DomainTools
Connector Category: Enrichment Tools
Notice
This integration is available in Intel Exchange from v3.7.4.3 onwards.
About Integration
Intel Exchange integrates with DomainTools to enable security analysts to add contextual information to the threat data and convert it to threat intelligence. This integration allows analysts to identify and understand patterns, prioritize potential threats, and respond effectively.
Use Cases
Enables security analysts to contextualize, correlate, prioritize, and mitigate threats.
Converts raw threat data into actionable threat intelligence to perform threat hunting, incident response, and achieve higher detection rates.
Helps identify and understand threat patterns, prioritize them, and take timely decisions to control potential exploitation.
Benefits
Saves time and effort spent by analysts in identifying potential threats by automatically correlating the information with data sets.
Important
The DomainTools enrichment tool will be available only on explicit requests made to the Cyware Support team. To utilize the functionalities of DomainTools, contact Cyware Support.
Supported Threat Data Objects for Enrichment Using DomainTools
You can enrich Indicator (Domain and IP) threat data objects using the DomainTools integration in Intel Exchange.
Configure DomainTools as an Enrichment Tool
Configure DomainTools in Intel Exchange to enrich the domain threat data object.
Before you Start
Ensure that you have the Base URL, Access Key, and Secret Key of your DomainTools account.
Ensure that your user group has Create, Update, and View permissions for enrichment tools and their associated policies in Intel Exchange.
Steps
To configure DomainTools as an enrichment tool in Intel Exchange, follow these steps:
Sign in to Intel Exchange and go to Administration > Enrichment Management > Enrichment Tools.
Search and select DomainTools.
Click Add Account and use the following information:
Account Name: Enter a unique account name to identify the instance. For example, DomainTools-Prod
Base URL: Enter the base URL to directly connect to the application's server. For example, https://api.domaintools.com/v1
Access Key: Enter the access key from your DomainTools account for authentication.
Secret Key: Enter the corresponding secret key to complete the credential pair.
Domain Enrichment Using: Select one of the supported DomainTools APIs for domain enrichment:
iris-investigate: This API provides detailed domain intelligence, including WHOIS records, DNS history, risk scores, and infrastructure context for in-depth investigations.
iris-enrich: This API provides fast, lightweight domain data optimized for bulk processing.
For more information about the differences between these APIs, see DomainTools Iris API Comparison.
Note
You must select one of these APIs to enable domain enrichment.
IP Enrichment Using (Optional): Select iris-investigate if you want to enrich IP addresses with connected domains, WHOIS records, and historical DNS data.
Note
If you do not select iris-investigate, the Retrieve IP Detail option will still appear and can be enabled, but you will not be able to use it during IP enrichment. To avoid this, ensure you select iris-investigate when setting up IP enrichment.
Verify SSL: Select this checkbox to verify and secure the connection between the Intel Exchange and DomainTools servers.
If you clear this checkbox, Intel Exchange may configure the instance even when the server presents an expired SSL certificate. The connection may then not be established properly, and Intel Exchange cannot notify you of a broken or improper connection. It is recommended to select this option.
Click Save.
After you save the account, you can use DomainTools to enrich domain and IP threat data objects.
You can add multiple instances of this integration by clicking the vertical ellipsis and then Manage > Add More on the Manage Instance screen.
API Usage and Quota
To understand the number of API calls and quota units consumed by the DomainTools enrichment tool, refer to the following table:
Enrichment Tool | Feed Enrichment Type | Number of API Calls | Quota Consumed |
---|---|---|---|
DomainTools | Domain | 1 | 1 |
DomainTools | IP | 1 | 1 |
Enable DomainTools Enrichment Types
After successfully adding an account, you can view and enable DomainTools feed enrichment types.
Note
While turning on the Retrieve IP Detail toggle, ensure that you have selected iris-investigate for IP enrichment in the same account. Without this, the IP enrichment will appear as enabled but will not work during enrichment.
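The misconfigurations called out in the notes above (no domain API selected, Retrieve IP Detail enabled without iris-investigate, Verify SSL cleared) can be checked against an account record before it is saved. The following Python check is an added example, not Cyware or DomainTools code; the record layout and field names are hypothetical, modelled on the form labels on this page, and the HTTPS requirement on the base URL is an assumption.

```python
from urllib.parse import urlparse

# Field names are hypothetical, modelled on the form labels above;
# they are not an Intel Exchange or DomainTools schema.
DOMAIN_APIS = {"iris-investigate", "iris-enrich"}


def audit_account(acct):
    """Return findings for one DomainTools account record (empty list = clean)."""
    findings = []
    url = urlparse(acct.get("base_url", ""))
    # Assumption: the base URL should be HTTPS, as in the page's example value.
    if url.scheme != "https" or not url.hostname:
        findings.append("base_url: expected an https:// URL")
    for key in ("access_key", "secret_key"):
        if not acct.get(key):
            findings.append(f"{key}: missing")
    if acct.get("domain_enrichment_using") not in DOMAIN_APIS:
        findings.append("domain_enrichment_using: select iris-investigate or iris-enrich")
    # Silent failure from the notes: toggle enabled, iris-investigate not selected.
    if acct.get("retrieve_ip_detail") and acct.get("ip_enrichment_using") != "iris-investigate":
        findings.append("retrieve_ip_detail: enabled, but IP enrichment will not work")
    if not acct.get("verify_ssl", False):
        findings.append("verify_ssl: disabled, a broken connection goes unreported")
    return findings


# Constructed sample records; key values are placeholders.
WEAK = {
    "account_name": "DomainTools-Prod",
    "base_url": "https://api.domaintools.com/v1",
    "access_key": "<access-key>",
    "secret_key": "<secret-key>",
    "domain_enrichment_using": "iris-enrich",
    "ip_enrichment_using": None,
    "retrieve_ip_detail": True,
    "verify_ssl": False,
}
FIXED = {**WEAK, "ip_enrichment_using": "iris-investigate", "verify_ssl": True}

if __name__ == "__main__":
    for name, acct in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit_account(acct) or "ok")
```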

Configure Enrichment Quota
You can also configure quota to define a limit on the number of enrichment requests Intel Exchange makes to DomainTools. After the quota expires, you cannot make enrichment requests until the quota resets for the next quota duration. For more information, see Define Tools in Configure Enrichment Tools.
You can configure an enrichment policy to automatically enrich threat data objects using the DomainTools enrichment tool. For more information, see Enrichment Policy.
Enrichment Tool | Feed Enrichment Type |
---|---|
DomainTools | Retrieve Domain Detail |
DomainTools | Retrieve IP Detail |
Enrich Threat Data Object
You can use DomainTools to enrich domain and IP indicators with WHOIS data, DNS history, risk scores, and related infrastructure context.
To enrich a threat data object, follow these steps:
Go to Main Menu > Collection > Threat Data and filter threat data objects by Indicator Object Type.
Select the object you want to enrich.
Note
DomainTools supports enrichment only for domain and IP indicator types.
In the Enrichment tab, select DomainTools under Enrichment Details, then click Enrich.
You can view the enrichment details in Enrichment Payload. You can also click Re-Enrich to enrich the threat data object again.
Enrich Object in Threat Investigation Canvas
Enhance threat data in the Threat Investigation Canvas by interacting directly with nodes. This allows you to gain deeper insights into observable or threat objects and visualize enriched data for more informed analysis.
Before you Start
Ensure that you have Create, View, and Update Threat Investigations permissions.
Steps
To enrich a threat data object using the threat investigation canvas, follow these steps:
Go to Main Menu > Analysis > Threat Investigations.
Enter a unique title for the canvas. For example, Indicator Analysis
Click the Add Node icon on the left. You can view the Indicator, Domain Objects, and Observables.
Select an object type required for your investigation or drag it to the canvas. For DomainTools, you can select Domain or IPv4 from the Indicator object type. For example, Domain
Enter the value of the object. For example, maliciousdomain.com
To enrich the object, right-click the node, expand Enrich, select DomainTools, and click Enrich.
After a successful enrichment, double-click the node and go to the Enrichments tab to view the enrichment details.