Enricher - DomainTools Iris Investigate

Note

This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.

Enrichers using the legacy DomainTools V1 endpoints have been removed as of the following versions:

  • EclecticIQ DomainTools Extension version 2.8.2 and newer.

  • EclecticIQ DomainTools Extension version 2.7.2 and newer.

Instead, use the DomainTools Iris Investigate enrichers listed in this article.

For more information on the removed enrichers, see Removed V1 enrichers.

Specifications

Enricher name(s)

  • DomainTools Domain Enricher - Iris Investigate

  • DomainTools Email Enricher - Iris Investigate

  • DomainTools Email Domain Enricher - Iris Investigate

  • DomainTools IP Enricher - Iris Investigate

  • DomainTools Mailserver Domain Enricher - Iris Investigate

  • DomainTools Mailserver Host Enricher - Iris Investigate

  • DomainTools Mailserver IP Enricher - Iris Investigate

  • DomainTools Nameserver Domain Enricher - Iris Investigate

  • DomainTools Nameserver Host Enricher - Iris Investigate

  • DomainTools Nameserver IP Enricher - Iris Investigate

  • DomainTools Redirect Domain Enricher - Iris Investigate

  • DomainTools Registrant Enricher - Iris Investigate

  • DomainTools Registrant Organization Enricher - Iris Investigate

  • DomainTools Registrar Enricher - Iris Investigate

  • DomainTools SSL Email Enricher - Iris Investigate

  • DomainTools SSL Hash Enricher - Iris Investigate

  • DomainTools SSL Organization Enricher - Iris Investigate

For more information, see List of enrichers and their endpoints.

Supported observable types

See Supported observables.

Output

Enriches supported observable types to produce Indicators and associated observables.

API endpoint

See List of enrichers and their endpoints.

Description

The Iris Investigate API is best suited for investigating and orchestrating use cases at human scale. These are typically triggered on-demand by an analyst seeking additional context on a single domain indicator.

Requirements

  • DomainTools User name

  • DomainTools API key

Automatic enrichment

Avoid setting up enrichment rules for the DomainTools enricher.

An enrichment rule makes the enricher run automatically on every matching observable, which can rapidly consume your API request quota.

Instead, run the enricher manually.

Set up the enricher

Before using the enricher, configure it to add your DomainTools credentials:

  1. Go to Data configuration > Enrichers.

  2. Select the enricher from the displayed list.

  3. Edit the enricher by selecting More > Edit from the top right.

  4. In the Edit enricher task view, fill out these fields:

    Note

    Required fields are marked with an asterisk (*).

    API URL*
      By default, this is set to https://api.domaintools.com/v1/iris-investigate.

    Username*
      Set this to your DomainTools user name.

    API key*
      Set this to your DomainTools API key.

  5. Click Save to store your changes.

Default configuration

These are the default configuration parameters for the DomainTools enricher:

Note

Required fields are marked with an asterisk (*).

Name
  Set by default. See List of enrichers and their endpoints.

Override TLP
  Forces all entities and observables produced by this extension to inherit this TLP value.

Description*
  Enter a description for this enricher.

Cache validity (sec)*
  Set to 2592000 seconds (30 days) by default.

Rate limit (per sec)*
  Set to 1000 per second by default.

Monthly execution cap (runs)*
  Set to 1000000 runs by default.

Source reliability*
  Assign a reliability level to entities and observables produced by this extension. The values are based on the Admiralty System.

Observable types*
  Set by default. See Supported observables.

Enabled
  Select to enable this enricher.

API URL*
  By default, this is set to https://api.domaintools.com/v1/iris-investigate.

Username*
  Set this to your DomainTools user name.

API key*
  Set this to your DomainTools API key.

SSL verification
  Selected by default. Select to enable SSL verification.

Path to SSL certificate file
  Used when connecting to a feed source that uses a custom CA. Set this to the path of the SSL certificate to use when authenticating the feed source.

  For more information, see SSL certificates.

SSL certificates

To use an SSL certificate, it must be:

  • Accessible on the EclecticIQ Intelligence Center host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that EclecticIQ Intelligence Center can access the SSL certificate:

  1. Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.

  2. On the EclecticIQ Intelligence Center host, open the terminal.

  3. Change the ownership of the SSL certificate by running the following as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate EclecticIQ Intelligence Center needs to access.
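The three requirements above (accessible on the host, readable by the eclecticiq user, owned by eclecticiq:eclecticiq) are easy to get wrong after a manual upload. The following check script is an added example, not part of the EclecticIQ documentation or product: it inspects a certificate path and reports every requirement that is not met, including the exact chown command from the step above. The `demo()` function exercises it against the current user with a constructed PEM stub, since a test host usually has no eclecticiq account; the eclecticiq user and group names are the page's, the PEM content is made up.

```python
import grp
import os
import pwd
import stat
import tempfile


def _owner_names(st):
    """Resolve uid/gid to names, falling back to the numeric id when the
    account does not exist on this host (common inside containers)."""
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = str(st.st_gid)
    return owner, group


def cert_access_problems(path, owner="eclecticiq", group="eclecticiq"):
    """Return the list of reasons the Intelligence Center could not use the
    certificate at `path`. An empty list means every requirement is met."""
    problems = []
    try:
        st = os.stat(path)
    except OSError as exc:
        # Not accessible on this host at all (missing path, dangling symlink, ...).
        return [f"cannot access {path}: {exc.strerror}"]

    if not stat.S_ISREG(st.st_mode):
        return [f"{path} is not a regular file"]

    actual_owner, actual_group = _owner_names(st)
    if (actual_owner, actual_group) != (owner, group):
        problems.append(
            f"owned by {actual_owner}:{actual_group}, expected {owner}:{group} "
            f"(run as root: chown {owner}:{group} {path})"
        )

    # The owning user must be able to read the file.
    if not st.st_mode & stat.S_IRUSR:
        problems.append("owner has no read permission on the file")

    # A world-writable trust anchor can be replaced by any local user.
    if st.st_mode & stat.S_IWOTH:
        problems.append("file is world-writable")

    # Cheap sanity check that this is a PEM-encoded certificate, not DER or a stray file.
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError as exc:
        problems.append(f"cannot read {path}: {exc.strerror}")
    else:
        if not head.startswith(b"-----BEGIN"):
            problems.append("file does not start with a PEM header")

    return problems


def demo():
    """Run the check against a constructed PEM stub owned by the current user.
    Returns (problems for the real owner, problems when eclecticiq is expected,
    problems for a missing path)."""
    # Constructed stand-in for a CA certificate; not a real certificate.
    stub = b"-----BEGIN CERTIFICATE-----\nMIIBconstructedstub==\n-----END CERTIFICATE-----\n"
    with tempfile.NamedTemporaryFile("wb", suffix=".pem", delete=False) as fh:
        fh.write(stub)
        path = fh.name
    try:
        me, my_group = _owner_names(os.stat(path))
        return (
            cert_access_problems(path, me, my_group),
            cert_access_problems(path, "eclecticiq", "eclecticiq"),
            cert_access_problems(path + ".missing", me, my_group),
        )
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for label, problems in zip(("own user", "eclecticiq", "missing"), demo()):
        print(label, "->", problems or "OK")
```

Run it as the user that will start EclecticIQ Intelligence Center; anything printed other than OK for the real certificate path is something to fix before saving the enricher configuration.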

Removed V1 enrichers

DomainTools is deprecating its V1 API endpoints in favor of the Iris Investigate API.

The following enrichers have been removed in versions 2.7.2 and 2.8.2 of the DomainTools extension and newer:

List of enrichers and their endpoints

Each entry gives the enricher name, what it looks up, and the API endpoint it queries.

DomainTools Domain Enricher - Iris Investigate
  Retrieves all information available on Iris for that domain.
  https://api.domaintools.com/v1/iris-investigate/?domain=<domain>

DomainTools Email Enricher - Iris Investigate
  Looks up an email address from the most recently available Whois record, DNS SOA record, or SSL certificate.
  https://api.domaintools.com/v1/iris-investigate/?email=<Email>

DomainTools Email Domain Enricher - Iris Investigate
  Looks up the domain portion of a Whois or DNS SOA email address.
  https://api.domaintools.com/v1/iris-investigate/?email_domain=<Domain>

DomainTools IP Enricher - Iris Investigate
  Looks up the IPv4 address the registered domain was last known to point to during an active DNS check.
  https://api.domaintools.com/v1/iris-investigate/?ip=<Ipv4>

DomainTools Mailserver Domain Enricher - Iris Investigate
  Looks up the registered domain portion of the mail server (e.g. domaintools.net).
  https://api.domaintools.com/v1/iris-investigate/?mailserver_domain=<Domain>

DomainTools Mailserver Host Enricher - Iris Investigate
  Looks up the fully-qualified host name of the mail server (e.g. mx.domaintools.net).
  https://api.domaintools.com/v1/iris-investigate/?mailserver_host=<Domain>

DomainTools Mailserver IP Enricher - Iris Investigate
  Looks up the IPv4 address of the mail server.
  https://api.domaintools.com/v1/iris-investigate/?mailserver_ip=<Ipv4>

DomainTools Nameserver Domain Enricher - Iris Investigate
  Looks up the registered domain portion of the name server (e.g. domaintools.net).
  https://api.domaintools.com/v1/iris-investigate/?nameserver_domain=<Domain>

DomainTools Nameserver Host Enricher - Iris Investigate
  Looks up the fully-qualified host name of the name server (e.g. ns1.domaintools.net).
  https://api.domaintools.com/v1/iris-investigate/?nameserver_host=<Domain>

DomainTools Nameserver IP Enricher - Iris Investigate
  Looks up the IPv4 address of the name server.
  https://api.domaintools.com/v1/iris-investigate/?nameserver_ip=<Ipv4>

DomainTools Redirect Domain Enricher - Iris Investigate
  Looks up domains to see if they redirect to another domain name.
  https://api.domaintools.com/v1/iris-investigate/?redirect_domain=<Domain>

DomainTools Registrant Enricher - Iris Investigate
  Substring search on the Whois registrant field.
  https://api.domaintools.com/v1/iris-investigate/?registrant=<Name>

DomainTools Registrant Organization Enricher - Iris Investigate
  Substring search on the Whois registrant org field.
  https://api.domaintools.com/v1/iris-investigate/?registrant_org=<Organisation>

DomainTools Registrar Enricher - Iris Investigate
  Exact match on the Whois registrar field.
  https://api.domaintools.com/v1/iris-investigate/?registrar=<Registrar>

DomainTools SSL Email Enricher - Iris Investigate
  Looks up the email address from the SSL certificate.
  https://api.domaintools.com/v1/iris-investigate/?ssl_email=<Email>

DomainTools SSL Hash Enricher - Iris Investigate
  Looks up the SSL certificate hash.
  https://api.domaintools.com/v1/iris-investigate/?ssl_hash=<Hash>

DomainTools SSL Organization Enricher - Iris Investigate
  Exact match on the organization name on the SSL certificate.
  https://api.domaintools.com/v1/iris-investigate/?ssl_org=<Organisation>
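Every enricher above is the same endpoint with a different query parameter, and each parameter only makes sense for one kind of observable (an IPv4 address for `ip`, a certificate hash for `ssl_hash`, and so on). The following helper is an added example, not code from the EclecticIQ extension: it transcribes the parameter table and the Supported observables table into one lookup, classifies the input value, refuses a value that does not fit the parameter, and builds the request URL with proper encoding. Authentication is deliberately left out; `classify`, `is_valid_for` and `build_query_url` are names chosen here, and the sample values in the `__main__` block are constructed.

```python
import ipaddress
import re
from urllib.parse import urlencode

# "API URL" setting from the page; the parameter list below is the endpoint table.
BASE_URL = "https://api.domaintools.com/v1/iris-investigate/"

# query parameter -> observable kind it accepts (from the Supported observables table)
ENRICHER_PARAMS = {
    "domain": "domain",
    "email": "email",
    "email_domain": "domain",
    "ip": "ipv4",
    "mailserver_domain": "domain",
    "mailserver_host": "domain",
    "mailserver_ip": "ipv4",
    "nameserver_domain": "domain",
    "nameserver_host": "domain",
    "nameserver_ip": "ipv4",
    "redirect_domain": "domain",
    "registrant": "name",
    "registrant_org": "organization",
    "registrar": "registrar",
    "ssl_email": "email",
    "ssl_hash": "hash",
    "ssl_org": "organization",
}

# Kinds whose shape can be checked; the rest (name, organization, registrar) are free text.
_STRUCTURED_KINDS = {"domain", "email", "ipv4", "hash"}

# Hostname with at least one dot, labels of 1-63 chars, total length <= 253.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I
)
# Hex digest lengths for the hash types the SSL Hash enricher accepts.
_HASH_LENGTHS = {32: "hash-md5", 40: "hash-sha1", 64: "hash-sha256", 128: "hash-sha512"}


def classify(value):
    """Return the observable kind of a string ('ipv4', 'hash', 'email', 'domain') or None."""
    value = value.strip()
    try:
        ipaddress.IPv4Address(value)
        return "ipv4"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in _HASH_LENGTHS:
        return "hash"
    if "@" in value and _DOMAIN_RE.match(value.rsplit("@", 1)[1]):
        return "email"
    if _DOMAIN_RE.match(value):
        return "domain"
    return None


def is_valid_for(param, value):
    """True if `value` is an acceptable observable for the given Iris query parameter."""
    expected = ENRICHER_PARAMS.get(param)
    if expected is None or not value.strip():
        return False
    if expected in _STRUCTURED_KINDS:
        return classify(value) == expected
    return True  # free-text kinds: any non-empty string


def build_query_url(param, value):
    """Build the Iris Investigate URL for one enricher, or raise ValueError."""
    if param not in ENRICHER_PARAMS:
        raise ValueError(f"unknown Iris Investigate parameter: {param!r}")
    value = value.strip()
    if not is_valid_for(param, value):
        got = classify(value) or "unrecognised input"
        raise ValueError(
            f"{param} expects a {ENRICHER_PARAMS[param]} observable, got {got}: {value!r}"
        )
    # urlencode handles '@', spaces and other reserved characters in the value.
    return BASE_URL + "?" + urlencode({param: value})


if __name__ == "__main__":
    # Constructed sample inputs.
    for param, value in [("domain", "domaintools.net"),
                         ("nameserver_ip", "198.51.100.7"),
                         ("ssl_email", "abuse@domaintools.net"),
                         ("registrant_org", "Example Corp"),
                         ("ip", "domaintools.net")]:
        try:
            print(build_query_url(param, value))
        except ValueError as exc:
            print("rejected:", exc)
```

The classification is conservative: a value that fits none of the structured kinds is rejected for the structured parameters rather than sent to the API, which is also what keeps an accidental free-text lookup from burning a request against the quota.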

Data mapping

Supported observables

Each enricher accepts the observable types listed after its name.

  • DomainTools Domain Enricher - Iris Investigate: domain

  • DomainTools Email Domain Enricher - Iris Investigate: domain

  • DomainTools Email Enricher - Iris Investigate: email

  • DomainTools IP Enricher - Iris Investigate: ipv4

  • DomainTools Mailserver Domain Enricher - Iris Investigate: domain

  • DomainTools Mailserver Host Enricher - Iris Investigate: domain

  • DomainTools Mailserver IP Enricher - Iris Investigate: ipv4

  • DomainTools Nameserver Domain Enricher - Iris Investigate: domain

  • DomainTools Nameserver Host Enricher - Iris Investigate: domain

  • DomainTools Nameserver IP Enricher - Iris Investigate: ipv4

  • DomainTools Redirect Domain Enricher - Iris Investigate: domain

  • DomainTools Registrant Enricher - Iris Investigate: name

  • DomainTools Registrant Organization Enricher - Iris Investigate: organization

  • DomainTools Registrar Enricher - Iris Investigate: registrar

  • DomainTools SSL Email Enricher - Iris Investigate: email

  • DomainTools SSL Hash Enricher - Iris Investigate: hash-sha1, hash-sha512, hash-md5, hash-sha256

  • DomainTools SSL Organization Enricher - Iris Investigate: organization

“Maximum 5000 returned - you may need to refine your query”

The DomainTools Iris Investigate API imposes a limit of 5000 results per query. If an enrichment target matches more than 5000 results, the enrichment fails and the enricher reports the following error message from DomainTools:

requests.exceptions.HTTPError: Maximum 5000 returned - you may need to refine your query.

The platform does not support adding parameters to enrichers per run, so it is currently not possible to “refine” the enricher’s query without over-fitting the enricher to a single enrichment target.

Instead, look up the enrichment target in the DomainTools Iris UI.

Risk score

DomainTools provides a risk score for enriched observables. This risk score is:

  • Mapped to the Confidence value of the resulting Indicator.

  • Used to add a Tag to the resulting Indicator.

The following table details how risk scores are mapped to Indicators on the platform:

Risk Score Value   Indicator Confidence   Indicator Tag
1-33               Low Confidence         Risk Score: Low
34-66              Medium Confidence      Risk Score: Medium
67-100             High Confidence        Risk Score: High

Redacted data

If enrichment returns results that contain the value ‘REDACTED FOR PRIVACY’ (case-insensitive), those results are not ingested.
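The two rules above (the risk score bands and the redaction filter) are the whole of what the page says happens to a result between the API response and an Indicator. The following is an added example of applying both, not the extension's own ingestion code: it maps a score to the confidence and tag from the Risk score table, walks every string in a result to find the redaction marker case-insensitively, and drops any result that carries it. The response layout (`response.results[]`, `domain`, `domain_risk.risk_score`, `registrant_contact`) is an assumption made for the sample, which is constructed; scores of 0 fall outside the page's 1-100 bands and are left untagged here, also an assumption.

```python
from typing import Any, Dict, List, Optional, Tuple

# Marker the page says is filtered, compared case-insensitively.
REDACTED_MARKER = "redacted for privacy"


def map_risk_score(score: Optional[int]) -> Optional[Tuple[str, str]]:
    """Map a DomainTools risk score to (Indicator confidence, Indicator tag)
    using the bands from the Risk score table. Returns None when there is
    nothing to map (missing score, or 0, which no band covers)."""
    if score is None:
        return None
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        raise ValueError(f"risk score out of range: {score!r}")
    if score == 0:
        return None  # assumption: 0 is outside the 1-100 bands, so no tag
    if score <= 33:
        return ("Low", "Risk Score: Low")
    if score <= 66:
        return ("Medium", "Risk Score: Medium")
    return ("High", "Risk Score: High")


def contains_redacted(value: Any) -> bool:
    """True if any string anywhere inside `value` contains the redaction marker."""
    if isinstance(value, str):
        return REDACTED_MARKER in value.lower()
    if isinstance(value, dict):
        return any(contains_redacted(v) for v in value.values())
    if isinstance(value, (list, tuple)):
        return any(contains_redacted(v) for v in value)
    return False


def ingest(response: Dict[str, Any]) -> Tuple[List[Dict[str, Any]], List[str]]:
    """Turn an Iris-style response into Indicator dicts.
    Returns (indicators, domains skipped because they were redacted)."""
    indicators: List[Dict[str, Any]] = []
    skipped: List[str] = []
    for result in response.get("response", {}).get("results", []):
        if contains_redacted(result):
            skipped.append(result.get("domain"))
            continue
        score = (result.get("domain_risk") or {}).get("risk_score")
        mapped = map_risk_score(score)
        indicators.append({
            "value": result.get("domain"),
            "confidence": mapped[0] if mapped else None,
            "tags": [mapped[1]] if mapped else [],
        })
    return indicators, skipped


# Constructed sample response; field names are an assumption, values are made up.
SAMPLE_RESPONSE = {
    "response": {
        "results": [
            {"domain": "example.com", "domain_risk": {"risk_score": 12},
             "registrant_contact": {"name": "Jane Doe"}},
            {"domain": "example.net", "domain_risk": {"risk_score": 70},
             "registrant_contact": {"name": "Redacted For Privacy"}},
            {"domain": "example.org", "domain_risk": {"risk_score": 50},
             "registrant_contact": {"name": "ACME Corp"}},
            {"domain": "example.edu", "domain_risk": {"risk_score": 0},
             "registrant_contact": {}},
        ]
    }
}


if __name__ == "__main__":
    indicators, skipped = ingest(SAMPLE_RESPONSE)
    for ind in indicators:
        print(ind)
    print("skipped (redacted):", skipped)
```

Note that the redaction check is applied to the whole result, so a single redacted contact field is enough to drop the domain, including its risk score; if you need the score without the contact data, that has to come from the Iris UI rather than this enricher.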