DomainTools Iris Investigate for Microsoft Sentinel

Domaintools, LLC

(1 ratings)
Iris Investigate combines enterprise-grade domain intelligence and risk scoring with DNS data

DomainTools Iris Investigate

Map connected infrastructure to get ahead of threats. Iris Investigate delivers dozens of domain-related attributes on every result including Risk Score, DNS, Whois, SSL, and more. It enables easy pivoting through different domain infrastructure and exposes meaningful insights with connection counts on most data fields.

Available Playbooks

  • DomainTools ASIM DNS Playbook - This playbook uses the DomainTools Iris Enrich API. It is able to get domain infrastructure information for a domain or set of domains associated with an alert. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return Whois, mailserver, DNS, SSL and related indicators from Iris Enrich for a given domain or set of domains.
  • DomainTools DNSDB Co-Located Addresses - This playbook uses the Farsight DNSDB connector to automatically enrich IP addresses found in Microsoft Sentinel incidents. The lookup identifies all IPs that are co-located (based on domain) with the Offense Source value, that is, the set of IPs that share the same domain as the originating IP address.
  • DomainTools DNSDB Co-Located Hosts - This playbook uses the Farsight DNSDB connector to automatically enrich domains found in Microsoft Sentinel incidents. This use case covers identifying hosts that are co-located (based on address) given an input domain and a point in time.
  • DomainTools DNSDB Historical Addresses - This playbook uses the Farsight DNSDB connector to automatically enrich IP addresses found in Microsoft Sentinel incidents. This use case covers identifying all addresses used as DNS A records for a given host within a time window defined by a start and stop point in time.
  • DomainTools DNSDB Historical Hosts - This playbook uses the Farsight DNSDB connector to automatically enrich domains found in Microsoft Sentinel incidents.
  • DomainTools IP Address Enrichment Playbook - This playbook uses the DomainTools Parsed Whois API. It provides Whois information for an IP or set of IPs associated with an incident.
  • DomainTools Iris Enrich Domain Playbook - This playbook uses the DomainTools Iris Enrich API, which we recommend over Iris Investigate for high-volume API lookup activities. It is able to provide domain infrastructure information for a domain or set of domains associated with an incident.
  • DomainTools Iris Investigate URL Playbook - This playbook uses the DomainTools Iris Investigate API. Given a domain or set of domains associated with an incident, return Whois, mailserver, DNS, SSL and related indicators.

Pre-requisites

You will need the following:

  • A Microsoft Power Apps or Power Automate plan with custom connector feature
  • An Azure subscription
  • DomainTools API Username
  • DomainTools API Key Provisioned for Iris Investigate and optionally Iris Enrich and Farsight DNSDB if using those playbooks

How to Get Credentials

Contact sales@domaintools.com

Support

For all support requests and general inquiries, contact enterprisesupport@domaintools.com.