domain-enrichment

This script is part of the Aggregated Scripts Pack.

Supported versions

Supported Cortex XSOAR versions: 6.10.0 and later.

This script enriches domain data with information from multiple integrations and returns a "DomainEnrichment" object with the consolidated information in the context output.

Script Data

| Name | Description |
| --- | --- |
| Script Type | python3 |
| Tags | basescript |
| Cortex XSOAR Version | 6.10.0 |

Inputs

| Argument Name | Description |
| --- | --- |
| domain_list | Accepts a list of domains to enrich. From the CLI, provide a comma-separated list; if a domain contains a comma, wrap the domains in a JSON array, for example `"[\"example.com/search:yellow,red\", \"example2.com\"]"`. From context, pass JSON arrays directly, without modification. |
| external_enrichment | Whether to call external integrations for enrichment. 'true': enrich using enabled external integrations (e.g., VirusTotal (API v3), AlienVault OTX v2) and run internal commands. 'false': use only existing TIM data and run internal commands; skip external integrations. If the `brands` argument is provided, this flag is ignored and enrichment and internal commands run only on the brands provided. |
| verbose | Retrieve a human-readable entry for each command. If false, only the final result is summarized and errors are suppressed. |
| brands | A list of integration brands to run enrichment against, for example `"VirusTotal (API v3), AlienVault OTX v2"`. If provided, only the selected brands are used. If left empty, the script runs enrichment on all enabled integrations, depending on the `external_enrichment` flag. To run core-get-domain-analytics-prevalence, add Cortex Core - IR to the brands list. To see the available brands for the `domain` command, run `!ProvidesCommand command=domain`. |
| additional_fields | When set to true, the output includes an `AdditionalFields` object for each indicator result. `AdditionalFields` contains all fields returned by TIM or the integrations that are not part of the standard output keys (`Name`, `Brand`, `Score`, `Verdict`, `DetectionEngines`, `PositiveDetections`). When set to false, only the standard keys are returned. |

Outputs

| Path | Description | Type |
| --- | --- | --- |
| DomainEnrichment.Value | The domain. | String |
| DomainEnrichment.MaxScore | The maximum score across all indicators found. | Number |
| DomainEnrichment.MaxVerdict | The highest verdict across all indicators found. | String |
| DomainEnrichment.Results | List of all indicators found for the domain. | Array |
| DomainEnrichment.TIMScore | The TIM score of the domain. | Number |
| DomainEnrichment.Status | The status of the indicator: "Manual" if the score was changed manually, "Fresh" if modified within the last week, "Stale" if modified more than a week ago, and "None" if never modified. | String |
| DomainEnrichment.ModifiedTime | The time the indicator was last modified. | Date |
| DomainEnrichment.Results.Brand | The brand of the indicator. | String |
| DomainEnrichment.Results.Score | The score of the indicator. | Number |
| DomainEnrichment.Results.Verdict | The verdict of the indicator. | String |
| DomainEnrichment.Results.DetectionEngines | The number of detection engines that scanned the indicator. | Number |
| DomainEnrichment.Results.PositiveDetections | The number of positive detections for the indicator. | Number |
| DomainEnrichment.Results.Name | The domain. | String |
| DomainEnrichment.Results.AdditionalFields | All fields extracted from the indicator other than the main keys ("Brand", "Score", "Verdict", "DetectionEngines", "PositiveDetections", "Name"). | Object |
| DomainEnrichment.Results.AdditionalFields.Relationships.EntityA | The source of the relationship. | String |
| DomainEnrichment.Results.AdditionalFields.Relationships.EntityB | The destination of the relationship. | String |
| DomainEnrichment.Results.AdditionalFields.Relationships.Relationship | The name of the relationship. | String |
| DomainEnrichment.Results.AdditionalFields.Relationships.EntityAType | The type of the source of the relationship. | String |
| DomainEnrichment.Results.AdditionalFields.Relationships.EntityBType | The type of the destination of the relationship. | String |
| DomainEnrichment.Results.AdditionalFields.DNS | A list of IP objects resolved by DNS. | String |
| DomainEnrichment.Results.AdditionalFields.CreationDate | The date when the domain was created. | Date |
| DomainEnrichment.Results.AdditionalFields.UpdatedDate | The date when the domain was last updated. | Date |
| DomainEnrichment.Results.AdditionalFields.ExpirationDate | The expiration date of the domain. | Date |
| DomainEnrichment.Results.AdditionalFields.DomainStatus | The status of the domain. | String |
| DomainEnrichment.Results.AdditionalFields.NameServers | (List<String>) Name servers of the domain. | Unknown |
| DomainEnrichment.Results.AdditionalFields.Organization | The organization of the domain. | String |
| DomainEnrichment.Results.AdditionalFields.Subdomains | (List<String>) Subdomains of the domain. | Unknown |
| DomainEnrichment.Results.AdditionalFields.Admin.Country | The country of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.Admin.Email | The email address of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.Admin.Name | The name of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.Admin.Phone | The phone number of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.Registrant.Country | The country of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.Registrant.Email | The email address of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.Registrant.Name | The name of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.Registrant.Phone | The phone number of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.Tags | (List) Tags of the domain. | Unknown |
| DomainEnrichment.Results.AdditionalFields.FeedRelatedIndicators.value | Indicators that are associated with the domain. | String |
| DomainEnrichment.Results.AdditionalFields.FeedRelatedIndicators.type | The type of the indicators that are associated with the domain. | String |
| DomainEnrichment.Results.AdditionalFields.FeedRelatedIndicators.description | The description of the indicators that are associated with the domain. | String |
| DomainEnrichment.Results.AdditionalFields.MalwareFamily | The malware family associated with the domain. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.DomainStatus | The status of the domain. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.NameServers | (List<String>) Name servers of the domain. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.CreationDate | The date that the domain was created. | Date |
| DomainEnrichment.Results.AdditionalFields.WHOIS.UpdatedDate | The date that the domain was last updated. | Date |
| DomainEnrichment.Results.AdditionalFields.WHOIS.ExpirationDate | The expiration date of the domain. | Date |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Registrant.Name | The name of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Registrant.Email | The email address of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Registrant.Phone | The phone number of the registrant. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Registrar.Name | The name of the registrar, for example, GoDaddy. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Registrar.AbuseEmail | The email address of the contact to report abuse. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Registrar.AbusePhone | The phone number of the contact to report abuse. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Admin.Name | The name of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Admin.Email | The email address of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.Admin.Phone | The phone number of the domain administrator. | String |
| DomainEnrichment.Results.AdditionalFields.WHOIS.History | List of WHOIS objects. | String |
| DomainEnrichment.Results.AdditionalFields.Malicious.Vendor | The vendor reporting the domain as malicious. | String |
| DomainEnrichment.Results.AdditionalFields.Malicious.Description | The reason the domain was reported as malicious. | String |
| DomainEnrichment.Results.AdditionalFields.DomainIDNName | The internationalized domain name (IDN) of the domain. | String |
| DomainEnrichment.Results.AdditionalFields.Port | Ports associated with the domain. | String |
| DomainEnrichment.Results.AdditionalFields.Internal | Whether the domain is internal or external. | Bool |
| DomainEnrichment.Results.AdditionalFields.Category | The category associated with the indicator. | String |
| DomainEnrichment.Results.AdditionalFields.Campaign | The campaign associated with the domain. | String |
| DomainEnrichment.Results.AdditionalFields.TrafficLightProtocol | The Traffic Light Protocol (TLP) color that is suitable for the domain. | String |
| DomainEnrichment.Results.AdditionalFields.ThreatTypes.threatcategory | The threat category associated with this indicator by the source vendor, for example Phishing, Control, or TOR. | String |
| DomainEnrichment.Results.AdditionalFields.ThreatTypes.threatcategoryconfidence | The confidence level provided by the vendor for the threat category. For example, a confidence of 90 for the threat category 'malware' means the vendor estimates a 90% likelihood that it is malware. | String |
| DomainEnrichment.Results.AdditionalFields.Geo.Location | The geolocation where the domain address is located, in the format latitude:longitude. | String |
| DomainEnrichment.Results.AdditionalFields.Geo.Country | The country in which the domain address is located. | String |
| DomainEnrichment.Results.AdditionalFields.Geo.Description | Additional information about the location. | String |
| DomainEnrichment.Results.AdditionalFields.Tech.Country | The country of the domain technical contact. | String |
| DomainEnrichment.Results.AdditionalFields.Tech.Name | The name of the domain technical contact. | String |
| DomainEnrichment.Results.AdditionalFields.Tech.Organization | The organization of the domain technical contact. | String |
| DomainEnrichment.Results.AdditionalFields.Tech.Email | The email address of the domain technical contact. | String |
| DomainEnrichment.Results.AdditionalFields.CommunityNotes.note | Notes on the domain that were given by the community. | String |
| DomainEnrichment.Results.AdditionalFields.CommunityNotes.timestamp | The time the note was published. | Date |
| DomainEnrichment.Results.AdditionalFields.Publications.source | The source where the article was published. | String |
| DomainEnrichment.Results.AdditionalFields.Publications.title | The name of the article. | String |
| DomainEnrichment.Results.AdditionalFields.Publications.link | A link to the original article. | String |
| DomainEnrichment.Results.AdditionalFields.Publications.timestamp | The time the article was published. | Date |
| DomainEnrichment.Results.AdditionalFields.Billing | Billing address of the domain. | String |
| Core.AnalyticsPrevalence.Domain.value | Whether the domain is prevalent or not. | Boolean |
| Core.AnalyticsPrevalence.Domain.data.global_prevalence.value | The global prevalence of the domain. | Number |
| Core.AnalyticsPrevalence.Domain.data.local_prevalence.value | The local prevalence of the domain. | Number |
| Core.AnalyticsPrevalence.Domain.data.prevalence.value | The prevalence of the domain. | Number |
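The following is an added example, not the domain-enrichment script's own code, that models two documented behaviours together: how the `domain_list` argument is parsed (comma-separated from the CLI, a JSON array when a domain contains a comma, a list when passed from context) and how the per-brand results are folded into the `DomainEnrichment` object (`MaxScore`, `MaxVerdict`, `Status`). The score numbering (0 Unknown, 1 Good, 2 Suspicious, 3 Bad) is the standard XSOAR DBotScore scale; the verdict strings, the sample brand results, and the choice to take `MaxScore` over the per-brand results only (the page does not say whether `TIMScore` is folded in) are assumptions made here.

```python
"""Added example modelling the documented domain-enrichment inputs and outputs.
Not the script's own code: verdict strings, sample data and the MaxScore
rule (per-brand results only) are assumptions of this example."""
import json
from datetime import datetime, timedelta, timezone

# Standard XSOAR DBotScore scale; the verdict labels are assumed here.
VERDICTS = {0: "Unknown", 1: "Good", 2: "Suspicious", 3: "Bad"}

# Fixed "now" so the Fresh/Stale boundary is reproducible in this example.
FIXED_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def days_ago(days, now=FIXED_NOW):
    return now - timedelta(days=days)


def parse_domain_list(arg):
    """Parse domain_list as documented: a list from context is used as-is,
    a JSON array string is decoded (needed when a domain contains a comma),
    anything else is split on commas."""
    if isinstance(arg, list):
        return [str(d).strip() for d in arg if str(d).strip()]
    text = str(arg).strip()
    if text.startswith("["):
        parsed = json.loads(text)
        if not isinstance(parsed, list):
            raise ValueError("domain_list JSON must be an array")
        return [str(d).strip() for d in parsed if str(d).strip()]
    return [d.strip() for d in text.split(",") if d.strip()]


def indicator_status(modified_time, manual, now=FIXED_NOW):
    """Status rule from the Outputs table: Manual beats the age-based states."""
    if manual:
        return "Manual"
    if modified_time is None:
        return "None"
    return "Fresh" if now - modified_time <= timedelta(days=7) else "Stale"


def build_enrichment(domain, results, tim_score=None, modified_time=None,
                     manual=False, now=FIXED_NOW):
    """Assemble a DomainEnrichment-shaped dict from per-brand results.
    MaxScore is taken over the per-brand Results (assumption of this example)."""
    per_brand = [
        {"Name": domain,
         "Brand": r["Brand"],
         "Score": r.get("Score", 0),
         "Verdict": VERDICTS.get(r.get("Score", 0), "Unknown"),
         "DetectionEngines": r.get("DetectionEngines"),
         "PositiveDetections": r.get("PositiveDetections")}
        for r in results
    ]
    max_score = max((r["Score"] for r in per_brand), default=0)
    return {
        "Value": domain,
        "MaxScore": max_score,
        "MaxVerdict": VERDICTS.get(max_score, "Unknown"),
        "TIMScore": tim_score,
        "Status": indicator_status(modified_time, manual, now),
        "ModifiedTime": modified_time.isoformat() if modified_time else None,
        "Results": per_brand,
    }


# Constructed sample of what two brands might return for one domain.
SAMPLE_RESULTS = [
    {"Brand": "VirusTotal (API v3)", "Score": 3,
     "DetectionEngines": 90, "PositiveDetections": 12},
    {"Brand": "AlienVault OTX v2", "Score": 2,
     "DetectionEngines": None, "PositiveDetections": None},
]

if __name__ == "__main__":
    # The page's own CLI example: the first entry contains a comma, so the
    # JSON-array form is required to keep it as a single domain.
    for d in parse_domain_list('["example.com/search:yellow,red", "example2.com"]'):
        print(json.dumps(build_enrichment(d, SAMPLE_RESULTS, tim_score=1,
                                          modified_time=days_ago(10)), indent=2))
```

Note that the comma-separated form is only safe when no domain contains a comma; the JSON-array branch is what preserves `example.com/search:yellow,red` as one entry rather than two.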