Skip to main content

TIM - Process Domain Registrant With Whois

This Playbook is part of the Whois Pack.#

Supported versions

Supported Cortex XSOAR versions: 5.5.0 and later.

This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain.


This playbook uses the following sub-playbooks, integrations, and scripts.


This playbook does not use any sub-playbooks.


This playbook does not use any integrations.


  • SetAndHandleEmpty
  • Set
  • FilterByList


  • appendIndicatorField

Playbook Inputs#

NameDescriptionDefault ValueRequired
Indicator QueryIndicators matching the indicator query will be used as playbook inputOptional
ApprovedregistrantsListNameThe Cortex XSOAR list name that contains the approved registrars. A registrant is the company or entity that owns the domain.Optional
RegistrantListDelimiterA one-character string used to delimit fields. This must match the value that you defined in the list separator server configuration.
The default value is a comma, however, as registrants might contain the "," character in their name,
Cortex XSOAR recommends that you select a different delimiter.
WhoisResultsThis input receives the Whois results from the parent playbook.Optional

Playbook Outputs#

RegistrantDomainNotInListDomains for which the registrant wasn't in the list.string
RegistrantDomainInListDomains for which the registrant was in the list.string
DomainsNotResolvedByWhoisDomains which Whois wasn't able to resolve.string
DomainsNotProcessedIn case no registrant list was provided all domains will be outputted to this context path.string

Playbook Image#

TIM - Process Domain Registrant With Whois