Stop switching tools mid-investigation. DomainTools brings DNS enrichment, infrastructure pivoting, and predictive risk scoring directly into the War Room so your team can detect, investigate, and respond faster.
Security analysts are forced into workflows that are manual, repetitive, and require constant attentiveness. Switching between tools to investigate a domain adds friction and time to every incident. One detail overlooked can have serious consequences.
Purpose-built for investigation and response teams running Cortex XSOAR.
Domain intelligence surfaces directly inside the Cortex XSOAR War Room. No separate tools, no tab switching. Analysts stay in their workflow from triage to resolution.
Automate playbooks for enrichment of DNS observables. Trigger IoC investigations, block threats based on connected infrastructure, and persist enriched intelligence automatically.
Reduce reaction time when extracting potentially harmful indicators from malicious payloads and network activity and containing them.
Download the DomainTools Iris Investigate pack directly from the Cortex Marketplace. Requires a DomainTools Iris Investigate API key. Compatible with Cortex XSOAR 6.6.0 and later.
Navigate to Settings > Integrations. Search for DomainTools Iris and add a new instance. Enter your API username and key. Set your preferred Risk Threshold and Guided Pivot Threshold parameters.
Run DomainTools commands directly in the War Room. Enrich domain indicators, retrieve full Iris profiles, pivot on infrastructure, and surface risk scores without leaving the incident.
Deploy any of the six pre-built playbooks to automate enrichment, risk monitoring, domain pivoting, and tagging workflows across your SOC.
The full suite of DomainTools capabilities available directly within Cortex XSOAR.
Fetch a full Iris Investigate profile for any domain including IP addresses, nameservers, mail servers, SSL certificate details and tracking codes, email addresses from DNS SOA records, Whois and RDAP data, and passive DNS history.
Iris Investigate surfaces which infrastructure pivots are most likely to yield relevant connections. Pivot on IP, email, nameserver, mail server, or SSL hash using the domaintools-iris-pivot command to cut dead ends in any investigation.
ML classifiers score domains for phishing, malware, spam, and proximity to malicious infrastructure, often within seconds of a domain's creation. Individual classifier scores are returned, so analysts know exactly why a domain is flagged.
Tag domains in Iris Investigate and have them automatically monitored in XSOAR. Incidents containing tagged indicators are automatically escalated, enabling cross-team SOC collaboration without manual tracking.
Configure the DomainTools domain command as the auto-enrichment reputation command for domain indicators. Every domain encountered then contributes automatically to Cortex's DBotScore and Domain.Malicious context fields.
DomainTools data is stored in the XSOAR indicator table for persistent enrichment. Automatically keep track of investigations performed for convenient incident reporting.
Six ready-to-use playbooks cover the most common DomainTools workflows. Deploy them as is or customize them for your environment.
Retrieves the Iris Investigate profile of a domain and automatically identifies potential connected infrastructure based on DomainTools Guided Pivot values, reducing manual investigative effort.
Monitors a defined list of Iris-tagged domains for risk on a schedule. Checks active domains with high risk scores and outputs them as indicators on the associated incident, alerting the analyst to review them.
Monitors for new domains matching saved infrastructure parameters such as registrar, DNS, and SSL certificates. Pulls matching indicators into the current incident on each run.
Retrieves the Domain Risk Score for a given domain, checks if it exceeds the configured threshold, and alerts the analyst to manually review the domain indicator.
Gathers data through pivots that share a common attribute with a domain. For example, pivoting on an IP address returns all domains related to that IP, uncovering related malicious infrastructure.
Associates domain indicators with the current incident automatically, ensuring enriched intelligence is linked to the right case for tracking and reporting.
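The risk-threshold logic behind the reputation command and the risk-monitoring playbook, as an added Python illustration that is not the DomainTools pack's own code: it maps an Iris-style risk score and its per-classifier components onto XSOAR's DBotScore scale and fills Domain.Malicious only when the configured threshold is crossed. The response layout (domain_risk.risk_score with a components list) and the sample domains are assumptions made for the example.

```python
# Added example, not the DomainTools pack's own code. Turns an Iris
# Investigate-style risk result into XSOAR DBotScore / Domain context using
# the instance's risk threshold. The response shape (domain_risk.risk_score
# plus per-classifier "components") is assumed; sample data is constructed.
from typing import Any, Dict

# XSOAR DBotScore convention: 0 unknown, 1 good, 2 suspicious, 3 bad.
DBOT_GOOD, DBOT_SUSPICIOUS, DBOT_BAD = 1, 2, 3


def risk_to_dbot_score(risk_score: int, threshold: int, band: int = 30) -> int:
    """Map a 0-100 risk score to a DBotScore; 'band' below the threshold is suspicious."""
    if risk_score >= threshold:
        return DBOT_BAD
    if risk_score >= max(threshold - band, 0):
        return DBOT_SUSPICIOUS
    return DBOT_GOOD


def build_domain_context(domain: str, iris_result: Dict[str, Any], threshold: int) -> Dict[str, Any]:
    """Build DBotScore and Domain context entries from one Iris-style result."""
    risk = iris_result.get("domain_risk", {})
    score = int(risk.get("risk_score", 0))
    components = {c["name"]: int(c["risk_score"]) for c in risk.get("components", [])}
    dbot = risk_to_dbot_score(score, threshold)
    # Name the classifiers that individually crossed the threshold so the analyst
    # sees why the domain was flagged; fall back to the overall score if none did.
    reasons = sorted(n for n, s in components.items() if s >= threshold)
    domain_ctx: Dict[str, Any] = {"Name": domain, "DomainTools": {"RiskScore": score, "Components": components}}
    if dbot == DBOT_BAD:
        domain_ctx["Malicious"] = {"Vendor": "DomainTools",
                                   "Description": f"Risk {score} >= {threshold}; flagged by: {', '.join(reasons) or 'overall score'}"}
    return {"DBotScore": {"Indicator": domain, "Type": "domain", "Vendor": "DomainTools", "Score": dbot},
            "Domain": domain_ctx}


# Constructed sample responses (placeholder .test domains, invented scores).
SAMPLE: Dict[str, Dict[str, Any]] = {
    "example-phish.test": {"domain_risk": {"risk_score": 92, "components": [
        {"name": "phishing", "risk_score": 92}, {"name": "malware", "risk_score": 40},
        {"name": "spam", "risk_score": 10}, {"name": "proximity", "risk_score": 70}]}},
    "benign-shop.test": {"domain_risk": {"risk_score": 12, "components": [{"name": "proximity", "risk_score": 12}]}},
    "newly-registered.test": {"domain_risk": {"risk_score": 55, "components": [{"name": "proximity", "risk_score": 55}]}},
}


def enrich_all(threshold: int = 70) -> Dict[str, Dict[str, Any]]:
    """Enrich every sample domain with the given instance threshold."""
    return {d: build_domain_context(d, r, threshold) for d, r in SAMPLE.items()}
```

With the default threshold of 70, only example-phish.test receives a Domain.Malicious entry; newly-registered.test lands in the suspicious band for analyst review.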
DomainTools continues to build additional automation content for XSOAR users. Scripts and playbooks are available for download directly from the DomainTools Palo Alto XSOAR repository on GitHub. All playbooks halt on errors by default. Error handling can be customized via the On Error tab in Task Details to set retry counts, continue on error behavior, or alternate error paths.