DomainTools
The DomainTools connector enables automated access to domain profiling, threat investigation, and monitoring services, enriching security workflows with valuable DNS and domain intelligence.

DomainTools is a comprehensive suite for domain and DNS based threat intelligence and investigation. The DomainTools connector for Swimlane Turbine enables users to automate domain risk assessment, watchlist management, and historical data retrieval. By integrating with DomainTools, security teams can enhance their incident response and threat hunting capabilities, leveraging domain profiling, reputation scoring, and reverse WHOIS lookups directly within Swimlane playbooks. This empowers users to rapidly identify and mitigate potential threats, streamline investigations, and maintain domain awareness without manual intervention.

## Prerequisites

To effectively use the DomainTools connector with Swimlane, ensure you have the following:

- API key authentication:
  - URL: the endpoint URL for DomainTools API access
  - API Key: your unique identifier to authenticate with the DomainTools API

## Capabilities

The DomainTools connector has the following capabilities:

- Add and Remove Domain Watchlist
- Get Brand Monitor
- Get Domain Profile
- Get Hosting History
- Get Reputation
- Get Reverse IP
- Get Reverse WHOIS
- Get WHOIS
- Get WHOIS History

## Configurations

### DomainTools Intelligence API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| API Username | Username | string | Optional |
| API Key | API key | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add and Remove Domain Watchlist

Adds or removes domains from the DomainTools watchlist, enabling tracking of recent DNS or WHOIS changes. Requires 'watchlist_domain_ids' and 'state'.

Endpoint URL: `/v1/iris-detect/domains/`

Method: PATCH

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `watchlist_domain_ids` | array | Required | ID(s) of domains being triaged |
| `state` | string | Required | Add domains to watchlist or ignore and mute alerts for those domains |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `watchlist_domains` | array | Output field watchlist_domains |
| `state` | string | Output field state |
| `domain` | string | Output field domain |
| `discovered_date` | string | Date value |
| `changed_date` | string | Date value |
| `id` | string | Unique identifier |
| `assigned_by` | string | Output field assigned_by |
| `assigned_date` | string | Date value |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "watchlist_domains": []
    }
  }
]
```

### Brand Monitor

Search new domain registrations globally for names containing specified brand or string using DomainTools.

Endpoint URL: `v1/mark-alert`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `query` | string | Required | Parameter for Brand Monitor |

### Domain Profile

Retrieve basic registration details and a preview of extended data for a specified domain using DomainTools.

Endpoint URL: `/v1/{{domain}}`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for Domain Profile |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `registrant` | object | Output field registrant |
| `name` | string | Name of the resource |
| `domains` | number | Output field domains |
| `product_url` | string | URL endpoint for the request |
| `server` | object | Output field server |
| `ip_address` | string | Output field ip_address |
| `other_domains` | number | Output field other_domains |
| `product_url` | string | URL endpoint for the request |
| `registration` | object | Output field registration |
| `created` | string | Output field created |
| `expires` | string | Output field expires |
| `updated` | string | Output field updated |
| `registrar` | string | Output field registrar |
| `statuses` | array | Status value |
| `name_servers` | array | Name of the resource |
| `server` | string | Output field server |
| `product_url` | string | URL endpoint for the request |
| `history` | object | Output field history |
| `registrar` | object | Output field registrar |
| `earliest_event` | string | Output field earliest_event |
| `events` | number | Output field events |
| `product_url` | string | URL endpoint for the request |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

### Domain Reputation

Retrieve a risk score for a specified domain from DomainTools, aiding in the assessment of its reputation.

Endpoint URL: `v1/reputation`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for Domain Reputation |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `domain` | string | Output field domain |
| `risk_score` | number | Score value |
| `response_text` | string | Output field response_text |
| `reason` | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

### Hosting History

Retrieve a domain's registrar, IP, and name server changes over time using DomainTools' Hosting History API. Requires the domain as a path parameter.

Endpoint URL: `v1/{{domain}}/hosting-history`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for Hosting History |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `domain_name` | string | Name of the resource |
| `ip_history` | array | Output field ip_history |
| `domain` | string | Output field domain |
| `post_ip` | string | Output field post_ip |
| `pre_ip` | string | Output field pre_ip |
| `action` | string | Output field action |
| `actiondate` | string | Date value |
| `action_in_words` | string | Output field action_in_words |
| `registrar_history` | array | Output field registrar_history |
| `domain` | string | Output field domain |
| `date_updated` | string | Output field date_updated |
| `date_created` | string | Output field date_created |
| `date_expires` | string | Output field date_expires |
| `date_lastchecked` | string | Output field date_lastchecked |
| `registrar` | string | Output field registrar |
| `registrartag` | string | Output field registrartag |
| `nameserver_history` | array | Name of the resource |
| `domain` | string | Output field domain |
| `action` | string | Output field action |
| `actiondate` | string | Date value |
| `action_in_words` | string | Output field action_in_words |
| `post_mns` | string | Output field post_mns |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

### Iris Detect New

Retrieve a list of monitors and their respective IDs associated with the current DomainTools account.

Endpoint URL: `v1/iris-detect/domains/new/`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `monitor_id` | string | Optional | Unique identifier |
| `escalation_types` | array | Optional | Type of the resource |
| `tlds` | array | Optional | Parameter for Iris Detect New |
| `risk_score_ranges` | array | Optional | Parameter for Iris Detect New |
| `mx_exists` | boolean | Optional | Parameter for Iris Detect New |
| `domain_state` | string | Optional | Parameter for Iris Detect New |
| `discovered_since` | string | Optional | Parameter for Iris Detect New |
| `changed_since` | string | Optional | Parameter for Iris Detect New |
| `escalated_since` | string | Optional | Parameter for Iris Detect New |
| `search` | string | Optional | Parameter for Iris Detect New |
| `sort` | array | Optional | Parameter for Iris Detect New |
| `order` | string | Optional | Parameter for Iris Detect New |
| `offset` | number | Optional | Parameter for Iris Detect New |
| `limit` | number | Optional | Parameter for Iris Detect New |
| `preview` | boolean | Optional | Parameter for Iris Detect New |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `watchlist_domains` | array | Output field watchlist_domains |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `total_count` | number | Count value |
| `count` | number | Count value |
| `offset` | number | Output field offset |
| `limit` | number | Output field limit |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "watchlist_domains": [],
      "total_count": 123,
      "count": 123,
      "offset": 123,
      "limit": 123
    }
  }
]
```

### Iris Enrich

Retrieve historical WHOIS information for a specified domain from DomainTools.

Endpoint URL: `/v1/iris-enrich`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for Iris Enrich |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `limit_exceeded` | boolean | Output field limit_exceeded |
| `message` | string | Response message |
| `results_count` | number | Result of the operation |
| `results` | array | Result of the operation |
| `domain` | string | Output field domain |
| `whois_url` | string | URL endpoint for the request |
| `adsense` | object | Output field adsense |
| `value` | string | Value for the parameter |
| `alexa` | number | Output field alexa |
| `popularity_rank` | number | Output field popularity_rank |
| `active` | boolean | Output field active |
| `google_analytics` | object | Output field google_analytics |
| `value` | string | Value for the parameter |
| `admin_contact` | object | Output field admin_contact |
| `name` | object | Name of the resource |
| `org` | object | Output field org |
| `street` | object | Output field street |
| `city` | object | Output field city |
| `state` | object | Output field state |
| `postal` | object | Output field postal |
| `country` | object | Output field country |
| `phone` | object | Output field phone |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

### Iris Investigate

Orchestrate and investigate domain related use cases at human scale with DomainTools.

Endpoint URL: `v1/iris-investigate`

Method: POST

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `active` | boolean | Optional | Parameter for Iris Investigate |
| `adsense` | string | Optional | Parameter for Iris Investigate |
| `create_date` | string | Optional | Date value |
| `data_updated_after` | string | Optional | Response data |
| `domain` | string | Optional | Parameter for Iris Investigate |
| `email` | string | Optional | Parameter for Iris Investigate |
| `email_domain` | string | Optional | Parameter for Iris Investigate |
| `expiration_date` | string | Optional | Date value |
| `google_analytics` | string | Optional | Parameter for Iris Investigate |
| `ip` | string | Optional | Parameter for Iris Investigate |
| `mailserver_domain` | string | Optional | Parameter for Iris Investigate |
| `mailserver_host` | string | Optional | Parameter for Iris Investigate |
| `mailserver_ip` | string | Optional | Parameter for Iris Investigate |
| `nameserver_domain` | string | Optional | Name of the resource |
| `nameserver_host` | string | Optional | Name of the resource |
| `nameserver_ip` | string | Optional | Name of the resource |
| `not_tagged_with_all` | string | Optional | Parameter for Iris Investigate |
| `not_tagged_with_any` | string | Optional | Parameter for Iris Investigate |
| `position` | string | Optional | Parameter for Iris Investigate |
| `redirect_domain` | string | Optional | Parameter for Iris Investigate |
| `registrant` | string | Optional | Parameter for Iris Investigate |
| `registrant_org` | string | Optional | Parameter for Iris Investigate |
| `registrar` | string | Optional | Parameter for Iris Investigate |
| `search_hash` | string | Optional | Parameter for Iris Investigate |
| `ssl_email` | string | Optional | Parameter for Iris Investigate |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `reason` | string | Response reason phrase |
| `response` | object | Output field response |
| `limit_exceeded` | boolean | Output field limit_exceeded |
| `has_more_results` | boolean | Result of the operation |
| `message` | string | Response message |
| `results_count` | number | Result of the operation |
| `total_count` | number | Count value |
| `results` | array | Result of the operation |
| `domain` | string | Output field domain |
| `whois_url` | string | URL endpoint for the request |
| `adsense` | object | Output field adsense |
| `value` | string | Value for the parameter |
| `count` | number | Count value |
| `alexa` | number | Output field alexa |
| `popularity_rank` | string | Output field popularity_rank |
| `active` | boolean | Output field active |
| `google_analytics` | object | Output field google_analytics |
| `value` | string | Value for the parameter |
| `count` | number | Count value |
| `admin_contact` | object | Output field admin_contact |
| `name` | object | Name of the resource |
| `value` | string | Value for the parameter |
| `count` | number | Count value |
| `org` | object | Output field org |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "json_body": {
      "response": {}
    }
  }
]
```

### Reverse IP

Retrieve a list of domain names hosted on the same IP address, requiring the 'domain' as a path parameter.

Endpoint URL: `v1/{{domain}}/reverse-ip`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for Reverse IP |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `ip_addresses` | array | Output field ip_addresses |
| `ip_address` | string | Output field ip_address |
| `domain_count` | number | Count value |
| `domain_names` | array | Name of the resource |
| `file_name` | string | Name of the resource |
| `file` | string | Output field file |
| `response_text` | string | Output field response_text |
| `reason` | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

### Reverse WHOIS

Retrieve a list of domain names with matching registrant information using DomainTools' Reverse WHOIS API, requiring specific search terms.

Endpoint URL: `v1/reverse-whois`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `terms` | string | Required | Parameter for Reverse WHOIS |
| `mode` | string | Optional | Parameter for Reverse WHOIS |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `domain_count` | object | Count value |
| `current` | number | Output field current |
| `historic` | number | Output field historic |
| `report_price` | object | Output field report_price |
| `current` | number | Output field current |
| `historic` | number | Output field historic |
| `domains` | array | Output field domains |
| `response_text` | string | Output field response_text |
| `reason` | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

### Who Is

Retrieve WHOIS information for a specified IP address using DomainTools.

Endpoint URL: `/v1/{{ip}}/whois`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `ip` | string | Required | Parameter for Who Is |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `response` | object | Output field response |
| `registrant` | string | Output field registrant |
| `registration` | object | Output field registration |
| `created` | string | Output field created |
| `expires` | string | Output field expires |
| `updated` | string | Output field updated |
| `registrar` | string | Output field registrar |
| `statuses` | array | Status value |
| `name_servers` | array | Name of the resource |
| `whois` | object | Output field whois |
| `date` | string | Date value |
| `record` | string | Output field record |
| `record_source` | string | Output field record_source |

Example:

```json
[
  {
    "response": {
      "registrant": "string",
      "registration": {},
      "name_servers": [],
      "whois": {},
      "record_source": "string"
    }
  }
]
```

### WHOIS History

Retrieve the latest historical WHOIS records for a domain, sorted by record date in descending order by default.

Endpoint URL: `v1/{{domain}}/whois/history`

Method: GET

Input argument:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| `domain` | string | Required | Parameter for WHOIS History |

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| `status_code` | number | HTTP status code of the response |
| `data` | object | Response data |
| `response` | object | Output field response |
| `record_count` | number | Count value |
| `history` | array | Output field history |
| `date` | string | Date value |
| `is_private` | number | Output field is_private |
| `whois` | object | Output field whois |
| `registrant` | string | Output field registrant |
| `registration` | object | Output field registration |
| `name_servers` | array | Name of the resource |
| `server` | string | Output field server |
| `record` | string | Output field record |
| `response_text` | string | Output field response_text |
| `reason` | string | Response reason phrase |

Example:

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "Content-Type": "application/json",
      "Date": "Thu, 01 Jan 2024 00:00:00 GMT"
    },
    "reason": "OK",
    "data": {
      "response": {}
    },
    "response_text": "string"
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Expires | The date/time after which the response is considered stale | |
| Pragma | HTTP response header Pragma | |
| Server | Information about the software used by the origin server | |
| Set-Cookie | HTTP response header Set-Cookie | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| Vary | HTTP response header Vary | |
| X-Time | HTTP response header X-Time | |