Tines
Quick Start with Stories
DomainTools provides the following Tines Stories.
Verify signed authentication data for DomainTools
This playbook supports the Signed Authentication method: it generates the signature (hash) value that is used during the API call. You can think of it as a sub-playbook that should be called from the main playbook.
The incoming payload should contain the 'uri' value:
{ "uri": "/v1/iris-investigate/" }
The playbook should return the following data, which can then be used to call the API:
{
"signature": {
"FULL_API_URL": "https://api.domaintools.com/v1/iris-investigate/?signature=5731",
"API_URL": "https://api.domaintools.com/v1/iris-investigate/",
"URI": "/v1/iris-investigate/",
"signature": "SIGNATURE",
"timestamp": "2023-03-16T20:01:02Z",
"host": "api.domaintools.com"
}
}
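The example below is added here and is not part of the original page or the DomainTools story. It reproduces the sub-playbook's input and output shape in Python and adds the server-side counterpart (constant-time comparison plus a timestamp freshness window). It assumes the DomainTools signed-authentication scheme as published in the public API documentation (an HMAC over api_username + timestamp + uri keyed with the api_key, SHA-1 by default); the credentials, the `HOST` constant and the five-minute skew are constructed values.

```python
import hmac
import hashlib
from datetime import datetime, timezone
from urllib.parse import urlencode

# Assumption (not stated on this page): signature = HMAC(api_key, api_username + timestamp + uri),
# hex encoded, SHA-1 by default. Change `digest` if your account uses SHA-256.
HOST = "api.domaintools.com"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def domaintools_signature(api_username, api_key, timestamp, uri, digest=hashlib.sha1):
    """Compute the hex HMAC over username || timestamp || uri."""
    message = (api_username + timestamp + uri).encode("utf-8")
    return hmac.new(api_key.encode("utf-8"), message, digest).hexdigest()


def build_signed_request(payload, api_username, api_key, timestamp=None):
    """Mirror the sub-playbook: take {"uri": ...} and return the 'signature' object."""
    uri = payload["uri"]
    if not uri.startswith("/"):
        raise ValueError("uri must be an absolute path such as /v1/iris-investigate/")
    if timestamp is None:
        timestamp = datetime.now(timezone.utc).strftime(TS_FORMAT)
    signature = domaintools_signature(api_username, api_key, timestamp, uri)
    api_url = f"https://{HOST}{uri}"
    query = urlencode({"api_username": api_username, "signature": signature, "timestamp": timestamp})
    return {
        "signature": {
            "FULL_API_URL": f"{api_url}?{query}",
            "API_URL": api_url,
            "URI": uri,
            "signature": signature,
            "timestamp": timestamp,
            "host": HOST,
        }
    }


def _parse_ts(value):
    return datetime.strptime(value, TS_FORMAT).replace(tzinfo=timezone.utc)


def verify_signed_request(api_username, api_key, timestamp, uri, presented_signature,
                          now=None, max_skew_seconds=300):
    """Receiver-side check: reject stale timestamps, then compare in constant time.

    `now` is a timestamp string in TS_FORMAT (defaults to the current UTC time);
    the 300-second replay window is an assumed policy value.
    """
    try:
        ts = _parse_ts(timestamp)
        current = _parse_ts(now) if now else datetime.now(timezone.utc)
    except ValueError:
        return False
    if abs((current - ts).total_seconds()) > max_skew_seconds:
        return False
    expected = domaintools_signature(api_username, api_key, timestamp, uri)
    return hmac.compare_digest(expected, presented_signature)


if __name__ == "__main__":
    out = build_signed_request({"uri": "/v1/iris-investigate/"}, "demo_user", "demo_key")
    print(out["signature"]["FULL_API_URL"])
```

The signature binds the username, the timestamp and the exact request path, so a captured URL cannot be replayed against a different endpoint and only stays valid inside the skew window; `hmac.compare_digest` avoids leaking the expected value through comparison timing.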
Retrieve related domains using DomainTools' Iris Investigate
This playbook finds all domains connected to a given attribute value (IP, email or name server). You can think of it as a sub-playbook that should be called from the main playbook, but it can also be run standalone, in which case it may error out on a large result set.
The incoming payload should contain the following data:
{
"type": "<ip | email | name_server>",
"value": "<array value for the type>",
"full_data": "<boolean: true for the full Iris Investigate data, false for the domain values only>"
}
The playbook returns one of the following formats, depending on the incoming full_data setting:
As domain only (the playbook sorts the domains by risk score):
As full data:
{
"type": "<ip | email | name_server>",
"value": "<the requested value>",
"results": "Iris Investigate data"
}
Pivot on artifacts related to a domain with DomainTools' Iris Investigate
This story finds which attributes (IP, email, name_server, phone) in the Iris Investigate response payload meet the guided pivot requirement. You can think of it as a sub-playbook that should be called from the main playbook.
The incoming payload should contain the Iris Investigate data set for a single domain.
The playbook returns data in the following format:
{
"IP": "<array of IP>",
"email": "<array of email>",
"name_server": "<array of NS>",
"phone": "<array of phone>"
}
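The example below is added here and is not code from the page or from the DomainTools stories. It covers both the "Retrieve related domains" story (sorting a result set by risk score and returning either domain names or full records) and the "Pivot on artifacts" story (collecting attribute values whose pivot count is small enough to be a useful guided pivot). The sample records are constructed: they follow a simplified Iris Investigate response shape (`results[].domain`, `domain_risk.risk_score`, and `{value, count}` objects for IPs, emails, name servers and the registrant phone), and the `PIVOT_MAX_COUNT` threshold of 500 and the "count of at least 2" rule are assumptions, not values from the page.

```python
# Assumed guided-pivot threshold: values shared by more domains than this are too
# broad to pivot on (think a large shared hosting IP or a public name server).
PIVOT_MAX_COUNT = 500

# Constructed sample, modelled on a simplified Iris Investigate result set.
SAMPLE_RESULTS = [
    {
        "domain": "shop-login-example.test",
        "domain_risk": {"risk_score": 92},
        "ip": [
            {"address": {"value": "203.0.113.7", "count": 12}},
            {"address": {"value": "198.51.100.1", "count": 480000}},
        ],
        "email": [{"value": "abuse@example.test", "count": 3}],
        "name_server": [
            {"host": {"value": "ns1.example-dns.test", "count": 40}},
            {"host": {"value": "ns.bigdns.test", "count": 9000000}},
        ],
        "registrant_contact": {"phone": {"value": "+1.5555550100", "count": 2}},
    },
    {
        "domain": "benign-example.test",
        "domain_risk": {"risk_score": 5},
        "ip": [{"address": {"value": "198.51.100.1", "count": 480000}}],
        "email": [],
        "name_server": [{"host": {"value": "ns.bigdns.test", "count": 9000000}}],
        "registrant_contact": {"phone": {"value": "+1.5555550199", "count": 1}},
    },
    {
        "domain": "mid-example.test",
        "domain_risk": {"risk_score": 55},
        "ip": [{"address": {"value": "203.0.113.7", "count": 12}}],
        "email": [{"value": "abuse@example.test", "count": 3}],
        "name_server": [{"host": {"value": "ns1.example-dns.test", "count": 40}}],
        "registrant_contact": {},
    },
]


def domains_by_risk(results, full_data=False):
    """Sort a result set by risk score, highest first.

    full_data=False returns the domain names only; True returns the full records.
    Records without a risk score sort last.
    """
    ordered = sorted(results,
                     key=lambda r: r.get("domain_risk", {}).get("risk_score", -1),
                     reverse=True)
    if full_data:
        return ordered
    return [r["domain"] for r in ordered]


def extract_pivots(result, max_count=PIVOT_MAX_COUNT):
    """Collect pivotable attribute values from one domain's record.

    A value is kept when 2 <= count <= max_count: a count of 1 means only this
    domain shares it (nothing to pivot to), and very large counts are too noisy.
    """
    pivots = {"IP": [], "email": [], "name_server": [], "phone": []}

    def keep(bucket, item):
        if not isinstance(item, dict) or "value" not in item:
            return
        count = item.get("count", 0)
        if 2 <= count <= max_count and item["value"] not in pivots[bucket]:
            pivots[bucket].append(item["value"])

    for ip in result.get("ip", []):
        keep("IP", ip.get("address"))
    for email in result.get("email", []):
        keep("email", email)
    for ns in result.get("name_server", []):
        keep("name_server", ns.get("host"))
    keep("phone", result.get("registrant_contact", {}).get("phone"))
    return pivots


if __name__ == "__main__":
    print(domains_by_risk(SAMPLE_RESULTS))
    print(extract_pivots(SAMPLE_RESULTS[0]))
```

Sorting before returning keeps the "domain only" output useful even when a downstream action truncates long lists, and the count filter is what keeps a pivot from expanding into hundreds of thousands of unrelated domains (the large-result-set failure the story warns about).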
Fetch & block high-risk domains with DomainTools and NextDNS
This story should be used in conjunction with the Iris Detect platform, where you mark the domains to be blocked.
Normally this playbook is scheduled to pick up escalated domains for blocking; for demo purposes you can also trigger it manually.
It loops through every monitor term to find the escalated domains. A parameter tells the API how far back to look for escalated domains.
Monitor a domain for risk score changes with DomainTools' Iris Enrich
Monitors a set of domains to detect risk score changes and notifies the user. You can use the playbook to add a domain, or open the resource and add the domain to be monitored manually. The threshold value can be adjusted in the action step.
The playbook should be run on a schedule but may also be run manually. To run it manually, select the first action in the playbook and select Run.
Using the same playbook, you can monitor other attributes from Iris Enrich: adjust the compare operator and the field that you are comparing against.
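The example below is added here and is not code from the page or from the DomainTools story. It shows the comparison step of the monitor generalised the way the last paragraph describes: the field to watch is a dotted path into each Iris Enrich record and the operator and threshold are parameters, so the same function monitors risk score or any other numeric attribute. The previous-state snapshot and the current records are constructed and follow a simplified Iris Enrich shape (`domain`, `domain_risk.risk_score`); the operator names, default threshold and alert format are assumptions.

```python
import operator

# Operator names a playbook action step might expose; the mapping is an assumption.
COMPARATORS = {
    ">": operator.gt, ">=": operator.ge,
    "<": operator.lt, "<=": operator.le,
    "==": operator.eq, "!=": operator.ne,
}

# Constructed state from the previous scheduled run: {domain: last observed value}.
PREVIOUS_STATE = {
    "newly-bad-example.test": 10,
    "already-bad-example.test": 85,
    "slow-climb-example.test": 30,
    "cleaned-up-example.test": 60,
}

# Constructed current Iris Enrich records (simplified shape).
CURRENT_ENRICH = [
    {"domain": "newly-bad-example.test", "domain_risk": {"risk_score": 85}},
    {"domain": "already-bad-example.test", "domain_risk": {"risk_score": 85}},
    {"domain": "slow-climb-example.test", "domain_risk": {"risk_score": 40}},
    {"domain": "cleaned-up-example.test", "domain_risk": {"risk_score": 10}},
    {"domain": "first-seen-example.test", "domain_risk": {"risk_score": 99}},
    {"domain": "no-score-example.test", "domain_risk": {}},
]


def get_field(record, path):
    """Walk a dotted path such as 'domain_risk.risk_score' through nested dicts."""
    current = record
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def detect_changes(previous, current_results, field="domain_risk.risk_score",
                   op=">=", threshold=70):
    """Return (alerts, new_state).

    An alert is raised for a domain whose watched field changed since the last run
    and whose new value satisfies `value <op> threshold`. Domains seen for the first
    time only establish a baseline, and records missing the field are skipped.
    """
    compare = COMPARATORS[op]
    alerts = []
    new_state = dict(previous)
    for record in current_results:
        domain = record.get("domain")
        value = get_field(record, field)
        if domain is None or value is None:
            continue
        new_state[domain] = value
        if domain not in previous:
            continue  # first observation: baseline only, no notification
        if value != previous[domain] and compare(value, threshold):
            alerts.append({
                "domain": domain,
                "field": field,
                "previous": previous[domain],
                "current": value,
                "delta": value - previous[domain],
            })
    return alerts, new_state


if __name__ == "__main__":
    found, _ = detect_changes(PREVIOUS_STATE, CURRENT_ENRICH)
    for alert in found:
        print(f"{alert['domain']}: {alert['previous']} -> {alert['current']}")
```

Keeping the baseline rule (first sighting never alerts) and the "changed and over threshold" rule separate is what stops a scheduled run from re-notifying on every domain that is already high risk; flipping the operator to "<" with a low threshold turns the same function into a notifier for domains whose score has dropped.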
Retrieve all subdomains & resource records for a domain with Farsight DNSDB by DomainTools
This can be run manually or called from the main playbook by passing the domain. The input payload should be: { "domain": "<DOMAIN>" }
The output is an array of subdomains.
Retrieve domain risk scores in Slack using DomainTools API
This playbook is triggered by a Slack command. The organization should set up the Slack command according to the Slack documentation.
Usage: <slack command> <domain>
Using Slack with DomainTools' Iris Investigate API
This playbook is triggered by a Slack command. The organization should set up the Slack command according to the Slack documentation.
Usage: <slack command> <domain>
This playbook uses the monitor playbook for its monitor button. It is intended to enable end-to-end triage of domains within Slack; any organization can adjust the button to perform other tasks.