DomainTools App for Palo Alto XSOAR

Consult the official Palo Alto XSOAR documentation for more information about XSOAR itself, and our GitHub repo for playbooks.

Introduction

The Palo Alto XSOAR Iris App brings contextual DNS intelligence from DomainTools Iris to Palo Alto XSOAR. Security teams using Palo Alto XSOAR can leverage the App to automate the enrichment of malicious observables within incidents. Security analysts can now leverage DomainTools intelligence across all their response workflows and automate mundane tasks.

With this Iris App, we enable the capabilities of Iris Investigate API within Palo Alto XSOAR and bring forth a richer dataset and economize the enrichment process for our users. Users can leverage Palo Alto XSOAR's investigation and case management capabilities to investigate Domain observables with greater context and speed.

Key capabilities enabled by the app include:

  • Ad hoc investigations of Domain IOCs inside Palo Alto XSOAR Incidents
  • Triage with DomainTools Risk Score, Threat Profile Scores and other actionable Analytics
  • Persist DomainTools Intelligence inside Palo Alto XSOAR
  • Discover Connected Infrastructure for a malicious domain
  • Automate triaging of DomainTools Iris Tags inside Palo Alto XSOAR
  • Automate enrichment process using DomainTools playbooks
  • Target threat hunting at key aspects of a domain name’s registration profile

Getting Started

DomainTools offers two integrations: DomainTools Iris Investigate (as DomainTools Iris), and the DomainTools Real-time Threat Intelligence Feeds (as FeedDomainTools). This guide provides instructions for both integrations, which are configured independently.

Requirements

The following requirements and components need to be installed and activated prior to deployment:

  • Palo Alto XSOAR Server - 6.6.0
  • Palo Alto XSOAR Content version 1.32.44 (6877054)
  • Active DomainTools Iris Investigate API (username and key)

Setup for Iris

  1. Select Settings -> Integrations -> Servers & Services menu options. Search for “DomainTools” in the search integration text box to bring forward the DomainTools Iris (Partner Contribution) integration.
  2. Select Add Instance to configure the DomainTools instance.
  3. Enter configuration parameters described below:
| Parameter Name | Required | Description |
|---|---|---|
| API Username | Yes | Authentication key used to connect to DomainTools and make API calls. |
| API Key | Yes | API secret used to connect to DomainTools and make API calls. |
| High-Risk Threshold | Yes | A configurable threshold for the DomainTools Risk Score used to flag risky domains within your Palo Alto XSOAR instance. Defaults to 70. |
| Young Domain Timeframe | Yes | A configurable threshold (in days) used to decide whether a domain is considered a ‘young domain’ within Palo Alto XSOAR. |
| Guided Pivot Threshold | Yes | A configurable |
| Fetch Incidents | Yes | Determines whether fetching of incidents is enabled (monitoring of Iris search hash and Iris tags). |
| Classifier | No | The classifier used when incidents are fetched/created; it determines which incident type a fetched incident is assigned to. You may choose DomainTools_Iris_Classifier. If Fetch Incidents is enabled, this field is required. |
| Incident Type | No | The type of incident that will be created. Leave it at the default “N/A”: there are two incident types, and the classifier selects between them. |
| Mapper | No | The mapper used when incidents are fetched/created; it maps result keys to fields of the created incident. Currently maps the domain key from the Iris result to the Additional Indicators incident field. You may choose DomainTools_Iris_Mapper. Note: if Fetch Incidents is enabled, this field is required. |
| Enabled on Monitoring Domains by Iris Hash | No | Determines the method used. Options are Import Indicators Only and Create Incident and Import Indicators. Defaults to Import Indicators Only. If Fetch Incidents is enabled, this field is required. |
| DomainTools Iris Investigate Search Hash | No | If Fetch Incidents is enabled, this field is required. |
| Enabled on Monitoring Domains by Iris Tags | | Determines the method used. Options are Import Indicators Only and Create Incident and Import Indicators. Defaults to Import Indicators Only. Note: if Fetch Incidents is enabled, this field is required. |
| DomainTools Iris Tags | No | The Iris Tags to monitor. Creates an incident and/or an indicator for each new domain found based on the Note: if Fetch Incidents is enabled, this field is required. |
| Maximum Incidents to Fetch | No | The maximum number of incidents to fetch. Defaults to 2, one (1) for each possible feed type (Iris search hash and Iris tags). |
| Incidents Fetch Interval | No | The interval at which incidents are fetched (results are pulled from the Iris Investigate API for the configured Iris hash and Iris tags). Note: if Fetch Incidents is enabled, this field is required. |

Test connectivity with DomainTools by clicking the Test button and look for the Success! indicator.
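The High-Risk Threshold, Young Domain Timeframe and Guided Pivot Threshold parameters above are applied by the playbooks to each Iris Investigate result. The following is an added example, not code from the DomainTools app, showing how those three checks work on one result. The response layout it assumes (domain_risk.risk_score, create_date.value, and value/count pairs on pivotable attributes such as ip.address and name_server.host) is an assumption about the Iris Investigate format, and the sample result is constructed; only the 70 default for the risk threshold comes from the page.

```python
from datetime import date, datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

# Instance parameters from the configuration table. 70 is the documented
# default for High-Risk Threshold; the other two values are assumed here.
HIGH_RISK_THRESHOLD = 70
YOUNG_DOMAIN_DAYS = 30
GUIDED_PIVOT_THRESHOLD = 500

# Constructed result shaped like one entry of an Iris Investigate response.
# Key names are assumptions for this example, not taken from the page.
SAMPLE_RESULT: Dict[str, Any] = {
    "domain": "example.test",
    "domain_risk": {"risk_score": 83},
    "create_date": {"value": "2024-05-20"},
    "ip": [{"address": {"value": "203.0.113.7", "count": 42}}],
    "name_server": [{"host": {"value": "ns1.example.test", "count": 3}}],
    "registrant_contact": {
        "email": [{"value": "admin@example.test", "count": 120000}],
    },
    "ssl_info": [{"hash": {"value": "0123abcd", "count": 1}}],
}


def is_high_risk(result: Dict[str, Any], threshold: int = HIGH_RISK_THRESHOLD) -> bool:
    """True when the Iris risk score meets or exceeds the High-Risk Threshold."""
    score = result.get("domain_risk", {}).get("risk_score")
    return score is not None and int(score) >= threshold


def domain_age_days(result: Dict[str, Any], today: Optional[str] = None) -> Optional[int]:
    """Days since registration, or None when the result carries no create date.
    `today` is an ISO date string so the calculation is reproducible."""
    raw = result.get("create_date", {}).get("value")
    if not raw:
        return None
    ref = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    return (ref - date.fromisoformat(raw)).days


def is_young(result: Dict[str, Any], timeframe_days: int = YOUNG_DOMAIN_DAYS,
             today: Optional[str] = None) -> bool:
    """True when the domain is at most Young Domain Timeframe days old."""
    age = domain_age_days(result, today)
    return age is not None and 0 <= age <= timeframe_days


def guided_pivots(node: Any, threshold: int = GUIDED_PIVOT_THRESHOLD,
                  path: Tuple[str, ...] = ()) -> List[Tuple[str, Any, int]]:
    """Walk the result and return (attribute path, value, count) for every
    value/count pair whose count is above 1 and at or below the threshold.
    The count is the number of domains sharing that value: 1 leads nowhere
    else, a huge count (a registrar's email, a popular name server) is noise,
    and a small count is a pivot worth following."""
    found: List[Tuple[str, Any, int]] = []
    if isinstance(node, dict):
        if "value" in node and "count" in node:
            if 1 < int(node["count"]) <= threshold:
                found.append((".".join(path), node["value"], int(node["count"])))
        else:
            for key, child in node.items():
                found.extend(guided_pivots(child, threshold, path + (key,)))
    elif isinstance(node, list):
        for child in node:
            found.extend(guided_pivots(child, threshold, path))
    return found


def triage(result: Dict[str, Any], today: Optional[str] = None,
           risk_threshold: int = HIGH_RISK_THRESHOLD,
           young_days: int = YOUNG_DOMAIN_DAYS,
           pivot_threshold: int = GUIDED_PIVOT_THRESHOLD) -> Dict[str, Any]:
    """Summarise the checks a playbook applies first: risk flag, age flag,
    and the pivots that deserve a follow-up lookup."""
    flags = []
    if is_high_risk(result, risk_threshold):
        flags.append("high_risk")
    if is_young(result, young_days, today):
        flags.append("young_domain")
    return {
        "domain": result.get("domain"),
        "flags": flags,
        "pivots": guided_pivots(result, pivot_threshold),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RESULT, today="2024-06-01"))
```

Lowering the Guided Pivot Threshold shrinks the pivot list to the most specific attributes (in the sample, only the name server shared by 3 domains survives a threshold of 10), which is the knob to turn when the auto-pivot playbook is producing too many lookups.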

Setup for Real-time Threat Intelligence Feeds

  1. Select Settings -> Integrations -> Servers & Services menu options. Search for “DomainTools” in the search integration text box to bring forward the DomainTools Iris (Partner Contribution) integration.
  2. Select Add Instance to configure the DomainTools instance.
  3. Enter configuration parameters described below. For more information on these parameters, consult the Real-time Threat Intelligence Feeds Userguide.
| Parameter | Description | Required |
|---|---|---|
| API Username | The DomainTools API username. | True |
| API Key | The DomainTools API key. | True |
| Session ID | A string that serves as a unique identifier for the session, used for resuming data retrieval from the last point. Defaults to dt-cortex-feeds. | False |
| After | The start of the query window in seconds, relative to the current time, inclusive. Defaults to -3600. | False |
| Top | Limits the number of results in the response payload. Especially useful for testing. Defaults to 5000. | False |
| Feed Type | The DomainTools feed type to fetch. Defaults to ALL. | False |
| Indicator Reputation | Indicators from this integration instance will be marked with this reputation. | False |
| Source Reliability | Reliability of the source providing the intelligence data. | True |
| Feed Fetch Interval | The feed fetching interval to use. | False |
| Bypass exclusion list | When selected, the exclusion list is ignored for indicators from this feed. This means that if an indicator from this feed is on the exclusion list, the indicator might still be added to the system. | False |
| Trust any certificate (not secure) | | False |
| Use system proxy settings | | False |
| Tags | Supports CSV values. | False |
| Traffic Light Protocol Color | Applied to indicators fetched from the feed. | False |

Domaintools Iris Commands

Consult our Iris documentation to learn more about the DomainTools Iris suite.

| Command | Description |
|---|---|
| domain | Provides data enrichment for domains. |
| domaintools-hosting-history | Hosting History lists IP address, name server and registrar history. |
| domaintools-reverse-whois | Lists domain names that share the same registrant information. Enter terms that describe a domain owner, like an email address or a company name, to retrieve a list of domain names that have your search terms listed in the registration information. |
| domaintools-whois | Provides parsed information extracted from the raw Whois record. Ideal for searching, indexing, or cross-referencing multiple registration records. |
| domaintools-whois-history | Returns up to 100 historical Whois records associated with a domain name. |
| domaintoolsiris-analytics | Displays DomainTools Analytics data in a markdown-format table. |
| domaintoolsiris-enrich | Returns a complete profile of the domain (SLD.TLD) using Iris Enrich. If parsing of URLs or FQDNs is desired, consult domainExtractAndEnrich. |
| domaintoolsiris-investigate | Returns a complete profile of the domain (SLD.TLD) using Iris Investigate. If parsing of FQDNs is desired, consult domainExtractAndInvestigate. |
| domaintoolsiris-pivot | Pivot on connected infrastructure (IP, email, SSL), or import domains from Iris Investigate using a search hash. Retrieves up to 5000 domains at a time. Optionally exclude results from context with include_context=false. |
| domaintoolsiris-threat-profile | Displays DomainTools Threat Profile data in a markdown-format table. |

DomainTools Real-time Threat Intelligence Feeds Commands

The dtfeeds-get-indicators command returns indicators from the feeds and displays them in the War Room. It accepts the following arguments.

| Argument Name | Description | Required |
|---|---|---|
| feed_type | The DomainTools integration feed type to fetch. Default is nod. | Optional |
| session_id | Session unique identifier. | Optional |
| domain | Filter results for a top-level domain. | Optional |
| after | The start of the query window in seconds, relative to the current time, inclusive. Default is -3600 (one hour before the current time). | Optional |
| before | The end of the query window in seconds, relative to the current time, inclusive. | Optional |
| top | Limits the number of results in the response payload. Default is 50. | Optional |

DomainTools Iris Automations

| Automation | Description |
|---|---|
| AddDomainRiskScoreToContext | Sets the average risk score in context for a pivot result. |
| AssociateIndicatorsToIncident | Associates indicators with an incident. |
| CheckLastEnrichment | Checks whether DomainTools data is in need of enrichment. |
| CheckPivotableDomains | Checks for guided pivots for a given domain. |
| CheckTags | Checks DomainTools domain tags and, if a monitored tag is found, marks the incident as high severity. |
| DomainExtractAndEnrich | Resolves a URL or fully qualified domain name (FQDN) and looks up a complete profile of the domain on the DomainTools Iris Enrich API. |
| DomainExtractAndInvestigate | Resolves a URL or fully qualified domain name (FQDN) and looks up a complete profile of the domain on the DomainTools Iris Investigate API. |
| SetIndicatorTableData | Sets data for a domain in the Indicator Table. |

DomainTools Iris Playbooks

Getting Started with Custom Playbooks

In addition to the automation available within Palo Alto XSOAR, DomainTools continues to build additional content for XSOAR users. You can download our automation scripts directly from the DomainTools Palo Alto XSOAR repository in Github.

Customizing Error Handling

XSOAR playbooks halt on errors by default. Currently, some DomainTools playbooks may generate errors (for example, when fed unregistered domains) that users may want to skip over.

You can modify a playbook's error handling via its On Error tab in Task Details in several ways:

  • Specify a permitted number of retries and the time between retries
  • Set the task to continue through an error
  • Set the task to take an error path

Palo Alto documents customized error handling in this YouTube video.

Checking Prerequisites

Before you upload these custom playbooks, please review the Prerequisites section for each. It identifies any additional configurations and dependencies associated with these playbooks.

Playbook: DomainTools Auto Pivots

GitHub

This playbook fetches the Iris Investigate profile of a domain and automatically identifies related infrastructure artifacts based on DomainTools Guided Pivot values.

  • Automated Investigations: It streamlines the investigative process by automatically identifying connected infrastructure, saving analysts time and reducing human error.
  • Comprehensive Understanding: Customers gain a more complete understanding of threats by uncovering associated infrastructure, enabling better threat assessment.
  • Proactive Threat Detection: By automating pivot lookups, it assists in the early detection of threats associated with a specific domain.

Playbook: DomainTools Check Domain Risk Score By Iris Tags

GitHub

This playbook periodically checks domains for risk based on Iris Investigate tags. Users can define a list of tags to monitor, and the playbook will add new high-risk domains as indicators on associated incidents.

  • Proactive Risk Management: Customers can proactively monitor domains associated with specific tags, enabling early risk detection and mitigation.
  • Automation: The playbook automates the process of tracking and alerting on domain risk, reducing manual effort and ensuring timely responses.
  • Incident Enrichment: It enriches incidents with high-risk domain indicators, providing context for incident responders and aiding in swift decision-making.

Playbook: DomainTools Check New Domains by Iris Hash

GitHub

This playbook assists in monitoring new domains based on predefined infrastructure criteria, such as registrar, DNS, SSL certs, etc. It uses Iris Investigate data to identify newly registered domains.

  • Timely Threat Detection: Customers can detect new domains associated with specific infrastructure parameters, allowing them to identify potential threats in their early stages.
  • Customizable Monitoring: Users can define specific criteria for monitoring, tailoring the playbook to their organization's unique threat landscape.
  • Integration with Iris Investigate: It leverages DomainTools' data to enhance monitoring capabilities, ensuring comprehensive threat visibility.

Playbook: DomainTools Domain Auto Enrichment

GitHub

Although Palo Alto XSOAR users can leverage the enrichment capability out-of-the-box, we wanted to further extend their ability to optimize the auto-enrichment process. This playbook:

  • Checks whether the existing enrichment data is recent and, if so, skips redundant enrichment of the domain
  • Performs domain enrichment
  • Stores key enrichment intelligence in the Palo Alto XSOAR Indicator Table

Prerequisites

Automation Scripts: The playbook uses the following automation scripts to deliver these functionalities. Both are available for download in the scripts folder of the same repository:

  • DomainToolsCheckLastEnrichment
  • DomainToolsSetIndicatorTable

Custom Indicator fields: The playbook leverages the following custom fields in the Indicator table to store the domain intelligence inside Palo Alto XSOAR. These fields must be created prior to executing the playbook:

  1. Select Settings -> Advanced -> Fields menu options
  2. Select Indicator from the dropdown list, shown below
  3. Add New Fields per the table below:
| Field Name | Field Type | Mandatory |
|---|---|---|
| additionalWhoisEmails | Short text | No |
| domainAge | Short text | No |
| emailDomains | Short text | No |
| ipAddresses | Short text | No |
| mailServers | Short text | No |
| nameServers | Short text | No |
| soaEmail | Short text | No |
| spfRecord | Short text | No |
| sslCertificate | Short text | No |
  4. The same fields will appear in an Indicator Table once they are created successfully.
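To make concrete what the Auto Enrichment playbook writes into those nine custom fields, and the "is the data recent?" check that lets it skip a redundant lookup, here is an added example. It is not the DomainToolsCheckLastEnrichment or DomainToolsSetIndicatorTable script from the repository; the Iris result layout it reads (ip[].address.value, mx[].host.value, name_server[].host.value, soa_email[].value, spf_info, ssl_info[].hash.value, additional_whois_email[].value, email_domain[].value) and the 24-hour freshness window are assumptions, and the sample result is constructed. Only the field names come from the table above.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Any, Dict, List, Optional

# Re-enrichment window. The playbook's own value is not stated on the page,
# so 24 hours is an assumption for this example.
FRESHNESS_HOURS = 24

# Constructed result in an Iris Investigate-like layout; key names assumed.
SAMPLE_RESULT: Dict[str, Any] = {
    "domain": "example.test",
    "create_date": {"value": "2024-05-20"},
    "ip": [{"address": {"value": "203.0.113.7"}}, {"address": {"value": "203.0.113.8"}}],
    "mx": [{"host": {"value": "mail.example.test"}}],
    "name_server": [{"host": {"value": "ns1.example.test"}}, {"host": {"value": "ns2.example.test"}}],
    "soa_email": [{"value": "hostmaster@example.test"}],
    "spf_info": "v=spf1 include:_spf.example.test -all",
    "ssl_info": [{"hash": {"value": "0123abcd"}}],
    "additional_whois_email": [{"value": "abuse@example.test"}],
    "email_domain": [{"value": "example.test"}],
}


def _values(items: Optional[List[Dict[str, Any]]], key: Optional[str] = None) -> List[str]:
    """Collect each item's 'value', optionally one level down (item[key]['value'])."""
    out: List[str] = []
    for item in items or []:
        node = item.get(key, {}) if key else item
        if isinstance(node, dict) and node.get("value"):
            out.append(str(node["value"]))
    return out


def _aware(ts: datetime) -> datetime:
    """Treat naive timestamps as UTC so mixed inputs can be compared."""
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def needs_enrichment(last_enriched_iso: Optional[str], now_iso: Optional[str] = None,
                     freshness_hours: int = FRESHNESS_HOURS) -> bool:
    """CheckLastEnrichment-style decision: skip the lookup while the stored
    timestamp is younger than the freshness window; enrich if none is stored."""
    if not last_enriched_iso:
        return True
    now = _aware(datetime.fromisoformat(now_iso)) if now_iso else datetime.now(timezone.utc)
    last = _aware(datetime.fromisoformat(last_enriched_iso))
    return now - last >= timedelta(hours=freshness_hours)


def indicator_fields(result: Dict[str, Any], today: Optional[str] = None) -> Dict[str, str]:
    """Build the nine custom indicator fields from the table above. Multi-valued
    attributes are joined with ', ' because every field is Short text."""
    ref = date.fromisoformat(today) if today else datetime.now(timezone.utc).date()
    created = result.get("create_date", {}).get("value")
    age = str((ref - date.fromisoformat(created)).days) if created else ""
    return {
        "additionalWhoisEmails": ", ".join(_values(result.get("additional_whois_email"))),
        "domainAge": age,
        "emailDomains": ", ".join(_values(result.get("email_domain"))),
        "ipAddresses": ", ".join(_values(result.get("ip"), "address")),
        "mailServers": ", ".join(_values(result.get("mx"), "host")),
        "nameServers": ", ".join(_values(result.get("name_server"), "host")),
        "soaEmail": ", ".join(_values(result.get("soa_email"))),
        "spfRecord": str(result.get("spf_info") or ""),
        "sslCertificate": ", ".join(_values(result.get("ssl_info"), "hash")),
    }


if __name__ == "__main__":
    if needs_enrichment("2024-06-01T00:00:00+00:00", now_iso="2024-06-02T01:00:00+00:00"):
        for name, value in indicator_fields(SAMPLE_RESULT, today="2024-06-01").items():
            print(f"{name}: {value}")
```

Because the fields are Short text, a domain hosted on many IPs or carrying many historical certificates will produce a long joined string; if that matters for your instance, create the multi-valued fields with a different type than the table prescribes and adjust the join accordingly.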

Playbook: DomainTools Iris Tags

GitHub

The DomainTools_Iris_Tags playbook helps users flag any domains that have already been flagged in the DomainTools Iris investigation platform. This helps various cross-functional teams within the SOC to collaborate during an investigation. It provides you with the following functionalities:

  • Allows Palo Alto XSOAR users to configure a list of ‘Iris tags’ they want to monitor inside Palo Alto XSOAR
  • Automates checking for any indicators that match one of the tags
  • Escalates the incident severity to ‘High’

Prerequisites

Creating Tags in DomainTools Iris: To leverage this feature Palo Alto XSOAR Users must be using the Tagging capabilities from DomainTools Iris Investigation platform. Once a Domain is ‘Tagged’ in Iris, the tags become available for consumption within Palo Alto XSOAR. Please refer to ‘Tagging Domains’ in the Iris Investigate User Guide for further reference.

Automation Scripts: The playbook uses the DomainToolsCheckTags script, which is available for download in the scripts folder of the same repository.

Custom Tag List: Palo Alto XSOAR users can store the list of tags inside Palo Alto XSOAR following the below steps:

  1. Select Settings -> Advanced -> Lists -> New List menu options
  2. Set values:
     • Name: ‘tags’
     • Data: Your comma-delimited list of tags
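The following is an added example of the logic the Iris Tags playbook performs, written in the shape of an XSOAR automation: read the comma-delimited ‘tags’ list created above, compare it with the Iris tags on each enriched domain, and escalate the incident to High on a match. It is not the DomainToolsCheckTags script from the repository. The context path DomainTools.Domains, the tag object shape ({"label": ...}) and the sample context are assumptions constructed for this example; the demisto calls (executeCommand with getList and setIncident, context, incident, results) are the platform's standard API and are only reached when the script runs inside XSOAR.

```python
from typing import Any, Dict, Iterable, List, Set

# XSOAR numeric severities used by setIncident.
SEVERITY_HIGH = 3
SEVERITY_CRITICAL = 4

# Constructed context, shaped like what a DomainTools lookup might leave in
# incident context. The DomainTools.Domains path and the {"label": ...} tag
# objects are assumptions for this example.
SAMPLE_CONTEXT: Dict[str, Any] = {
    "DomainTools": {
        "Domains": [
            {"Name": "example.test", "Tags": [{"label": "Phishing-Kit"}, {"label": "reviewed"}]},
            {"Name": "benign.test", "Tags": [{"label": "internal"}]},
            {"Name": "untagged.test", "Tags": []},
        ]
    }
}


def parse_tag_list(raw: str) -> List[str]:
    """Parse the comma-delimited XSOAR list 'tags'. Entries are trimmed,
    lower-cased and de-duplicated so 'Phishing-Kit' and 'phishing-kit' match."""
    return sorted({t.strip().lower() for t in raw.split(",") if t.strip()})


def tags_of(entry: Dict[str, Any]) -> Set[str]:
    """Normalised tag labels of one enriched domain; tolerates plain strings."""
    labels: Set[str] = set()
    for tag in entry.get("Tags") or []:
        label = tag.get("label") if isinstance(tag, dict) else tag
        if label:
            labels.add(str(label).strip().lower())
    return labels


def find_tag_matches(context: Dict[str, Any], monitored: Iterable[str]) -> Dict[str, List[str]]:
    """Domain name -> sorted monitored tags it carries; domains without a match are omitted."""
    wanted = {t.lower() for t in monitored}
    matches: Dict[str, List[str]] = {}
    for entry in context.get("DomainTools", {}).get("Domains", []):
        hits = sorted(tags_of(entry) & wanted)
        if hits:
            matches[entry.get("Name", "")] = hits
    return matches


def escalated_severity(matches: Dict[str, List[str]], current: float) -> float:
    """Raise to High on any match, but never lower an incident already at or above High."""
    if matches and current < SEVERITY_HIGH:
        return SEVERITY_HIGH
    return current


def main() -> None:
    # Entry point when run as an XSOAR automation. `demisto` is injected by the
    # platform (demistomock in the content dev kit); offline this just returns.
    try:
        import demistomock as demisto  # type: ignore
    except ImportError:
        return
    raw_list = demisto.executeCommand("getList", {"listName": "tags"})[0]["Contents"]
    matches = find_tag_matches(demisto.context(), parse_tag_list(str(raw_list)))
    current = float(demisto.incident().get("severity", 0))
    new_severity = escalated_severity(matches, current)
    if new_severity != current:
        demisto.executeCommand("setIncident", {"severity": new_severity})
    demisto.results({"Type": 1, "ContentsFormat": "json", "Contents": matches})


if __name__ in ("__main__", "__builtin__", "builtins"):
    main()
```

Normalising both sides to lower case before comparing avoids the silent miss that occurs when an analyst tags a domain as "Phishing-Kit" in Iris but the XSOAR list holds "phishing-kit"; the match list is returned to the War Room so the responder can see which tag triggered the escalation.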

Usage Examples

Enrich a Domain

Enriches domain-related data from the Iris dataset, including domain risk scores, Whois, IP, active DNS, website, and SSL data. Enables rapid enrichment of proxy and DNS logs, enhancing the ability to detect and respond to threats in real-time. Customers can identify malicious domains and assess their risk levels efficiently.

Query DomainTools for DNS intelligence for a specific Indicator:

!domain domain="example.com"

Retrieve DomainTools Analytics

Actionable Analytics from Iris

!domaintoolsiris-analytics domain="example.com"

Risk Scores, Threat Profiles, and Evidence

!domaintoolsiris-threat-profile domain=example.com

Discover Connected Infrastructure

Pivot on any of the below DomainTools attributes to discover potentially malicious infrastructure associated with the DNS artifact:

  • IP
  • Email
  • Mailserver_Host
  • Nameserver_Host
  • Nameserver_IP
  • SSL Hash

For example, a pivot on the hosting IP address:

!domaintoolsiris-pivot ip="199.79.62.18"

Retrieve latest results for NOD Threat Intelligence Feed

!dtfeeds-get-indicators session_id=mysession feed_type=nod