Palo Alto XSOAR: DomainTools app¶
The Palo Alto XSOAR Iris app brings contextual Domain Name System (DNS) intelligence from DomainTools Iris to Palo Alto XSOAR. You can leverage the app to automate the enrichment of malicious observables within incidents. Security analysts can use DomainTools intelligence across all their response workflows and automate mundane tasks.
For more information about XSOAR, see the official Palo Alto XSOAR documentation. For playbooks, see the DomainTools GitHub repository.
Key capabilities¶
With this Iris app, you can use the capabilities of Iris Investigate API within Palo Alto XSOAR and access a richer dataset to economize the enrichment process. You can leverage Palo Alto XSOAR's investigation and case management capabilities to investigate domain observables with greater context and speed.
The app enables:
- Ad hoc investigations of domain Indicators of Compromise (IOCs) inside Palo Alto XSOAR incidents
- Triage with DomainTools Risk Score, Threat Profile Scores, and other actionable analytics
- Persistent DomainTools intelligence inside Palo Alto XSOAR
- Discovery of connected infrastructure for a malicious domain
- Automated triaging of DomainTools Iris tags inside Palo Alto XSOAR
- Automated enrichment process using DomainTools playbooks
- Targeted threat hunting at key aspects of a domain name's registration profile
Before you begin¶
You need:
- Palo Alto XSOAR Server 6.6.0 or later
- Palo Alto XSOAR Content version 1.32.44 (6877054) or later
- Active DomainTools Iris Investigate API credentials (username and key)
Set up the Iris integration¶
DomainTools offers two integrations: DomainTools Iris Investigate (as DomainTools Iris), and the DomainTools Real-time Threat Feeds (as FeedDomainTools). This guide provides instructions for both integrations, which you configure independently.
Install and configure Iris Investigate¶
- Select Settings > Integrations > Servers & Services
- Search for "DomainTools" to find the DomainTools Iris (Partner Contribution) integration
- Select Add Instance to configure the DomainTools instance
- Enter the configuration parameters described in the following table:
| Parameter name | Required | Description |
|---|---|---|
| API Username | Yes | DomainTools API username used to authenticate API calls. |
| API Key | Yes | DomainTools API key (secret) used to authenticate API calls. Keep it in the instance configuration; do not copy it into playbook inputs or lists. |
| High-Risk Threshold | Yes | DomainTools Risk Score at or above which a domain is flagged as high risk within your Palo Alto XSOAR instance. Default is 70. |
| Young Domain Timeframe | Yes | Age threshold (in days) below which a domain is treated as a 'young domain' within Palo Alto XSOAR. |
| Guided Pivot Threshold | Yes | Guided pivots are data points shared by this many or fewer domains (500 by default), so pivoting on them returns a manageable set of related domains. Configure the exact threshold as desired. |
| Fetch Incidents | Yes | Enables incident fetching (monitoring by Iris search hash and by Iris tags). |
| Classifier | No | Classifier that sets the incident type for fetched incidents. Choose DomainTools_Iris_Classifier. Required if Fetch Incidents is enabled. |
| Incident Type | No | Leave at the default "N/A": the integration produces two kinds of incidents (hash monitoring and tag monitoring), and the classifier assigns the type. |
| Mapper | No | Mapper applied to fetched incidents. Currently maps the domain key from the Iris result to the Additional Indicators incident field. Choose DomainTools_Iris_Mapper. Required if Fetch Incidents is enabled. |
| Enabled on Monitoring Domains by Iris Hash | No | Determines what method to use. Options are Import Indicators Only and Create Incident and Import Indicators. Default is Import Indicators Only. Required if Fetch Incidents is enabled. |
| DomainTools Iris Investigate Search Hash | No | Required if Fetch Incidents is enabled. |
| Enabled on Monitoring Domains by Iris Tags | No | Determines what method to use. Options are Import Indicators Only and Create Incident and Import Indicators. Default is Import Indicators Only. Required if Fetch Incidents is enabled. |
| DomainTools Iris Tags | No | Contains the Iris tags to monitor. Creates incident or creates an indicator for each new domain found based on the tags. Required if Fetch Incidents is enabled. |
| Maximum Incidents to Fetch | No | Determines the maximum incidents to fetch. Default is 2 (one for each possible feed type: iris search hash and iris tags). |
| Incidents Fetch Interval | No | Determines the interval to fetch incidents (fetch results from Iris Investigate API with the given iris hash and iris tags). Required if Fetch Incidents is enabled. |
- Test connectivity with DomainTools by clicking Test and look for the Success! indicator
Configure domain enrichment¶
To enable DomainTools to contribute to domain verdicts in XSOAR, you need to configure the domain-type indicator to use the DomainTools Iris domain command as part of its enrichment process.
Set the DomainTools domain command as the auto-enrichment or reputation command for domain indicators:
- Navigate to Settings > Objects Setup
- Select the Indicators tab
- Locate and select the Domain indicator type
- Click Edit
- Under the Reputation Command section, add the DomainTools domain command
- Save your changes
After you configure this setting, every time a domain indicator is encountered, XSOAR automatically runs the DomainTools command to enrich the indicator and contribute to the overall verdict (for example, via DBotScore and Domain.Malicious context fields).
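The three instance parameters above (High-Risk Threshold, Young Domain Timeframe, Guided Pivot Threshold) decide what the enrichment flags on an indicator. The following script is an added example, not the integration's own code: it applies those checks to a constructed record shaped loosely like an Iris Investigate result. The exact result schema, the 30-day young-domain default and the DBotScore mapping (3 for malicious at or above the threshold, 2 for suspicious below it, 0 when no score) are assumptions made here; the page documents the thresholds, not how the integration maps them to a verdict.

```python
# Added example: risk, domain-age and guided-pivot checks driven by the instance
# parameters. Stand-alone script; the record shape, the young-domain default and
# the DBotScore mapping are assumptions, not documented integration behaviour.
from datetime import date, timedelta

HIGH_RISK_THRESHOLD = 70        # documented default
YOUNG_DOMAIN_DAYS = 30          # assumed; the page gives no default for this parameter
GUIDED_PIVOT_THRESHOLD = 500    # documented default

# Constructed sample (not real data). Each data point carries the value and the
# number of domains in Iris that share it, which is what guided pivots use.
SAMPLE_RESULT = {
    "domain": "lure-docs.test",
    "domain_risk": {"risk_score": 84},
    "create_date": {"value": "2024-05-01", "count": 5000},
    "ip": [{"address": {"value": "203.0.113.10", "count": 12}}],
    "name_server": [{"host": {"value": "ns1.bulk-hoster.test", "count": 48211}}],
    "ssl_info": [{"hash": {"value": "a1b2c3d4", "count": 3}}],
}


def risk_verdict(result, threshold=HIGH_RISK_THRESHOLD):
    """Return (is_high_risk, dbot_score); XSOAR DBotScore: 0 unknown, 2 suspicious, 3 bad."""
    score = result.get("domain_risk", {}).get("risk_score", 0)
    if score >= threshold:
        return True, 3
    if score > 0:
        return False, 2
    return False, 0


def is_young_domain(result, today_iso, max_age_days=YOUNG_DOMAIN_DAYS):
    """True when the registration date lies within the young-domain timeframe."""
    created = date.fromisoformat(result["create_date"]["value"])
    today = date.fromisoformat(today_iso)
    return (today - created) <= timedelta(days=max_age_days)


def guided_pivots(result, threshold=GUIDED_PIVOT_THRESHOLD):
    """Data points shared by `threshold` or fewer domains are tight enough to pivot on."""
    pivots = []
    for section, key in (("ip", "address"), ("name_server", "host"), ("ssl_info", "hash")):
        for entry in result.get(section, []):
            point = entry[key]
            if point["count"] <= threshold:
                pivots.append((section, point["value"], point["count"]))
    return pivots


def enrich(result, today_iso):
    """Bundle the flags an analyst would see on the indicator (context-like dict)."""
    high_risk, dbot = risk_verdict(result)
    return {
        "Domain": result["domain"],
        "RiskScore": result["domain_risk"]["risk_score"],
        "HighRisk": high_risk,
        "DBotScore": dbot,
        "YoungDomain": is_young_domain(result, today_iso),
        "GuidedPivots": guided_pivots(result),
    }


if __name__ == "__main__":
    print(enrich(SAMPLE_RESULT, "2024-05-20"))
```

Note that the name server in the sample is shared by 48,211 domains and is therefore not offered as a pivot: pivoting on it would return a bulk hoster's entire customer base rather than related infrastructure, which is exactly what the Guided Pivot Threshold is meant to prevent.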
Set up the Real-time Threat Feeds integration¶
- Select Settings > Integrations > Servers & Services
- Search for "DomainTools" to find the DomainTools Real-time Threat Feeds (FeedDomainTools) integration
- Select Add Instance to configure the feed instance
- Enter the configuration parameters described in the following table
For more information on these parameters, see the Real-time Threat Feeds user guide.
| Parameter | Description | Required |
|---|---|---|
| API Username | The DomainTools API username | Yes |
| API Key | The DomainTools API key | Yes |
| Session ID | A string that serves as a unique identifier for the session, used for resuming data retrieval from the last point. Default is dt-cortex-feeds. | No |
| After | The start of the query window in seconds, relative to the current time, inclusive. Default is -3600. | No |
| Top | Limits the number of results in the response payload. Especially useful for testing. Default is 5000. | No |
| Feed Type | The DomainTools feed type to fetch. Default is ALL. | No |
| Indicator Reputation | Indicators from this integration instance are marked with this reputation. | No |
| Source Reliability | Reliability of the source providing the intelligence data. | Yes |
| Feed Fetch Interval | The feed fetching interval to use. | No |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed, so an indicator that is on the exclusion list might still be added to the system. | No |
| Trust any certificate (not secure) | Disables TLS certificate verification for the feed connection. Leave unselected unless you accept the risk of a spoofed feed endpoint. | No |
| Use system proxy settings | Sends feed requests through the proxy configured on the XSOAR server. | No |
| Tags | Supports comma-separated values (CSV). | No |
| Traffic Light Protocol Color | Applied to indicators fetched from the feed. | No |
Use DomainTools Iris commands¶
For more information about the DomainTools Iris suite, see the Iris documentation.
| Command | Description |
|---|---|
| domain | Provides data enrichment for domains. |
| domaintools-hosting-history | Lists Internet Protocol (IP) address, name server, and registrar history. |
| domaintools-reverse-whois | Lists domain names that share the same registrant information. Enter terms that describe a domain owner, like an email address or a company name, to retrieve a list of domain names that have your search terms listed in the registration information. |
| domaintools-whois | Provides parsed information extracted from the raw Whois record. Ideal for searching, indexing, or cross-referencing multiple registration records. |
| domaintools-whois-history | Returns up to 100 historical Whois records associated with a domain name. |
| domaintoolsiris-analytics | Displays DomainTools analytic data in a markdown format table. |
| domaintoolsiris-enrich | Returns a complete profile of the domain (second-level domain and top-level domain) using Iris Enrich. If parsing of URLs or fully qualified domain names (FQDNs) is desired, see domainExtractAndEnrich. |
| domaintoolsiris-investigate | Returns a complete profile of the domain (second-level domain and top-level domain) using Iris Investigate. If parsing of FQDNs is desired, see domainExtractAndInvestigate. |
| domaintoolsiris-pivot | Pivot on connected infrastructure (IP, email, Secure Sockets Layer (SSL)), or import domains from Iris Investigate using a search hash. Retrieves up to 5000 domains at a time. Optionally exclude results from context with include_context=false. |
| domaintoolsiris-threat-profile | Displays DomainTools Threat Profile data in a markdown format table. |
Use DomainTools Real-time Threat Feeds commands¶
The dtfeeds-get-indicators command returns indicators from the feeds and displays them in the War Room. It accepts the following arguments:
| Argument name | Description | Required |
|---|---|---|
| feed_type | The DomainTools feed type to fetch. Default is nod. |  No |
| session_id | Session unique identifier. | No |
| domain | Filter results for a top-level domain. | No |
| after | The start of the query window in seconds, relative to the current time, inclusive. Default is -3600 (3600 seconds or 1 hour). | No |
| before | The end of the query window in seconds, relative to the current time, inclusive. | No |
| top | Limits the number of results in the response payload. Default is 50. | No |
Use DomainTools Iris automations¶
| Automation | Description |
|---|---|
| AddDomainRiskScoreToContext | Sets average risk score to context for pivot result. |
| AssociateIndicatorsToIncident | Associates indicators to an incident. |
| CheckLastEnrichment | Checks if DomainTools data needs enrichment. |
| CheckPivotableDomains | Checks for guided pivots for a given domain. |
| CheckTags | Checks DomainTools domain tags and if a tag is found, marks incident as high severity. |
| DomainExtractAndEnrich | Resolves a URL or fully qualified domain name (FQDN) and looks up a complete profile of the domain on the DomainTools Iris Enrich API. |
| DomainExtractAndInvestigate | Resolves a URL or fully qualified domain name (FQDN) and looks up a complete profile of the domain on the DomainTools Iris Investigate API. |
| SetIndicatorTableData | Sets data for a domain in the indicator table. |
Use DomainTools Iris playbooks¶
Get started with custom playbooks¶
In addition to the automation available within Palo Alto XSOAR, DomainTools continues to build additional content for XSOAR users. You can download automation scripts directly from the DomainTools Palo Alto XSOAR repository in GitHub.
Customize error handling¶
XSOAR playbooks halt on errors by default. Currently, some DomainTools playbooks may generate errors (such as when fed unregistered domains) that you want to skip over.
You can modify a playbook's error handling via its On Error tab in Task Details in several ways:
- Specify a permitted number of retries and the time between retries
- Set the task to continue through an error
- Set the task to take an error path
For more information about customized error handling, see this YouTube video from Palo Alto.
Check prerequisites¶
Before you upload these custom playbooks, review the Prerequisites section for each. It identifies any additional configurations and dependencies associated with these playbooks.
Playbook: DomainTools Auto Pivots¶
This playbook fetches the Iris Investigate profile of a domain and automatically identifies related infrastructure artifacts based on DomainTools Guided Pivot values.
Benefits:
- Automated investigations: Streamlines the investigative process by automatically identifying connected infrastructure, saving analysts time and reducing human error
- Comprehensive understanding: Gain a more complete understanding of threats by uncovering associated infrastructure, enabling better threat assessment
- Proactive threat detection: Assists in the early detection of threats associated with a specific domain by automating pivot lookups
Playbook: DomainTools Check Domain Risk Score By Iris Tags¶
This playbook periodically checks domains for risk based on Iris Investigate tags. You can define a list of tags to monitor, and the playbook adds new high-risk domains as indicators on associated incidents.
Benefits:
- Proactive risk management: Proactively monitor domains associated with specific tags, enabling early risk detection and mitigation
- Automation: Automates the process of tracking and alerting on domain risk, reducing manual effort and ensuring timely responses
- Incident enrichment: Enriches incidents with high-risk domain indicators, providing context for incident responders and aiding in swift decision-making
Playbook: DomainTools Check New Domains by Iris Hash¶
This playbook assists in monitoring new domains based on predefined infrastructure criteria, such as registrar, DNS, SSL certificates, and so on. It uses Iris Investigate data to identify newly registered domains.
Benefits:
- Timely threat detection: Detect new domains associated with specific infrastructure parameters, allowing you to identify potential threats in their early stages
- Customizable monitoring: Define specific criteria for monitoring, tailoring the playbook to your organization's unique threat landscape
- Integration with Iris Investigate: Leverages DomainTools' data to enhance monitoring capabilities, ensuring comprehensive threat visibility
Playbook: DomainTools Domain Auto Enrichment¶
Although Palo Alto XSOAR users can leverage the enrichment capability out-of-the-box, this playbook extends the ability to optimize the auto-enrichment process. This playbook:
- Checks if enrichment data is recent; if so, skips redundant enrichment of the domain
- Performs domain enrichment
- Stores key enrichment intelligence in Palo Alto XSOAR indicator table
Prerequisites¶
Automation scripts: The playbook uses the following automation scripts to deliver these functionalities. Both of these are available for download in the scripts folder of the same repository:
- DomainToolsCheckLastEnrichment
- DomainToolsSetIndicatorTable
Custom indicator fields: The playbook leverages the following custom fields in the indicator table to store the domain intelligence inside Palo Alto XSOAR. Create these fields before you execute the playbook:
- Select Settings > Advanced > Fields
- Select Indicator from the dropdown list
- Add new fields per the following table:
| Field name | Field type | Mandatory |
|---|---|---|
| additionalWhoisEmails | Short text | No |
| domainAge | Short text | No |
| emailDomains | Short text | No |
| ipAddresses | Short text | No |
| mailServers | Short text | No |
| nameServers | Short text | No |
| soaEmail | Short text | No |
| spfRecord | Short text | No |
| sslCertificate | Short text | No |
- After you create them, the same fields appear in the indicator table
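The playbook's three steps (freshness check, enrichment, write to the indicator table) are shown together below in an added example that is not the DomainToolsCheckLastEnrichment or DomainToolsSetIndicatorTable script itself. Because every custom field above is Short text, list-valued data such as IP addresses and name servers has to be flattened to one comma-joined string before it is stored; domainAge is derived from the creation date rather than copied. The profile shape, the 24-hour freshness window and the stand-in `lookup` function are assumptions made for the example.

```python
# Added example (not the playbook's own scripts): skip a fresh indicator, else
# enrich it and flatten the profile into the Short text custom fields above.
# Profile shape, 24h freshness window and the stand-in lookup are assumptions.
from datetime import date, datetime, timedelta

FRESH_FOR = timedelta(hours=24)                    # assumed re-enrichment window
NOW_ISO = "2024-06-01T12:00:00+00:00"              # fixed "current time" for the example

# Constructed profile shaped loosely like an Iris result (not real data).
SAMPLE_PROFILE = {
    "domain": "lure-docs.test",
    "create_date": {"value": "2024-05-01"},
    "additional_whois_email": [{"value": "abuse@registrar.test"}],
    "email_domain": [{"value": "mailbox-provider.test"}],
    "ip": [{"address": {"value": "203.0.113.10"}}, {"address": {"value": "203.0.113.11"}}],
    "mx": [{"host": {"value": "mx1.mailer.test"}}],
    "name_server": [{"host": {"value": "ns1.hoster.test"}}, {"host": {"value": "ns2.hoster.test"}}],
    "soa_email": [{"value": "hostmaster@hoster.test"}],
    "spf_info": "v=spf1 include:mailer.test -all",
    "ssl_info": [{"hash": {"value": "a1b2c3d4"}}],
}


def lookup(domain):
    """Stand-in for the domaintoolsiris-investigate call; returns the sample profile."""
    return dict(SAMPLE_PROFILE, domain=domain)


def needs_enrichment(indicator, now_iso, fresh_for=FRESH_FOR):
    """True when the indicator has no stored enrichment or it is older than fresh_for."""
    last = indicator.get("lastEnrichment")
    if not last:
        return True
    return datetime.fromisoformat(now_iso) - datetime.fromisoformat(last) > fresh_for


def profile_to_indicator_fields(profile, today_iso):
    """Flatten the profile into the custom indicator fields (all Short text)."""
    def join(items, *path):
        values = []
        for item in items:
            for key in path:          # walk e.g. item["address"]["value"]
                item = item[key]
            values.append(item)
        return ",".join(values)

    created = date.fromisoformat(profile["create_date"]["value"])
    today = date.fromisoformat(today_iso)
    return {
        "additionalWhoisEmails": join(profile.get("additional_whois_email", []), "value"),
        "domainAge": str((today - created).days),
        "emailDomains": join(profile.get("email_domain", []), "value"),
        "ipAddresses": join(profile.get("ip", []), "address", "value"),
        "mailServers": join(profile.get("mx", []), "host", "value"),
        "nameServers": join(profile.get("name_server", []), "host", "value"),
        "soaEmail": join(profile.get("soa_email", []), "value"),
        "spfRecord": profile.get("spf_info", ""),
        "sslCertificate": join(profile.get("ssl_info", []), "hash", "value"),
    }


def auto_enrich(indicator, now_iso, fetch=lookup):
    """Return (indicator, enriched?) following the playbook's three steps."""
    if not needs_enrichment(indicator, now_iso):
        return indicator, False                       # step 1: recent data, skip
    profile = fetch(indicator["value"])               # step 2: enrich
    fields = profile_to_indicator_fields(profile, now_iso[:10])
    updated = dict(indicator, **fields, lastEnrichment=now_iso)   # step 3: store
    return updated, True


if __name__ == "__main__":
    print(auto_enrich({"value": "lure-docs.test"}, NOW_ISO))
```

Storing lastEnrichment alongside the data is what makes the first step possible; without it every playbook run spends an Iris Investigate query on a domain that was looked up minutes earlier.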
Playbook: DomainTools Iris Tags¶
The DomainTools_Iris_Tags playbook helps you flag any domains that have already been flagged in the DomainTools Iris investigation platform. This helps various cross-functional teams within the Security Operations Center (SOC) to collaborate during an investigation. It provides you with the following functionalities:
- Allows Palo Alto XSOAR users to configure a list of 'Iris tags' to monitor inside Palo Alto XSOAR
- Automates checking for any indicators that match one of the tags
- Escalates the incident severity to 'High'
Prerequisites¶
Create tags in DomainTools Iris: To leverage this feature, Palo Alto XSOAR users must use the tagging capabilities from DomainTools Iris Investigation platform. After you tag a domain in Iris, the tags become available for consumption within Palo Alto XSOAR. For more information, see "Tagging domains" in the Iris Investigate user guide.
Automation scripts: The playbook uses the DomainToolsCheckTags script, which is available for download in the scripts folder of the same repository.
Custom tag list: Palo Alto XSOAR users can store the list of tags inside Palo Alto XSOAR by following these steps:
- Select Settings > Advanced > Lists > New List
- Set values:
  - Name: tags
  - Data: Your comma-delimited list of tags
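The script below is an added example, not the DomainToolsCheckTags script itself, showing the check the playbook performs: read the comma-delimited `tags` list, compare it with the Iris tags on each domain attached to the incident, and escalate to High when anything matches. Hand-typed lists tend to carry stray spaces and mixed case, so the comparison normalises both sides. The list contents, the domain records and the per-tag `label` key are constructed for the example; XSOAR's numeric severity scale (0.5 Informational, 1 Low, 2 Medium, 3 High, 4 Critical) is the real one.

```python
# Added example (not the DomainToolsCheckTags script): match a domain's Iris tags
# against the `tags` list and escalate the incident to High. List contents,
# domain records and the per-tag `label` key are constructed for this example.
SEVERITY_HIGH = 3    # XSOAR numeric severity: 0.5 Info, 1 Low, 2 Medium, 3 High, 4 Critical

# What an analyst might have saved under Settings > Advanced > Lists as `tags`.
TAGS_LIST_RAW = " Phishing-Kit, apt-infra ,tracked , "

# Constructed Iris-style tag data per domain attached to the incident.
SAMPLE_DOMAINS = {
    "lure-docs.test": {"tags": [{"label": "phishing-kit", "scope": "private"},
                                {"label": "newsletter", "scope": "public"}]},
    "benign.test": {"tags": []},
    "cdn-edge.test": {"tags": [{"label": "newsletter", "scope": "public"}]},
}


def parse_tag_list(raw):
    """Normalise the stored list: split on commas, trim, drop blanks, lower-case."""
    return {t.strip().lower() for t in raw.split(",") if t.strip()}


def matching_tags(record, watched):
    """Sorted list of this domain's Iris tags that appear on the watch list."""
    labels = {t["label"].strip().lower() for t in record.get("tags", [])}
    return sorted(labels & watched)


def check_tags(domains, raw_list, current_severity):
    """Return ({domain: [matched tags]}, new_severity). Never lowers severity."""
    watched = parse_tag_list(raw_list)
    hits = {}
    for name, record in domains.items():
        matched = matching_tags(record, watched)
        if matched:
            hits[name] = matched
    new_severity = max(current_severity, SEVERITY_HIGH) if hits else current_severity
    return hits, new_severity


if __name__ == "__main__":
    print(check_tags(SAMPLE_DOMAINS, TAGS_LIST_RAW, 1))
```

Returning the matched tags per domain, not just the new severity, is deliberate: the War Room entry should say which tag caused the escalation so the analyst who applied it in Iris can be consulted.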
Usage examples¶
Enrich a domain¶
Enriches domain-related data from the Iris dataset, including domain risk scores, WHOIS, IP, active DNS, website, and SSL data. Enables rapid enrichment of proxy and DNS logs, enhancing the ability to detect and respond to threats in real-time. You can identify malicious domains and assess their risk levels efficiently.
Query DomainTools for DNS intelligence for a specific indicator:
Retrieve DomainTools analytics¶
Actionable analytics from Iris¶
Risk scores, threat profiles, and evidence¶
Discover connected infrastructure¶
Pivot on any of the following DomainTools attributes to discover potentially malicious infrastructure associated with the DNS artifact:
- IP
- Mailserver_Host
- Nameserver_Host
- Nameserver_IP
- SSL Hash
For example, a pivot on the hosting IP address: