# Domain Squatting
This Swimlane Domain Squatting connector is intended to work with the Swimlane Domain Squatting use case only.

## Capabilities

This connector provides the following capabilities:

- Check associated threat intelligence records' reputation results
- Compare current and previous DOM hashes
- Create and erase snapshot records
- Deactivate all potential squatting domain records
- Find potential squatting domains
- Refresh potential squatting domains
- Retrieve associated monitored domain and threat intelligence records

## Initial Setup

This connector is intended to work with the Swimlane Domain Squatting use case only. You will need:

- A Swimlane administrator/API user Personal Access Token (PAT)
- Domain Squatting application(s) deployed to a Swimlane instance:
  - Domain Squatting Monitored Domain
  - Domain Squatting Potential Squatting Domain
  - Domain Squatting Snapshot
- Quickstart application(s):
  - Threat Intel Indicators and Artifacts

Note: field names, etc. are case sensitive. Please enter them exactly as you see them in this documentation, or, if using other field names, pay close attention to case sensitivity throughout setup.

### Required Assets

- Swimlane Alert Correlation
  - Swimlane URL: "sw web 443" on SPI installations, "sw web 4443" on Docker installations
- Swimlane API/Admin PAT: Personal Access Token (PAT) of an administrative or API user

## Task Details

There are several different tasks within this connector which are specifically tailored to work with the Domain Squatting set of applications (i.e. the use case). To help facilitate any troubleshooting or questions about this connector, we describe each task below as well as how it is used in connection with the Domain Squatting set of applications.

### Find Potential Squatting Domains

This is used as a scheduled task with the Domain Squatting use case. The Find Potential Squatting Domains task utilizes dominions (https://github.com/swimlane/dominions), an open source project developed by the Swimlane Deep Dive team. dominions is a Python package that searches WhoisDS for newly registered domains. dominions accepts a domain name as input, runs three different algorithms, and checks the result against the newly registered domains:

- Contained in: checks to see if the domain is contained within a newly registered domain
- Levenshtein: checks the Levenshtein distance from the provided domain to a newly registered domain
- Confusables: checks to see if the domain contains confusables that match a newly registered domain

The inputs for this task are defined below:

- Monitored Domain Application Name (str): the string name of the Monitored Domain application within Swimlane. Default is `Domain Squatting Monitored Domain`.
- Domain to Monitor Field Display Name (str): the field display name that represents the domain to monitor. Default is `Domain to Monitor`.
- Search Active Field Display Name (str): the field display name that represents whether a search is active or not. Default is `Search Active`.
- Maximum Potential Squatting Domains Per Day Field Display Name (str, optional): the field display name that represents the maximum number of potential squatting domains that should be identified for a given domain. Default is `Maximum Potential Squatting Domains Per Day`.

This task will output the following:

- Potential Squatting Domain (str): the potential squatting domain from the Domain to Monitor field
- Monitored Domain Record ID (str): the Swimlane application record ID of the potential squatting domain
- Matched Domain (str): a matched domain
- Search Term (str): the search term that identified the matched domain
- Search Term Match Methods (list): all match methods. Options include `contained in`, `levenshtein`, and `confusables`.

### Refresh Active Potential Squatting Domains

This is used as a scheduled task with the Domain Squatting use case. The Refresh Active Potential Squatting Domains task runs periodically and performs a PATCH (update) on the Status field of any Potential Squatting Domain records, setting it to `Preparing for Submission`, which in turn kicks off workflow within that application record. The inputs for this task are defined below:

- Potential Squatting Domain Application Name (str): the string name of the Potential Squatting Domain application within Swimlane. Default is `Domain Squatting Potential Squatting Domain`.
- Scan Active Field Display Name (str): the field display name that represents whether there is an active scan on a record. Default is `Scan Active`.
- Status Field Display Name (str): the field display name that represents the current status of a Potential Squatting Domain record. Default is `Status`.
- Target Status Field Display Name (str): the status to set within all Potential Squatting Domain records. Default is `Preparing for Submission`.

This task will output the following:

- Success (bool): whether the task was successful
- Errors (str): errors, if any occurred when running the task
- Completed (datetime): an ISO 8601 timestamp of when the task was completed
- Records Refreshed (list): a list of records refreshed

### Check Threat Intelligence Reputation

This is used as part of workflow within the Potential Squatting Domain application. The Check Threat Intelligence Reputation task is triggered via workflow to check a Threat Intel Indicators and Artifacts application for any associated IOCs. The inputs for this task are defined below:

- Landing Page Threat Intelligence Reference Record Display Name (str): the field display name that represents a reference record containing a potential squatting domain's landing page record. Default is `Landing Page Threat Intelligence Records`.
- Landing Page Threat Intelligence Reference Record Verdict Field Display Name (str): the field display name that represents the verdict for the reference record given by Landing Page Threat Intelligence Reference Record Display Name. Default is `TI Tag`.
- Associated IOC Threat Intelligence Reference Record Display Name (str): the field display name that represents any associated threat intelligence via an Associated IOC reference record. Default is `Associated IOC Threat Intelligence Records`.
- Associated IOC Threat Intelligence Reference Record Verdict Field Display Name (str): the field display name that represents the verdict for the reference record given by Associated IOC Threat Intelligence Reference Record Display Name. Default is `TI Tag`.

This task will output the following:

- Current Landing Page Verdict (str): the current landing page verdict (e.g. malicious, suspicious, etc.)
- Current Associated IOC Verdict (str): the current associated IOC verdict (e.g. malicious, suspicious, etc.)
- Current Automated Verdict (str): the current overall automated verdict (e.g. malicious, suspicious, etc.)
- Completed (datetime): an ISO 8601 timestamp of when the task was completed

### Compare Current DOM Hashes to Previous DOM Hashes

This is used as part of workflow within the Potential Squatting Domain application. The Compare Current DOM Hashes to Previous DOM Hashes task is triggered via workflow and compares the current DOM hash to all previous DOM hashes. The inputs for this task are defined below:

- Most Recent DOM (str): the most recently captured DOM string
- Previous DOM Fuzzy Hashes (str): all previous DOM fuzzy hashes
- Snapshot Match Threshold (int, optional): the snapshot threshold for matching the current DOM to previous DOMs. Default is 75.

This task will output the following:

- Previous DOM Fuzzy Hashes (list): an updated list of DOM fuzzy hashes made up of the current plus the previous DOM hashes
- Create New Snapshot Record (bool): whether or not to create a new snapshot record
- Most Recent DOM Fuzzy Hash (str): the most recent DOM fuzzy hash
- Max Match Percentage (int): the maximum ssdeep match percentage identified

### Create Snapshot Record from Current Snapshot

This is used as part of workflow within the Potential Squatting Domain application. The Create Snapshot Record from Current Snapshot task is triggered via workflow and creates a snapshot record using the current record data. This task is essentially a pass-through that takes the inputs you've defined and outputs them so you can create a new record in the Snapshot application; the only addition is a Completed timestamp field, which is added as an output. There are several inputs for this task (too many to list here) and all are optional, but we recommend that you use as many as possible for your application.

### Deactivate All Potential Squatting Domains

This is used as part of workflow within the Monitored Domain application. The Deactivate All Potential Squatting Domains task is used to deactivate all potential squatting domains within the Monitored Domain application. The inputs for this task are defined below:

- Potential Squatting Domains Display Name (str): the field display name that represents the potential squatting domain(s) within Monitored Domain records. Default is `Potential Squatting Domains`.
- Scan Active Field Display Name (str): the field display name that represents whether there is an active scan on a record. Default is `Scan Active`.

This task will output the following:

- Deactivation Status (str): the deactivation status
- Completed (datetime): an ISO 8601 timestamp of when the task was completed

### Erase Current Snapshot Info

This is used as part of workflow within the Potential Squatting Domain application. The Erase Current Snapshot Info task is triggered via a widget/button and will erase data from the provided fields within a snapshot record. The inputs for this task are defined below:

- Field Names (list): the field display name(s) to erase data from. Default is: `Most Recent urlscan DOM`, `Most Recent urlscan JSON`, `urlscan Most Recent UUID`, `urlscan Result`, `urlscan Message`, `Create New Snapshot Record`, `Most Recent Status Code`, `Requests`, `Certificates`, `Domains Contacted`, `Countries Contacted`, `IPs Contacted`, `Link Domains`, `Servers Contacted`, `URLs Requested`, `Final URL`, `Links`, `Current Indicators`, `Current Landing Page Verdict`, `Current Associated IOC Verdict`, `Current Automated Verdict`, `Landing Page Submitted to Threat Intelligence`, `Associated IOCs Submitted to Threat Intelligence`, `Max Match Percentage`, `Most Recent urlscan Screenshot Attachment`, `Associated IOC Threat Intelligence Records`.

This task will output the following:

- Success (bool): whether the task was successful
- Errors (str): errors, if any occurred when running the task
- Completed (datetime): an ISO 8601 timestamp of when the task was completed

### Retrieve Associated Monitored Domain Record

This is used as part of workflow within the Potential Squatting Domain application. The Retrieve Associated Monitored Domain Record task retrieves all associated Monitored Domain records within the Potential Squatting Domain application. The inputs for this task are defined below:

- Reference Field Display Name (str): the field display name that represents the reference record of monitored domains. Default is `Monitored Domains`.
- Reference Field ID Display Name (str): the field display name that represents the Monitored Domain record ID. Default is `Monitored Domain Record ID`.

This task will output the following:

- Success (bool): whether the task was successful
- Errors (str): errors, if any occurred when running the task
- Completed (datetime): an ISO 8601 timestamp of when the task was completed

### Retrieve Associated Threat Intelligence Records

This is used as part of workflow within the Snapshot application. The Retrieve Associated Threat Intelligence Records task retrieves all associated threat intelligence records on a potential squatting domain. The inputs for this task are defined below:

- Landing Page Threat Intelligence Field Display Name (str): the field display name that represents a reference record containing a potential squatting domain's landing page record. Default is `Landing Page Threat Intelligence Records`.
- Landing Page Record IDs (list): a mapped field that contains a list of landing page record IDs
- Associated IOC Threat Intelligence Reference Record Display Name (str): the field display name that represents any associated threat intelligence via an Associated IOC reference record. Default is `Associated IOC Threat Intelligence Records`.
- Associated IOC Record IDs (list): a mapped field that contains a list of associated IOC record IDs

This task will output the following:

- Completed (datetime): an ISO 8601 timestamp of when the task was completed

## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | Internal URL of your Swimlane instance, i.e. "sw web 443", "sw web 4443" or the FQDN of the load balancer | string | Required |
| Swimlane API PAT | Personal Access Token (PAT) for an API/administrative user of Swimlane | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | Internal URL of your Swimlane instance, i.e. "sw web 443", "sw web 4443" or the FQDN of the load balancer | string | Required |
| Username | Username for an API/administrative user of Swimlane. Use with Password as an alternative to the API/Admin PAT | string | Required |
| Password | Password for an API/administrative user of Swimlane. Use with Username as an alternative to the API/Admin PAT | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Check Threat Intelligence Reputation

Checks a squatting domain against a threat intelligence application.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Landing Page Threat Intelligence Reference Display Name | string | Required | The display name of the landing page threat intelligence reference record |
| Landing Page Threat Intelligence Reference Verdict Field Display Name | string | Required | The display name of the landing page threat intelligence reference record verdict field |
| Associated IOC Threat Intelligence Reference Display Name | string | Required | The display name of the associated IOC threat intelligence reference record |
| Associated IOC Threat Intelligence Reference Verdict Field Display Name | string | Required | The display name of the associated IOC threat intelligence reference record verdict field |

Output:

| Parameter | Type | Description |
|---|---|---|
| Landing Page | string | Output field Landing Page |
| Associated IOC | string | Output field Associated IOC |
| Verdict | string | Output field Verdict |
| Completed | string | Output field Completed |

Example:

```json
[
  {
    "Landing Page": "Current Landing Page Verdict",
    "Associated IOC": "Current Associated IOC Verdict",
    "Verdict": "Current Automated Verdict",
    "Completed": "Tue, 24 Oct 2023 06:28:56 GMT"
  }
]
```

### Compare Current DOM Text to Previous DOM Hashes

Compares the current DOM text to previously captured DOM ssdeep hashes.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Most Recent DOM | string | Required | The most recent DOM |
| Previous Fuzzy Hashes | array | Required | Previous DOM fuzzy hashes |
| Snapshot Match Threshold | number | Optional | ssdeep snapshot match threshold (percentage) |

Output:

| Parameter | Type | Description |
|---|---|---|
| Previous DOM Fuzzy Hashes | array | Output field Previous DOM Fuzzy Hashes |
| Create New Snapshot Record | boolean | Output field Create New Snapshot Record |
| Most Recent DOM Fuzzy Hash | string | Output field Most Recent DOM Fuzzy Hash |
| Max Match Percentage | number | Output field Max Match Percentage |

Example:

```json
[
  {
    "Previous DOM Fuzzy Hashes": ["Previous DOM Fuzzy Hashes"],
    "Create New Snapshot Record": true,
    "Most Recent DOM Fuzzy Hash": "Most Recent DOM Fuzzy Hash",
    "Max Match Percentage": 3
  }
]
```

### Create Snapshot Record from Current Snapshot

Creates a new record in the Domain Squatting Snapshot application.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Screenshot Attachment | string | Optional | Screenshot attachment file |
| Most Recent DOM | string | Optional | The most recent DOM |
| urlscan Result | string | Optional | urlscan result |
| JSON | string | Optional | Most recent urlscan JSON |
| Requests | string | Optional | HTTP requests data |
| Certificates | string | Optional | Certificate data |
| Domains Contacted | array | Optional | Domains contacted |
| Countries Contacted | array | Optional | Countries contacted |
| IPs Contacted | array | Optional | IPs contacted |
| Link Domains | array | Optional | Link domains |
| Servers Contacted | array | Optional | Servers contacted |
| URLs Requested | array | Optional | URLs requested |
| Most Recent DOM Fuzzy Hash | string | Optional | Most recent DOM fuzzy hash |
| Final URL | string | Optional | Final URL |
| Potential Squatting Domain | string | Required | Potential squatting domain |
| Automated Verdict | string | Optional | Current automated verdict |
| Landing Page Verdict | string | Optional | Current landing page verdict |
| Associated IOC Verdict | string | Optional | Current associated IOC verdict |
| Analyst Verdict | string | Optional | Analyst verdict |
| Customer | string | Optional | Customer |
| Search Term | string | Optional | Search term |
| Search Term Match Methods | array | Optional | Search term match methods |
| WHOIS Information | string | Optional | WHOIS information |
| Max Match Percentage | number | Optional | Maximum match percentage |
| Most Recent Status Code | string | Optional | Most recent status code |

Output:

| Parameter | Type | Description |
|---|---|---|
| Screenshot Attachment | array | Output field Screenshot Attachment |
| File Name | string | Name of the resource |
| File | string | Output field File |
| Most Recent DOM | string | Output field Most Recent DOM |
| urlscan Result | string | URL endpoint for the request |
| JSON | string | Output field JSON |
| Requests | string | Output field Requests |
| Certificates | string | Output field Certificates |
| Domains Contacted | array | Output field Domains Contacted |
| Countries Contacted | array | Output field Countries Contacted |
| IPs Contacted | array | Output field IPs Contacted |
| Link Domains | array | Output field Link Domains |
| Servers Contacted | array | Output field Servers Contacted |
| URLs Requested | array | URL endpoint for the request |
| Most Recent DOM Fuzzy Hash | string | Output field Most Recent DOM Fuzzy Hash |
| Final URL | string | URL endpoint for the request |
| Potential Squatting Domain | string | Output field Potential Squatting Domain |
| Automated Verdict | string | Output field Automated Verdict |
| Landing Page Verdict | string | Output field Landing Page Verdict |
| Associated IOC Verdict | string | Output field Associated IOC Verdict |
| Analyst Verdict | string | Output field Analyst Verdict |
| Customer | string | Output field Customer |
| Search Term | string | Output field Search Term |
| Search Term Match Methods | array | HTTP method to use |
| WHOIS Information | string | Output field WHOIS Information |

Example:

```json
[
  {
    "Screenshot Attachment": [],
    "Most Recent DOM": "Most Recent DOM",
    "urlscan Result": "urlscan Result",
    "JSON": "Most Recent urlscan JSON",
    "Requests": "Requests",
    "Certificates": "Certificates",
    "Domains Contacted": ["Domains Contacted"],
    "Countries Contacted": ["Countries Contacted"],
    "IPs Contacted": ["IPs Contacted"],
    "Link Domains": ["Link Domains"],
    "Servers Contacted": ["Servers Contacted"],
    "URLs Requested": ["URLs Requested"],
    "Most Recent DOM Fuzzy Hash": "Most Recent DOM Fuzzy Hash",
    "Final URL": "Final URL",
    "Potential Squatting Domain": "Potential Squatting Domain"
  }
]
```

### Deactivate All Potential Squatting Domains

Deactivates all potential squatting domains.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Potential Squatting Domain Display Name | string | Required | Potential squatting domain field display name |
| Scan Active Field Display Name | string | Required | Scan active field display name |

Output:

| Parameter | Type | Description |
|---|---|---|
| Deactivated Records | array | Output field Deactivated Records |
| Completed | string | Output field Completed |

Example:

```json
[
  {
    "Deactivated Records": ["Deactivated Records"],
    "Completed": "Tue, 24 Oct 2023 06:28:56 GMT"
  }
]
```

### Erase Current Snapshot Info

Erases the current snapshot information.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Field Names | array | Optional | Field names to erase data from |

Output:

| Parameter | Type | Description |
|---|---|---|
| Success | boolean | Whether the operation was successful |
| Errors | string | Error message, if any |
| Completed | string | Output field Completed |

Example:

```json
[
  {
    "Success": true,
    "Errors": "Errors",
    "Completed": "Tue, 24 Oct 2023 06:28:56 GMT"
  }
]
```

### Find Potential Squatting Domains

Attempts to find potential squatting domains.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Monitored Domain Application Name | string | Required | Name of the application containing domains to monitor |
| Domain to Monitor Display Name | string | Required | Domain to monitor field display name |
| Search Active Display Name | string | Required | Search active field display name |
| Maximum Squatting Domains Display Name | string | Optional | Maximum potential squatting domains per day field display name |

Output:

| Parameter | Type | Description |
|---|---|---|
| Potential Squatting Domain | string | Output field Potential Squatting Domain |
| Monitored Domain Record ID | string | Unique identifier |
| Matched Domain | string | Output field Matched Domain |
| Search Term | string | Output field Search Term |
| Search Term Match Methods | array | HTTP method to use |

Example:

```json
[
  {
    "Potential Squatting Domain": "Potential Squatting Domain",
    "Monitored Domain Record ID": "Monitored Domain Record ID",
    "Matched Domain": "Matched Domain",
    "Search Term": "Search Term",
    "Search Term Match Methods": ["Search Term Match Methods"]
  }
]
```

### Refresh Active Potential Squatting Domains

Refreshes the record data of active potential squatting domains.

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Potential Squatting Domain App Name | string | Required | The Potential Squatting Domain application name |
| Scan Active Field Display Name | string | Required | The display name of the 'Scan Active' field |
| Status Field Display Name | string | Required | The display name of the 'Status' field |
| Target Status Field Display Name | string | Required | The target value for the defined status field |

Output:

| Parameter | Type | Description |
|---|---|---|
| Success | boolean | Whether the operation was successful |
| Errors | string | Error message, if any |
| Completed | string | Output field Completed |
| Records Refreshed | array | Output field Records Refreshed |

Example:

```json
[
  {
    "Success": true,
    "Errors": "Errors",
    "Completed": "Tue, 24 Oct 2023 06:28:56 GMT",
    "Records Refreshed": ["Records Refreshed"]
  }
]
```

### Retrieve Associated Record

Retrieves associated record(s).

Input arguments:

| Name | Type | Required | Description |
|---|---|---|---|
| Reference Record ID Display Name | string | Required | The display name of a list field containing record IDs |
| Reference Field Display Name | string | Required | The display name of the reference field that the record IDs will be mapped into |

Output:

| Parameter | Type | Description |
|---|---|---|
| Success | boolean | Whether the operation was successful |
| Errors | string | Error message, if any |
| Completed | string | Output field Completed |

Example:

```json
[
  {
    "Success": true,
    "Errors": "Errors",
    "Completed": "Tue, 24 Oct 2023 06:28:56 GMT"
  }
]
```
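The three match methods the Find Potential Squatting Domains task runs through dominions (contained in, Levenshtein, confusables), as an added worked example that is not the connector's or dominions' own code. The newly registered domains, the confusable table, the edit-distance limit of 2 and the output keys are all assumptions constructed here; a real run would feed WhoisDS data and the Swimlane field values in their place.

```python
import unicodedata

# Constructed sample of "newly registered" domains (not real WhoisDS data).
NEWLY_REGISTERED = [
    "swimlane-login.example",   # monitored label embedded in a longer label
    "swirnlane.example",        # "rn" renders like "m"
    "swimlame.example",         # one edit away
    "swim1ane.example",         # digit 1 for letter l
    "unrelated-shop.example",   # should not match
    "swiml\u0430ne.example",    # Cyrillic "a" (U+0430) for Latin "a"
]

# Assumption: a small subset of a real confusables table (multi-char first).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e",
               "5": "s", "\u0430": "a", "\u0435": "e", "\u043e": "o"}


def registrable_label(domain):
    """Left-most label, lower-cased: 'swimlane' from 'swimlane.example'."""
    return domain.strip().lower().split(".")[0]


def normalize_confusables(text):
    """Fold compatibility forms and known look-alikes to their ASCII targets."""
    text = unicodedata.normalize("NFKC", text)
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute all cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_methods(search_term, candidate, max_distance=2):
    """Return the list of methods (in task output order) by which a candidate matches."""
    label = registrable_label(candidate)
    methods = []
    if search_term in label:
        methods.append("contained in")
    if levenshtein(search_term, label) <= max_distance:
        methods.append("levenshtein")
    if label != search_term and normalize_confusables(label) == search_term:
        methods.append("confusables")
    return methods


def find_potential_squatting_domains(domain_to_monitor, newly_registered, max_per_day=None):
    """Mirror the task's outputs; max_per_day plays the role of the per-day cap field."""
    search_term = registrable_label(domain_to_monitor)
    results = []
    for candidate in newly_registered:
        if registrable_label(candidate) == search_term:
            continue  # the monitored domain itself is not a squat
        methods = match_methods(search_term, candidate)
        if methods:
            results.append({"domain_to_monitor": domain_to_monitor,
                            "matched_domain": candidate.lower(),
                            "search_term": search_term,
                            "search_term_match_methods": methods})
        if max_per_day is not None and len(results) >= max_per_day:
            break
    return results
```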
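The decision logic of the Compare Current DOM Hashes to Previous DOM Hashes task (fuzzy hash the newest DOM, take the best match against every earlier hash, create a new snapshot only when that best match falls below the 75 percent threshold), as an added example that is not the connector's own code. The connector uses ssdeep; to stay dependency-free this example substitutes a token-based fuzzy hash and a difflib similarity in its place, and the sample DOMs are constructed.

```python
import hashlib
import re
from difflib import SequenceMatcher

# Constructed landing-page DOMs: a login form, the same form with a retitled
# page, and a completely different "parked" page.
DOM_V1 = ("<html><head><title>Login</title></head><body><form action='/login'>"
          "<input name='user'><input name='pass'></form></body></html>")
DOM_V2 = DOM_V1.replace("<title>Login</title>", "<title>Sign in</title>")
DOM_V3 = ("<html><body><h1>Parked domain</h1><p>This domain is for sale.</p>"
          "</body></html>")


def fuzzy_hash(dom):
    """Stand-in for ssdeep: one short digest per tag/text token, joined by ':'."""
    tokens = [t for t in re.findall(r"<[^>]+>|[^<]+", dom) if t.strip()]
    return ":".join(hashlib.sha1(t.strip().encode()).hexdigest()[:6] for t in tokens)


def fuzzy_compare(hash_a, hash_b):
    """Stand-in for ssdeep.compare: similarity of the two token streams, 0-100."""
    ratio = SequenceMatcher(None, hash_a.split(":"), hash_b.split(":")).ratio()
    return int(round(100 * ratio))


def compare_dom_hashes(most_recent_dom, previous_fuzzy_hashes, snapshot_match_threshold=75):
    """Return the task's four outputs. previous_fuzzy_hashes may be a list or a
    comma/whitespace separated string, as the task accepts it as a string field."""
    if isinstance(previous_fuzzy_hashes, str):
        previous_fuzzy_hashes = [h for h in re.split(r"[\s,]+", previous_fuzzy_hashes) if h]
    current = fuzzy_hash(most_recent_dom)
    # No history at all means the page has never been captured: snapshot it.
    max_match = max((fuzzy_compare(current, h) for h in previous_fuzzy_hashes), default=0)
    updated = list(previous_fuzzy_hashes)
    if current not in updated:  # assumption: do not store exact duplicates
        updated.append(current)
    return {
        "previous_dom_fuzzy_hashes": updated,
        "create_new_snapshot_record": max_match < snapshot_match_threshold,
        "most_recent_dom_fuzzy_hash": current,
        "max_match_percentage": max_match,
    }
```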