
DomainTools

DomainTools offers the most comprehensive searchable database of domain name registration, Whois records and hosting data for online investigations and research. Cyber security analysts, fraud investigators, domain professionals and marketers use DomainTools to investigate cybercrime, protect their assets and monitor online activity. DomainTools has 12 years of history on domain name ownership, Whois records, hosting data, screenshots and other DNS records. That’s why customers say, “Every online investigation starts with DomainTools.” DomainTools customers include many Fortune 1000 companies, leading vendors in the Security and Threat Intelligence community and most crime-fighting government agencies.

Integrations

DomainTools Iris Investigate

By combining the data enrichment and domain monitoring power of DomainTools Iris Investigate with the automation capabilities of ThreatConnect Playbooks, you can now prioritize and mitigate threats more efficiently. Here is what you can do with this powerful integration:

  • Retrieve Risk Scores, ThreatProfile, Evidence, and Domain Profile intelligence from Iris. These diverse datasets serve as decision factors for scoring domain indicators or taking further actions inside ThreatConnect.
  • Auto-pivot to expand threat investigation out to additional levels by quickly discovering potentially malicious infrastructure connected to a domain
  • Perform auto-enrichment of domain artifacts that are part of alerts or incidents with the Domain intelligence dataset by submitting single or multiple domains at once. The integration exposes all of the information from DomainTools Iris as output variables inside the ThreatConnect platform, which can be used for making decisions in automated processes.
  • Perform a Reverse Search on one or more search fields, such as IP address, SSL hash, or email, and the integration returns Domain Profile information for any domain name with a record that matches the search.
  • Build automated processes around analyst work in the Iris UI by monitoring for Search Hash results or matching Tags. Users can begin an investigation in the Iris UI and automatically bring the results into ThreatConnect for further correlation and analysis.

The following actions are available:

  • Get Single Domain Profile: Get all the information available in DomainTools Iris for a single domain
  • Get Multiple Domain Profiles: Get all the information available in DomainTools Iris for multiple domains. Only a small set of the results are parsed as output variables. This action can be used in conjunction with the Parse Results action inside an iterator to leverage the full result set.
  • Search & Pivot: Instead of a domain name, provide one or more search fields, such as IP address, SSL hash, email, or more, and Iris will return any domain name with a record that matches those parameters. This enables “reverse” searching on one or more fields with a single API endpoint.
  • Get Search Hash Results: Monitor the results of a user’s Iris query over time.
  • Parse Domain Profile Results: Use this Action inside an Iterator to parse the “response.results” StringArray into detailed output variables. This action is meant to be used to further process the results from the Get Multiple Domain Profiles, Search & Pivot, or Get Search Hash Results actions.

This listing can be found in the ThreatConnect App Catalog under the name DomainTools Iris Investigate.

https://youtu.be/nyxEvhnpW_o

DomainTools IRIS with Polarity

The Polarity - DomainTools Iris integration gives analysts quick access to the risk information held in the Iris platform, so they can understand the depth and breadth of a domain or IP address: name servers, registration details, contact information and so on. It also provides pivots out to the Iris platform whenever an associated record count exceeds a threshold you set to match your organization's risk profile.

Examples

DomainTools Iris Data Overview

  • Summary Tags: Analysts can see how DomainTools rates the risk of a domain or IP and why it is scored that way. In the example shown, the risk score is 28 because of the domain's proximity to other risky domains/IPs.
  • SSL/IP/MX Information: Get a complete picture of the SSL hash and subjects, IP details such as the ASN, and the MX host and domain.
  • Name Servers: See all related information on the name servers associated with the domains/IPs.
  • Registration and Contact Information: In addition to the risk and scope of the domain/IP, analysts can see when it was registered and by whom, to judge whether the registrant is potentially doing malicious things.

Links to pivot out to DomainTools Iris depend on the number of associated records. For example, if the integration's threshold is set to 500 records and 550 records are associated with the name of the person who registered the domain, a link appears for that domain so the analyst can pivot into Iris for more in-depth analysis.

Built By Polarity

Playbooks

DomainTools Iris Playbooks

The "DomainTools Iris - Auto-Pivot Host > Address > Hosts" Playbook begins with a User Action trigger on a Host indicator and auto-pivots on Reverse Whois where fewer than X domains are hosted by the IP address. It is highly recommended that the $domaintools.auto_pivot.domain.limit variable be set below 500; fewer than 10 is a good place to begin if there is no auto-pivot process in place yet, since an IP hosting hundreds of domains is usually shared infrastructure and pivoting on it pulls in many unrelated hosts. Once the auto-pivot takes place, the Playbook adds the IP and Host Indicators to the Incident along with DomainTools enrichment data in ThreatConnect.

The "DomainTools Iris - Host Enrichment" playbook begins with a User Action trigger on a Host Indicator. It requests the Domain Profile from DomainTools Iris and parses the results. It then adds an Attribute and Tags with the enrichment results from DomainTools.

These Playbook templates can be found in the ThreatConnect App Catalog under the names "DomainTools Iris - Auto-Pivot Host > Address > Hosts" and "DomainTools Iris - Host Enrichment".


Built By ThreatConnect

DomainTools Iris Search Hash Monitoring Playbook

This playbook not only provides DomainTools Iris enrichment but can also be used to monitor specific Iris search hashes for continuous updates. Coupled with ThreatConnect's versatile dashboards, it gives analysts the most up-to-date information automatically.

This playbook takes an Iris search hash Signature object and extracts all domains from that query. Each domain is then enriched with DomainTools metadata and created as a Host Indicator inside the ThreatConnect platform. A Threat Rating and Confidence are also set on the Host Indicator based on the DomainTools Overall Risk score.
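The two decisions these playbooks automate, mapping the Iris Overall Risk score to a Threat Rating and Confidence, and gating an auto-pivot on how many domains share an IP (the same count that drives the Polarity pivot links and the $domaintools.auto_pivot.domain.limit variable above), are shown below as an added example. This is illustrative code, not ThreatConnect's, Polarity's or DomainTools' own; the record layout loosely follows the Iris Investigate response.results objects but the sample record is constructed, and the risk bands and the default limit of 10 are assumptions for the example rather than vendor defaults.

```python
"""Rate an Iris result and decide which IPs are worth auto-pivoting on.

Added example; not ThreatConnect, Polarity or DomainTools code. The record
shape below (domain, domain_risk.risk_score, ip[].address.{value,count})
approximates an Iris Investigate response.results[] entry; the sample is
constructed and the thresholds are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

# Assumed bands: Iris Overall Risk score (0-100) -> (threat rating 0-5, confidence 0-100).
# Tune these to your organisation's risk appetite; they are not vendor values.
RISK_BANDS = (
    (90, 5, 90),
    (70, 4, 75),
    (50, 3, 60),
    (30, 2, 40),
    (0, 1, 20),
)


def rate_domain(risk_score):
    """Map an Iris Overall Risk score to (threat_rating, confidence)."""
    if not isinstance(risk_score, int) or not 0 <= risk_score <= 100:
        raise ValueError(f"risk score out of range: {risk_score!r}")
    for min_score, rating, confidence in RISK_BANDS:
        if risk_score >= min_score:
            return rating, confidence
    raise AssertionError("unreachable: RISK_BANDS covers 0-100")


@dataclass
class PivotPlan:
    domain: str
    threat_rating: int
    confidence: int
    pivot_ips: list = field(default_factory=list)   # expand inline in the playbook
    skipped_ips: dict = field(default_factory=dict)  # ip -> reason; leave for manual pivot


def plan_pivots(result, domain_limit=10):
    """Rate one Iris result and gate its IP pivots on the hosted-domain count.

    An IP whose pivot count is at or above domain_limit is almost always shared
    hosting or a CDN; pulling every domain on it into an incident adds noise,
    so it is skipped and left for an analyst to pivot on manually in Iris.
    A count of 1 means only the seed domain lives there, so there is nothing to expand.
    """
    domain = result["domain"]
    rating, confidence = rate_domain(result["domain_risk"]["risk_score"])
    plan = PivotPlan(domain, rating, confidence)
    for entry in result.get("ip", []):
        addr = entry.get("address", {})
        ip, count = addr.get("value"), addr.get("count")
        if not ip:
            continue
        if count is None:
            plan.skipped_ips[ip] = "no_count"
        elif count <= 1:
            plan.skipped_ips[ip] = "no_new_domains"
        elif count >= domain_limit:
            plan.skipped_ips[ip] = "over_limit"
        else:
            plan.pivot_ips.append(ip)
    return plan


def plan_all(results, domain_limit=10):
    """Apply plan_pivots to every entry of response.results, as an iterator would."""
    return [plan_pivots(r, domain_limit) for r in results]


# Constructed sample record (RFC 5737 addresses, .test TLD); not real Iris output.
SAMPLE_RESULT = {
    "domain": "example-lure.test",
    "domain_risk": {"risk_score": 72},
    "ip": [
        {"address": {"value": "203.0.113.10", "count": 4}},      # small cluster: pivot
        {"address": {"value": "198.51.100.7", "count": 5200}},   # shared hosting: skip
        {"address": {"value": "192.0.2.1", "count": 1}},         # only the seed domain
    ],
}

if __name__ == "__main__":
    for plan in plan_all([SAMPLE_RESULT], domain_limit=10):
        print(plan)
```

With the default limit of 10 the sample yields a rating of 4 and confidence of 75, one IP to auto-pivot on and two skipped with their reasons; raising domain_limit to 500, as the playbook guidance allows, changes nothing here because the shared-hosting IP still sits far above it.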
