Domain Enrichment - DomainTools Iris Investigate
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊
Given a domain or set of domains associated with an incident return all Iris Investigate data for those domains as comments in the incident.
| Attribute | Value |
|---|---|
| Type | Playbook |
| Solution | DomainTools |
| Source | View on GitHub |
Logic App Connectors
This playbook uses 3 Logic App connectors / built-in actions:
| Connector / Action | Type | Connections | Actions |
|---|---|---|---|
azuresentinel |
Managed | 1 | 9 |
farsightdnsdb |
Managed | 1 | 1 |
function |
Built-in | 0 | 1 |
Action parameters (URLs, paths, function IDs)
azuresentinel (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| Add_RData_comment_to_incident_(V3) | post | /Incidents/Comment |
— |
| Add_Iris_Investigate_Table_to_Incident_Comments | post | /Incidents/Comment |
— |
| Add_Pivoting_Data_to_Incident_Comments | post | /Incidents/Comment |
— |
| Add_Malicious_tags_to_Incident | post | /Incidents/Comment |
— |
| Update_incident | put | /Incidents |
— |
| Add_Error_to_Incident_Comments | post | /Incidents/Comment |
— |
| Entities_-_Get_DNS | post | /entities/dnsresolution |
— |
| Entities_-_Get_Hosts | post | /entities/host |
— |
| Entities_-_Get_URLs | post | /entities/url |
— |
farsightdnsdb (Managed)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| RData_Lookup_with_RRType | get | /lookup/rdata/name/@{encodeURIComponent(items('For_each_domain_list'))}/ANY |
— |
function (Built-in)
| Action | Method | Endpoint | Other |
|---|---|---|---|
| InvestigateDomain | — | — | functionId=[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Web/sites/', variables('Functionappname'), '/functions/InvestigateDomain')] |
Additional Documentation
DomainTools Iris Investigate Domain Playbook
Table of Contents
- Overview
- Deploy DomainTools-Iris-Investigate-Playbook
- Authentication
- Prerequisites
- Deployment
- Post Deployment Steps
Overview
This playbook uses the DomainTools Iris Investigate API. Given a domain or set of domains associated with an incident, return Whois, mailserver, DNS, SSL and related indicators from Iris Investigate, highlighting fields where fewer than 200 domains share an attribute. This is useful in order to clue investigators where there could be additional indicators of interest available via the Iris Investigate UI or API.
Visit https://www.domaintools.com/integrations to request a Api key.
When a new Azure Sentinel Incident is created, and this playbook is triggered, it performs these actions:
- It fetches all the Host/DNS/URL entities in the Incident.
- Iterates through the Host/DNS/URL entities and fetches the results from Iris Investigate for each entity.
- All the details from DomainTools Iris Investigate will be added as comments in a tabular format.
- All the response attributes that have count value(Count of connected domains sharing this attribute) greater than 1 and less than "Pivot_Threshold" parameter value in the playbook(default to 200), link the DomainTools Iris Investigate UI for further investigation.
Links to deploy the DomainTools Iris Investigate Domain Playbook
Authentication
Authentication methods this connector supports:
Prerequisites
- A DomainTools API Key provisioned for Iris Investigate
- DomainTools Function App should be deployed
Deployment instructions
- Deploy the playbooks by clicking on "Deploy to Azure" button. This will take you to deploying an ARM Template wizard.
- Fill in the required parameters for deploying the playbook.
- Click "Review + create". Once the validation is successful, click on "Create".
Post-Deployment instructions
a. Playbook parameters:
Once deployment is complete, you can change the playbook parameters to get the desired results as explained below.
- Open the Logic App in the edit mode. click on parameters
- If "Fetch_Guided_Pivots_Results" is set to True, It will get the following details for each entity:
- Reverse Email Domain
- Reverese IP
- Pivot MX Host
- Pivot by MX IP
- Pivot by Nameserver IP Address
- Pivot Nameserver Host
- Pivot by Registrant Name
- Pivot by Registrant Org
- Reverse Email
- Pivot SSL Email
- Pivot by SSL Hash
- If you provide tags in the "Find_Domains_With_Malicious_tags" paramter, if a specified set of tags is observed, the playbook will mark the incident as “severe” in Sentinel and add a comment.
- If "Fetch_Domain Tools_DNSDB_Results" is set to True, It will get the DNSDB Rdata details for each entity:
- Save the Logic App.
[Content truncated...]
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊