Cortex XSOAR Integration · In partnership with Palo Alto Networks

Investigate Threats Faster Inside Cortex XSOAR.

Stop switching tools mid-investigation. DomainTools brings DNS enrichment, infrastructure pivoting, and predictive risk scoring directly into the War Room so your team can detect, investigate, and respond faster.

The Problem

Security analysts are forced into workflows that are manual, repetitive, and require constant attentiveness. Switching between tools to investigate a domain adds friction and time to every incident. One detail overlooked can have serious consequences.

Why DomainTools for Cortex XSOAR
Everything your analysts need. Right where they work.

Purpose built for investigation and response teams running Cortex XSOAR.

Seamless Integration

Domain intelligence surfaces directly inside the Cortex XSOAR War Room. No separate tools, no tab switching. Analysts stay in their workflow from triage to resolution.

Automated Enrichment

Automate playbooks for enrichment of DNS observables. Trigger IoC investigations, block threats based on connected infrastructure, and persist enriched intelligence automatically.

Rapid Response

Reduce reaction time when extracting and containing potentially harmful information from malicious payloads and network activity.

How it works
From alert to investigation in seconds.
Install from the Cortex Marketplace

Download the DomainTools Iris Investigate pack directly from the Cortex Marketplace. Requires a DomainTools Iris Investigate API key. Compatible with Cortex XSOAR 6.6.0 and later.

Configure in minutes

Navigate to Settings and Integrations. Search for DomainTools Iris and add a new instance. Enter your API username and key. Set your preferred risk threshold and Guided Pivot threshold parameters.

Investigate from the War Room

Run DomainTools commands directly in the War Room. Enrich domain indicators, retrieve full Iris profiles, pivot on infrastructure, and surface risk scores without leaving the incident.

Automate with pre-built playbooks

Deploy any of the 6 pre-built playbooks to automate enrichment, risk monitoring, domain pivoting, and tagging workflows across your SOC.

Capabilities
What analysts can do

The full suite of DomainTools capabilities available directly within Cortex XSOAR.

Complete Domain Profiles

Fetch a full Iris Investigate profile for any domain including IP addresses, nameservers, mail servers, SSL certificate details and tracking codes, email addresses from DNS SOA records, Whois and RDAP data, and passive DNS history.

Guided Pivot Counts

Iris Investigate surfaces which infrastructure pivots are most likely to yield relevant connections. Pivot on IP, email, nameserver, mail server, or SSL hash using the domaintools-iris-pivot command to cut dead ends in any investigation.

Predictive Risk Scoring

ML classifiers score domains across phishing, malware, spam, and proximity to malicious infrastructure, often within seconds of creation. Individual classifier scores are returned so analysts know exactly why a domain is flagged.

Domain Tagging and Monitoring

Tag domains in Iris Investigate and have them automatically monitored in XSOAR. Incidents containing tagged identifiers are automatically escalated, enabling cross-team SOC collaboration without manual tracking.

Auto Enrichment and Domain Verdict

Configure the DomainTools domain command as the auto enrichment reputation command for domain indicators. Every domain encountered contributes automatically to Cortex's DBot Score and Domain.Malicious context fields.
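As an added illustration (not DomainTools' or Palo Alto Networks' code) of how the risk score and the configured risk threshold from the two sections above can feed a DBot Score and Domain.Malicious verdict, the snippet below runs a constructed Iris-style response through a reputation-style check; the response layout and field names are assumptions modelled on Iris Investigate output, not verified pack output.

```python
# Added illustration, not DomainTools' or Palo Alto Networks' code: map an
# Iris risk score plus the instance's risk threshold onto a DBotScore and a
# Domain.Malicious entry. Field names below are assumed (constructed sample).

DBOT_UNKNOWN, DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 0, 1, 2, 3  # XSOAR scale

SAMPLE_IRIS_RESPONSE = {  # constructed sample response, not real API output
    "results": [
        {"domain": "example-login-verify.test",
         "domain_risk": {"risk_score": 87, "components": [
             {"name": "phishing", "risk_score": 87},
             {"name": "malware", "risk_score": 12},
             {"name": "proximity", "risk_score": 40}]}},
        {"domain": "benign-site.test",
         "domain_risk": {"risk_score": 5, "components": []}},
    ]
}

def verdict(result, risk_threshold=70, suspicious_floor=40):
    """Return (dbot_score, is_malicious, top_component) for one Iris result.
    At or above risk_threshold -> bad; between suspicious_floor and the
    threshold -> suspicious; below the floor -> good; no score -> unknown."""
    risk = result.get("domain_risk") or {}
    score = risk.get("risk_score")
    comps = risk.get("components") or []
    top = max(comps, key=lambda c: c["risk_score"])["name"] if comps else None
    if score is None:
        return DBOT_UNKNOWN, False, top
    if score >= risk_threshold:
        return DBOT_BAD, True, top
    if score >= suspicious_floor:
        return DBOT_SUSPICIOUS, False, top
    return DBOT_GOOD, False, top

def build_context(response, risk_threshold=70):
    """Build per-domain context entries like those a reputation command sets."""
    ctx = {}
    for r in response.get("results", []):
        dbot, malicious, top = verdict(r, risk_threshold)
        entry = {"DBotScore": {"Indicator": r["domain"], "Type": "domain",
                               "Vendor": "DomainTools Iris", "Score": dbot}}
        if malicious:  # Malicious context is set only on a bad verdict
            entry["Domain.Malicious"] = {
                "Vendor": "DomainTools Iris",
                "Description": f"risk {r['domain_risk']['risk_score']} >= "
                               f"{risk_threshold} (top classifier: {top})"}
        ctx[r["domain"]] = entry
    return ctx
```

The top-scoring classifier is carried into the Malicious description so the analyst sees why the domain was flagged, mirroring the per-classifier scores the integration returns.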

Persistent Enriched Intelligence

DomainTools data is stored in the XSOAR indicator table for persistent enrichment. Automatically keep track of investigations performed for convenient incident reporting.

Pre-Built Playbooks
Automate from day one.

Six ready-to-use playbooks cover the most common DomainTools workflows. Deploy as-is or customize for your environment.

DomainTools Auto Pivots

Retrieves the Iris Investigate profile of a domain and automatically identifies potential connected infrastructure based on DomainTools Guided Pivot values, reducing manual investigative effort.

DomainTools Check Domain Risk Score by Iris Tags

Monitors a defined list of Iris tagged domains for risk on a schedule. Checks active domains with high risk scores and outputs them as indicators on the associated incident, alerting the analyst to review.

DomainTools Check New Domains by Iris Hash

Monitors for new domains matching saved infrastructure parameters such as registrar, DNS, and SSL certificates. Pulls matching indicators into the current incident on each run.

DomainTools Iris Risk Score

Retrieves the Domain Risk Score for a given domain, checks if it exceeds the configured threshold, and alerts the analyst to manually review the domain indicator.

Indicator Pivoting: DomainTools Iris

Gathers data through pivots that share a common attribute with a domain. For example, pivoting on an IP address returns all domains related to that IP, uncovering related malicious infrastructure.

DomainTools Associate Indicator to Incident

Associates domain indicators to the current incident automatically, ensuring enriched intelligence is linked to the right case for tracking and reporting.

Custom Playbooks and Scripts

DomainTools continues to build additional automation content for XSOAR users. Scripts and playbooks are available for download directly from the DomainTools Palo Alto XSOAR repository on GitHub. All playbooks halt on errors by default. Error handling can be customized via the On Error tab in Task Details to set retry counts, continue on error behavior, or alternate error paths.

Compatible DomainTools Products
The intelligence powering every investigation.
Iris Investigate

Complete domain profile including IP, nameservers, mail servers, web servers, SSL, RDAP, Whois, and risk score with components and evidence.

Iris Enrich

Lightweight high volume enrichment. Resolves URLs and fully qualified domain names for fast automated workflows.

Whois History

Up to 100 historical Whois records per domain to track ownership and registration changes over time.

RDAP

Real time registration data access protocol lookups for the most current domain registration data.

DNSDB: Farsight Passive DNS

Historical DNS resolution data for deep infrastructure pivoting and threat hunting.

Real Time Threat Feeds

Streaming feeds covering the full domain lifecycle: NOD, NAD, NOH, Domain Discovery, Parsed RDAP, Domain Hotlist, and Domain Risk. Configured as a separate integration.

Ready to get started with DomainTools for Cortex XSOAR?
