DomainTools Iris Investigate

This app supports investigative actions to profile domain names, get risk scores, and find connected domains that share the same Whois details, web hosting profiles, SSL certificates, and more on DomainTools Iris Investigate

Built by

Latest Version: 1.7.0 (July 9, 2025)
Compatibility: Not Available
Platform Version: 7.0, 6.4, 6.3
Rating: 0 (0)
Support: Developer Supported connector

Supported Actions

  • test connectivity: Validate the asset configuration for connectivity
  • domain reputation: Evaluates the risk of a given domain
  • pivot action: Find domains connected by any supported Iris Investigate search parameter
  • reverse domain: Extract IPs from a single domain response for further pivoting
  • reverse ip: Find domains with web hosting IP, NS IP or MX IP
  • load hash: Load or monitor Iris Investigate search results by Iris Investigate export hash
  • reverse email: Find domains with email in Whois, DNS SOA or SSL certificate
  • lookup domain: Get all Iris Investigate data for a domain using the Iris Investigate API endpoint (required)
  • enrich domain: Get all Iris Investigate data for a domain except counts using the high volume Iris Enrich API endpoint (if provisioned)
  • configure scheduled playbooks: Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status
  • on poll: Execute scheduled playbooks based on the interval (mins) set in the 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules
  • parsed domain rdap: The Parsed Domain RDAP API returns the most recent Domain-RDAP registration record in response to an HTTP GET query. This API complements the Parsed Whois API, as some registries and registrars are beginning to support RDAP as an alternative to Whois for providing domain registration data
  • nod feed: Apex-level domains (e.g. example.com but not www.example.com) observed for the first time by the DomainTools sensor network, and which are not present in our DNSDB historical database
  • nad feed: Apex-level domains (e.g. example.com but not www.example.com) DomainTools has newly observed in our DNS sensor network. This includes domains observed in DNS for the first time as well as domains observed in DNS again after not being observed for at least 10 days
  • noh feed: Contains fully qualified domain names (i.e. host names) that have never been seen before in passive DNS, emitted as soon as they are first observed: hostname resolutions that we observe for the first time with our global DNS sensor network
  • domain discovery feed: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties
  • domain rdap feed: The list of records for a given domain may be provided by a domain registry, a registrar, or both. Domain registries maintain authoritative information about one or more top-level domains (e.g., .com), while domain registrars manage apex domains (e.g., domaintools.com). When domain information is present from both the registry and the registrar, this API presents a record containing both sets of results, as well as the original raw JSON record from both the registry and the registrar

Categories

Created By: SOAR Community

Type: connector

Downloads: 1,592