DomainTools

By combining the data enrichment and domain monitoring power of DomainTools Iris Investigate with the automation capabilities of ThreatConnect Playbooks, you can now prioritize and mitigate threats more efficiently. Here is what you can do with this powerful integration:

• Retrieve Risk Scores, ThreatProfile, Evidence, and Domain Profile intelligence from Iris. These diverse datasets serve as decision factors for scoring domain indicators or taking further actions inside ThreatConnect.
• Auto-pivot to expand threat investigation out to additional levels by quickly discovering potentially malicious infrastructure connected to a domain
• Perform auto-enrichment of domain artifacts that are part of alerts or incidents with Domain intelligence dataset by submitting single or multiple domains at once. The integration provides all of the information from  DomainTools Iris as output variables inside of ThreatConnect platform, which can be used for making decisions in automated processes.
• Perform a Reverse Search on one or more search fields, such as IP address, SSL hash, email, or more, and the integration will return Domain Profile information for any domain name with a record that matches the search.
• Build automated processes between analyst work in the Iris UI by monitoring for Search Hash results or matching Tags. Users can begin their investigation in the Iris UI and automatically bring the results into ThreatConnect for further correlation and analysis.

The following actions are available:

• Get Single Domain Profile: Get all the information available in DomainTools Iris for a single domain
• Get Multiple Domain Profiles: Get all the information available in DomainTools Iris for multiple domains. Only a small set of the results are parsed as output variables. This action can be used in conjunction with the Parse Results action inside an iterator to leverage the full result set.
• Search & Pivot: Instead of a domain name, provide one or more search fields, such as IP address, SSL hash, email, or more, and Iris will return any domain name with a record that matches those parameters. This enables “reverse” searching on one or more fields with a single API endpoint.
• Get Search Hash Results: Monitor the results of a user’s Iris query over time.
• Parse Domain Profile Results: Use this Action inside an Iterator to parse the “response.results” StringArray into detailed output variables. This action is meant to be used to further process the results from the Get Multiple Domain Profiles, Search & Pivot, or Get Search Hash Results actions.

This listing can be found in the ThreatConnect App Catalog under the name DomainTools Iris Investigate.

The "DomainTools Iris - Auto-Pivot Host > Address > Hosts" Playbook begins with a User Action trigger on a Host indicator and auto-pivots on Reverse Whois where there are < X domains hosted by the IP Address. It is highly recommended that the $domaintools.auto_pivot.domain.limit variable be set to < 500, however, < 10 is a good place to begin if there isn't currently an auto-pivot process in place. Once the auto-pivot takes place, the Playbook will add the IP and Host Indicators to the Incident along with DomainTools enrichment data in ThreatConnect.

The "DomainTools Iris - Host Enrichment" playbook begins with a User Action trigger on a Host Indicator. It requests the Domain Profile from DomainTools Iris and parses the results. It then adds an Attribute and Tags with the enrichment results from DomainTools.

These Playbook templates can be found in the ThreatConnect app catalog under the names: DomainTools Iris - Auto-Pivot Host > Address > Hosts and DomainTools Iris - Host Enrichment

This playbook not only provides DomainTools Iris enrichment, but can also be utilized to monitor specific Iris Search hashes to provide continuous updates. This playbook coupled ThreatConnect's versatile dashboards provides analysts with the most up to date information automatically.

This playbook takes an Iris search hash signature object and extracts all domains from that query. Then each domains is enriched with DomainTools meta data and created as host indicators inside the TC platform. A threat rating and confidence level is also set on the Host Indicator depending on the DomainTools Overall Risk score.