Configuration
This guide covers setup, monitoring, and configuration for the DomainTools App for Splunk SOAR.
Prerequisites
Before configuring monitoring features, generate the required custom list:
- Go to Apps
- Select DomainTools Iris Investigate
- Select a configured asset or create one
- Go to Actions dropdown
- Select configure scheduled playbooks action
- Select Test Action
After completing these steps, return to the custom list page to see the domaintools_scheduled_playbooks list.
The list has 6 columns with the header intact. The last 3 columns are intentionally blank and used by the playbook scheduler.
Sample domaintools_scheduled_playbooks table:
| Repo / playbook_name | event_id | Interval (mins) | last_run (server time) | last_run_status | Remarks |
|---|---|---|---|---|---|
| local/DomainTools Monitor Domain Risk Score | | 1440 | | | |
| local/DomainTools Monitor Domain Infrastructure | | 1440 | | | |
| local/DomainTools Monitor Search Hash | | 1440 | | | |
In this example, three separate monitoring playbooks run on daily schedules. Each scheduled lookup consumes Iris Investigate queries, depending on how many domains or Iris search hashes are monitored.
Monitoring Playbook Feature
This feature allows scheduling playbooks to run at specified intervals on specific container/event IDs. Combined with reference playbooks, this provides powerful notifications for domain infrastructure changes or when newly created domains match monitored infrastructure. See individual playbooks for details.
Asset Configuration
This feature requires one asset configuration field:
| Name | Description | Default Value | Required |
|---|---|---|---|
| Splunk SOAR HTTPS port (default: 8443) | Splunk SOAR HTTPS port, if your instance uses one other than the default 8443 | 8443 | Yes |
To configure:
- Go to Apps
- Select DomainTools Iris Investigate
- Select a configured asset or create one
- Go to Asset Settings
- Locate the Splunk SOAR HTTPS port (default: 8443) field and change it only if your instance uses a port other than 8443
Setting Up Monitoring
Follow these steps to configure monitoring:
1. Under Apps > DomainTools Iris Investigate > Asset Settings > Ingest Settings > Label, specify or select a label to apply to objects from this source.
2. Use a custom label rather than predefined labels like events.
3. Specify a polling interval that controls how often the app checks whether any scheduled playbook is due. This is separate from the playbook run interval set in step 4; poll every minute for accurate scheduling.
4. Under Custom Lists > domaintools_scheduled_playbooks, input your desired playbook schedule following the sample table in the Prerequisites section.
5. Ensure the playbook label and event_id match the label selected in step 1. The domaintools_scheduled_playbooks custom list should exist after updating or installing the DomainTools app. If it is missing, generate it following the Prerequisites section.
6. Go to the domaintools_scheduled_playbooks custom list and modify the table based on your desired values. The interval column specifies the interval in minutes between playbook runs.
For DomainTools reference playbooks, consult the GitHub repository: https://github.com/DomainTools/playbooks/tree/main/Splunk%20SOAR.
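As an added illustration of how the per-row interval in the custom list and the app's polling interval interact (example code written for this guide, not the DomainTools app's own scheduler), the following Python validates rows in the domaintools_scheduled_playbooks format and decides which playbooks are due at a given server time. The last_run timestamp format and the container ID 17 are assumptions; the page does not specify them.

```python
from datetime import datetime, timedelta
# Column order of the domaintools_scheduled_playbooks custom list documented above.
COLUMNS = ["playbook_name", "event_id", "interval_mins", "last_run", "last_run_status", "remarks"]
# Assumed format for the last_run (server time) cell; the page does not specify one.
TIME_FMT = "%Y-%m-%d %H:%M:%S"

def parse_rows(rows):
    """Validate raw list rows (lists of 6 strings); malformed rows are returned
    separately with a reason so an operator can see why they were skipped."""
    valid, rejected = [], []
    for row in rows:
        if len(row) != len(COLUMNS):
            rejected.append((row, "expected 6 columns"))
            continue
        entry = dict(zip(COLUMNS, (c.strip() for c in row)))
        if not entry["event_id"].isdigit():
            rejected.append((row, "event_id must be a numeric container ID"))
            continue
        if not entry["interval_mins"].isdigit() or int(entry["interval_mins"]) == 0:
            rejected.append((row, "interval must be a positive number of minutes"))
            continue
        entry["event_id"] = int(entry["event_id"])
        entry["interval_mins"] = int(entry["interval_mins"])
        valid.append(entry)
    return valid, rejected

def due_playbooks(entries, now_str):
    """Return entries whose interval has elapsed since last_run (server time string).
    A blank last_run means the playbook has never run, so it is due immediately."""
    now = datetime.strptime(now_str, TIME_FMT)
    due = []
    for e in entries:
        if not e["last_run"]:
            due.append(e)
        elif now - datetime.strptime(e["last_run"], TIME_FMT) >= timedelta(minutes=e["interval_mins"]):
            due.append(e)
    return due

# Constructed sample rows; container ID 17 and the timestamps are made up.
SAMPLE_ROWS = [
    ["local/DomainTools Monitor Domain Risk Score", "17", "1440", "2024-05-01 09:00:00", "success", ""],
    ["local/DomainTools Monitor Domain Infrastructure", "17", "1440", "", "", ""],
    ["local/DomainTools Monitor Search Hash", "abc", "1440", "", "", ""],
]
if __name__ == "__main__":
    valid, rejected = parse_rows(SAMPLE_ROWS)
    for e in due_playbooks(valid, "2024-05-02 08:30:00"):  # 23.5 h after row 1 ran: not yet due
        print("run", e["playbook_name"], "on container", e["event_id"])
    for row, why in rejected:
        print("skip", row[0], "-", why)
```

Because the check runs on every poll, a one-minute polling interval means a daily (1440) row fires within a minute of its interval elapsing, while a longer polling interval delays every row by up to that much.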
Configuration Variables
The following configuration variables are required for this connector to operate. Specify these when configuring a DomainTools Iris Investigate asset in SOAR.
| Variable | Required | Type | Description |
|---|---|---|---|
| username | required | string | User Name |
| key | required | password | API Key |
| proxy | optional | boolean | Use Proxy |
| proxy_auth | optional | boolean | Use Proxy Authentication |
| proxy_server | optional | string | Proxy Server |
| proxy_username | optional | string | Proxy Username |
| proxy_port | optional | numeric | Proxy Port |
| proxy_password | optional | password | Proxy Password |
| custom_ssl_certificate | optional | boolean | Use Custom SSL Certificate |
| ssl | optional | boolean | Use SSL |
| custom_ssl_certificate_path | optional | string | Custom SSL Certificate Path |
| http_port | optional | string | Splunk SOAR HTTPS port (default: 8443) |