This repository has been archived by the owner on Sep 20, 2023. It is now read-only.

DomainTools Iris Analyzer & Responder Docs #54

Status: Open. Wants to merge 2 commits into base branch master.
36 changes: 36 additions & 0 deletions analyzer_requirements.md
Expand Up @@ -83,6 +83,7 @@ on is free or requires special access or valid subscription or product license.
* [Subscription and License\-based Analyzers](#subscription-and-license-based-analyzers)
* [DNSDB](#dnsdb)
* [DomainTools](#domaintools)
* [DomainTools Iris](#domaintools-iris)
* [EmergingThreats](#emergingthreats)
* [FireEye iSIGHT](#fireeye-isight)
* [JoeSandbox](#joesandbox)
Expand All @@ -98,6 +99,8 @@ on is free or requires special access or valid subscription or product license.
* [VMRay](#vmray)
* [Subscription and License-based Responders](#subscription-and-license-based-responders)
* [Crownstrike Falcon](#crowdstrike-falcon)
* [DomainTools Iris Malicious Tags](#domaintools-iris-malicious-tags)
* [DomainTools Iris Risky DNS](#domaintools-iris-risky-dns)
* [Umbrella blacklister](#umbrella-blacklister)

## Introduction
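Review bot: the context line directly above the two new responder entries still reads `Crownstrike Falcon` while its anchor is `#crowdstrike-falcon`; since this change edits that list anyway, fix the product name to `Crowdstrike Falcon` in the same commit so the link text matches the heading it points to. The new entries themselves are in alphabetical order and their anchors `#domaintools-iris-malicious-tags` and `#domaintools-iris-risky-dns` match the headings added later in this diff.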
Expand Down Expand Up @@ -846,6 +849,23 @@ to use the analyzer.
Provide your username as a value for the `username` parameter and API key as
a value for the `key` parameter.

### DomainTools Iris
Look up domain names, IP addresses, e-mail addresses, and SSL hashes using the popular
[DomainTools Iris](https://www.domaintools.com/resources/api-documentation/iris-investigate/) service API.

The analyzer comes in 2 flavors:
- DomainToolsIris_**Investigate**: Use DomainTools Iris API to investigate a domain.
- DomainToolsIris_**Pivot**: Use DomainTools Iris API to pivot on ssl_hash, ip, or email.

#### Requirements
You need a [valid DomainTools API integration subscription](https://www.domaintools.com/products/api-integration/)
to use the analyzer.

Provide your username as a value for the `username` parameter and API key as
a value for the `key` parameter.

Setting the `pivot_count_threshold` will highlight items of interest in the template below that threshold.

### EmergingThreats
Leverage Proofpoint's [Emerging Threats Intelligence](https://threatintel.proofpoint.com/)
to assess the reputation of various observables and obtain additional and
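Review bot: the `pivot_count_threshold` sentence is ambiguous and sits outside the Requirements subsection without saying whether the parameter is optional, which flavor it applies to, or what its default is. "highlight items of interest in the template below that threshold" can be read either as items whose pivot count is below the threshold or as a template shown below the text; suggest stating the comparison explicitly, e.g. "Optional. `pivot_count_threshold`: pivot counts lower than this value are highlighted in the report template as items of interest", adjusted to whatever the analyzer actually does, and say whether it applies to DomainToolsIris_Pivot, DomainToolsIris_Investigate, or both. Minor style points in the same hunk: write "two flavors" rather than "2 flavors", drop "popular" from the first sentence, and either spell the pivot types as the rest of the document does ("SSL certificate hash, IP address, or e-mail address") or state that `ssl_hash`, `ip` and `email` are the literal data types the analyzer accepts.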
Expand Down Expand Up @@ -1059,6 +1079,22 @@ Submit observables from alerts and cases to the Crowdstrike Falcon Custom IOC AP

To configure the responder, provide the URL of the platform as a value for the `falconapi_url` parameter, the api user as the `falconapi_user`parameter and the api key as the `falconapi_key` parameter.

### DomainTools Iris Malicious Tags

Add tag saying that the observable and case have a malicious tag based on iris tags short summary from the DomainTools Iris investigate analyzer.

#### Requirements

To configure the responder, provide a set of values for the `monitored_iris_tags` parameter.

### DomainTools Iris Risky DNS

Add tag saying that the observable and case contains a risky DNS based on risk score short summary from the DomainTools Iris investigate analyzer.

#### Requirements

To configure the responder, provide a value for the `high_risk_threshold` parameter.

### Umbrella Blacklister

Add domain from observables in cases to Umbrella blacklist.
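Review bot: both responder descriptions are hard to parse and omit the details an operator needs to configure them. "Add tag saying that the observable and case have a malicious tag based on iris tags short summary" should state the actual behaviour, for example: the responder reads the short summary produced by the DomainToolsIris_Investigate analyzer and, if any Iris tag in it appears in `monitored_iris_tags`, adds a tag to the observable and its case; also name the tag value that gets applied. For Risky DNS, say how the risk score is compared with `high_risk_threshold` (greater than, or greater than or equal) and what range the score uses. Both Requirements subsections should state explicitly that the DomainToolsIris_Investigate analyzer must have been run on the observable first, and whether the responders need DomainTools API credentials of their own or only the analyzer's report. Pre-existing nit in the context above: missing space in "`falconapi_user`parameter".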