DomainTools
App Vendor: DomainTools
App Category: Data Enrichment & Threat Intelligence
Connector Version: 2.3.0
API Version: V1 and V2
About App
DomainTools is a proprietary threat intelligence and investigation platform that combines enterprise-grade domain and DNS-based intelligence with an intuitive web interface.
The DomainTools app is configured with the Orchestrate application to perform the following actions:
Action Name | Description |
---|---|
Get Account Information | This action provides a quick and easy way to get a snapshot of the product usage for an account. |
Brand Monitor | This action performs a search across all the new domain registrations worldwide, and returns the result sets consisting of domain names that contain a customer's brand or monitored word/string. |
Get Domain Profile | This action provides basic domain name registration details and a preview of additional data available from DomainTools membership and report products. |
Get Domain Reputation | This action provides a reputation of a specific domain. |
Get Domain Risk Score | This action retrieves a risk score for a domain. It is designed for large-scale enrichment and triaging of domain names within custom tools or one of the DomainTools SIEM/TIP integrations and supports a higher query rate. |
Domain Search | This action searches for domain names that are currently registered or have been registered in the past under one of the major generic top-level domains (.com, .net, .org, .info, .us, or .biz), many country code top-level domains (TLDs), or the new gTLDs. |
Get Hosting Information | This action retrieves the hosting history and provides a list of changes that have occurred in a domain name's registrar, IP address, and name servers. |
IP Monitor | This action searches the daily activity of all monitored top-level domains (TLDs) on any given IP address. New, deleted, and transferred domain records can be queried up to six days in the past. |
IP Registrant Monitor | This action finds domain names that are currently registered or have been registered in the past under one of the major gTLDs (.com, .net, .org, .info, .us, or .biz), many country code TLDs, or the new gTLDs. |
List IP Reverse | This action provides a list of domain names that share the same internet host (same IP address). You can request an IP address directly, or you can provide a domain name. If you provide a domain name, the action responds with the list of other domains that share the same IP. |
Reverse IP Whois | This action provides a list of IP ranges that are owned by an organization. You can enter an organization’s name and receive a list of all of the organization’s currently owned IP ranges. |
Reverse Name Server | This action provides a list of domain names that share the same primary or secondary name server. You can provide a domain name and the action provides the list of domain names pointed to the same name servers as those listed as the primary and secondary name servers on the domain name you requested. |
Reverse Whois | This action provides a list of domain names that share the same registrant information. You can enter terms that describe a domain owner, such as an email address or a company name, and you will retrieve a list of domain names that have your search terms listed in the whois record. |
Whois History | The action gets historical Whois records for a domain. |
Whois Lookup | This action retrieves the Whois records for domain names and IP addresses. |
Iris Enrich | This action offers comparable performance over a greatly expanded dataset. The Iris Enrich action processes at least 6,000 domains per minute and returns multiple attributes, including domain risk scores from the proximity and threat profile algorithms, and more. |
Iris Investigate | This action is suited to investigation and orchestration at human scale. Iris Investigate delivers dozens of domain name attributes on every result. |
Parsed Whois | This action provides parsed information extracted from the raw Whois record, grouped and returned in a well-structured format. |
Generic Action | This is a generic action to perform any additional use case that you want on DomainTools. |
Configuration Parameters
The following configuration parameters are required for the DomainTools app to communicate with the DomainTools enterprise application. The parameters can be configured by creating instances in the app.
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
API Username | Enter the API username. Example: SampleAPIUser | Text | Required | |
API Key | Enter the API key to be used. Example: xxx-12@-xxK9 | Text | Required | |
Action: Get Account Information
This action provides a quick and easy way to get a snapshot of the product usage for an account.
Action Input Parameters
This action does not require any input parameter.
Action: Brand Monitor
This action searches across all new domain registrations worldwide, and returns result sets consisting of domain names that contain a customer's brand or monitored word/string.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter one or more terms, where the pipe character ( \| ) may be used as a logical AND operator, which requires that all strings be present in order to match. Example: domain \| tools will match "domaintools" but will not match "domain" or "tools". | Text | Required | |
Exclude | Enter the strings to be excluded from the result set. To exclude on multiple terms at once, use the ( \| ) character as a logical AND operator; in that case a domain must contain all of the excluded strings in order to be excluded from matching. To exclude individual terms, create separate exclude parameters. Example: domain.com \| tools.edu | Text | Optional | |
Domain Status | Enter the domain status to search. By default, the action searches both new domain names and domains that are now on-hold (pending delete). To narrow the search to only one of these status codes, set this parameter to either new or on-hold. Example: new | Text | Optional | |
Days Back | Set this parameter only in exceptional circumstances where you need to search domains registered up to six days prior to the current date. Set the value to an integer in the range 1-6. Example: 3 | Integer | Optional | |
Example Request
[ { "query": "domain | tools", "exclude": "domain.com | tools.edu", "domain_status": "new", "days_back": 3 } ]
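The pipe-as-AND semantics of the Query and Exclude parameters are easy to misread, so the following added example (not code from the DomainTools app or the Orchestrate connector) models them client-side over a constructed list of new registrations, and validates the `days_back` and `domain_status` values the way the parameter descriptions define them. The `brand_monitor` and `build_brand_monitor_request` functions and the sample domain names are assumptions made for illustration.

```python
"""Client-side model of the Brand Monitor matching rules (added example).

Pipe ( | ) is a logical AND: every term must appear in the domain name.
An exclude parameter uses the same rule: a domain is dropped only if it
contains ALL strings of that exclude parameter. Separate exclude parameters
are independent, so any one of them is enough to drop a domain.
"""
from typing import Dict, Iterable, List, Optional, Sequence

ALLOWED_STATUS = ("new", "on-hold")   # from the Domain Status description
MIN_DAYS_BACK, MAX_DAYS_BACK = 1, 6   # from the Days Back description


def parse_terms(expr: str) -> List[str]:
    """Split 'domain | tools' into ['domain', 'tools'], ignoring blank parts."""
    return [t.strip().lower() for t in expr.split("|") if t.strip()]


def contains_all(domain: str, terms: Sequence[str]) -> bool:
    """True when every term occurs somewhere in the domain name."""
    d = domain.lower()
    return bool(terms) and all(t in d for t in terms)


def brand_monitor(registrations: Iterable[str], query: str,
                  excludes: Sequence[str] = ()) -> List[str]:
    """Return the registrations that match `query` and are not excluded."""
    wanted = parse_terms(query)
    exclude_sets = [parse_terms(e) for e in excludes]
    matches = []
    for name in registrations:
        if not contains_all(name, wanted):
            continue
        if any(contains_all(name, ex) for ex in exclude_sets):
            continue
        matches.append(name)
    return matches


def build_brand_monitor_request(query: str, exclude: Optional[str] = None,
                                domain_status: Optional[str] = None,
                                days_back: Optional[int] = None) -> Dict[str, object]:
    """Build the action input, rejecting values outside the documented ranges."""
    if not parse_terms(query):
        raise ValueError("query needs at least one term")
    req: Dict[str, object] = {"query": query}
    if exclude:
        req["exclude"] = exclude
    if domain_status is not None:
        if domain_status not in ALLOWED_STATUS:
            raise ValueError("domain_status must be one of %s" % (ALLOWED_STATUS,))
        req["domain_status"] = domain_status
    if days_back is not None:
        if not (MIN_DAYS_BACK <= int(days_back) <= MAX_DAYS_BACK):
            raise ValueError("days_back must be in the range 1-6")
        req["days_back"] = int(days_back)
    return req


# Constructed sample of "new registrations" used to exercise the rules.
SAMPLE_REGISTRATIONS = [
    "domaintools.com",
    "domain-tools-login.net",
    "mydomain.org",
    "tools.edu",
    "domaintoolsscore.io",
]

if __name__ == "__main__":
    print(brand_monitor(SAMPLE_REGISTRATIONS, "domain | tools"))
    print(brand_monitor(SAMPLE_REGISTRATIONS, "domain | tools", ["score | io"]))
    print(build_brand_monitor_request("domain | tools", days_back=3, domain_status="new"))
```

Note that an exclude of `domain.com | tools.edu` drops nothing from the sample set, because no single name contains both strings; to drop either one, pass them as two separate exclude parameters.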
Action: Get Domain Profile
This action provides basic domain name registration details and a preview of additional data available from DomainTools.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL to get a profile. Example: | Text | Required | |
Example Request
[ { "domain_name": "domaintools.com" } ]
Action: Get Domain Reputation
This action retrieves the reputation of a specific domain provided.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL for which the risk score is desired. If you provide a hostname (example: www.domaintools.com) rather than a domain (example: domaintools.com), the action returns the risk score for the domain, and the domain used to look up the risk score is always returned in the response. Example: | Text | Required | |
Include Reasons | Choose to include the reasons for the risk score determination. Example: True | Boolean | Optional | Allowed values: |
Example Request
[ { "domain_name": "domaintools.com", "include_reasons": true } ]
Action: Get Domain Risk Score
This action retrieves the risk score for a domain. It is designed for large-scale enrichment and triaging of domain names within custom tools or one of the DomainTools SIEM/TIP integrations and supports a higher query rate.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL for which the risk score is desired. If you provide a hostname (example: www.domaintools.com) rather than a domain (example: domaintools.com), the action returns the risk score for the domain, and the domain used to look up the risk score is always returned in the response. Example: | Text | Required | |
Example Request
[ { "domain_name": "domaintools.com" } ]
Action: Domain Search
This action searches for domain names that are currently registered or have been registered in the past under one of the major gTLDs (.com, .net, .org, .info, .us, or .biz), many country code TLDs, or the new gTLDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a query string. Each term in the query string must be at least three characters long. Use spaces to separate multiple terms, but make sure to encode the URL values before passing them. Example: domaintools123 | Text | Required | |
Exclude Query | Enter the terms to exclude from matching. Each term in the query string must be at least three characters long. Use spaces to separate multiple terms, but make sure to encode the URL values before passing them. Example: domaintools score | Text | Optional | Default value: None |
Max Length | Enter the maximum domain character count. Example: 20 | Integer | Optional | Default value: 25 |
Min Length | Enter the minimum domain character count. Example: 3 | Integer | Optional | Default value: 2 |
Has Hyphen | Choose to return the results with hyphens in the domain name. Example: True | Boolean | Optional | Default value: True |
Has Number | Choose to return results with numbers in the domain name. Example: False | Boolean | Optional | Default value: True |
Active Only | Choose to return only domains currently registered. Example: True | Boolean | Optional | Default value: False |
Deleted Only | Choose to return only domains previously registered but not currently registered. Example: False | Boolean | Optional | Default value: False |
Anchor Left | Choose to return only domains that start with the query term. Example: True | Boolean | Optional | Default value: False |
Anchor Right | Choose to return only domains that end with the query term. Example: False | Boolean | Optional | Default value: False |
Page | Enter the number of results to retrieve from the server. Each page is limited to 100 results. Example: 20 | Integer | Optional | Default value: 1 |
Example Request
[ { "query": "domaintools123", "exclude_query": "domaintools score", "max_length": 20, "min_length": 3, "has_hyphen": true, "has_number": false, "active_only": true, "deleted_only": false, "anchor_left": true, "anchor_right": false, "page": 20 } ]
Action: Get Hosting Information
This action provides a list of changes that have occurred in a domain name's registrar, IP address, and name servers.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL to get the information. Example: | Text | Required | |
Example Request
[ { "domain_name": "domaintools.com" } ]
Action: IP Monitor
This action searches the daily activity of all our monitored TLDs on any given IP address. The new, deleted, and transferred domain records can be queried up to six days in the past.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter the IP address you wish to query. Example: 65.55.53.233 | Text | Required | |
Days back | Enter this parameter in exceptional circumstances where you need to search domain changes up to six days prior to the current date. Set the value to an integer in the range of 1-6. Example: 3 | Integer | Optional | Default value: 0 |
Page | Enter the page count value. If the result set is larger than 1000 records for a given day, request additional pages with this parameter. Set the value to an integer up to a maximum of the returned page_count value. Example: 4 | Integer | Optional | Default value: 1 |
Example Request
[ { "query": "65.55.53.233", "days_back": 3, "page": 4 } ]
Action: IP Registrant Monitor
This action searches for domain names that are currently registered or have been registered in the past under one of the major gTLDs (.com, .net, .org, .info, .us, or .biz), many country code TLDs, or the new gTLDs.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Query | Enter a space separated list of free text query terms; the action returns the list of IP ranges that satisfy the query. Example: +domain -tools *.com | Text | Required | The query terms have the following rules: |
Include Total Count | Choose to return the total number of results for a query. This should typically be used only for the first page of a large result set. Example: true | Boolean | Optional | Allowed values: Default value: False |
Page | Enter the page number to access additional pages of data. Results are returned 1000 ranges at a time. The maximum allowed value is 5. Example: 3 | Integer | Optional | Default value: 1 |
Search Type | Enter the type of changes to return. Example: Modifications | Text | Optional | Allowed values: Default value: All |
Country | Enter the country code to limit results to IP addresses allocated to an entity in a particular country. Valid options are ISO 3166-1 two character country codes. Example: +93 | Text | Optional | Default value: All country codes |
Server | Enter the server to limit results to ranges from a particular Whois server. Example: whois.arin.net | Text | Optional | Allowed values: Default value: All Whois servers |
Example Request
[ { "query": "+domain -tools *.com", "include_total_count": true, "page": 3, "search_type": "Modifications", "country": "+93", "server": "whois.arin.net" } ]
Action: List IP Reverse
This action provides a list of domain names that share the same internet host (i.e. the same IP address). You can request an IP address directly, or you can provide a domain name. If you provide a domain name, the action responds with the list of other domains that share the same IP.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name or IP Address | Enter the domain name or IP address. Example: 55.53.65.234 | Text | Required | |
Inputted Data is Domain | Set to true if the value in "domain_name_or_ip_address" is a domain name; set to false if it is an IP address. Example: False | Boolean | Required | Allowed values: |
Limit | Enter the limit of the size of the domain list that can appear in a response. The limit is applied per-IP address and not for the entire request. Example: 5 | Integer | Optional | Default value: 10 |
Example Request
[ { "domain_name_or_ip_address": "55.53.65.234", "inputted_data_is_domain": false, "limit": 5 } ]
Action: Reverse IP Whois
This action provides a list of IP ranges that are owned by an organization. You can enter an organization’s name and receive a list of all of the organization’s currently owned IP ranges.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP | Enter the IP range to return the most recent cached IP Whois records for the allocated range the IP is in. Example: 10-20 | Text | Required | |
Query | Enter a space separated list of free text query terms; the action returns the list of IP ranges that satisfy the query. The query terms have the following rules: +term: the term must be included in the results. -term: the term must not be included in the results. term*: the term is matched as a prefix. No modifier: a phrase search is performed. Example: +domain -tools *.com | Text | Required | For example, a query of "google inc" returns only results that include both terms in the order given. Search terms are case-insensitive. Search terms must be URL encoded, including modifiers; for example, + should be encoded as %2b to avoid being interpreted as a space. |
Country | Enter the country code to limit results to IP addresses allocated to an entity in a particular country. Valid options are ISO 3166-1 two character country codes. Example: +93 | Text | Optional | Default value: All country codes |
Server | Enter the server to limit results to ranges from a particular Whois server. Example: whois.arin.net | Text | Optional | Allowed values: Default value: All Whois servers |
Include Total Count | Choose to return the total number of results for a query. This should typically be used only for the first page of a large result set. Example: True | Boolean | Optional | Allowed values: Default value: False |
Page | Enter the page number to access additional pages of data. Results are returned 1000 ranges at a time. The maximum allowed value is 5. Example: 3 | Integer | Optional | Default value: 1 |
IP Version | Enter the IP version to limit the query results to a particular IP version. If omitted, the query runs against IPv4. Example: 4 | Integer | Optional | Allowed values: Default value: 4 |
Example Request
[ { "ip": "10-20", "query": "+domain -tools *.com", "country": "+93", "server": "whois.arin.net", "include_total_count": false, "page": 3, "ip_version": 4 } ]
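The query-term rules above (shared with the Query parameter of IP Registrant Monitor) hinge on URL encoding: a `+` that is not encoded is decoded by the server as a space, silently turning a required term into a phrase term. The following added example (not code from the DomainTools app or the Orchestrate connector) classifies the terms of a query by their modifier, shows the encoded form, and contrasts what a server decodes from a naively built query string versus a properly encoded one. The function names, the `ip_version` allowed values (4 and 6), and the sample queries are assumptions for illustration.

```python
"""Query-term modifiers and URL encoding for Reverse IP Whois / IP Registrant
Monitor queries (added example)."""
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, quote, urlencode

MAX_PAGE = 5  # "The maximum allowed value is 5"


def classify_terms(query: str) -> List[Tuple[str, str]]:
    """Tag each space-separated term with the documented modifier rule.

    +term -> required, -term -> excluded, term* -> prefix, anything else is
    part of a phrase search (the leading '*' in '*.com' is not a documented
    modifier, so it is kept as a phrase term)."""
    tagged = []
    for raw in query.split():
        if raw.startswith("+") and len(raw) > 1:
            tagged.append(("required", raw[1:]))
        elif raw.startswith("-") and len(raw) > 1:
            tagged.append(("excluded", raw[1:]))
        elif raw.endswith("*") and len(raw) > 1:
            tagged.append(("prefix", raw[:-1]))
        else:
            tagged.append(("phrase", raw))
    return tagged


def encode_query(query: str) -> str:
    """Percent-encode the whole query, modifiers included.

    safe="" makes '+' -> %2B and '*' -> %2A (the page writes %2b; the case of
    the hex digits does not matter to a decoder)."""
    return quote(query, safe="")


def build_params(ip: str, query: str, country: Optional[str] = None,
                 server: Optional[str] = None, include_total_count: bool = False,
                 page: int = 1, ip_version: int = 4) -> Dict[str, object]:
    """Assemble the action parameters, enforcing the documented page limit."""
    if not 1 <= page <= MAX_PAGE:
        raise ValueError("page must be between 1 and %d" % MAX_PAGE)
    if ip_version not in (4, 6):  # assumption: allowed values are not listed on the page
        raise ValueError("ip_version must be 4 or 6")
    params: Dict[str, object] = {"ip": ip, "query": query, "page": page,
                                 "ip_version": ip_version}
    if country:
        params["country"] = country
    if server:
        params["server"] = server
    if include_total_count:
        params["include_total_count"] = "true"
    return params


def query_string(params: Dict[str, object]) -> str:
    """urlencode uses form encoding: '+' -> %2B and space -> '+', which a
    standard decoder turns back into the original text."""
    return urlencode(params)


def naive_query_string(query: str) -> str:
    """The mistake: concatenating the raw query, so '+' survives unencoded."""
    return "query=" + query


def as_server_decodes(qs: str) -> str:
    """What the receiving side sees for 'query' after standard form decoding."""
    return parse_qs(qs)["query"][0]


if __name__ == "__main__":
    q = "+domain -tools *.com"
    print(classify_terms(q))
    print(encode_query(q))
    print(repr(as_server_decodes(naive_query_string(q))))      # leading '+' lost
    print(repr(as_server_decodes(query_string({"query": q}))))  # intact
```

The last two lines of the usage make the point: the naive string arrives as `" domain -tools *.com"`, so the `+domain` requirement is gone, while the encoded one round-trips unchanged.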
Action: Reverse Name Server
This action provides a list of domain names that share the same primary or secondary name server. You can provide a domain name and the action provides the list of domain names pointed to the same name servers as those listed as the primary and secondary name servers on the domain name you requested.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL whose name servers are to be looked up. Example: | Text | Required | |
Limit | Enter the limit which is the size of the domain list that can appear in a response. Example: 5 | Integer | Optional | Default value: 10 |
Example Request
[ { "domain_name": "domaintools.com", "limit": 5 } ]
Action: Reverse Whois
This action provides a list of domain names that share the same registrant information. You can enter terms that describe a domain owner, like an email address or a company name, and you will get a list of domain names that have your search terms listed in the Whois record.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Terms | Enter one or more terms to search for in the Whois record, separated by the pipe character ( \| ). Example: domain \| tools | Text | Required | |
Exclude | Enter the words to exclude. Domain names whose Whois records match these terms are excluded from the result set. Separate multiple terms with the pipe character ( \| ). Example: score \| card | Text | Optional | |
Scope | Set the scope of the report to include only current Whois records, or both current and historic records. The value must be current (the default) or historic. Example: historic | Text | Optional | |
Mode | Confirm the mode: Example: Purchase | Text | Optional | |
Example Request
[ { "terms": "domain | tools", "exclude": "score | card", "scope": "historic", "mode": "Purchase" } ]
Action: Whois History
This action retrieves the historical Whois records for a domain.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL for which the Whois history is desired. Example: | Text | Required | |
Limit | Specify the maximum number of records to retrieve, between 1 and 100. For example, to retrieve at most 2 historical records for a domain, add limit=2. If the limit is 0, no historical records are returned. If the limit is more than 100, only the first 100 records are returned; to retrieve subsequent records, use pagination. This action does not validate the limit parameter value. Example: 50 | Integer | Optional | Default value: 100 |
Sort | Sort the returned records in ascending or descending date order. Example: date_asc | Text | Optional | Default value: date_desc |
Offset | Enter the offset to paginate results when there are more than 100. Each query returns up to 100 results; use this parameter to skip results. For example, if the record_count is 150, set the offset to 100 to skip the first 100 results and retrieve the remaining 50. To retrieve at most 20 subsequent historical records, pass both parameters as offset=100 & limit=20. Example: 10 | Integer | Optional | Default value: 0 (no records are skipped) |
Mode | Enter the mode to change the API result. The following values are supported: Example: check_existence | Text | Optional | |
Example Request
[ { "domain_name": "domaintools.com", "limit": 50, "sort": "date_asc", "offset": 10, "mode": "check_existence" } ]
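Because the action does not validate `limit`, and the server caps each query at 100 records, a playbook that wants the whole history has to compute the `offset`/`limit` windows itself. The following added example (not code from the DomainTools app or the Orchestrate connector) does that from a known `record_count`, enforces the 1-100 range client-side, and models the documented server behaviour for a limit of 0 or above 100. The function names are assumptions for illustration; the 150-record walkthrough is the one from the Offset description.

```python
"""Offset/limit pagination for Whois History (added example)."""
from typing import Dict, List, Tuple

MAX_LIMIT = 100          # server returns at most 100 records per query
SORT_VALUES = ("date_asc", "date_desc")


def validate_limit(limit: int) -> int:
    """The action passes limit through unvalidated; reject bad values here."""
    if not isinstance(limit, int) or isinstance(limit, bool):
        raise TypeError("limit must be an integer")
    if not 1 <= limit <= MAX_LIMIT:
        raise ValueError("limit must be between 1 and %d" % MAX_LIMIT)
    return limit


def effective_records(limit: int, available: int) -> int:
    """Records the server returns for a given limit, per the description:
    0 returns nothing, more than 100 is capped at the first 100."""
    return min(max(limit, 0), MAX_LIMIT, available)


def pagination_windows(record_count: int, limit: int = MAX_LIMIT,
                       offset: int = 0) -> List[Tuple[int, int]]:
    """Return (offset, limit) pairs that cover record_count records,
    starting at `offset`, without ever requesting more than `limit`."""
    validate_limit(limit)
    if offset < 0:
        raise ValueError("offset must not be negative")
    windows = []
    while offset < record_count:
        take = min(limit, record_count - offset)
        windows.append((offset, take))
        offset += take
    return windows


def whois_history_requests(domain: str, record_count: int,
                           limit: int = MAX_LIMIT,
                           sort: str = "date_desc") -> List[Dict[str, object]]:
    """Build one action input per page, in the page's request format."""
    if sort not in SORT_VALUES:
        raise ValueError("sort must be one of %s" % (SORT_VALUES,))
    return [
        {"domain_name": domain, "limit": take, "offset": start, "sort": sort}
        for start, take in pagination_windows(record_count, limit)
    ]


if __name__ == "__main__":
    # 150 records: first page of 100, then the remaining 50 at offset 100.
    print(pagination_windows(150))
    # 20 records at a time starting from offset 100, as in offset=100 & limit=20.
    print(pagination_windows(150, limit=20, offset=100))
    print(whois_history_requests("domaintools.com", 150))
```

The `record_count` comes from the first response; a first request with the default limit both returns the first 100 records and tells you how many windows remain.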
Action: Whois Lookup
This action retrieves the Whois records for domain names and IP addresses.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name or IP Address | Enter the domain or IP address you would like to look up. Example: 55.53.65.235 | Text | Required | |
Example Request
[ { "domain_name_or_ip_address": "55.53.65.235" } ]
Action: Iris Enrich
This action is an improved alternative that offers comparable performance over a greatly expanded dataset.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain Name | Enter the domain name or URL to get the enrichment. Example: | Text | Required | |
Format | Enter the data format for the response. Example: JSON | Text | Optional | Allowed values: |
App Name | Enter the app name, module name, Playbook name, or a combination of these parameters. Example: domaintools_api | Text | Required | |
Extra Param | Enter the extra parameters to query. | Key-value | Optional | Allowed keys: |
Example Request
[ { "domain_name": "domaintools.com", "app_name": "domaintools_api", "format": "json", "extra_params": {} } ]
Action: Iris Investigate
This action is suited to investigate and orchestrate use cases on a human scale. It returns dozens of domain name attributes on every result, including Whois, IP, active DNS, website & SSL data, and more.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
Domain name | Enter the domain name or URL. Example: | Text | Optional | Default value: google.com |
IP address | Enter the IP address. Example: 1.1.1.1 | Text | Optional | |
Extra Param | Enter the extra parameters for the query. Example: "email": "abc@gmail.com" | Key-value | Optional | Allowed keys: For more information on the allowed keys, see the DomainTools API Documentation. |
Example Request
[ { "domain_name": "domaintools.com", "ip_address": "1.1.1.1", "email": "abc@gmail.com" } ]
Action: Parsed Whois
This action provides parsed information extracted from the raw Whois record. It retrieves the Whois record, groups the data, and returns it in a well-structured format.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
IP Address or Domain Name | Enter an IP address or domain name. Example: | Text | Required | |
Example Request
[ { "ip_or_domain": "domaintools.com" } ]
Action: Generic Action
This is a generic action to perform any additional use case on DomainTools.
Action Input Parameters
Parameter | Description | Field Type | Required/Optional | Comments |
---|---|---|---|---|
HTTP Method | Enter the HTTP method. Example: | Text | Required | |
URL | Enter the complete URL to initiate the API call. Example: "https://api.domaintools.com/v1/reverse-whois" | Text | Required | |
Request Body | Enter the request body in JSON format. Example: {"data": [{"reason": "security operation"}]} | Any | Optional | |
Query Params | Enter the query parameters in JSON format. Example: {"limit": 10} | Any | Optional | |
Example Request
[ { "http_method":"GET", "url":"/v1/yourdomain.com/whois", "request_body":{ "data":[ { "reason":"security_testing" } ] }, "query_params":{ "limit":"10" } } ]
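A generic action that accepts an arbitrary method, URL, body and query parameters is the one place in this app where playbook input is passed through almost untouched, so it is worth validating before it is sent. The following added example (not code from the DomainTools app or the Orchestrate connector) normalizes the four inputs shown in the table: it accepts either a complete URL or a path like the one in the example request, refuses any destination other than `https://api.domaintools.com`, checks that the body and query parameters are valid JSON objects, merges the query parameters into the URL, and masks credential-like keys before anything is logged. The allowed-method list, the function names, and the treatment of `api_key` as a value to redact are assumptions for illustration; the sample inputs are the page's own example values.

```python
"""Input validation for the Generic Action (added example)."""
import json
from typing import Any, Dict, Optional, Union
from urllib.parse import urlencode, urlsplit, urlunsplit

API_BASE = "https://api.domaintools.com"          # host of the page's URL example
ALLOWED_METHODS = {"GET", "POST", "PUT", "PATCH", "DELETE"}  # assumption
SECRET_KEYS = {"api_key", "signature"}            # assumption: never write these to logs

JsonInput = Union[str, Dict[str, Any], None]


def normalize_url(url: str) -> str:
    """Turn a path or complete URL into an absolute https URL on the API host.

    Anything pointing elsewhere (other host, plain http, userinfo tricks such
    as https://api.domaintools.com@evil.example/) is rejected, and any
    fragment is dropped."""
    if url.startswith("/"):
        url = API_BASE + url
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.netloc.lower() != "api.domaintools.com":
        raise ValueError("URL must be on %s" % API_BASE)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def as_json_object(value: JsonInput, name: str) -> Optional[Dict[str, Any]]:
    """Accept a dict or a JSON string; require a JSON object or nothing."""
    if value is None or value == "":
        return None
    if isinstance(value, str):
        value = json.loads(value)
    if not isinstance(value, dict):
        raise ValueError("%s must be a JSON object" % name)
    return value


def build_generic_request(http_method: str, url: str, request_body: JsonInput = None,
                          query_params: JsonInput = None) -> Dict[str, Any]:
    """Validate the four Generic Action inputs and return what would be sent."""
    method = http_method.strip().upper()
    if method not in ALLOWED_METHODS:
        raise ValueError("unsupported HTTP method: %r" % http_method)
    full_url = normalize_url(url)
    params = as_json_object(query_params, "query_params")
    if params:
        separator = "&" if urlsplit(full_url).query else "?"
        full_url = full_url + separator + urlencode(params)
    body = as_json_object(request_body, "request_body")
    return {
        "method": method,
        "url": full_url,
        "body": json.dumps(body) if body is not None else None,
    }


def redact_for_log(params: Dict[str, Any]) -> Dict[str, Any]:
    """Copy of a parameter dict with credential values masked."""
    return {k: ("***" if k.lower() in SECRET_KEYS else v) for k, v in params.items()}


if __name__ == "__main__":
    req = build_generic_request(
        "GET", "/v1/yourdomain.com/whois",
        {"data": [{"reason": "security_testing"}]}, {"limit": "10"})
    print(req["url"])
    # Configuration values from the page's examples, masked before logging.
    print(redact_for_log({"api_username": "SampleAPIUser", "api_key": "xxx-12@-xxK9"}))
```

Keeping the host check in one function means a playbook author can still type the short path form from the example while the connector never issues a request to a host outside the DomainTools API.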