TIM - Process Domain Registrant With Whois

This playbook compares the domain registrant against the Cortex XSOAR list of approved registrants provided in the inputs. A registrant is the company or entity that owns the domain.

Dependencies

This playbook uses the following sub-playbooks, integrations, and scripts.

Sub-playbooks

This playbook does not use any sub-playbooks.

Integrations

This playbook does not use any integrations.

Scripts

  • SetAndHandleEmpty
  • FilterByList
  • Set

Commands

  • appendIndicatorField

Playbook Inputs


NameDescriptionDefault ValueRequired
Indicator QueryIndicators matching the indicator query will be used as playbook inputOptional
ApprovedregistrantsListNameThe Cortex XSOAR list name that contains the approved registrars. A registrant is the company or entity that owns the domain.Optional
RegistrantListDelimiterA one-character string used to delimit fields. This must match the value that you defined in the list separator server configuration.

The default value is a comma, however, as registrants might contain the "," character in their name, Cortex XSOAR recommends that you select a different delimiter. | | Optional | | WhoisResults | This input receives the Whois results from the parent playbook. | | Optional |

Playbook Outputs


PathDescriptionType
RegistrantDomainNotInListDomains for which the registrant wasn't in the list.string
RegistrantDomainInListDomains for which the registrant was in the list.string
DomainsNotResolvedByWhoisDomains which Whois wasn't able to resolve.string
DomainsNotProcessedIn case no registrant list was provided all domains will be outputted to this context path.string

Playbook Image


TIM - Process Domain Registrant With Whois