# Chronicle: DomainTools App

## Overview

### DomainTools Platform
DomainTools is the global leader for internet intelligence and the first place security practitioners go when they need to know. The world's most advanced security teams use DomainTools solutions to identify external risks, investigate threats, and proactively protect organizations in a constantly evolving threat landscape.
The DomainTools Iris platform is a suite of security SaaS applications that help incident responders, investigators, and security analysts understand the risk of Internet domain names and the infrastructure that supports them.
### Google Chronicle Platform
Chronicle is a modern, cloud-native SecOps platform that empowers security teams to better defend against today's and tomorrow's threats.
By combining Google's hyper-scale infrastructure, unparalleled visibility, and understanding of cyber adversaries, Chronicle provides curated outcomes that proactively uncover the latest threats in near real-time. This enables security teams to detect, investigate, and respond with speed and precision.
### Chronicle App for DomainTools

The Chronicle App for DomainTools fetches real-time events from Chronicle and extracts the domains they contain for enrichment through the DomainTools APIs. The app also supports ad-hoc enrichment of domains on demand, and it ships with Looker dashboards on which users can visualize the resulting metrics.
## Documentation
- Installation - Set up Google Cloud Platform (GCP) resources, deploy cloud functions, and configure Chronicle rules
- Looker Setup - Install and configure Looker dashboards for data visualization
- Dashboards - Reference guide for available dashboards and their features
- Troubleshooting - Common issues, limitations, costs, and references
## Changelog

| Version | Release Date | Summary |
|---|---|---|
| 1.0.0 | 2023-09-13 | Provided the cloud function that enriches domain data from DomainTools and imports it into Chronicle.<br>Provided the ad-hoc script for allow list, monitoring list, bulk enrichment, and monitoring tag execution.<br>Provided the following Chronicle rules to generate detections: high_risk_domain_observed, medium_risk_domain_observed, young_domain, monitoring_list_domain, medium_risk_domain_observed.<br>Provided the following dashboards for visualization: Threat Intelligence, Enrichment Explorer, Domain Profiling, Monitoring Dashboard, Application Diagnostics. |