Skip to content

Splunk SOAR app actions reference

This page documents all supported actions for the DomainTools App for Splunk SOAR.

Supported Actions

The following actions are supported:

  • Test Connectivity - Validate the asset configuration for connectivity
  • Domain Reputation - Evaluate the risk of a given domain
  • Pivot Action - Find domains connected by any supported Iris Investigate search parameter
  • Reverse Domain - Extract IPs from a single domain response for further pivoting
  • Reverse IP - Find domains with web hosting IP, NS IP or MX IP
  • Load Hash - Load or monitor Iris Investigate search results by Iris Investigate export hash
  • Reverse Email - Find domains with email in Whois, DNS SOA or SSL certificate
  • Domain Risk Feed - Ingest real-time feed of high-risk domains (risk score 70+)
  • Domain Hotlist Feed - Ingest real-time feed of active high-risk domains (24-hour activity)
  • Lookup Domain - Get all Iris Investigate data for a domain using the Iris Investigate API endpoint (required)
  • Enrich Domain - Get all Iris Investigate data for a domain except counts using the high volume Iris Enrich API endpoint (if provisioned)
  • Configure Scheduled Playbooks - Run on initial setup to configure the optional monitoring playbooks
  • On Poll - Execute scheduled playbooks based on the set interval in domaintools_scheduled_playbooks custom list

Test Connectivity

Validate the asset configuration for connectivity.

Type: test Read only: True

Action Parameters

This action requires no parameters.

Action Output

No Output

Domain Reputation

Evaluate the risk of a given domain.

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
domain required Domain or comma-separated list of domains to query string url domain

Action Output

Data Path Type Contains Example Values
action_result.parameter.domain string url domain
action_result.data string
action_result.status string success failed
action_result.message string
action_result.summary.domain_risk numeric
action_result.summary.zerolisted boolean True False
action_result.summary.proximity numeric
action_result.summary.threat_profile numeric
action_result.summary.threat_profile_malware numeric
action_result.summary.threat_profile_phishing numeric
action_result.summary.threat_profile_spam numeric
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Pivot Action

Find domains connected by any supported Iris Investigate search parameter.

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
query_value required Value to query string url domain ip email
pivot_type required Field to pivot on string
status optional Return domains of this registration type string
data_updated_after optional Iris Investigate records that were updated on or after midnight on this date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string
tld optional Limit results to only include domains in a specific top-level domain (i.e. "tld=com" or "tld=ru") string
create_date optional Only include domains created on a specific date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string
create_date_within optional Only include domains with a whois create date within the specified number of days (e.g. specifying '1' would indicate within the past day) string
first_seen_within optional Only include domains with a current lifecycle first observed within the specified number of seconds (e.g. specifying '86400' would indicate within the past day) string
first_seen_since optional Only include domains with a current lifecycle first observed since a specified datetime. (Example: 2023-04-10T00:00:00+00:00) string
expiration_date optional Only include domains expiring on a specific date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string

Action Output

Data Path Type Contains Example Values
action_result.parameter.create_date string
action_result.parameter.create_date_within string
action_result.parameter.data_updated_after string
action_result.parameter.first_seen_within string
action_result.parameter.first_seen_since string
action_result.parameter.expiration_date string
action_result.data.*.first_seen.count numeric
action_result.data.*.first_seen.value string
action_result.data.*.server_type.count numeric
action_result.data.*.server_type.value string
action_result.data.*.website_title.count numeric
action_result.data.*.website_title.value string
action_result.parameter.pivot_type string
action_result.parameter.query_value string url domain ip email
action_result.parameter.status string
action_result.parameter.tld string
action_result.data.*.domain string domain
action_result.data.*.domain_risk.risk_score numeric
action_result.data.*.domain_risk.risk_score_string string
action_result.status string success failed
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Reverse Domain

Extract IPs from a single domain response for further pivoting.

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
domain required Domain or comma-separated list of domains to query string url domain

Action Output

Data Path Type Contains Example Values
action_result.parameter.domain string url domain
action_result.data string
action_result.data.*.first_seen.count numeric
action_result.data.*.first_seen.value string
action_result.data.*.server_type.count numeric
action_result.data.*.server_type.value string
action_result.data.*.website_title.count numeric
action_result.data.*.website_title.value string
action_result.status string success failed
action_result.message string
action_result.summary.ip_list.*.count numeric
action_result.summary.ip_list.*.count_string string
action_result.summary.ip_list.*.ip string ip
action_result.summary.ip_list.*.type string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Reverse IP

Find domains with web hosting IP, NS IP or MX IP.

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
ip required IP address to query string ip
status optional Return domains of this registration type string
data_updated_after optional Iris Investigate records that were updated on or after midnight on this date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string
tld optional Limit results to only include domains in a specific top-level domain (i.e. "tld=com" or "tld=ru") string
create_date optional Only include domains created on a specific date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string
create_date_within optional Only include domains with a whois create date within the specified number of days (e.g. specifying '1' would indicate within the past day) string
first_seen_within optional Only include domains with a current lifecycle first observed within the specified number of seconds (e.g. specifying '86400' would indicate within the past day) string
first_seen_since optional Only include domains with a current lifecycle first observed since a specified datetime. (Example: 2023-04-10T00:00:00+00:00) string
expiration_date optional Only include domains expiring on a specific date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string

Action Output

Data Path Type Contains Example Values
action_result.parameter.create_date string
action_result.parameter.create_date_within string
action_result.parameter.data_updated_after string
action_result.parameter.expiration_date string
action_result.parameter.first_seen_within string
action_result.parameter.first_seen_since string
action_result.parameter.ip string ip
action_result.parameter.status string
action_result.parameter.tld string
action_result.data.*.domain string domain
action_result.data.*.domain_risk.risk_score numeric
action_result.data.*.domain_risk.risk_score_string string
action_result.status string success failed
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Load Hash

Load or monitor Iris Investigate search results by Iris Investigate export hash.

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
search_hash required Paste the "Current Search Export" string (Advanced -> Import/Export Search) from Iris Investigate in this field to import up to 5000 domains string

Action Output

Data Path Type Contains Example Values
action_result.parameter.search_hash string
action_result.data.*.domain string domain
action_result.data.*.domain_risk.risk_score numeric
action_result.data.*.domain_risk.risk_score_string string
action_result.status string success failed
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Reverse Email

Find domains with email in Whois, DNS SOA or SSL certificate.

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
email required Email query string email
status optional Return domains of this registration type string
data_updated_after optional Iris Investigate records that were updated on or after midnight on this date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string
tld optional Limit results to only include domains in a specific top-level domain (i.e. "tld=com" or "tld=ru") string
create_date optional Only include domains created on a specific date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string
create_date_within optional Only include domains with a whois create date within the specified number of days (e.g. specifying '1' would indicate within the past day) string
first_seen_within optional Only include domains with a current lifecycle first observed within the specified number of seconds (e.g. specifying '86400' would indicate within the past day) string
first_seen_since optional Only include domains with a current lifecycle first observed since a specified datetime. (Example: 2023-04-10T00:00:00+00:00) string
expiration_date optional Only include domains expiring on a specific date, in YYYY-MM-DD format or relative options ( 'today', 'yesterday' ) string

Action Output

Data Path Type Contains Example Values
action_result.parameter.create_date string
action_result.parameter.create_date_within string
action_result.parameter.data_updated_after string
action_result.parameter.email string email
action_result.parameter.expiration_date string
action_result.parameter.first_seen_within string
action_result.parameter.first_seen_since string
action_result.parameter.status string
action_result.parameter.tld string
action_result.data.*.domain string domain
action_result.data.*.domain_risk.risk_score numeric
action_result.data.*.domain_risk.risk_score_string string
action_result.data.*.first_seen.count numeric
action_result.data.*.first_seen.value string
action_result.data.*.server_type.count numeric
action_result.data.*.server_type.value string
action_result.data.*.website_title.count numeric
action_result.data.*.website_title.value string
action_result.status string success failed
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Domain Risk Feed

Ingest real-time feed of high-risk domains with combined Domain Risk Scores of 70 or higher.

Type: ingest Read only: True

This action connects to the DomainTools Real-Time Domain Risk Feed API to continuously ingest domains that have been scored as high-risk (combined score of 70+), regardless of their recent activity. Use this action to maintain comprehensive visibility into potentially dangerous infrastructure for proactive threat detection.

Action Parameters

Parameter Required Description Type Contains
sessionID optional Session identifier for tracking feed position across multiple requests string
limit optional Maximum number of entries to retrieve per request numeric
overall_min optional Minimum overall risk score (0-100) numeric
phishing_min optional Minimum phishing risk score (0-100) numeric
malware_min optional Minimum malware risk score (0-100) numeric
spam_min optional Minimum spam risk score (0-100) numeric
proximity_min optional Minimum proximity risk score (0-100) numeric

Action Output

Data Path Type Contains Example Values
action_result.parameter.sessionID string
action_result.parameter.limit numeric
action_result.parameter.overall_min numeric
action_result.parameter.phishing_min numeric
action_result.parameter.malware_min numeric
action_result.parameter.spam_min numeric
action_result.parameter.proximity_min numeric
action_result.data.*.timestamp string
action_result.data.*.domain string domain
action_result.data.*.phishing_risk numeric
action_result.data.*.malware_risk numeric
action_result.data.*.spam_risk numeric
action_result.data.*.proximity_risk numeric
action_result.data.*.overall_risk numeric
action_result.status string success failed
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Domain Hotlist Feed

Ingest real-time feed of high-risk domains that have shown activity within the last 24 hours.

Type: ingest Read only: True

This action connects to the DomainTools Real-Time Domain Hotlist Feed API to continuously ingest currently active, high-risk domains. Each entry includes a 24-hour expiration time, making this ideal for building high-confidence block lists and identifying domains that pose immediate threats.

Action Parameters

Parameter Required Description Type Contains
sessionID optional Session identifier for tracking feed position across multiple requests string
limit optional Maximum number of entries to retrieve per request numeric
overall_min optional Minimum overall risk score (0-100) numeric
phishing_min optional Minimum phishing risk score (0-100) numeric
malware_min optional Minimum malware risk score (0-100) numeric
spam_min optional Minimum spam risk score (0-100) numeric
proximity_min optional Minimum proximity risk score (0-100) numeric

Action Output

Data Path Type Contains Example Values
action_result.parameter.sessionID string
action_result.parameter.limit numeric
action_result.parameter.overall_min numeric
action_result.parameter.phishing_min numeric
action_result.parameter.malware_min numeric
action_result.parameter.spam_min numeric
action_result.parameter.proximity_min numeric
action_result.data.*.timestamp string
action_result.data.*.domain string domain
action_result.data.*.phishing_risk numeric
action_result.data.*.malware_risk numeric
action_result.data.*.spam_risk numeric
action_result.data.*.proximity_risk numeric
action_result.data.*.overall_risk numeric
action_result.data.*.expires string
action_result.status string success failed
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

Lookup Domain

Get all Iris Investigate data for a domain using the Iris Investigate API endpoint (required).

Type: Investigate Read only: True

Action Parameters

Parameter Required Description Type Contains
domain required Domain or comma-separated list of domains to query using the Iris Investigate API string url domain

Action Output

Data Path Type Contains Example Values
action_result.status string failed success
action_result.parameter.domain string url domain
action_result.message string
action_result.summary string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

The action_result.data.* fields are grouped by category below. Each field includes a .count (numeric) and .value (string) pair unless otherwise noted.

WHOIS contact fields

Admin contactaction_result.data.*.admin_contact.*

Field Type
city.count / city.value numeric / string
country.count / country.value numeric / string
fax.count / fax.value numeric / string
name.count / name.value numeric / string
org.count / org.value numeric / string
phone.count / phone.value numeric / string
postal.count / postal.value numeric / string
state.count / state.value numeric / string
street.count / street.value numeric / string

Billing contactaction_result.data.*.billing_contact.*

Same fields as admin contact: city, country, fax, name, org, phone, postal, state, street (each with .count and .value).

Registrant contactaction_result.data.*.registrant_contact.*

Same fields as admin contact, plus:

Field Type
email.*.count / email.*.value numeric / string

Technical contactaction_result.data.*.technical_contact.*

Same fields as admin contact: city, country, fax, name, org, phone, postal, state, street (each with .count and .value).

Registrant (top-level)action_result.data.*

Field Type
registrant_name.count / registrant_name.value numeric / string
registrant_org.count / registrant_org.value numeric / string
registrar.count / registrar.value numeric / string

DNS and infrastructure fields

IP addressesaction_result.data.*.ip.*

Field Type
address.count / address.value numeric / string
asn.*.count / asn.*.value numeric / string
country_code.count / country_code.value numeric / string
isp.count / isp.value numeric / string

Name serversaction_result.data.*.name_server.*

Field Type
domain.count / domain.value numeric / string
host.count / host.value numeric / string
ip.*.count / ip.*.value numeric / string

Mail serversaction_result.data.*.mx.*

Field Type
domain.count / domain.value numeric / string
host.count / host.value numeric / string
ip.*.count / ip.*.value numeric / string

SOA emailaction_result.data.*.soa_email.*

Field Type
*.count / *.value numeric / string

SSL and web fields

SSL infoaction_result.data.*.ssl_info.*

Field Type
alt_names.*.count / alt_names.*.value numeric / string
common_name.count / common_name.value numeric / string
duration.count / duration.value numeric / string
email.*.count / email.*.value numeric / string
hash.count / hash.value numeric / string
issuer_common_name.count / issuer_common_name.value numeric / string
not_after.count / not_after.value numeric / string
not_before.count / not_before.value numeric / string
organization.count / organization.value numeric / string
subject.count / subject.value numeric / string

Web and redirectaction_result.data.*

Field Type
redirect.count / redirect.value numeric / string
redirect_domain.count / redirect_domain.value numeric / string
server_type.count / server_type.value numeric / string
website_title.count / website_title.value numeric / string

Domain metadata fields

Data Path Type
action_result.data.*.additional_whois_email.*.count numeric
action_result.data.*.additional_whois_email.*.value string
action_result.data.*.adsense.count / .value numeric / string
action_result.data.*.alexa numeric
action_result.data.*.create_date.count / .value numeric / string
action_result.data.*.domain_risk.risk_score numeric
action_result.data.*.email_domain.*.count / .value numeric / string
action_result.data.*.expiration_date.count / .value numeric / string
action_result.data.*.first_seen.count / .value numeric / string
action_result.data.*.google_analytics.count / .value numeric / string
action_result.data.*.tld string

Tags

Data Path Type
action_result.data.*.tags.*.label string
action_result.data.*.tags.*.scope string
action_result.data.*.tags.*.tagged_at string

Configure Scheduled Playbooks

Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status.

Type: Investigate Read only: True

Action Parameters

This action requires no parameters.

Action Output

Data Path Type Contains Example Values
action_result.status string failed success
action_result.data.* string
action_result.summary string
action_result.message string
summary.total_objects numeric 1
summary.total_objects_successful numeric 1

On Poll

Execute scheduled playbooks based on the set interval in domaintools_scheduled_playbooks custom list. Smaller intervals result in more accurate schedules.

Type: ingest Read only: True

Action Parameters

No parameters are required for this action.

Action Output

No Output