Investigate All the Things - in Slack
DomainTools Recipes: Pivoting and Monitoring the Undead
Earlier this year we introduced the concept of the DomainTools “Recipe Book,” a series of instructions for using DomainTools data in specific applications to meet various use cases. In each entry of this series, we’ll describe one or more objectives and share some tools and procedures needed to accomplish that objective. Most of these involve automation technologies of one kind or another (as did two of the three we shared last time), and—of course—at least one DomainTools product. Each entry will contain links to resources you can use to try these recipes out in your own environment if you wish.
Important notes (which we also included in our first entry):
- These recipes aren’t a complete technical manual for each item—in most of them, you will need to refer to additional documentation for DomainTools products, third-party applications, or both. The Procedure section is a summary to give you an overview of what is involved.
- Because third parties will evolve their products over time, some of these procedures may become obsolete at some point.
And now…on to this installment!
Investigate All the Things – in Slack
Like our Slack Domain Risk Score recipe (published in the first blog in this series), this one also uses the Tines no-code automation platform, in concert with Slack, to enable a simple but powerful use case: given a domain as a starting point, get quick summary info about the domain, and pivot on shared data points to find connected domains. This recipe lets an analyst quickly develop a sense of how a given domain may fit into a larger campaign, without having to open a DomainTools UI (or other application, such as our App for Splunk). But—if you want to, you can also use the link that Slack offers to open up the actual Iris Investigate UI. You can see the blue link for that in the screenshot below.
Required Components
- A Tines tenant (Note: Tines offers a free Community Edition)
- A Slack workspace with a Slack app (slash command) installed; the Procedure section below walks through creating it
  - Note: you need admin privileges in the Slack workspace where you'll install this (or any) app
- DomainTools Iris Investigate API endpoint (and corresponding API username and key)
Procedure
- Ensure that you have access to the DomainTools Iris Investigate API and that your API key is readily available (If you have purchased access to this API but need help with your key, contact us at [email protected]). Optionally, for the passive DNS (pDNS) component, you will also need a DNSDB API key.
- Slack actions
  - Go to Apps -> Create new App
  - Choose Slash Command
  - Choose your command name (e.g. "/dtirisinvestigate") and a short usage hint (e.g. "enter a domain")
  - Paste the Tines Webhook URL as the command's Request URL (you can find the URL in the first Webhook block in the story)
  - Install the App to your workspace
- Tines actions
  - Instantiate a tenant (free)
  - Navigate to this story
  - Enter resource: DomainTools API username
  - Enter resource: Domain Monitor List and associated Resource ID (optional; this is populated by another story in Tines and uses the Iris Enrich API)
  - Enter credential: DomainTools Iris Investigate API key
  - Enter credential: DNSDB API key (optional; for the pDNS action)
  - Enter credential: Tines API key (obtain this from Tines)
  - Copy the Webhook URL (to paste into the Slack app as the Request URL)
- If the credentials/resources in Tines are correct, you should now be able to run your command from Slack! If you use the optional Monitor List component, that part will be available as soon as you have any monitored domains populated into the list. Treat the Webhook URL as a secret: anyone who obtains it can trigger the story, so don't paste it into shared channels or tickets.
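The glue between the slash command and the Iris Investigate call is where a practitioner most wants a check that the page's no-code story leaves implicit: that the request really came from Slack, and that the pasted "domain" is a clean domain before it is sent to DomainTools. The following Python is an added example written for this article, not code from DomainTools or Tines. It implements Slack's documented request-signature scheme (HMAC-SHA256 over `v0:<timestamp>:<body>`, compared against the `X-Slack-Signature` header, with a replay window), parses the slash-command form body, normalizes a possibly defanged indicator such as `hxxp://example[.]com/path`, and builds the Iris Investigate request without sending it. The signing secret and the form body are constructed samples; the Iris Investigate endpoint path and the `api_username`/`api_key`/`domain` parameter names are assumptions to verify against the current DomainTools API documentation.

```python
"""Slash-command receiver for the domain-lookup recipe (added example, not the original story)."""
import hashlib
import hmac
import re
import time
from typing import Optional
from urllib.parse import parse_qs

# Constructed sample; in a real deployment this comes from the Slack app's "Signing Secret".
SLACK_SIGNING_SECRET = b"8f742231b10e8888abcd99yyyzzz85a5"
REPLAY_WINDOW_SECONDS = 300  # Slack recommends rejecting requests older than ~5 minutes

# Assumed endpoint path and parameter names; check the DomainTools API docs before relying on them.
IRIS_INVESTIGATE_URL = "https://api.domaintools.com/v1/iris-investigate/"

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def slack_signature(secret: bytes, timestamp: str, body: str) -> str:
    """Slack's v0 signature: 'v0=' + hex(HMAC-SHA256(secret, 'v0:<ts>:<raw body>'))."""
    base = f"v0:{timestamp}:{body}".encode()
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_slack_request(headers: dict, body: str, now: Optional[float] = None,
                         secret: bytes = SLACK_SIGNING_SECRET) -> bool:
    """Reject requests with a missing/stale timestamp or a signature that does not match."""
    ts = headers.get("X-Slack-Request-Timestamp", "")
    presented = headers.get("X-Slack-Signature", "")
    if not ts.isdigit():
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > REPLAY_WINDOW_SECONDS:
        return False  # replayed or clock-skewed request
    # Constant-time comparison so the check does not leak the expected signature byte by byte.
    return hmac.compare_digest(slack_signature(secret, ts, body), presented)


def extract_domain(text: str) -> Optional[str]:
    """Turn what an analyst typed (URL, defanged IOC, trailing dot) into a bare registered domain."""
    candidate = text.strip().lower()
    candidate = candidate.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")
    candidate = re.sub(r"^[a-z][a-z0-9+.-]*://", "", candidate)  # drop scheme
    candidate = candidate.split("/")[0].split("?")[0]              # drop path and query
    candidate = candidate.split("@")[-1].split(":")[0]             # drop userinfo and port
    candidate = candidate.rstrip(".")
    return candidate if DOMAIN_RE.match(candidate) else None


def handle_slash_command(headers: dict, body: str, api_username: str, api_key: str,
                         now: Optional[float] = None) -> dict:
    """Validate the Slack request and produce either an ephemeral usage reply or the Iris request."""
    if not verify_slack_request(headers, body, now):
        return {"status": 401, "error": "invalid Slack signature"}
    form = parse_qs(body)
    domain = extract_domain(form.get("text", [""])[0])
    if domain is None:
        return {"status": 200, "response_type": "ephemeral",
                "text": "Usage: /dtirisinvestigate <domain>"}
    # Returned rather than sent, so the example runs offline; a real handler would POST this.
    return {"status": 200, "domain": domain,
            "request": {"method": "POST", "url": IRIS_INVESTIGATE_URL,
                        "data": {"api_username": api_username, "api_key": api_key,
                                 "domain": domain}}}


if __name__ == "__main__":
    # Constructed slash-command body as Slack would form-encode it.
    body = "command=%2Fdtirisinvestigate&text=hxxp%3A%2F%2Fexample%5B.%5Dcom%2Flogin&user_id=U123"
    ts = str(int(time.time()))
    headers = {"X-Slack-Request-Timestamp": ts,
               "X-Slack-Signature": slack_signature(SLACK_SIGNING_SECRET, ts, body)}
    print(handle_slash_command(headers, body, "dt_user", "dt_key"))
```

The signature check matters because a slash-command endpoint is reachable by anyone who learns its URL; without it, a third party could drive lookups against your DomainTools quota or inject content into the channel. The normalization step is there because analysts routinely paste defanged indicators and full URLs, and a request for `hxxp://example[.]com/login` would otherwise be rejected (or, worse, silently misinterpreted) by the API.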
This recipe lets you do the following things, all from Slack:
- See the component and overall Domain Risk Scores for the domain
- Open an investigation in the Iris Investigate UI (this opens a browser window)
- Explore Guided Pivots, if there are any for the domain (more on this below)
- See a list of subdomains associated with the domain
- Get a .csv output of passive DNS (pDNS) observations for the domain if you have DNSDB access
- Monitor the domain for future changes to its Risk Score (these changes will be sent as Slack messages when there is a change to the Risk Score) NOTE: this feature chains together a separate Tines story with this one.
About Guided Pivots
This is a feature in the Iris Investigate UI that's designed to draw the analyst's attention to the pivots that are most likely to be helpful to an investigation. While you might wonder "what sorcery is this?", the principle is in fact very simple. For a data point (such as an IP address, name server, registrant email, etc.) to be a Guided Pivot, it has to have a count of connected domains between 2 and 500 inclusive. A count in this range is useful for two reasons: a) it's a manageable number of other domains to examine, and b) the domains are more likely to be under the control of the same entity, rather than arbitrarily lumped together (say, by a hosting provider on a shared IP address). A count of 1 means the data point connects to nothing but the domain you started from, and a count in the tens of thousands usually means shared infrastructure, so neither end tells you much.
Using this Slack integration, if the domain you’re querying has any Guided Pivots associated with it, you will be able to select them from a dropdown list, all in the Slack UI. You can see the dropdown in the first screenshot above.
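The Guided Pivot rule above is simple enough to apply yourself to the raw API response, which is what the Tines story does before it populates the dropdown. The following Python is an added example written for this article, not DomainTools or Tines code. It walks an Iris Investigate domain object, treats every `{"value": ..., "count": N}` pair as a pivotable data point (that value/count pairing is how Iris Investigate reports connected-domain counts, but the exact nesting below is a constructed sample, not a captured response), keeps the ones whose count falls in the 2 to 500 window, and turns them into a Slack Block Kit `static_select` element, honouring Slack's limits of 100 options and 75 characters per option label and value. The function names are mine.

```python
"""Guided Pivot selection from an Iris Investigate domain object (added example)."""
from typing import Any, Iterator, List, Optional, Tuple

GUIDED_PIVOT_MIN, GUIDED_PIVOT_MAX = 2, 500   # the rule described in the article
SLACK_MAX_OPTIONS, SLACK_MAX_OPTION_TEXT = 100, 75  # Block Kit static_select limits

Pivot = Tuple[str, Any, int]  # (field path, value, connected-domain count)

# Constructed sample shaped like the value/count pairs Iris Investigate returns.
# Counts were chosen to exercise both edges of the Guided Pivot window.
SAMPLE_DOMAIN = {
    "domain": "example.com",
    "ip": [{"address": {"value": "203.0.113.10", "count": 7},
            "isp": {"value": "Example Hosting", "count": 120000}}],   # shared infra: too many
    "name_server": [{"host": {"value": "ns1.example-dns.net", "count": 34}}],
    "registrant_contact": {"email": [{"value": "admin@example.com", "count": 1}]},  # only this domain
    "ssl_info": [{"hash": {"value": "5f3a9c1d7e4b2a08", "count": 2}}],
    "domain_risk": {"risk_score": 70},  # no value/count pair, so not a pivot
}


def iter_datapoints(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Pivot]:
    """Depth-first walk yielding (field path, value, count) for every value/count pair."""
    if isinstance(node, dict):
        if "value" in node and isinstance(node.get("count"), int):
            yield ".".join(path), node["value"], node["count"]
            return
        for key, child in node.items():
            yield from iter_datapoints(child, path + (key,))
    elif isinstance(node, list):
        for item in node:
            yield from iter_datapoints(item, path)


def find_guided_pivots(domain_obj: dict) -> List[Pivot]:
    """Apply the 2..500 rule; smallest counts first, since those are the tightest clusters."""
    pivots = [p for p in iter_datapoints(domain_obj)
              if GUIDED_PIVOT_MIN <= p[2] <= GUIDED_PIVOT_MAX]
    return sorted(pivots, key=lambda p: (p[2], p[0], str(p[1])))


def pivot_options_block(pivots: List[Pivot], action_id: str = "guided_pivot") -> Optional[dict]:
    """Build the Slack 'actions' block holding the pivot dropdown, or None when there is nothing to offer."""
    if not pivots:
        return None  # static_select requires at least one option
    options = []
    for field, value, count in pivots[:SLACK_MAX_OPTIONS]:
        label = f"{field}: {value} ({count} domains)"[:SLACK_MAX_OPTION_TEXT]
        # The value travels back to the story when the analyst picks an option.
        options.append({"text": {"type": "plain_text", "text": label},
                        "value": f"{field}|{value}"[:SLACK_MAX_OPTION_TEXT]})
    return {"type": "actions",
            "elements": [{"type": "static_select", "action_id": action_id,
                          "placeholder": {"type": "plain_text", "text": "Choose a Guided Pivot"},
                          "options": options}]}


if __name__ == "__main__":
    for field, value, count in find_guided_pivots(SAMPLE_DOMAIN):
        print(f"{count:>4}  {field} = {value}")
    print(pivot_options_block(find_guided_pivots(SAMPLE_DOMAIN)))
```

Walking the tree generically, rather than hard-coding field names, keeps the filter correct when DomainTools adds new pivotable attributes, and it is also why the registrant email (count 1) and the ISP (count 120000) fall out without special cases. The `None` return for an empty list mirrors the page's "if there are any" wording: the story should omit the dropdown rather than post an invalid block.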
Subdomains, pDNS, and Risk Score monitoring
Each of these actions has a button in the Slack UI once the summary info for the domain you queried has been returned. The button labeled Subdomains looks at our pDNS database to surface any subdomains that have been observed for the domain (e.g. subdomain.example.com). pDNS, which is optional and uses the DNSDB API, provides more detail on the resolutions that have been observed for the domain, including first-seen and last-seen timestamps and a variety of record types. Risk Score monitoring (which leverages another Tines story, linked above) lets you designate the domain so that if its score changes in the future, you'll receive a Slack notification with the new score.
Taken together, the actions illustrated here allow analysts to carry out a lot of the tasks they often do when unknown or suspicious domains are surfaced in their environments—and from within a tool that many organizations use throughout the workday. Of course, there are many other ways to carry out these workflows, such as in our native applications or in other integrations; the best choice is the one that most directly suits your work habits.
These recipes are examples of just a few ways in which you can apply DomainTools data to solve specific use cases in streamlined ways. They are just a starting point—for us, because we’ll be releasing more of them regularly—and for you, because we expect that folks who are interested in this kind of application will take the ideas in new and innovative directions.
If you’d like to see these recipes, or any other application(s) of our data, drop us a line and sign up for a personalized session with us. Happy hunting!