# Cortex XSIAM: DomainTools Iris Investigate
The DomainTools Iris Investigate integration for Cortex XSIAM provides automated infrastructure characterization and threat hunting capabilities within the incident response process. You gain access to domain profile, web crawl, Secure Sockets Layer (SSL), and infrastructure data from within Cortex XSIAM.
For more information about Cortex XSIAM, see the official Palo Alto Cortex XSIAM documentation. For the latest integration details, see the Cortex Marketplace.
## Key capabilities
Together, DomainTools and Cortex automate and orchestrate incident response processes with domain profile, web crawl, SSL, and infrastructure data delivered by the DomainTools Iris Investigate API. You can create custom, automated workflows to trigger Indicator of Compromise (IoC) investigations, block threats based on connected infrastructure, and identify malicious incidents before weaponization.
The integration provides:
- Access to domain profile, web crawl, SSL, and infrastructure data
- Automated workflows for incident response
- Infrastructure characterization and threat hunting
- IoC investigations with connected infrastructure analysis
- Risk scoring with components and evidence
## Before you begin
You need:
- Active Cortex XSIAM instance
- DomainTools Iris Investigate API credentials (username and key)
- Cortex XSIAM content pack installed from marketplace
## Install the integration
1. Navigate to the Cortex Marketplace.
2. Select the Cortex XSIAM platform.
3. Download the DomainTools Iris Investigate pack with its dependencies.
4. Install the pack in your Cortex XSIAM instance.
## Configure the integration
To configure the DomainTools Iris Investigate integration instance:
1. Navigate to Settings > Integrations.
2. Search for "DomainTools Iris".
3. Add a new instance.
4. Configure the following parameters:

| Parameter | Required | Description |
|---|---|---|
| API Username | Yes | DomainTools API username for authentication |
| API Key | Yes | DomainTools API key for authentication |

5. Test the connection to verify the credentials.
## What you can do with this integration
### Get complete domain profiles
Fetch comprehensive Iris profiles for domains, including risk scores, WHOIS data, Domain Name System (DNS) records, and infrastructure details.
### Automate incident response
Create custom workflows to:
- Trigger IoC investigations automatically
- Block threats based on connected infrastructure
- Identify potentially malicious incidents before weaponization
### Hunt for threats
Use DomainTools data to:
- Characterize infrastructure associated with domains
- Pivot on connected infrastructure elements
- Discover related malicious domains
### Enrich domain indicators
Enrich domain indicators with:
- Registration and ownership information
- Historical DNS and Internet Protocol (IP) data
- SSL certificate information
- Risk scores and threat profiles
### Access infrastructure data
The integration provides access to:
- IP addresses, hostname details, name servers, mail servers, and web servers
- SSL certificate details and tracking codes for websites
- Email addresses from DNS Start of Authority (SOA) records
- DomainTools Risk Score with components and evidence
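The "Hunt for threats" and "Access infrastructure data" sections above describe the core hunting move: take a domain of interest, find other domains that share its infrastructure (IPs, name servers, mail servers, SOA e-mail, SSL certificate), and let the risk score decide what the workflow does with each hit. The following Python is an added example written for this page, not code from DomainTools or Palo Alto Networks, and the record layout (`ips`, `name_servers`, `mail_servers`, `soa_email`, `ssl_hash`, `risk_score`, `risk_components`) is an assumed simplification of the data types the page lists, not the integration's actual output schema. The sample records use RFC 5737 addresses and `.test` names and are constructed for illustration.

```python
"""Pivot on shared infrastructure and triage the hits by risk score.

Added example for the Cortex XSIAM / DomainTools Iris Investigate page.
The record layout below is an ASSUMED simplification, not the integration's
real output schema; all sample data is constructed.
"""
from collections import defaultdict

# Infrastructure fields to pivot on, mirroring the data types the page lists.
PIVOT_FIELDS = ("ips", "name_servers", "mail_servers", "soa_email", "ssl_hash")

# Constructed sample profiles (hypothetical schema, RFC 5737 IPs, .test domains).
SAMPLE_PROFILES = [
    {"domain": "seed.test", "risk_score": 92,
     "risk_components": {"proximity": 90, "threat_profile": 88},
     "ips": ["198.51.100.10"], "name_servers": ["ns1.shared-host.test"],
     "mail_servers": ["mx.shared-host.test"],
     "soa_email": "hostmaster@shared-host.test",
     "ssl_hash": "sha1:constructed-cert-a"},
    {"domain": "sibling-a.test", "risk_score": 75,
     "risk_components": {"proximity": 75, "threat_profile": 40},
     "ips": ["198.51.100.10"], "name_servers": ["ns1.shared-host.test"],
     "mail_servers": [], "soa_email": "hostmaster@shared-host.test",
     "ssl_hash": None},
    {"domain": "sibling-b.test", "risk_score": 35,
     "risk_components": {"proximity": 35, "threat_profile": 10},
     "ips": ["203.0.113.5"], "name_servers": ["ns2.other.test"],
     "mail_servers": [], "soa_email": "hostmaster@shared-host.test",
     "ssl_hash": None},
    {"domain": "unrelated.test", "risk_score": 5,
     "risk_components": {"proximity": 5, "threat_profile": 0},
     "ips": ["203.0.113.77"], "name_servers": ["ns1.example-registrar.test"],
     "mail_servers": ["mx.example-registrar.test"],
     "soa_email": "dns@example-registrar.test",
     "ssl_hash": "sha1:constructed-cert-b"},
]


def _values(profile, field):
    """Normalise a scalar-or-list field to a set so fields compare uniformly."""
    value = profile.get(field)
    if value is None:
        return set()
    if isinstance(value, (list, tuple, set)):
        return set(value)
    return {value}


def pivot_candidates(seed_domain, profiles, min_shared=1):
    """Return {domain: [(field, shared_value), ...]} for every other domain that
    shares at least `min_shared` infrastructure values with the seed."""
    seed = next(p for p in profiles if p["domain"] == seed_domain)
    hits = defaultdict(list)
    for profile in profiles:
        if profile["domain"] == seed_domain:
            continue
        for field in PIVOT_FIELDS:
            for value in sorted(_values(seed, field) & _values(profile, field)):
                hits[profile["domain"]].append((field, value))
    return {d: ev for d, ev in hits.items() if len(ev) >= min_shared}


def triage(profile, block_at=90, investigate_at=70):
    """Map a risk score to a workflow action. The thresholds are assumptions
    chosen for this example, not vendor guidance."""
    score = profile["risk_score"]
    if score >= block_at:
        return "block"
    if score >= investigate_at:
        return "investigate"
    return "monitor"


def hunt(seed_domain, profiles, min_shared=2):
    """Pivot from a seed, then triage each related domain, keeping the shared
    infrastructure and the score components as evidence for the analyst."""
    report = {}
    for domain, evidence in pivot_candidates(seed_domain, profiles, min_shared).items():
        profile = next(p for p in profiles if p["domain"] == domain)
        report[domain] = {"action": triage(profile), "evidence": evidence,
                          "components": profile["risk_components"]}
    return report


if __name__ == "__main__":
    for domain, entry in hunt("seed.test", SAMPLE_PROFILES).items():
        print(domain, entry["action"], entry["evidence"])
```

Requiring at least two shared values (`min_shared=2`) before a domain enters the report is the design choice worth noting: a single shared SOA e-mail or name server is often just a popular hosting provider, so `sibling-b.test` drops out while `sibling-a.test`, which shares an IP, a name server and an SOA contact with the seed, is kept and routed to the "investigate" action by its score. In a real playbook the records would come from the integration's domain profile output and the thresholds from your own risk policy.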
### Enable automated actions
Enable automated War-Room investigations and workflows within your Cortex XSIAM environment.