admin.State | String | The state of domain administrator. |
Domain.Admin.country | String | The country of the domain administrator. |
Domain.Admin.name | String | The name of domain administrator. |
Domain.Admin.state | String | The state of domain administrator. |
Domain.CreationDate | Date | The date that the domain was created. |
Domain.DomainStatus | String | The domain status. |
Domain.ExpirationDate | Date | The date that the domain expires. |
Domain.FeedRelatedIndicators.type | String | Indicators that are associated with the Domain. |
Domain.FeedRelatedIndicators.value | String | The type of the indicators that are associated with the Domain. |
Domain.Name | String | The domain name. |
Domain.NameServers | String | The name servers. |
Domain.Organization | String | The organization name. |
Domain.Registrant.Country | String | The country of the registrant. |
Domain.Registrant.Organization | String | The organization of the registrant. |
Domain.Registrant.State | String | The state of the registrant. |
Domain.Registrant.country | String | The country of the registrant. |
Domain.Registrant.organization | String | The organization of the registrant. |
Domain.Registrant.state | String | The state of the registrant. |
Domain.Registrar.Name | String | The name of the registrar. |
Domain.Tech.Country | String | The country of tech administrator. |
Domain.Tech.Organization | String | The organization of the tech administrator. |
Domain.UpdatedDate | Date | The date that the domain was last updated. |

Command example

`!domain domain=google.com`

Context Example

Human Readable Output

Whois results for google.com

Administrator | Creation Date | Domain Status | Emails | Expiration Date | ID | Name | NameServers | QueryStatus | Registrant | Registrar | Tech Admin | Updated Date |
---|---|---|---|---|---|---|---|---|---|---|---|---|
name: Google LLC<br>state: CA<br>country: US | 15-09-1997 | clientUpdateProhibited (https://www.icann.org/epp#clientUpdateProhibited), clientTransferProhibited (https://www.icann.org/epp#clientTransferProhibited), clientDeleteProhibited (https://www.icann.org/epp#clientDeleteProhibited), serverUpdateProhibited (https://www.icann.org/epp#serverUpdateProhibited), serverTransferProhibited (https://www.icann.org/epp#serverTransferProhibited), serverDeleteProhibited (https://www.icann.org/epp#serverDeleteProhibited) | abusecomplaints@markmonitor.com, whoisrequest@markmonitor.com | 13-09-2028 | 2138514_DOMAIN_COM-VRSN | google.com | ns2.google.com, ns1.google.com, ns4.google.com, ns3.google.com | Success | organization: Google LLC<br>state: CA<br>country: US | MarkMonitor, Inc. | organization: Google LLC<br>state: CA<br>country: US | 09-09-2019 |

ip

Provides data enrichment for IPs.

Base Command

`ip`

Input

Argument Name | Description | Required |
---|---|---|
ip | The IP to enrich. | Required |

Context Output

Path | Type | Description |
---|---|---|
Whois.IP.asn | string | Globally unique identifier used for routing information exchange with Autonomous Systems. |
Whois.IP.asn_cidr | string | Network routing block assigned to an ASN. |
Whois.IP.asn_country_code | string | ASN assigned country code in ISO 3166-1 format. |
Whois.IP.asn_date | Date | ASN allocation date in ISO 8601 format. |
Whois.IP.asn_description | string | The ASN description. |
Whois.IP.asn_registry | string | ASN assigned regional internet registry. |
Whois.IP.entities | string | List of object names referenced by an RIR network. Map these to the objects dictionary keys. |
Whois.IP.network.cidr | string | Network routing block an IP address belongs to. |
Whois.IP.network.country | string | Country code registered with the RIR in ISO 3166-1 format. |
Whois.IP.network.end_address | string | The last IP address in a network block. |
Whois.IP.network.events.action | string | The reason for an event. |
Whois.IP.network.events.actor | string | The identifier for an event initiator (if any). |
Whois.IP.network.events.timestamp | Date | The date an event occurred in ISO 8601 format. |
Whois.IP.network.handle | string | Unique identifier for a registered object. |
Whois.IP.network.ip_version | string | IP protocol version (v4 or v6) of an IP address. |
Whois.IP.network.links | string | HTTP/HTTPS links provided for an RIR object. |
Whois.IP.network.name | string | The identifier assigned to the network registration for an IP address. |
Whois.IP.network.notices.description | string | The description/body of a notice. |
Whois.IP.network.notices.links | string | List of HTTP/HTTPS links provided for a notice. |
Whois.IP.network.notices.title | string | The title/header for a notice. |
Whois.IP.network.parent_handle | string | Unique identifier for the parent network of a registered network. |
Whois.IP.network.remarks | string | List of remark (notice) dictionaries. |
Whois.IP.network.start_address | string | The first IP address in a network block. |
Whois.IP.network.status | string | List indicating the state of a registered object. |
Whois.IP.network.type | string | The RIR classification of a registered network. |
Whois.IP.query | string | The IP address. |
IP.Address | string | The IP address. |
IP.ASN | string | The autonomous system name for the IP address, for example: "AS8948". |
IP.Geo.Country | string | The country in which the IP address is located. |
IP.Organization.Name | string | The organization name. |
IP.feed_related_indicators.value | string | Indicators that are associated with the IP. |
IP.feed_related_indicators.type | string | The type of the indicators that are associated with the IP. |
DBotScore.Indicator | String | The indicator that was tested. |
DBotScore.Type | String | The indicator type. |
DBotScore.Vendor | String | The vendor used to calculate the score. |
DBotScore.Score | Number | The actual score. |
DBotScore.Reliability | String | Reliability of the source providing the intelligence data. |

Command example

`!ip ip=8.8.8.8`

Context Example

Human Readable Output

Whois results:

asn | asn_cidr | asn_date | country_code | network_name | query |
---|---|---|---|---|---|
15169 | 8.8.8.0/24 | 1992-12-01 | | LVLT-GOGL-8-8-8 | 8.8.8.8 |

Troubleshooting

- The error message Bad Gateway (502) might occur when using a firewall/proxy. To fix the issue, make sure the whois TLD provider exists in your allowlist.

Known limitations

- The IP lookup has a rate limit of 1 lookup per second.