Investigation Tools
The DomainTools App provides powerful investigation capabilities including Domain Profile, Iris Investigate integration, Farsight DNSDB passive DNS, and threat feeds.
Iris Investigate
Domain Profile
The Domain Profile page provides a search function for ad hoc lookups of a single domain. The results give a single-pane-of-glass view of the domain: a contextual panel, tags, connected infrastructure, contact details, and related events. Hover over the panel sections for tooltips and click on the data points to interact with them. Use these results as starting points for further investigations in DomainTools.
Tip: Users can import lists of domains of interest into Splunk. All domains are imported along with their DomainTools Risk Profile for convenient triaging and subsequent monitoring. See the Importing Domains from an Iris Investigation section for more information.
To access and interact with the Domain Profile, visit Investigate → Domain Profile and add the domain in SLD.TLD format.
Tags
The tags associated with the domain. See Set Up Monitoring for Domains with Iris Tags for more information.
Connected infrastructure
Connected Infrastructure information (such as Mail Servers, IP addresses, SPF information, Name Servers, SSL information, Registrar/Registry) comes from DomainTools datasets.
Guided pivoting and discovery
Ad hoc investigations with guided pivots surface potential investigation points.
Hover over the gray gear icon to show the number of connected domains. If the gray icon is clickable, a blue Pivot button appears. Select this button to import the list of domains associated with this data point.
Where the number of connected domains exceeds the configured Guided Pivot threshold, the gray gear icon is not turned into a guided pivot and is not clickable. The Guided Pivot threshold is configurable under DT Settings → Configure Enrichment & Alerting.
Contact information
The contact information (Admin, Technical, Billing, and Registrant) comes from the DomainTools WHOIS dataset and appears in the Splunk app.
Recent events
While investigating a domain, users can see any related and recent events from their configured log sources across different timeframes.
Domain intelligence from such investigations is automatically added to the cache for future reference.
Importing domains from an Iris investigation
Import the list of domains from Iris into Splunk using the Export and Import functions.
- In the Iris Investigation platform, go to the Navigation Menu (3 lines) → under Search → select Import/Export.
- The subsequent dialog contains the Search Hash to export.
- From the DomainTools Splunk App, go to Investigate → Import from Iris Investigate, and paste the copied Search Hash in the input field.
- After submitting, if the Search Hash has no results in the Iris Pivot Engine, there are no domains to import and Splunk shows the message "No results found". Otherwise the imported domains are listed.
Investigate domains within recent events
Investigate any domain or URL listed in an Incident Review event with a couple of clicks (note that URLs are shortened to a domain lookup). Expand the arrow on the incident review event, and next to a domain or URL, expand the arrow under Action.
Farsight DNSDB
Investigate current and historical domain infrastructure with Passive DNS (pDNS) using Farsight's DNSDB Standard or Flexible search (API Key Required). Please contact enterprisesupport@domaintools.com for provisioning.
DNSDB is a database that stores and indexes both the passive DNS data available via DomainTools Security Information Exchange (SIE), as well as the authoritative DNS data that various zone operators make available.
Enter your Farsight DNSDB API key on the API Keys page.
Farsight pDNS Standard Search (found under the Investigate menu) is a powerful search tool used to uncover related infrastructure against a specific Domain or IP.
Input parameters are as follows:
- Time Range: the time range that should be queried for DNS observations.
- Resource Record Type (RRType): Optionally specify which Resource Record Type (RRType) to search for. RRtype declares the type of mapping that a Resource Record Set establishes. ANY will match all RRTypes except DNSSEC RRTypes and is the default. ANY-DNSSEC will match only the DNSSEC RRTypes. Or enter a custom RRtype in the following text field.
- IP or Domain Name: Specify an IP (IPv4/IPv6), CIDR netblock, hostname (FQDN), or domain to search for. Left- or right-side wildcards are supported. Internationalized Domain Names (IDNs) will be automatically converted to Punycode.
Farsight pDNS Flexible Search (found under the Investigate menu) extends the Farsight DNSDB API with additional search capabilities. It provides more powerful searching capabilities (e.g. wildcards, regular expressions) than Standard Search, but the results won't be as complete as those from Standard Search.
Input parameters:
- Time Range: the time range that should be queried for DNS observations.
- Query: Flexible Searches support strings and patterns. This field will use the selected Syntax under "Match type". For an expanded explanation please visit the user guide.
- Query Type: Specifies which field of the DNS resource record to search. RDATA is the record data value or the "right hand side" of a DNS resource record set. Its content can be IP address(es), domain names, or other content (such as text), depending on the RRtype. An RRname is the owner name of the RRset, or the "left hand side" of a DNS resource record set. It will always be a domain name.
- Match Type: Which Flexible Search syntax to use. Regular expression is more common and represents the egrep-like Farsight Compatible Regular Expression ("FCRE") syntax, and Globbing is simpler wildcard pattern matching.
- Resource Record Type (RRType): Optionally specify which Resource Record Type (RRType) to search for. RRtype declares the type of mapping that a Resource Record Set establishes. ANY will match all RRTypes except DNSSEC RRTypes and is the default. ANY-DNSSEC will match only the DNSSEC RRTypes.
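To make the Standard vs. Flexible Search distinctions above concrete (RRname vs. RDATA, the ANY / ANY-DNSSEC RRType filter, regex vs. glob match types, and IDN to Punycode conversion), here is an added Python model that applies them to a constructed set of passive DNS records. It is illustration code, not DomainTools or Farsight code; the wildcard handling is fnmatch-style and FCRE is approximated with Python's re, both assumptions about DNSDB's exact syntax.

```python
import fnmatch
import ipaddress
import re

# Constructed sample of passive DNS observations (rrname, rrtype, rdata); not real DNSDB data.
PDNS_RECORDS = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("mail.example.com.", "A", "192.0.2.25"),
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "DNSKEY", "257 3 13 placeholder-key"),
    ("xn--bcher-kva.example.", "A", "192.0.2.10"),
]
DNSSEC_RRTYPES = {"DNSKEY", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DS"}

def rrtype_matches(rrtype, wanted="ANY"):
    """ANY (the default) is every type except DNSSEC; ANY-DNSSEC is DNSSEC types only."""
    if wanted == "ANY":
        return rrtype not in DNSSEC_RRTYPES
    if wanted == "ANY-DNSSEC":
        return rrtype in DNSSEC_RRTYPES
    return rrtype == wanted

def normalize_name(name):
    """Lower-case the name, convert IDN labels to Punycode and add the trailing dot."""
    return name.rstrip(".").lower().encode("idna").decode("ascii") + "."

def _ip_in(rdata, net):
    try:
        return ipaddress.ip_address(rdata) in net
    except ValueError:  # RDATA that is not an address (MX, CNAME, TXT, ...)
        return False

def standard_search(term, rrtype="ANY"):
    """Standard Search: IP/CIDR terms match RDATA; names (left '*.' or right '.*' wildcard) match the RRname."""
    # Assumption: wildcards are modelled with fnmatch rather than DNSDB's exact rules.
    try:
        net = ipaddress.ip_network(term, strict=False)
        matched = lambda rrname, rdata: _ip_in(rdata, net)
    except ValueError:
        pattern = normalize_name(term)
        matched = lambda rrname, rdata: fnmatch.fnmatchcase(rrname, pattern)
    return [r for r in PDNS_RECORDS if rrtype_matches(r[1], rrtype) and matched(r[0], r[2])]

def flexible_search(pattern, query_type="rrname", match_type="regex", rrtype="ANY"):
    """Flexible Search: apply a regex (FCRE approximated with Python re) or a glob
    to the RRname (left-hand side) or the RDATA (right-hand side)."""
    field = 0 if query_type == "rrname" else 2
    matched = re.compile(pattern).search if match_type == "regex" else (
        lambda value: fnmatch.fnmatchcase(value, pattern))
    return [r for r in PDNS_RECORDS if rrtype_matches(r[1], rrtype) and matched(r[field])]
```

Note how the same CIDR term returns the IDN record only because its RDATA matches, while a name term must first be normalized to the Punycode form DNSDB stores.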
Iris Detect
The Iris Detect Splunk integration allows you to triage new domains matching Iris Detect Monitors within Splunk, and synchronize the Iris Detect Watch List with the Splunk Monitoring list to watch for new domain activity within your environment.
Interpret Iris Detect results
The Monitored Term filter at the top of the page displays the results for all monitors or a selected monitor. The Time Range Filter filters for updates within a specified time. The Type filter tab at the top of the results page allows you to select between New domains matching the enabled search terms, or Watched domains (domains that have been added to your account's Iris Detect Watch List) matching the selected terms, or the list of Ignored domains in case of erroneously triaging a domain to the wrong queue.
When new domains are discovered for the Enabled Monitors Terms, they are added in the results table with these fields. Click a field heading to sort:
- Domain: The full domain name including TLD.
- TLD: The top-level domain for the selected domain.
- Country Code: The country code where the domain is registered.
- ISP: the Internet Service Provider associated with the IP address used by the domain.
- Registrar Name: The name of the registrar.
- Risk Score: The DomainTools Risk Score.
- Risk Score Status: The risk score status indicates whether the scoring is provisional or full. Newly discovered domains will have initial proximity or phishing scores within a few minutes and the score is provisional. Full risk scoring (across all 4 algorithms including malware and spam) is typically available within 15-20 minutes of discovery. Risk scores are also updated when significant changes are detected to a domain's DNS records or other attributes. All active domains continue to be scored daily.
- First Seen/Lifecycle First Seen: the date and time that DomainTools learned that a domain is likely active (or reactivated after going inactive).
- Last Updated: The date Iris Detect last observed any changes to the DNS or Whois attributes associated with the domain.
- IP Address: The numerical address that the domain name resolves to.
- Name Server: The server that translates a domain name into its numerical IP address.
- Mail Server: The server that handles emails sent to the domain.
The Act Column in Iris Detect Results helps triage discovered domains with the following actions:
- Add to the Iris Detect Watchlist: Adds the listed domain to the Iris Detect Watchlist, which provides alerts on changes to these domains if hosting infrastructure or webpage changes are seen. This gives you the ability to track evolving threat campaigns, classify, and identify which domains are most likely to do harm. Such domains are candidates for escalation. The Iris Detect Watchlist can optionally be synchronized with the Splunk Monitoring list.
- Add to the Detect Blocklist API: Marks the domain for blocking. Useful for internal network defense infrastructure. The blocking designation is transmitted through the Iris Detect APIs.
- Escalate to Google Phishing Protection: Domains can be sent to Google's Phishing Protection team. If Google agrees the domain is malicious, it will be blocked in Chrome browsers globally. This list is also picked up by Safari and Firefox.
- Add to the Splunk Monitoring List: Adds the listed domain to the Monitored Domains List within the DomainTools Splunk App. This can enable detection and alerting if the domain is seen within your monitored log sources.
- Ignore This Domain: If a domain is a false positive, Ignoring the domain removes it from the "new" list on the next refresh. Watched Domains can be ignored if they are no longer of interest for change tracking.
- View Domain Profile: Load the Domain Profile page within Splunk, pulling up the Iris Investigate results for the listed domain.
- Farsight pDNS Search: Run a Farsight pDNS Standard Search (if provisioned) in DNSDB for RRNames containing the listed domain. This is useful for finding any active subdomains as well as seeing the dates when a domain has been active based on DNS traffic observed on Farsight's Security Information Exchange (SIE).
See the Iris Detect User Guide for more information.
Alert on Iris Detect monitors
The DomainTools App for Splunk supports monitoring and alerting against domains in the Monitoring List. See Set Up Monitoring for Domains for more information. Synchronize the Iris Detect Watch List with the Monitored Domains List under Monitoring → Managed Monitored Domains.
Selecting the option for Automatic Sync will add and remove watched domains on an automatic schedule based on the Sync Iris Detect Watchlist saved search. The default schedule is every day. Sync Splunk Monitoring List and Iris Detect Watch List will perform the sync on a one-time basis.
This option is also available under the Monitoring → Manage Monitored Domains page, where Sync with Iris Detect Monitoring List means that Automatic Sync will be enabled (both pages mirror the same setting).
Consult the Set up Monitoring section for more details and to set up alerting against monitored domains.
Enrichment Explorer and Enrichment Dashboard
The Enrichment Explorer section, available from the main menu, provides a user-facing front end for the DomainTools enrichment dataset, or cache. It lets the user browse and search the enrichment cache based on filters.
Select the Monitor field to add or remove a domain from your monitoring list. Click the "Allowlist" button to add or remove a domain from your allow list.
If the information for a domain observable appears to be dated (that is, enrichment date from the past, or a set of domains from an Iris Investigate Search Hash import), the user can explicitly refresh their KV store with the latest Domain Intelligence, or reduce the Cache Retention Period under DT Settings → Configure Enrichment & Alerting.
Enrichment Dashboard
The Enrichment Dashboard visualizes and lists information in a set of panels for frequently encountered domain attributes. Use each panel to search, set the time period of the search, and click through to Splunk search for more information.
- Top Registrars
- Top Nameservers
- Top ISPs
- Top IP Addresses
- Top ASNs
- Top Expired SSL Certificate
WHOIS history
Access WHOIS History in the WHOIS History menu.
Return WHOIS History search results with dtwhoishistory (see the saved searches table for configuration details).
The search supports list (lists results), check_existence (returns a boolean has_history_entries), and count (lists entry count) modes. Sort by date_asc or date_desc.
Domain RDAP (API)
Access the Parsed Domain RDAP API from the Domain RDAP menu.
Return Parsed Domain RDAP Feed results with the dtparseddomainrdap search command. dtparseddomainrdap only supports the domain parameter.
Threat Feeds
The DomainTools App for Splunk supports the following DomainTools Threat Feeds, listed with their index name for searching:
- Domain Discovery Feed: dtfeeddomaindiscovery
- Domain RDAP Feed: dtfeeddomainrdap
- Newly Active Domains (NAD) Feed: dtfeednad
- Newly Observed Domains (NOD) Feed: dtfeednod
- Newly Observed Hostnames (NOH) Feed: dtfeednoh
Use these feeds in the Search section. The pre-defined saved searches are documented in the Saved Searches Table, below (configuration instructions are in Advanced Features).
Threat feed parameters
Consult Threat Feed parameters.
Schedule feed results
Create scheduled NAD or NOD activities in DT Settings → Configure Saved Searches.
Next steps
- Commands Reference - Learn about custom search commands and examples
- Configuration Tables & Troubleshooting - Technical reference and troubleshooting