DomainTools App for Splunk SOAR - DomainTools Technical Documentation

DomainTools App for Splunk SOAR

Overview

The DomainTools App for Splunk SOAR provides investigative actions to profile domain names, get risk scores, and find connected domains that share the same WHOIS details, web hosting profiles, SSL certificates, and more using DomainTools Iris Investigate.

  • Connector Version: 1.8.0
  • Minimum Product Version: 6.1.1

Key Features

  • Domain profiling and risk scoring - Evaluate domain reputation and risk
  • Infrastructure pivoting - Find connected domains by IP, email, SSL certificates, and more
  • Iris Investigate integration - Access full Iris Investigate capabilities
  • Real-Time Threat Feeds - Monitor NOD, NAD, and other DomainTools feeds
  • Automated monitoring - Schedule playbooks to track domain changes
  • Search hash import - Load Iris Investigate search results directly into SOAR

Supported Actions

The app supports the following action types:

Investigation Actions

  • Domain Reputation - Evaluate domain risk scores
  • Pivot Action - Find connected domains by any search parameter
  • Reverse Domain - Extract IPs from domain responses
  • Reverse IP - Find domains hosted on specific IPs
  • Reverse Email - Find domains associated with email addresses
  • Load Hash - Import Iris Investigate search results
  • Domain Risk Feed - Ingest real-time feed of high-risk domains (risk score 70+)
  • Domain Hotlist Feed - Ingest real-time feed of active high-risk domains (24-hour activity)

Lookup Actions

  • Lookup Domain - Get complete Iris Investigate data (full API)
  • Enrich Domain - Get Iris Investigate data without counts (high-volume API)

Management Actions

  • Test Connectivity - Validate asset configuration
  • Configure Scheduled Playbooks - Set up monitoring automation
  • On Poll - Execute scheduled playbooks

See the Actions Reference for detailed parameters and outputs.

Quick Start

  1. Install the app from Splunkbase or from within your Splunk SOAR instance
  2. Configure an asset with your DomainTools API credentials
  3. Test connectivity to verify the configuration
  4. Run actions to investigate domains and infrastructure
  5. Set up monitoring (optional) to track domain changes automatically

For detailed setup instructions, see the Configuration Guide.
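The Quick Start steps 3 and 4 can be driven from outside the SOAR UI through the platform's REST API. The following is an added example, not code shipped with the DomainTools app or documented on this page. It assumes the standard Splunk SOAR endpoints `/rest/action_run` and `/rest/action_run/<id>/app_runs` with an automation-user token in the `ph-auth-token` header, that the app's action identifiers are the lowercase forms of the names listed above (`test connectivity`, `domain reputation`), that the reputation action takes a `domain` parameter, and that the risk score appears at `data[*].domain_risk.risk_score` in the result; the real parameter names and result paths are in the Actions Reference. The HTTP transport is injectable, so the `demo()` function runs offline against a constructed fake SOAR response.

```python
"""Run DomainTools actions through the Splunk SOAR REST API and triage results.

Added illustration (not part of the DomainTools app). Assumed: endpoint
shapes, action identifiers, the "domain" parameter name and the
data[*].domain_risk.risk_score result path. Check the Actions Reference.
"""
import json
import ssl
import time
import urllib.request

HIGH_RISK = 70  # same threshold the Domain Risk Feed uses for "high-risk"


class SoarClient:
    def __init__(self, base_url, token, verify_tls=True, transport=None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab-only: SOAR often ships a self-signed cert
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.transport = transport or self._http  # injectable for tests

    def _http(self, method, path, body=None):
        req = urllib.request.Request(
            self.base_url + path, method=method,
            data=None if body is None else json.dumps(body).encode(),
            headers={"ph-auth-token": self.token,
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.load(resp)

    def run_action(self, action, app_id, asset, container_id, params,
                   timeout=120):
        """Queue one action against one asset, wait for it, return app_runs."""
        payload = {"action": action, "name": action,
                   "container_id": container_id,
                   "targets": [{"app_id": app_id, "assets": [asset],
                                "parameters": params}]}
        run_id = self.transport("POST", "/rest/action_run", payload)["action_run_id"]
        deadline = time.monotonic() + timeout
        while True:  # action runs are asynchronous; poll until finished
            run = self.transport("GET", f"/rest/action_run/{run_id}")
            if run["status"] != "running":
                break
            if time.monotonic() > deadline:
                raise TimeoutError(f"action_run {run_id} still running")
            time.sleep(2)
        if run["status"] != "success":
            raise RuntimeError(f"{action} failed: {run.get('message')}")
        return self.transport("GET", f"/rest/action_run/{run_id}/app_runs")["data"]


def high_risk_domains(app_runs, threshold=HIGH_RISK):
    """Return {domain: score} for every result at or above the threshold.

    Assumed result layout: app_runs[*].result_data[*].data[*].domain_risk.risk_score.
    Results without a score are ignored rather than treated as safe.
    """
    hits = {}
    for app_run in app_runs:
        for result in app_run.get("result_data", []):
            for item in result.get("data", []):
                score = item.get("domain_risk", {}).get("risk_score")
                if score is not None and score >= threshold:
                    hits[item["domain"]] = score
    return hits


def fake_transport(method, path, body=None):
    """Constructed stand-in for a SOAR server so the example runs offline."""
    if method == "POST":
        return {"action_run_id": 42, "message": "queued"}
    if path == "/rest/action_run/42":
        return {"status": "success"}
    return {"data": [{"result_data": [{"status": "success", "data": [
        {"domain": "example.com", "domain_risk": {"risk_score": 5}},
        {"domain": "bad.example", "domain_risk": {"risk_score": 93}},
    ]}]}]}


def demo(transport=fake_transport):
    """Quick Start steps 3 and 4: test connectivity, then score two domains."""
    soar = SoarClient("https://soar.example", "TOKEN", transport=transport)
    app_id, asset, container = 7, "domaintools", 1   # assumed IDs
    soar.run_action("test connectivity", app_id, asset, container, [{}])
    runs = soar.run_action("domain reputation", app_id, asset, container,
                           [{"domain": "example.com"}, {"domain": "bad.example"}])
    return high_risk_domains(runs)
```

Pass `transport=None` (the default HTTP client) and a real base URL and token to run it against an instance; keep `verify_tls=True` outside a lab, since the token in `ph-auth-token` grants whatever the automation user can do.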

Support

Get help with the DomainTools App for Splunk SOAR: