
DomainTools App for ServiceNow

Introduction

DomainTools Platform

DomainTools is the global leader for internet intelligence and the first place security practitioners go when they need to know. The world's most advanced security teams use our solutions to identify external risks, investigate threats, and proactively protect their organizations in a constantly evolving threat landscape.

The DomainTools Iris platform is a suite of security SaaS applications that help incident responders, investigators, and security analysts understand the risk of Internet domain names and the infrastructure that supports them.

ServiceNow Platform

ServiceNow is a powerful cloud-based platform that offers a wide range of services to help organizations streamline their operations, improve efficiency, and enhance overall productivity. At its core, ServiceNow is designed to provide end-to-end solutions for IT service management (ITSM), as well as for various other business functions.

DomainTools App for ServiceNow

When leveraged with ServiceNow, the DomainTools app offers an integrated solution for threat investigation and incident response. By combining DomainTools Iris Investigate with ServiceNow's robust platform, security teams gain access to enterprise-grade domain intelligence and risk scoring, empowering them to quickly and efficiently investigate potential cyber threats.

With Iris Investigate's intuitive web interface and APIs, security analysts can query domain intelligence and passive DNS data directly from within ServiceNow, streamlining the investigation process and enhancing response times. Additionally, the DomainTools Iris Enrich API enables the enrichment of on-network indicators at scale, providing actionable insights for appropriate disposition of indicators. By integrating Farsight DNSDB, the world's largest DNS intelligence database, into ServiceNow, organizations can gain a comprehensive view of the global Internet infrastructure, further enhancing their ability to detect and respond to cyber threats effectively. Together, the DomainTools app and ServiceNow provide security teams with the tools and capabilities needed to proactively identify and mitigate cyber risks, ultimately strengthening the organization's security posture and resilience against evolving threats.

App Installation & Configuration

Prerequisites

  • ServiceNow console and ServiceNow Administrator account
  • DomainTools credentials (API username, API key, DNSDB API key)
  • ServiceNow console with the following required dependencies installed:
      • Security Incident Response
      • Security Integration Framework
      • Security Support Common
      • Security Support Orchestration

Installing the DomainTools Applications

Install the Iris Investigate and Farsight DNSDB integrations to make them available on your ServiceNow instance.

Follow the instructions on the ServiceNow "Install a ServiceNow Store application" page.

Activating the DomainTools Applications

Follow the instructions on the ServiceNow Activate and configure third-party integrations page.

You will find the DomainTools Iris Investigate and Farsight DNSDB integrations during the install.

Using DomainTools Iris Integration

This integration enables access to the Iris Investigate API and Iris Enrich API from DomainTools.

Iris Investigate is a threat investigation platform that combines enterprise-grade domain intelligence and risk scoring with industry-leading passive DNS data. An intuitive web interface and corresponding APIs query these data sources to help security teams quickly and efficiently investigate potential cybercrime and cyberespionage.

The DomainTools Iris Enrich API supports high query volumes of domain name attributes including Whois, DNS, SSL certificate, and risk scoring elements to help build out the needed context for appropriate disposition of indicators. It provides actionable insights-at-scale with enterprise-scale ingestion of DomainTools data on ServiceNow Platform.

Workflow Actions

  • Investigate Domain: Retrieves the infrastructure and Whois data associated with a domain or comma-separated list of up to 100 domains.

  • Domain Risk Score: Retrieves the DomainTools risk score of a domain. The numeric score can help prioritize triaging of domain indicators observed. Read more about DomainTools Risk Score.

  • Investigate URL Domain: When an indicator is a URL or Fully Qualified Domain Name (FQDN), this action shortens it to a domain (name.tld) and retrieves the infrastructure and Whois data associated with that domain.

  • Reverse IP: Returns up to 500 domains that last resolved to a given IPv4 address during an active DNS check. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot by Registrant Name: Returns up to 500 domains exactly matching the provided Whois registrant field. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot by Registrant Org: Returns up to 500 domains exactly matching the provided Whois registrant organization field. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot by Nameserver IP Address: Returns up to 500 domains served by a provided nameserver IP. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot Nameserver Host: Returns up to 500 domains served by a provided nameserver host. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot by MX IP: Returns up to 500 domains served by a given mail server IP. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot MX Host: Returns up to 500 domains with a mail server on a provided domain name. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot SSL Email: Returns up to 500 domains with a given email address on the SSL certificate. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Pivot by SSL Hash: Returns up to 500 domains with an SSL certificate matching a provided SHA-1 hash. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Reverse Email: Returns up to 500 domains with an email address on the most recently available Whois record, DNS SOA record or SSL certificate. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Reverse Email Domain: Returns up to 500 domains with the domain portion of an email address on the most recently available Whois or DNS SOA record. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Return Domains from Search Hash: Import up to 500 domains from Iris Investigate into the platform. Export your investigation by search hash (Iris Investigate -> Search -> Export). Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Return Tagged with Any: Retrieve up to 500 domains tagged within the Iris Investigate UI. Given a comma-separated list of tags, returns domains that are tagged with ANY of the tags. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Return Tagged with All: Retrieve up to 500 domains tagged within the Iris Investigate UI. Given a comma-separated list of tags, returns domains that are tagged with ALL of the tags. Use the optional "active" and "date updated after" parameters to pre-filter the result set.

  • Enrich Domain: Retrieves the infrastructure and Whois data associated with a domain or comma-separated list of up to 100 domains.
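The "Investigate URL Domain" action above reduces a URL or FQDN to its name.tld before querying, and "Investigate Domain" accepts batches of up to 100 domains. The following is an added example of that pre-processing (not code from the DomainTools app); it assumes Node's URL parser and a tiny multi-label public-suffix set standing in for a full Public Suffix List.

```javascript
// Added example, not part of the DomainTools app: reduce URLs or FQDNs to the
// registered domain (name.tld) the way the "Investigate URL Domain" action does
// before querying Iris Investigate. Assumption: a tiny multi-label public-suffix
// set stands in for a full Public Suffix List; Node's URL parser is used.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "org.uk", "com.au", "co.jp"]);
const MAX_DOMAINS_PER_QUERY = 100; // documented per-request limit of Investigate Domain

function toRegisteredDomain(indicator) {
  const raw = String(indicator).trim();
  // Bare FQDNs get a scheme so the URL parser accepts them.
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "http://" + raw;
  let host;
  try {
    host = new URL(withScheme).hostname.toLowerCase().replace(/\.$/, "");
  } catch (e) {
    return null; // not a parsable URL or host name
  }
  // IP literals have no registered domain; use the Reverse IP action for those.
  if (host.startsWith("[") || /^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return null;
  const labels = host.split(".");
  // Keep three labels under multi-label suffixes (example.co.uk), otherwise two.
  const keep = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join(".")) ? 3 : 2;
  if (labels.length < keep) return null;
  return labels.slice(-keep).join(".");
}

// Turn a comma-separated indicator list into deduplicated, comma-joined query
// batches of at most MAX_DOMAINS_PER_QUERY domains each.
function toQueryBatches(indicatorList) {
  const unique = [];
  for (const item of String(indicatorList).split(",")) {
    const d = toRegisteredDomain(item);
    if (d && !unique.includes(d)) unique.push(d);
  }
  const batches = [];
  for (let i = 0; i < unique.length; i += MAX_DOMAINS_PER_QUERY) {
    batches.push(unique.slice(i, i + MAX_DOMAINS_PER_QUERY).join(","));
  }
  return batches;
}
```

Indicators that are IP literals are dropped here on purpose, since the page routes those through the Reverse IP action rather than a domain lookup.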

Using DomainTools Farsight DNSDB Integration

Farsight Security DNSDB® is the world’s largest DNS intelligence database that provides a unique, fact-based, multifaceted view of the configuration of the global Internet infrastructure. DNSDB leverages the richness of Farsight’s Security Information Exchange (SIE) data-sharing platform and is engineered and operated by leading DNS experts. Farsight collects Passive DNS data from its global sensor array. It then filters and verifies the DNS transactions before inserting them into the DNSDB, along with ICANN-sponsored zone file access download data. The end result is the highest-quality and most comprehensive DNS intelligence data service of its kind - with more than 100 billion DNS records since 2010.

Threat Integrations Actions/Sub-Flows/Functions

Actions

  1. Configuration
  2. DNSDB Flex
  3. DNSDB RData
  4. DNSDB Summarize RData
  5. DNSDB RRSet
  6. DNSDB Summarize RRSet
  7. DNSDB Rate Limit

Playbooks

  • DomainTools Iris Investigate Domain: Given a domain or set of domains associated with an incident, return all Iris Investigate data for those domains as comments in the incident. This playbook uses the following action listed above from the Iris Investigate integration:
      • Investigate Domain

  • DomainTools Iris Investigate Domain Risk Score: Given a domain or set of domains associated with an incident, return the risk scores and adjust the severity of the incident if a high-risk domain is observed, adding the risk details in the comments of the incident. This playbook uses the following action listed above from the Iris Investigate integration:
      • Domain Risk Score

  • DomainTools Iris Investigate URL Playbook: Given a URL or set of URLs associated with an incident, return all Iris Investigate data for the domains extracted from the URLs as comments in the incident. This playbook uses the following action listed above from the Iris Investigate integration:
      • Investigate Domain

  • DomainTools Iris Investigate Guided Pivots: Given a domain, return all the Iris Investigate data, highlighting fields where < 200 domains share an attribute, to point investigators toward retrieving more data via the Iris Investigate UI (or further queries using the Iris Investigate API). This playbook uses the following actions listed above from the Iris Investigate integration:
      • Reverse Email Domain
      • Reverse IP
      • Pivot MX Host
      • Pivot by MX IP
      • Pivot by Nameserver IP Address
      • Pivot Nameserver Host
      • Pivot by Registrant Name
      • Pivot by Registrant Org
      • Reverse Email
      • Pivot SSL Email
      • Pivot by SSL Hash

  • DomainTools Iris Investigate Malicious Tags: Track the activities of malicious actors using the Iris Investigate UI, tagging domains of interest. Given a domain or set of domains associated with an incident, query Iris Investigate for information on those domains, and if a specified set of tags is observed, mark the incident as “severe” and add a comment. This playbook uses the following action listed above from the Iris Investigate integration:
      • Investigate Domain

  • DomainTools Iris Investigate With Farsight pDNS: Given a domain or set of domains associated with an incident, enrich the domain using the DomainTools Iris Investigate API, returning Whois and infrastructure details. Subsequently retrieve associated subdomains from passive DNS information seen in Farsight’s DNSDB. DomainTools Iris Investigate and Farsight DNSDB API subscriptions are required to run this playbook. This playbook uses the following actions listed above:
      • Investigate Domain
      • DNSDB RData

  • DomainTools Iris Enrich Domain: The DomainTools Iris Enrich API is better suited to high-volume API lookups than Iris Investigate and is able to provide domain infrastructure information for a domain or set of domains associated with an incident. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return all Iris Enrich data for a given domain or set of domains. This playbook uses the following action listed above:
      • Enrich Domain
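The Guided Pivots playbook above highlights attributes shared by fewer than 200 domains. The following is an added example of that selection logic and the incident comment it could produce (not the playbook's own code); it assumes a simplified record shape in which each attribute is a {value, count} pair, and the SAMPLE_RECORD is constructed.

```javascript
// Added example, not the playbook's own code: select "guided pivot" attributes,
// i.e. values shared by fewer than 200 domains, from a domain record and render
// them as an incident comment. Assumption: the record uses a simplified
// {value, count} shape per attribute; SAMPLE_RECORD below is constructed.
const GUIDED_PIVOT_THRESHOLD = 200;

const SAMPLE_RECORD = {
  domain: "example-phish.test",
  ip: [
    { address: { value: "203.0.113.10", count: 12 } },
    { address: { value: "198.51.100.7", count: 48213 } },
  ],
  name_server: [{ host: { value: "ns1.bulk-host.test", count: 980000 } }],
  registrant_org: { value: "Totally Legit Ltd", count: 3 },
  ssl_info: [{ hash: { value: "<constructed sha1>", count: 1 } }],
};

// Walk nested objects/arrays; every {value, count} leaf below the threshold is
// a candidate pivot, reported with its dotted field path.
function collectPivots(node, path, threshold, out) {
  if (Array.isArray(node)) {
    node.forEach((item) => collectPivots(item, path, threshold, out));
  } else if (node && typeof node === "object") {
    if ("value" in node && typeof node.count === "number") {
      if (node.count < threshold) out.push({ field: path, value: node.value, count: node.count });
    } else {
      for (const key of Object.keys(node)) {
        collectPivots(node[key], path ? `${path}.${key}` : key, threshold, out);
      }
    }
  }
}

function guidedPivots(record, threshold = GUIDED_PIVOT_THRESHOLD) {
  const out = [];
  collectPivots(record, "", threshold, out);
  return out.sort((a, b) => a.count - b.count); // rarest (most specific) first
}

function pivotComment(record, threshold = GUIDED_PIVOT_THRESHOLD) {
  const pivots = guidedPivots(record, threshold);
  if (pivots.length === 0) return `No guided pivots for ${record.domain}.`;
  const lines = pivots.map((p) => `- ${p.field} = ${p.value} (${p.count} domains)`);
  return [`Guided pivots for ${record.domain} (< ${threshold} domains share each value):`, ...lines].join("\n");
}
```

Attributes shared by very many domains (a bulk hosting nameserver, a shared IP) are deliberately left out, since pivoting on them would return the 500-domain cap with little investigative value.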

References