Domain Enrichment - DomainTools Iris Enrich

Overview

This playbook uses the DomainTools Iris Enrich API, which we recommend over Iris Investigate for high-volume API lookup activities. It is able to provide domain infrastructure information for a domain or set of domains associated with an incident. If your account is provisioned for Iris Enrich, use the Iris Enrich endpoint to return Whois, mailserver, DNS, SSL and related indicators from Iris Enrich for a given domain or set of domains.

Visit https://www.domaintools.com/integrations to request a Api key.

When a new Azure Sentinel Incident is created, and this playbook is triggered, it performs these actions:

• It fetches all the Host/DNS/URL entities in the Incident.
• Iterates through the Host/DNS/URL entities and fetches the results from Iris Enrich for each entity.
• All the details from DomainTools Iris Enrich will be added as comments in a tabular format.

Links to deploy the DomainTools Iris Enrich Domain Playbook

Authentication

Prerequisites

• A DomainTools API Key provisioned for Iris Enrich
• DomainTools Function App should be deployed

Deployment instructions

• Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
• Fill in the required parameters for deploying the playbook.
• Click "Review + create". Once the validation is successful, click on "Create".

Post-Deployment instructions.