DomainTools
The DomainTools connector enables automated access to domain profiling, threat investigation, and monitoring services, enriching security workflows with valuable DNS and domain intelligence.

DomainTools is a comprehensive suite for domain and DNS-based threat intelligence and investigation. The DomainTools connector for Swimlane Turbine enables users to automate domain risk assessment, watchlist management, and historical data retrieval. By integrating with DomainTools, security teams can enhance their incident response and threat hunting capabilities, leveraging domain profiling, reputation scoring, and reverse WHOIS lookups directly within Swimlane playbooks. This empowers users to rapidly identify and mitigate potential threats, streamline investigations, and maintain domain awareness without manual intervention.

## Prerequisites

To effectively use the DomainTools connector with Swimlane, ensure you have the following:

- API key authentication
  - URL: the endpoint URL for DomainTools API access
  - API Key: your unique identifier to authenticate with the DomainTools API

## Capabilities

The DomainTools connector has the following capabilities:

- Add and Remove Domain Watchlist
- Get Brand Monitor
- Get Domain Profile
- Get Hosting History
- Get Reputation
- Get Reverse IP
- Get Reverse Whois
- Get Whois
- Get Whois History

## Configurations

### DomainTools Intelligence API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | Required |
| API Username | Username | string | Optional |
| API Key | API key | string | Required |
| Verify SSL | Verify SSL certificate | boolean | Optional |
| HTTP Proxy | A proxy to route requests through | string | Optional |

## Actions

### Add and Remove Domain Watchlist

Adds or removes domains from the DomainTools watchlist, enabling tracking of recent DNS or WHOIS changes. Requires 'watchlist_domain_ids' and 'state'.

- Endpoint URL: `/v1/iris-detect/domains/`
- Method: PATCH

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| watchlist_domain_ids | array | Optional | ID(s) of domains being triaged |
| state | string | Optional | Add domains to watchlist or ignore and mute alerts for those domains |

#### Input example

```json
{"json_body":{"watchlist_domain_ids":["aalma1ooe0"],"state":"watched"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| watchlist_domains | array | Output field watchlist_domains |
| watchlist_domains.state | string | Output field watchlist_domains.state |
| watchlist_domains.domain | string | Output field watchlist_domains.domain |
| watchlist_domains.discovered_date | string | Date value |
| watchlist_domains.changed_date | string | Date value |
| watchlist_domains.id | string | Unique identifier |
| watchlist_domains.assigned_by | string | Output field watchlist_domains.assigned_by |
| watchlist_domains.assigned_date | string | Date value |

#### Output example

```json
{"status_code":200,"response_headers":{},"reason":"OK","json_body":{"watchlist_domains":[{}]}}
```

### Brand Monitor

Search new domain registrations globally for names containing specified brand or string using DomainTools.

- Endpoint URL: `v1/mark-alert`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.query | string | Required | Parameters for the Brand Monitor action |

#### Input example

```json
{"parameters":{"query":"domaintools"}}
```

### Domain Profile

Retrieve basic registration details and a preview of extended data for a specified domain using DomainTools.

- Endpoint URL: `/v1/{{domain}}`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | Required | Parameters for the Domain Profile action |

#### Input example

```json
{"path_parameters":{"domain":"domaintools.com"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.registrant | object | Response data |
| data.response.registrant.name | string | Response data |
| data.response.registrant.domains | number | Response data |
| data.response.registrant.product_url | string | Response data |
| data.response.server | object | Response data |
| data.response.server.ip_address | string | Response data |
| data.response.server.other_domains | number | Response data |
| data.response.server.product_url | string | Response data |
| data.response.registration | object | Response data |
| data.response.registration.created | string | Response data |
| data.response.registration.expires | string | Response data |
| data.response.registration.updated | string | Response data |
| data.response.registration.registrar | string | Response data |
| data.response.registration.statuses | array | Response data |
| data.response.name_servers | array | Response data |
| data.response.name_servers.server | string | Response data |
| data.response.name_servers.product_url | string | Response data |
| data.response.history | object | Response data |
| data.response.history.registrar | object | Response data |
| data.response.history.registrar.earliest_event | string | Response data |
| data.response.history.registrar.events | number | Response data |
| data.response.history.registrar.product_url | string | Response data |

#### Output example

```json
{"data":{"response":{"registrant":{},"server":{},"registration":{},"name_servers":[],"history":{},"seo":{},"website_data":{}}},"response_text":"string"}
```

### Domain Reputation

Retrieve a risk score for a specified domain from DomainTools, aiding in the assessment of its reputation.

- Endpoint URL: `v1/reputation`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.domain | string | Required | Parameters for the Domain Reputation action |

#### Input example

```json
{"parameters":{"domain":"domaintools.com"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.domain | string | Response data |
| data.response.risk_score | number | Response data |
| response_text | string | Output field response_text |
| reason | string | Response reason phrase |

#### Output example

```json
{"data":{"response":{"domain":"string","risk_score":123}},"response_text":"string"}
```

### Hosting History

Retrieve a domain's registrar, IP, and name server changes over time using DomainTools' Hosting History API. Requires the domain as a path parameter.

- Endpoint URL: `v1/{{domain}}/hosting-history`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | Required | Parameters for the Hosting History action |

#### Input example

```json
{"path_parameters":{"domain":"domaintools.com"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.domain_name | string | Response data |
| data.response.ip_history | array | Response data |
| data.response.ip_history.domain | string | Response data |
| data.response.ip_history.post_ip | string | Response data |
| data.response.ip_history.pre_ip | string | Response data |
| data.response.ip_history.action | string | Response data |
| data.response.ip_history.actiondate | string | Response data |
| data.response.ip_history.action_in_words | string | Response data |
| data.response.registrar_history | array | Response data |
| data.response.registrar_history.domain | string | Response data |
| data.response.registrar_history.date_updated | string | Response data |
| data.response.registrar_history.date_created | string | Response data |
| data.response.registrar_history.date_expires | string | Response data |
| data.response.registrar_history.date_lastchecked | string | Response data |
| data.response.registrar_history.registrar | string | Response data |
| data.response.registrar_history.registrartag | string | Response data |
| data.response.nameserver_history | array | Response data |
| data.response.nameserver_history.domain | string | Response data |
| data.response.nameserver_history.action | string | Response data |
| data.response.nameserver_history.actiondate | string | Response data |
| data.response.nameserver_history.action_in_words | string | Response data |
| data.response.nameserver_history.post_mns | string | Response data |

#### Output example

```json
{"data":{"response":{"domain_name":"example name","ip_history":[],"registrar_history":[],"nameserver_history":[]}},"response_text":"string"}
```

### Iris Detect New

Retrieve a list of monitors and their respective IDs associated with the current DomainTools account.

- Endpoint URL: `v1/iris-detect/domains/new/`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.monitor_id | string | Optional | Parameters for the Iris Detect New action |
| parameters.escalation_types | array | Optional | Parameters for the Iris Detect New action |
| parameters.tlds | array | Optional | Parameters for the Iris Detect New action |
| parameters.risk_score_ranges | array | Optional | Parameters for the Iris Detect New action |
| parameters.mx_exists | boolean | Optional | Parameters for the Iris Detect New action |
| parameters.domain_state | string | Optional | Parameters for the Iris Detect New action |
| parameters.discovered_since | string | Optional | Parameters for the Iris Detect New action |
| parameters.changed_since | string | Optional | Parameters for the Iris Detect New action |
| parameters.escalated_since | string | Optional | Parameters for the Iris Detect New action |
| parameters.search | string | Optional | Parameters for the Iris Detect New action |
| parameters.sort | array | Optional | Parameters for the Iris Detect New action |
| parameters.order | string | Optional | Parameters for the Iris Detect New action |
| parameters.offset | number | Optional | Parameters for the Iris Detect New action |
| parameters.limit | number | Optional | Parameters for the Iris Detect New action |
| parameters.preview | boolean | Optional | Parameters for the Iris Detect New action |

#### Input example

```json
{"parameters":{"monitor_id":"string","escalation_types":["string"],"tlds":["string"],"risk_score_ranges":["string"],"mx_exists":true,"domain_state":"string","discovered_since":"string","changed_since":"string","escalated_since":"string","search":"string","sort":["string"],"order":"string","offset":123,"limit":123,"preview":true}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| watchlist_domains | array | Output field watchlist_domains |
| watchlist_domains.file_name | string | Name of the resource |
| watchlist_domains.file | string | Output field watchlist_domains.file |
| total_count | number | Count value |
| count | number | Count value |
| offset | number | Output field offset |
| limit | number | Output field limit |

#### Output example

```json
{"watchlist_domains":[{"file_name":"example name","file":"string"}],"total_count":123,"count":123,"offset":123,"limit":123}
```

### Iris Enrich

Retrieve historical WHOIS information for a specified domain from DomainTools.

- Endpoint URL: `/v1/iris-enrich`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.domain | string | Required | Parameters for the Iris Enrich action |

#### Input example

```json
{"parameters":{"domain":"google.com"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.limit_exceeded | boolean | Response data |
| data.response.message | string | Response data |
| data.response.results_count | number | Response data |
| data.response.results | array | Response data |
| data.response.results.domain | string | Response data |
| data.response.results.whois_url | string | Response data |
| data.response.results.adsense | object | Response data |
| data.response.results.adsense.value | string | Response data |
| data.response.results.alexa | number | Response data |
| data.response.results.popularity_rank | number | Response data |
| data.response.results.active | boolean | Response data |
| data.response.results.google_analytics | object | Response data |
| data.response.results.google_analytics.value | string | Response data |
| data.response.results.admin_contact | object | Response data |
| data.response.results.admin_contact.name | object | Response data |
| data.response.results.admin_contact.org | object | Response data |
| data.response.results.admin_contact.street | object | Response data |
| data.response.results.admin_contact.city | object | Response data |
| data.response.results.admin_contact.state | object | Response data |
| data.response.results.admin_contact.postal | object | Response data |
| data.response.results.admin_contact.country | object | Response data |
| data.response.results.admin_contact.phone | object | Response data |

#### Output example

```json
{"data":{"response":{"limit_exceeded":true,"message":"string","results_count":123,"results":[],"missing_domains":[]}},"response_text":"string"}
```

### Iris Investigate

Orchestrate and investigate domain related use cases at human scale with DomainTools.

- Endpoint URL: `v1/iris-investigate`
- Method: POST

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.active | boolean | Optional | Parameters for the Iris Investigate action |
| parameters.adsense | string | Optional | Parameters for the Iris Investigate action |
| parameters.create_date | string | Optional | Parameters for the Iris Investigate action |
| parameters.data_updated_after | string | Optional | Parameters for the Iris Investigate action |
| parameters.domain | string | Optional | Parameters for the Iris Investigate action |
| parameters.email | string | Optional | Parameters for the Iris Investigate action |
| parameters.email_domain | string | Optional | Parameters for the Iris Investigate action |
| parameters.expiration_date | string | Optional | Parameters for the Iris Investigate action |
| parameters.google_analytics | string | Optional | Parameters for the Iris Investigate action |
| parameters.ip | string | Optional | Parameters for the Iris Investigate action |
| parameters.mailserver_domain | string | Optional | Parameters for the Iris Investigate action |
| parameters.mailserver_host | string | Optional | Parameters for the Iris Investigate action |
| parameters.mailserver_ip | string | Optional | Parameters for the Iris Investigate action |
| parameters.nameserver_domain | string | Optional | Parameters for the Iris Investigate action |
| parameters.nameserver_host | string | Optional | Parameters for the Iris Investigate action |
| parameters.nameserver_ip | string | Optional | Parameters for the Iris Investigate action |
| parameters.not_tagged_with_all | string | Optional | Parameters for the Iris Investigate action |
| parameters.not_tagged_with_any | string | Optional | Parameters for the Iris Investigate action |
| parameters.position | string | Optional | Parameters for the Iris Investigate action |
| parameters.redirect_domain | string | Optional | Parameters for the Iris Investigate action |
| parameters.registrant | string | Optional | Parameters for the Iris Investigate action |
| parameters.registrant_org | string | Optional | Parameters for the Iris Investigate action |
| parameters.registrar | string | Optional | Parameters for the Iris Investigate action |
| parameters.search_hash | string | Optional | Parameters for the Iris Investigate action |
| parameters.ssl_email | string | Optional | Parameters for the Iris Investigate action |

#### Input example

```json
{"parameters":{"active":true,"adsense":"string","create_date":"string","data_updated_after":"string","domain":"string","email":"user@example.com","email_domain":"string","expiration_date":"string","google_analytics":"string","ip":"string","mailserver_domain":"string","mailserver_host":"string","mailserver_ip":"string","nameserver_domain":"example name","nameserver_host":"example name","nameserver_ip":"example name","not_tagged_with_all":"string","not_tagged_with_any":"string","position":"string","redirect_domain":"string","registrant":"string","registrant_org":"string","registrar":"string","search_hash":"string","ssl_email":"string","ssl_hash":"string","ssl_org":"string","ssl_subject":"string","tagged_with_all":"string","tagged_with_any":"string","tld":"string"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response | object | Output field response |
| response.limit_exceeded | boolean | Output field response.limit_exceeded |
| response.has_more_results | boolean | Result of the operation |
| response.message | string | Response message |
| response.results_count | number | Result of the operation |
| response.total_count | number | Count value |
| response.results | array | Result of the operation |
| response.results.domain | string | Result of the operation |
| response.results.whois_url | string | URL endpoint for the request |
| response.results.adsense | object | Result of the operation |
| response.results.adsense.value | string | Value for the parameter |
| response.results.adsense.count | number | Result of the operation |
| response.results.alexa | number | Result of the operation |
| response.results.popularity_rank | string | Result of the operation |
| response.results.active | boolean | Result of the operation |
| response.results.google_analytics | object | Result of the operation |
| response.results.google_analytics.value | string | Value for the parameter |
| response.results.google_analytics.count | number | Result of the operation |
| response.results.admin_contact | object | Result of the operation |
| response.results.admin_contact.name | object | Name of the resource |
| response.results.admin_contact.name.value | string | Name of the resource |
| response.results.admin_contact.name.count | number | Name of the resource |
| response.results.admin_contact.org | object | Result of the operation |

#### Output example

```json
{"response":{"limit_exceeded":true,"has_more_results":true,"message":"string","results_count":123,"total_count":123,"results":[{}],"missing_domains":[{}]}}
```

### Reverse IP

Retrieve a list of domain names hosted on the same IP address, requiring the 'domain' as a path parameter.

- Endpoint URL: `v1/{{domain}}/reverse-ip`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | Required | Parameters for the Reverse IP action |

#### Input example

```json
{"path_parameters":{"domain":"domaintools.com"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.ip_addresses | array | Response data |
| data.response.ip_addresses.ip_address | string | Response data |
| data.response.ip_addresses.domain_count | number | Response data |
| data.response.ip_addresses.domain_names | array | Response data |
| data.response.ip_addresses.domain_names.file_name | string | Response data |
| data.response.ip_addresses.domain_names.file | string | Response data |
| response_text | string | Output field response_text |
| reason | string | Response reason phrase |

#### Output example

```json
{"data":{"response":{"ip_addresses":[]}},"response_text":"string"}
```

### Reverse Whois

Retrieve a list of domain names with matching registrant information using DomainTools' Reverse Whois API, requiring specific search terms.

- Endpoint URL: `v1/reverse-whois`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| parameters.terms | string | Required | Parameters for the Reverse Whois action |
| parameters.mode | string | Optional | Parameters for the Reverse Whois action |

#### Input example

```json
{"parameters":{"terms":"DomainTools LLC|Seattle","mode":"purchase"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.domain_count | object | Response data |
| data.response.domain_count.current | number | Response data |
| data.response.domain_count.historic | number | Response data |
| data.response.report_price | object | Response data |
| data.response.report_price.current | number | Response data |
| data.response.report_price.historic | number | Response data |
| data.response.domains | array | Response data |
| response_text | string | Output field response_text |
| reason | string | Response reason phrase |

#### Output example

```json
{"data":{"response":{"domain_count":{},"report_price":{},"domains":[]}},"response_text":"string"}
```

### Who Is

Retrieve WHOIS information for a specified IP address using DomainTools.

- Endpoint URL: `/v1/{{ip}}/whois`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.ip | string | Required | Parameters for the Who Is action |

#### Input example

```json
{"path_parameters":{"ip":"8.8.8.8"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| response | object | Output field response |
| response.registrant | string | Output field response.registrant |
| response.registration | object | Output field response.registration |
| response.registration.created | string | Output field response.registration.created |
| response.registration.expires | string | Output field response.registration.expires |
| response.registration.updated | string | Output field response.registration.updated |
| response.registration.registrar | string | Output field response.registration.registrar |
| response.registration.statuses | array | Status value |
| response.name_servers | array | Name of the resource |
| response.whois | object | Output field response.whois |
| response.whois.date | string | Date value |
| response.whois.record | string | Output field response.whois.record |
| response.record_source | string | Output field response.record_source |

#### Output example

```json
{"response":{"registrant":"string","registration":{"created":"2024-01-01T00:00:00Z","expires":"string","updated":"2024-01-01T00:00:00Z","registrar":"string","statuses":[]},"name_servers":["string"],"whois":{"date":"2024-01-01T00:00:00Z","record":"string"},"record_source":"string"}}
```

### Whois History

Retrieve the latest historical WHOIS records for a domain, sorted by record date in descending order by default.

- Endpoint URL: `v1/{{domain}}/whois/history`
- Method: GET

#### Input argument

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.domain | string | Required | Parameters for the Whois History action |

#### Input example

```json
{"path_parameters":{"domain":"domaintools.com"}}
```

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| data | object | Response data |
| data.response | object | Response data |
| data.response.record_count | number | Response data |
| data.response.history | array | Response data |
| data.response.history.date | string | Response data |
| data.response.history.is_private | number | Response data |
| data.response.history.whois | object | Response data |
| data.response.history.whois.registrant | string | Response data |
| data.response.history.whois.registration | object | Response data |
| data.response.history.whois.name_servers | array | Response data |
| data.response.history.whois.server | string | Response data |
| data.response.history.whois.record | string | Response data |
| response_text | string | Output field response_text |
| reason | string | Response reason phrase |

#### Output example

```json
{"data":{"response":{"record_count":123,"history":[]}},"response_text":"string"}
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| Cache-Control | Directives for caching mechanisms | |
| Content-Encoding | HTTP response header Content-Encoding | |
| Content-Type | The media type of the resource | application/json |
| Date | The date and time at which the message was originated | Thu, 01 Jan 2024 00:00:00 GMT |
| Expires | The date/time after which the response is considered stale | |
| Pragma | HTTP response header Pragma | |
| Server | Information about the software used by the origin server | |
| Set-Cookie | HTTP response header Set-Cookie | |
| Transfer-Encoding | HTTP response header Transfer-Encoding | |
| Vary | HTTP response header Vary | |
| X-Time | HTTP response header X-Time | |
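
The Domain Reputation output and the Add and Remove Domain Watchlist input described above can be chained in a playbook step. The following is an added example, not Swimlane or DomainTools code: it validates each reputation result before building the watchlist request, and routes anything it cannot verify to manual review instead of silently dropping it. Assumptions: snake_case key names (`status_code`, `risk_score`, `json_body`, `watchlist_domain_ids`), the `ignored` state value, the threshold of 70, the function names, and a caller-supplied mapping from domain name to Iris Detect domain ID.

```python
WATCH_THRESHOLD = 70                   # hypothetical cut-off; tune per environment
VALID_STATES = ("watched", "ignored")  # "ignored" is assumed; the page shows only "watched"


def extract_risk_score(action_output):
    """Return (domain, risk_score) from one Domain Reputation output, or raise ValueError."""
    status = action_output.get("status_code")
    if status != 200:
        raise ValueError(f"unexpected status_code: {status!r}")
    response = (action_output.get("data") or {}).get("response")
    if not isinstance(response, dict):
        raise ValueError("missing data.response")
    domain, score = response.get("domain"), response.get("risk_score")
    if not isinstance(domain, str) or not domain:
        raise ValueError("missing data.response.domain")
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        raise ValueError(f"{domain}: risk_score is not numeric ({score!r})")
    return domain.lower(), score


def build_watchlist_input(domain_ids, state):
    """Build the input for the watchlist action; refuse unknown states and empty ID lists."""
    if state not in VALID_STATES:
        raise ValueError(f"unsupported state: {state!r}")
    ids = list(dict.fromkeys(i for i in domain_ids if isinstance(i, str) and i))
    if not ids:
        raise ValueError("no watchlist domain ids to send")
    return {"json_body": {"watchlist_domain_ids": ids, "state": state}}


def triage(reputation_outputs, id_by_domain, threshold=WATCH_THRESHOLD):
    """Turn reputation results into one 'watched' request plus a manual-review list."""
    watch_ids, review = [], []
    for output in reputation_outputs:
        try:
            domain, score = extract_risk_score(output)
        except ValueError as exc:
            review.append(str(exc))   # fail closed: unverifiable results go to an analyst
            continue
        if score < threshold:
            continue                  # low score: leave the domain's state untouched
        if domain in id_by_domain:
            watch_ids.append(id_by_domain[domain])
        else:
            review.append(f"{domain}: score {score} but no Iris Detect id known")
    request = build_watchlist_input(watch_ids, "watched") if watch_ids else None
    return {"request": request, "review": review}


# Constructed sample action outputs (not real DomainTools data).
SAMPLE_OUTPUTS = [
    {"status_code": 200, "reason": "OK",
     "data": {"response": {"domain": "login-example.test", "risk_score": 93}}},
    {"status_code": 200, "reason": "OK",
     "data": {"response": {"domain": "docs-example.test", "risk_score": 12}}},
    {"status_code": 200, "reason": "OK",
     "data": {"response": {"domain": "cdn-example.test", "risk_score": 88}}},
    {"status_code": 503, "reason": "Service Unavailable", "data": {}},
    {"status_code": 200, "reason": "OK",
     "data": {"response": {"domain": "odd-example.test", "risk_score": None}}},
]
# The ID string is the one from the page's input example; the domain is constructed.
SAMPLE_IDS = {"login-example.test": "aalma1ooe0"}

if __name__ == "__main__":
    print(triage(SAMPLE_OUTPUTS, SAMPLE_IDS))
```
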