diff --git a/Packs/DomainTools_Iris/.secrets-ignore b/Packs/DomainTools_Iris/.secrets-ignore
index ae84c3d32a73..eecced188192 100644
--- a/Packs/DomainTools_Iris/.secrets-ignore
+++ b/Packs/DomainTools_Iris/.secrets-ignore
@@ -67,4 +67,6 @@ abuse@ionos.com
 217.160.80.126
 217.160.82.73
 217.160.83.63
-217.160.81.67
\ No newline at end of file
+217.160.81.67
+142.250.217.68
+142.250.217.78
\ No newline at end of file
diff --git a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.py b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.py
index 1c3cad9b8bd7..7e8fa4254a09 100644
--- a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.py
+++ b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.py
@@ -128,6 +128,12 @@ def http_request(method: str, params: dict = {}):
 response = api.parsed_whois(params.get('domain')).response()
 elif method == "parsed-domain-rdap":
 response = api.parsed_domain_rdap(query=params.get("domain"))
+ elif method == "reverse-nameserver":
+ response = api.reverse_name_server(params.get("nameserver"), limit=params.get("limit")).response()
+ elif method == "reverse-ip":
+ response = api.reverse_ip(domain=params.get("domain"), limit=params.get("limit")).response()
+ elif method == "host-domains":
+ response = api.host_domains(ip=params.get("ip"), limit=params.get("limit")).response()
 else:
 response = api.iris_investigate(**params).response()
 except Exception as e:
@@ -483,7 +489,16 @@ def parsed_whois(domain):
 return http_request('parsed-whois', {'domain': domain})
-def parsed_domain_rdap(domain: str):
+def parsed_domain_rdap(domain: str) -> dict[str, Any]:
+ """ Returns the parsed domain rdap by a given domain.
+
+ Args:
+ domain (str): The domain to lookup.
+
+ Returns:
+ dict: The parsed domain rdap results from DT API.
+
+ """
 resp = http_request("parsed-domain-rdap", params={"domain": domain})
 return {
@@ -492,6 +507,18 @@ def parsed_domain_rdap(domain: str):
 }
+def reverse_nameserver(nameserver: str, limit: int | None = None) -> dict:
+ return http_request("reverse-nameserver", params={"nameserver": nameserver, "limit": limit})
+
+
+def reverse_ip(domain: str, limit: int | None = None) -> dict:
+ return http_request("reverse-ip", params={"domain": domain, "limit": limit})
+
+
+def host_domains(ip: str, limit: int | None = None) -> dict:
+ return http_request("host-domains", params={"ip": ip, "limit": limit})
+
+
 def add_key_to_json(cur, to_add):
 if not cur:
 return to_add
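Review bot: The three new wrappers `reverse_nameserver`, `reverse_ip` and `host_domains` have no docstrings, although `parsed_domain_rdap` gains one in this same commit. Each should name the `http_request` method string it dispatches to and state that `limit=None` is forwarded unchanged, for example `"""Return the domains served by *nameserver* via the "reverse-nameserver" request; *limit* is passed through as given."""`. The `-> dict` annotation relies on `http_request` returning a dict for these methods, which this hunk does not show.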
@@ -1513,6 +1540,69 @@ def reverse_whois_command():
 )
+def reverse_nameserver_command():
+ """
+ Returns the reverse lookup on a given nameserver.
+ """
+ nameserver = demisto.args()["nameServer"]
+ limit = int(demisto.args().get("limit") or 50)
+
+ context: dict[str, list[dict]] = {"Domain": []}
+
+ results = reverse_nameserver(nameserver=nameserver, limit=limit)
+ primary_domains = results.get("primary_domains") or []
+
+ total_primary_domains = len(primary_domains)
+
+ human_readable = f"Found {total_primary_domains} domains. \n"
+
+ for domain in primary_domains:
+ context["Domain"].append({"Name": domain})
+ human_readable += f"* {domain} \n"
+
+ return CommandResults(
+ readable_output=human_readable,
+ outputs=context,
+ raw_response=results,
+ ignore_auto_extract=True
+ )
+
+
+def reverse_ip_command():
+ """
+ Returns the reverse lookup on a given domain or ip.
+ """
+ cmd_args = demisto.args()
+ ip = cmd_args.get("ip")
+ domain = cmd_args.get("domain")
+ limit = int(cmd_args.get("limit") or 50)
+
+ context: dict[str, list[dict]] = {"Domain": []}
+ human_readable = ""
+
+ if domain:
+ results = reverse_ip(domain=domain, limit=limit)
+ elif ip:
+ results = host_domains(ip=ip, limit=limit)
+
+ addresses: list | dict = results.get("ip_addresses") or []
+ if not isinstance(addresses, list):
+ addresses = [addresses]
+
+ for address in addresses:
+ human_readable += f"\nFound {address.get('domain_count', 0)} domains for {address.get('ip_address')}. \n"
+ for domain in address.get("domain_names") or []:
+ context["Domain"].append({"Name": domain})
+ human_readable += f"* {domain} \n"
+
+ return CommandResults(
+ readable_output=human_readable,
+ outputs=context,
+ raw_response=results,
+ ignore_auto_extract=True
+ )
+
+
 def parsed_whois_command():
 domain = demisto.args()['query']
 response = parsed_whois(domain)
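Review bot: `reverse_ip_command` leaves `results` unassigned when neither `ip` nor `domain` is supplied, so the `results.get("ip_addresses")` line fails with an UnboundLocalError instead of a usable message; the YAML in this commit marks neither argument as required. Close the chain with `else: raise ValueError("Either 'ip' or 'domain' must be provided.")`, and decide explicitly what happens when both are given, since `domain` silently wins today. In both new commands `int(... or 50)` raises a bare ValueError on non-numeric input and lets zero or negative limits through to the API call, so the limit should be validated first. The domain names appended to `human_readable` come straight from the API response and are rendered as markdown; building the output with `tableToMarkdown`, as `parsed_domain_rdap_command` does, would keep the formatting in one place.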
@@ -1565,6 +1655,31 @@ def parsed_whois_command():
 )
+def parsed_domain_rdap_command():
+ """
+ Returns parsed domain rdap data in a given domain
+ """
+ domain = demisto.args()['domain']
+ results = parsed_domain_rdap(domain=domain)
+
+ _raw_response = results.get("_raw") or {}
+ flat_response = results.get("flat") or {}
+
+ for key, val in flat_response.items():
+ if "|" in val:
+ flat_response[key] = ", ".join([v.strip() for v in val.split("|")])
+
+ headers = list(flat_response.keys())
+
+ human_readable = tableToMarkdown(f'DomainTools parsed domain rdap result for {domain}', flat_response, headers=headers)
+
+ return CommandResults(
+ readable_output=human_readable,
+ raw_response=_raw_response,
+ ignore_auto_extract=True
+ )
+
+
 def test_module():
 """
 Tests the API key for a user.
@@ -1598,31 +1713,6 @@ def fetch_domains():
 )
-def parsed_domain_rdap_command():
- """
- Returns parsed domain rdap data in a given domain
- """
- domain = demisto.args()['domain']
- results = parsed_domain_rdap(domain=domain)
-
- _raw_response = results.get("_raw") or {}
- flat_response = results.get("flat") or {}
-
- for key, val in flat_response.items():
- if "|" in val:
- flat_response[key] = ", ".join([v.strip() for v in val.split("|")])
-
- headers = list(flat_response.keys())
-
- human_readable = tableToMarkdown(f'DomainTools parsed domain rdap result for {domain}', flat_response, headers=headers)
-
- return CommandResults(
- readable_output=human_readable,
- raw_response=_raw_response,
- ignore_auto_extract=True
- )
-
-
 def main():
 """
 Main Demisto function.
@@ -1631,6 +1721,7 @@ def main():
 "test-module": test_module,
 "domain": domain_command,
 "domainRdap": parsed_domain_rdap_command,
+ "domaintools-whois": parsed_whois_command,
 "domaintoolsiris-investigate": domain_command,
 "domaintoolsiris-analytics": domain_analytics_command,
 "domaintoolsiris-threat-profile": threat_profile_command,
@@ -1639,7 +1730,8 @@ def main():
 "domaintools-whois-history": whois_history_command,
 "domaintools-hosting-history": hosting_history_command,
 "domaintools-reverse-whois": reverse_whois_command,
- "domaintools-whois": parsed_whois_command,
+ "reverseNameServer": reverse_nameserver_command,
+ "reverseIP": reverse_ip_command
 }
 try:
diff --git a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.yml b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.yml
index 8264a897be02..dc77df5bc5b0 100644
--- a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.yml
+++ b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris.yml
@@ -2440,6 +2440,38 @@ script:
 description: Parsed Whois data.
 - contextPath: Domain.WhoisRecords
 description: Full Whois record.
+ - name: reverseIP
+ arguments:
+ - default: true
+ name: ip
+ description: Specify the IP address to query.
+ - name: domain
+ description: If a domain name is provided, DomainTools will respond with the list of other domains that share the same IP.
+ - name: limit
+ description: Limits the size of the domain list than can appear in a response. The limit is applied per-IP address, not for the entire request.
+ defaultValue: 50
+ description: Reverse loopkup of an IP address or a domain.
+ deprecated: false
+ execution: false
+ outputs:
+ - contextPath: Domain.Name
+ description: Domain name returned by the query.
+ - contextPath: Domain.DNS.Address
+ description: The IP address associated with the returned domains.
+ - name: reverseNameServer
+ arguments:
+ - name: nameServer
+ required: true
+ description: Specify the name of the primary or secondary nameserver.
+ - name: limit
+ description: Limit the size of the domain list than can appear in a response.
+ defaultValue: 50
+ deprecated: false
+ execution: false
+ description: Reverse nameserver lookup.
+ outputs:
+ - contextPath: Domain.Name
+ description: Name of the domain returned by the query.
 dockerimage: demisto/vendors-sdk:1.0.0.2141458
 runonce: false
 script: '-'
diff --git a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris_test.py b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris_test.py
index f081f358d0d3..b2432db20be0 100644
--- a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris_test.py
+++ b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/DomainTools_Iris_test.py
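Review bot: The `reverseIP` outputs declare `Domain.DNS.Address`, but `reverse_ip_command` in DomainTools_Iris.py only appends `{"Name": domain}` to the context, so that path is never populated and a playbook cannot tell which IP each returned domain was seen on. Either add the address to each context entry or remove the output here and in the README. Neither `ip` nor `domain` is marked `required`, so the command can be invoked with no target at all; the argument descriptions should say that one of the two must be given. The descriptions also contain typos (`loopkup`, `than can appear`).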
@@ -1,7 +1,13 @@
 import pytest
 from CommonServerPython import *
-from DomainTools_Iris import format_investigate_output, format_enrich_output, main, http_request, API
+from DomainTools_Iris import (
+ format_investigate_output,
+ format_enrich_output,
+ main,
+ http_request,
+ API,
+)
 from test_data import mock_response, expected
@@ -12,65 +18,77 @@ def dt_client():
 def write_test_data(file_path, string_to_write):
 """
- Use this function to save expected action output for asserting future edge cases.
- example:
- human_readable_output, context = format_enrich_output(mock_response.domaintools_response)
- # requires you to replace "\" with "\\" in file for assertions to pass
- write_test_data('new-test-data.txt', human_readable_output)
-
- Args:
- file_path: file to save test expected output.
- string_to_write: the results to save.
- """
+ Use this function to save expected action output for asserting future edge cases.
+ example:
+ human_readable_output, context = format_enrich_output(mock_response.domaintools_response)
+ # requires you to replace "\" with "\\" in file for assertions to pass
+ write_test_data('new-test-data.txt', human_readable_output)
+
+ Args:
+ file_path: file to save test expected output.
+ string_to_write: the results to save.
+ """
 with open(file_path, "w") as file:
 file.write(string_to_write)
 def test_format_investigate():
- human_readable_output, context = format_investigate_output(mock_response.domaintools_response)
+ human_readable_output, context = format_investigate_output(
+ mock_response.domaintools_response
+ )
 expected_investigate_domaintools_context = expected.domaintools_investigate_context
 domaintools_context = context.get("domaintools")
- assert domaintools_context.get("Name") == expected_investigate_domaintools_context.get("domaintools", {}).get("Name")
+ assert domaintools_context.get(
+ "Name"
+ ) == expected_investigate_domaintools_context.get("domaintools", {}).get("Name")
 def test_format_enrich():
- human_readable_output, context = format_enrich_output(mock_response.domaintools_response)
+ human_readable_output, context = format_enrich_output(
+ mock_response.domaintools_response
+ )
 expected_enrich_domaintools_context = expected.domaintools_enrich_context
 domaintools_context = context.get("domaintools")
- assert domaintools_context.get("Name") == expected_enrich_domaintools_context.get("domaintools", {}).get("Name")
+ assert domaintools_context.get("Name") == expected_enrich_domaintools_context.get(
+ "domaintools", {}
+ ).get("Name")
 def test_analytics_command(mocker):
 mocker.patch.object(demisto, "command", return_value="domaintoolsiris-analytics")
 mocker.patch.object(demisto, "args", return_value={"domain": "domaintools.com"})
 mocker.patch(
- 'DomainTools_Iris.domain_investigate',
+ "DomainTools_Iris.domain_investigate",
 return_value={
- 'results_count': 1,
- 'results': [
- mock_response.domaintools_response]})
+ "results_count": 1,
+ "results": [mock_response.domaintools_response],
+ },
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['Contents']['domain'] == 'domaintools.com'
+ assert results[0]["Contents"]["domain"] == "domaintools.com"
 def test_threat_profile_command(mocker):
- mocker.patch.object(demisto, "command", return_value="domaintoolsiris-threat-profile")
+ mocker.patch.object(
+ demisto, "command", return_value="domaintoolsiris-threat-profile"
+ )
 mocker.patch.object(demisto, "args", return_value={"domain": "domaintools.com"})
 mocker.patch(
- 'DomainTools_Iris.domain_investigate',
+ "DomainTools_Iris.domain_investigate",
 return_value={
- 'results_count': 1,
- 'results': [
- mock_response.domaintools_response]})
+ "results_count": 1,
+ "results": [mock_response.domaintools_response],
+ },
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['Contents']['domain'] == 'domaintools.com'
+ assert results[0]["Contents"]["domain"] == "domaintools.com"
 def test_pivot_command(mocker):
@@ -81,71 +99,90 @@ def test_pivot_command(mocker):
 return_value={
 "domain": "domaintools.com",
 "ip": "104.16.124.175",
- "include_context": True})
+ "include_context": True,
+ },
+ )
 mocker.patch(
- 'DomainTools_Iris.domain_pivot',
+ "DomainTools_Iris.domain_pivot",
 return_value={
- 'has_more_results': False,
- 'results_count': 1,
- 'results': mock_response.pivot_response})
+ "has_more_results": False,
+ "results_count": 1,
+ "results": mock_response.pivot_response,
+ },
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['Contents']['Value'] == '104.16.124.175'
+ assert results[0]["Contents"]["Value"] == "104.16.124.175"
 def test_whois_history_command(mocker):
 mocker.patch.object(demisto, "command", return_value="domaintools-whois-history")
 mocker.patch.object(demisto, "args", return_value={"domain": "domaintools.com"})
 mocker.patch(
- 'DomainTools_Iris.whois_history',
+ "DomainTools_Iris.whois_history",
 return_value={
- 'record_count': 2,
- 'history': mock_response.whois_history_response})
+ "record_count": 2,
+ "history": mock_response.whois_history_response,
+ },
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['Contents']['Value'] == 'domaintools.com'
+ assert results[0]["Contents"]["Value"] == "domaintools.com"
 def test_hosting_history_command(mocker):
 mocker.patch.object(demisto, "command", return_value="domaintools-hosting-history")
 mocker.patch.object(demisto, "args", return_value={"domain": "domaintools.com"})
 mocker.patch(
- 'DomainTools_Iris.hosting_history',
+ "DomainTools_Iris.hosting_history",
 return_value={
- 'record_count': 2,
- 'history': mock_response.hosting_history_response})
+ "record_count": 2,
+ "history": mock_response.hosting_history_response,
+ },
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['Contents']['Value'] == 'domaintools.com'
+ assert results[0]["Contents"]["Value"] == "domaintools.com"
 def test_reverse_whois_command(mocker):
 mocker.patch.object(demisto, "command", return_value="domaintools-reverse-whois")
 mocker.patch.object(demisto, "args", return_value={"terms": "domaintools"})
- mocker.patch('DomainTools_Iris.reverse_whois', return_value=mock_response.reverse_whois_response)
+ mocker.patch(
+ "DomainTools_Iris.reverse_whois",
+ return_value=mock_response.reverse_whois_response,
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['Contents']['Value'] == 'domaintools'
+ assert results[0]["Contents"]["Value"] == "domaintools"
 def test_whois_command(mocker):
 mocker.patch.object(demisto, "command", return_value="domaintools-whois")
 mocker.patch.object(demisto, "args", return_value={"query": "domaintools.com"})
- mocker.patch('DomainTools_Iris.parsed_whois', return_value=mock_response.parsed_whois_response)
+ mocker.patch(
+ "DomainTools_Iris.parsed_whois",
+ return_value=mock_response.parsed_whois_response,
+ )
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- assert results[0]['EntryContext']['Domain(val.Name && val.Name == obj.Name)'][0]['Name'] == 'domaintools.com'
+ assert (
+ results[0]["EntryContext"]["Domain(val.Name && val.Name == obj.Name)"][0][
+ "Name"
+ ]
+ == "domaintools.com"
+ )
 def test_domainRdap_command(mocker):
@@ -154,18 +191,18 @@ def test_domainRdap_command(mocker):
 mock_resp = {
 "_raw": mock_response.raw_parsed_domain_rdap_response,
- "flat": mock_response.flattened_parsed_domain_rdap_response
+ "flat": mock_response.flattened_parsed_domain_rdap_response,
 }
 expected_rdap_response_keys = ["domain_rdap", "parsed_domain_rdap", "record_source"]
- mocker.patch('DomainTools_Iris.parsed_domain_rdap', return_value=mock_resp)
+ mocker.patch("DomainTools_Iris.parsed_domain_rdap", return_value=mock_resp)
 mocker.patch.object(demisto, "results")
 main()
 results = demisto.results.call_args[0]
- contents = results[0]['Contents']
+ contents = results[0]["Contents"]
 assert contents["record_source"] == "domaintools.com"
 assert all(True for key in expected_rdap_response_keys if key in contents)
@@ -176,7 +213,7 @@ def test_domainRdap_command(mocker):
 def test_testModule_command(mocker):
 mocker.patch.object(demisto, "command", return_value="test-module")
- mocker.patch('DomainTools_Iris.http_request', return_value={})
+ mocker.patch("DomainTools_Iris.http_request", return_value={})
 mocker.patch.object(demisto, "results")
 main()
@@ -184,9 +221,12 @@ def test_testModule_command(mocker):
 assert "ok" in results[0]
-@pytest.mark.parametrize("method, attribute, params", [
- ("parsed-domain-rdap", "parsed_domain_rdap", {"domain": "domaintools.com"})
-])
+@pytest.mark.parametrize(
+ "method, attribute, params",
+ [
+ ("parsed-domain-rdap", "parsed_domain_rdap", {"domain": "domaintools.com"}),
+ ],
+)
 def test_http_request(mocker, dt_client, method, attribute, params):
 expected_response = {
 "parsed-domain-rdap": mock_response.raw_parsed_domain_rdap_response,
@@ -202,3 +242,69 @@ def test_http_request(mocker, dt_client, method, attribute, params):
 results = http_request(method, params)
 assert results == expected_response[method]
+
+
+@pytest.mark.parametrize(
+ "args, attribute, type",
+ [
+ ({"domain": "google.com"}, "reverse_ip", "domain"),
+ ({"ip": "8.8.8.8"}, "host_domains", "ip"),
+ ],
+)
+def test_reverseIP_command(mocker, args, attribute, type):
+ mocker.patch.object(demisto, "command", return_value="reverseIP")
+ mocker.patch.object(demisto, "args", return_value=args)
+
+ mock_api_response = {
+ "ip": mock_response.reverseIP_responses.get("ip"),
+ "domain": mock_response.reverseIP_responses.get("domain"),
+ }
+
+ mocker.patch(f"DomainTools_Iris.{attribute}", return_value=mock_api_response[type])
+
+ mocker.patch.object(demisto, "results")
+ main()
+ results = demisto.results.call_args[0]
+
+ contents = results[0]["Contents"]
+
+ assert "ip_addresses" in contents
+ if type == "domain":
+ assert isinstance(contents["ip_addresses"], list) is True
+
+ human_readable = results[0]["HumanReadable"]
+
+ expected_human_readable = {
+ "ip": expected.reverseIP_ip_params_table,
+ "domain": expected.reverseIP_domain_params_table,
+ }
+ assert " ".join(human_readable.split()) == " ".join(
+ expected_human_readable[type].split()
+ )
+
+
+def test_reverseNameserver_command(mocker):
+ mocker.patch.object(demisto, "command", return_value="reverseNameServer")
+ mocker.patch.object(
+ demisto, "args", return_value={"nameServer": "ns01.domaincontrol.com"}
+ )
+
+ mocker.patch(
+ "DomainTools_Iris.reverse_nameserver",
+ return_value=mock_response.reverseNameserver_response,
+ )
+
+ mocker.patch.object(demisto, "results")
+ main()
+ results = demisto.results.call_args[0]
+
+ contents = results[0]["Contents"]
+
+ assert "name_server" in contents
+ assert "primary_domains" in contents
+
+ primary_domains = contents.get("primary_domains")
+ assert len(primary_domains) == 5
+
+ human_readable = results[0]["HumanReadable"]
+ assert " ".join(human_readable.split()) == " ".join(expected.reverseNameserver_table.split())
diff --git a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/README.md b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/README.md
index 21afdcb9e1e5..b1b69fd563ee 100644
--- a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/README.md
+++ b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/README.md
@@ -1,14 +1,14 @@
 Together, DomainTools and Cortex XSOAR automate and orchestrate the incident response process with essential domain profile, web crawl, SSL and infrastructure data. SOCs can create custom, automated workflows to trigger Indicator of Compromise (IoC) investigations, block threats based on connected infrastructure, and identify potentially malicious domains before weaponization. The DomainTools App for Cortex XSOAR is shipped with pre-built playbooks to enable automated enrichment, decision logic, ad-hoc investigations, and the ability to persist enriched intelligence.
-This integration was integrated and tested with version 2.1.3 of DomainTools Iris.
+This integration was integrated and tested with version 2.2.0 of DomainTools Iris.
 ## Configure DomainTools Iris in Cortex
+
 | **Parameter** | **Description** | **Required** |
 | --- | --- | --- |
-| DomainTools API URL | Change to in order to use DomainTool's https endpoint. | True |
-| API Username | | True |
-| API Key | | True |
+| API Username | | False |
+| API Key | | False |
 | High-Risk Threshold | | True |
 | Young Domain Timeframe (within Days) | | True |
 | Trust any certificate (not secure) | | False |
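Review bot: The new tests patch `DomainTools_Iris.reverse_ip`, `host_domains` and `reverse_nameserver` directly, so the three branches this commit adds to `http_request` (`reverse-nameserver`, `reverse-ip`, `host-domains`) are never exercised; the `test_http_request` parametrize list still holds only `parsed-domain-rdap`. Add one row per new method there, and add a case that runs `reverseIP` with neither `ip` nor `domain` to pin the error behaviour. No test passes a `limit` either, so the `int(... or 50)` parsing is uncovered. The parameter name `type` in `test_reverseIP_command` shadows the builtin; `lookup_type` would avoid that.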
@@ -27,6 +27,7 @@ This integration was integrated and tested with version 2.1.3 of DomainTools Iri
 | First fetch timestamp (<number> <time unit>, e.g., 12 hours, 7 days) | This is a required field by XSOAR and should be set to 2, one for each possible feed type iris search hash and iris tags. | False |
+
 ## Commands
 You can execute these commands from the CLI, as part of an automation, or in a playbook.
@@ -917,7 +918,6 @@ The DomainTools Parsed Whois API provides parsed information extracted from the
 | Domain.Name | unknown | Requested domain name. |
 | Domain.Whois | unknown | Parsed Whois data. |
 | Domain.WhoisRecords | unknown | Full Whois record. |
-
 ### domainRdap
 ***
@@ -936,3 +936,49 @@ Returns the most recent Domain-RDAP registration record.
 #### Context Output
 There is no context output for this command.
+### reverseIP
+
+***
+Reverse loopkup of an IP address or a domain.
+
+#### Base Command
+
+`reverseIP`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| ip | Specify the IP address to query. | Optional |
+| domain | If a domain name is provided, DomainTools will respond with the list of other domains that share the same IP. | Optional |
+| limit | Limits the size of the domain list than can appear in a response. The limit is applied per-IP address, not for the entire request. Default is 50. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Domain.Name | unknown | Domain name returned by the query. |
+| Domain.DNS.Address | unknown | The IP address associated with the returned domains. |
+
+### reverseNameServer
+
+***
+Reverse nameserver lookup.
+
+#### Base Command
+
+`reverseNameServer`
+
+#### Input
+
+| **Argument Name** | **Description** | **Required** |
+| --- | --- | --- |
+| nameServer | Specify the name of the primary or secondary nameserver. | Required |
+| limit | Limit the size of the domain list than can appear in a response. Default is 50. | Optional |
+
+#### Context Output
+
+| **Path** | **Type** | **Description** |
+| --- | --- | --- |
+| Domain.Name | unknown | Name of the domain returned by the query. |
+
diff --git a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/expected.py b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/expected.py
index bf8806a49b1c..17050641360b 100644
--- a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/expected.py
+++ b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/expected.py
@@ -6,7 +6,9 @@ | [domaintools.com](https://domaintools.com) | 2023-11-10 | 0 | 0 | 0 | | | 200 | | {"value": "REDACTED FOR PRIVACY", "count": 132267110} | {"value": "REDACTED FOR PRIVACY", "count": 48508017} | name: {"value": "REDACTED FOR PRIVACY", "count": 131643982}
org: {"value": "REDACTED FOR PRIVACY", "count": 120617938}
street: {"value": "REDACTED FOR PRIVACY", "count": 118863405}
city: {"value": "REDACTED FOR PRIVACY", "count": 122675278}
state: {"value": "WA", "count": 7027354}
postal: {"value": "REDACTED FOR PRIVACY", "count": 123526354}
country: {"value": "us", "count": 274018662}
phone: {"value": "", "count": 0}
fax: {"value": "", "count": 0}
email: {'value': 'https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce', 'count': 1} | {"value": "ENOM, INC.", "count": 3984318} | {'value': 'hostmaster@nsone.net', 'count': 6623371} | | name: {"value": "REDACTED FOR PRIVACY", "count": 131643982}
org: {"value": "REDACTED FOR PRIVACY", "count": 120617938}
street: {"value": "REDACTED FOR PRIVACY", "count": 118863405}
city: {"value": "REDACTED FOR PRIVACY", "count": 122675278}
state: {"value": "REDACTED FOR PRIVACY", "count": 118764947}
postal: {"value": "REDACTED FOR PRIVACY", "count": 123526354}
country: {"value": "REDACTED FOR PRIVACY", "count": 119229051}
phone: {"value": "", "count": 0}
fax: {"value": "", "count": 0}
email: {'value': 'redacted for privacy', 'count': 9920089} | name: {"value": "REDACTED FOR PRIVACY", "count": 131643982}
org: {"value": "REDACTED FOR PRIVACY", "count": 120617938}
street: {"value": "REDACTED FOR PRIVACY", "count": 118863405}
city: {"value": "REDACTED FOR PRIVACY", "count": 122675278}
state: {"value": "REDACTED FOR PRIVACY", "count": 118764947}
postal: {"value": "REDACTED FOR PRIVACY", "count": 123526354}
country: {"value": "REDACTED FOR PRIVACY", "count": 119229051}
phone: {"value": "", "count": 0}
fax: {"value": "", "count": 0}
email: {'value': 'redacted for privacy', 'count': 9915617} | name: {"value": "", "count": 0}
org: {"value": "", "count": 0}
street: {"value": "", "count": 0}
city: {"value": "", "count": 0}
state: {"value": "", "count": 0}
postal: {"value": "", "count": 0}
country: {"value": "", "count": 0}
phone: {"value": "", "count": 0}
fax: {"value": "", "count": 0}
email: | {'value': 'enom.com', 'count': 21797646},
{'value': 'nsone.net', 'count': 6273096} | {'value': 'abuse@enom.com', 'count': 12520125} | | clienttransferprohibited | true | {"value": "1998-08-02", "count": 881} | {"value": "2027-08-01", "count": 8614} | {'address': {'value': '141.193.213.20', 'count': 67508}, 'asn': [{'value': 209242, 'count': 1195750}], 'country_code': {'value': 'us', 'count': 197557302}, 'isp': {'value': 'WPEngine Inc.', 'count': 264650}},
{'address': {'value': '141.193.213.21', 'count': 64201}, 'asn': [{'value': 209242, 'count': 1195750}], 'country_code': {'value': 'us', 'count': 197557302}, 'isp': {'value': 'WPEngine Inc.', 'count': 264650}} | us | {'host': {'value': 'aspmx4.googlemail.com', 'count': 1445502}, 'domain': {'value': 'googlemail.com', 'count': 7834197}, 'ip': [{'value': '142.250.152.26', 'count': 8072705}], 'priority': 10},
{'host': {'value': 'aspmx2.googlemail.com', 'count': 7144886}, 'domain': {'value': 'googlemail.com', 'count': 7834197}, 'ip': [{'value': '142.250.115.27', 'count': 10961898}], 'priority': 10},
{'host': {'value': 'alt1.aspmx.l.google.com', 'count': 23734997}, 'domain': {'value': 'google.com', 'count': 27642606}, 'ip': [{'value': '142.250.115.27', 'count': 10961898}], 'priority': 5},
{'host': {'value': 'aspmx.l.google.com', 'count': 24146461}, 'domain': {'value': 'google.com', 'count': 27642606}, 'ip': [{'value': '142.250.99.26', 'count': 1071342}], 'priority': 1},
{'host': {'value': 'alt2.aspmx.l.google.com', 'count': 23642821}, 'domain': {'value': 'google.com', 'count': 27642606}, 'ip': [{'value': '64.233.171.27', 'count': 11245269}], 'priority': 5},
{'host': {'value': 'aspmx3.googlemail.com', 'count': 7030977}, 'domain': {'value': 'googlemail.com', 'count': 7834197}, 'ip': [{'value': '64.233.171.27', 'count': 11245269}], 'priority': 10} | | {'host': {'value': 'dns4.p04.nsone.net', 'count': 402494}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.45.68', 'count': 402483}]},
{'host': {'value': 'dns3.p04.nsone.net', 'count': 400519}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.44.68', 'count': 400500}]},
{'host': {'value': 'dns1.p04.nsone.net', 'count': 400560}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.44.4', 'count': 400568}]},
{'host': {'value': 'dns2.p04.nsone.net', 'count': 400314}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.45.4', 'count': 400326}]} | {'hash': {'value': '7d4887aaaad43f8e68e359366dce8063635699e3', 'count': 1}, 'subject': {'value': 'CN=domaintools.com', 'count': 1}, 'organization': {'value': '', 'count': 0}, 'email': [], 'alt_names': [{'value': 'domaintools.com', 'count': 0}, {'value': 'blog.domaintools.com', 'count': 0}, {'value': 'www.domaintools.com', 'count': 0}], 'common_name': {'value': 'domaintools.com', 'count': 1}, 'issuer_common_name': {'value': 'Sectigo RSA Domain Validation Secure Server CA', 'count': 14181540}, 'not_after': {'value': 20240726, 'count': 310808}, 'not_before': {'value': 20230626, 'count': 256705}, 'duration': {'value': 397, 'count': 2562623}} | {"value": "", "count": 0} | {"value": "", "count": 0} | {"value": "", "count": 0} | {"value": "", "count": 0} | {"value": "DomainTools - The first place to go when you need to know.", "count": "[2](https://iris.domaintools.com/investigate/search/?q=domain:\\"domaintools.com\\")"} | {"value": "2001-10-26T00:00:00Z", "count": 0} | {"value": "Golfe2", "count": 1903001} | 3625 | """ -domaintools_investigate_context = json.loads('{"domain": {"Name": "domaintools.com", "CreationDate": "1998-08-02", "DomainStatus": true, "ExpirationDate": "2027-08-01", "DNS": [{"type": "DNS", "ip": "141.193.213.20"}, {"type": "DNS", "ip": "141.193.213.21"}, {"type": "MX", "ip": "142.250.152.26", "host": "aspmx4.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "aspmx2.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "alt1.aspmx.l.google.com"}, {"type": "MX", "ip": "142.250.99.26", "host": "aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "alt2.aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "aspmx3.googlemail.com"}, {"type": "NS", "ip": "198.51.45.68", "host": "dns4.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.68", 
"host": "dns3.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.4", "host": "dns1.p04.nsone.net"}, {"type": "NS", "ip": "198.51.45.4", "host": "dns2.p04.nsone.net"}], "Registrant": {"Name": "REDACTED FOR PRIVACY", "Organization": "REDACTED FOR PRIVACY"}, "Geo": {"Country": "us us"}, "WHOIS": [{"key": "Admin Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Email", "value": "redacted for privacy"}, {"key": "Admin Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrant Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Email", "value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce"}, {"key": "Registrant Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: WA, Postal: REDACTED FOR PRIVACY, Country: us"}, {"key": "Billing Address", "value": "Street: , City: , State: , Postal: , Country: "}, {"key": "Technical Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Email", "value": "redacted for privacy"}, {"key": "Technical Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrar", "value": {"value": "ENOM, INC.", "count": 3984318}}], "Rank": [{"source": "DomainTools Popularity Rank", "rank": 3625}], "ThreatTypes": [{"threatcategory": "risk_score", "threatcategoryconfidence": 0}, {"threatcategory": "zerolist", "threatcategoryconfidence": 0}], "Tags": ""}, "domaintools": {"Name": "domaintools.com", "LastEnriched": "2023-10-18", "Analytics": {"OverallRiskScore": 0, "ProximityRiskScore": 0, "ThreatProfileRiskScore": {"RiskScore": 0, 
"Threats": "", "Evidence": ""}, "WebsiteResponseCode": 200, "GoogleAdsenseTrackingCode": {"value": "", "count": 0}, "GoogleAnalyticTrackingCode": {"value": "", "count": 0}, "Tags": []}, "Identity": {"RegistrantName": "REDACTED FOR PRIVACY", "RegistrantOrg": "REDACTED FOR PRIVACY", "RegistrantContact": {"Country": {"value": "us", "count": 274018662}, "Email": [{"value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce", "count": 1}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "WA", "count": 7027354}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "Registrar": {"value": "ENOM, INC.", "count": 3984318}, "SOAEmail": [{"value": "hostmaster@nsone.net", "count": 6623371}], "SSLCertificateEmail": [], "AdminContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9920089}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "TechnicalContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9915617}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", 
"count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "BillingContact": {"Country": {"value": "", "count": 0}, "Email": [], "Name": {"value": "", "count": 0}, "Phone": {"value": "", "count": 0}, "Street": {"value": "", "count": 0}, "City": {"value": "", "count": 0}, "State": {"value": "", "count": 0}, "Postal": {"value": "", "count": 0}, "Org": {"value": "", "count": 0}}, "EmailDomains": ["enom.com", "nsone.net"], "AdditionalWhoisEmails": [{"value": "abuse@enom.com", "count": 12520125}]}, "Registration": {"RegistrarStatus": ["clienttransferprohibited"], "DomainStatus": true, "CreateDate": "1998-08-02", "ExpirationDate": "2027-08-01"}, "Hosting": {"IPAddresses": [{"address": {"value": "141.193.213.20", "count": 67508}, "asn": [{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}, {"address": {"value": "141.193.213.21", "count": 64201}, "asn": [{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}], "IPCountryCode": "us", "MailServers": [{"host": {"value": "aspmx4.googlemail.com", "count": 1445502}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.152.26", "count": 8072705}], "priority": 10}, {"host": {"value": "aspmx2.googlemail.com", "count": 7144886}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 10}, {"host": {"value": "alt1.aspmx.l.google.com", "count": 23734997}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 5}, {"host": {"value": "aspmx.l.google.com", "count": 24146461}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.99.26", "count": 1071342}], "priority": 1}, {"host": 
{"value": "alt2.aspmx.l.google.com", "count": 23642821}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 5}, {"host": {"value": "aspmx3.googlemail.com", "count": 7030977}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 10}], "SPFRecord": "", "NameServers": [{"host": {"value": "dns4.p04.nsone.net", "count": 402494}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.68", "count": 402483}]}, {"host": {"value": "dns3.p04.nsone.net", "count": 400519}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.68", "count": 400500}]}, {"host": {"value": "dns1.p04.nsone.net", "count": 400560}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.4", "count": 400568}]}, {"host": {"value": "dns2.p04.nsone.net", "count": 400314}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.4", "count": 400326}]}], "SSLCertificate": [{"hash": {"value": "7d4887aaaad43f8e68e359366dce8063635699e3", "count": 1}, "subject": {"value": "CN=domaintools.com", "count": 1}, "organization": {"value": "", "count": 0}, "email": [], "alt_names": [{"value": "domaintools.com", "count": 0}, {"value": "blog.domaintools.com", "count": 0}, {"value": "www.domaintools.com", "count": 0}], "common_name": {"value": "domaintools.com", "count": 1}, "issuer_common_name": {"value": "Sectigo RSA Domain Validation Secure Server CA", "count": 14181540}, "not_after": {"value": 20240726, "count": 310808}, "not_before": {"value": 20230626, "count": 256705}, "duration": {"value": 397, "count": 2562623}}], "RedirectsTo": {"value": "", "count": 0}, "RedirectDomain": {"value": "", "count": 0}}, "WebsiteTitle": "DomainTools - The first place to go when you need to know.", "FirstSeen": "2001-10-26T00:00:00Z", "ServerType": "Golfe2"}, "dbotscore": {"Indicator": 
"domaintools.com", "Type": "domain", "Vendor": "DomainTools Iris", "Score": 1, "Reliability": null}}') +domaintools_investigate_context = json.loads( + '{"domain": {"Name": "domaintools.com", "CreationDate": "1998-08-02", "DomainStatus": true, "ExpirationDate": "2027-08-01", "DNS": [{"type": "DNS", "ip": "141.193.213.20"}, {"type": "DNS", "ip": "141.193.213.21"}, {"type": "MX", "ip": "142.250.152.26", "host": "aspmx4.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "aspmx2.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "alt1.aspmx.l.google.com"}, {"type": "MX", "ip": "142.250.99.26", "host": "aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "alt2.aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "aspmx3.googlemail.com"}, {"type": "NS", "ip": "198.51.45.68", "host": "dns4.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.68", "host": "dns3.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.4", "host": "dns1.p04.nsone.net"}, {"type": "NS", "ip": "198.51.45.4", "host": "dns2.p04.nsone.net"}], "Registrant": {"Name": "REDACTED FOR PRIVACY", "Organization": "REDACTED FOR PRIVACY"}, "Geo": {"Country": "us us"}, "WHOIS": [{"key": "Admin Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Email", "value": "redacted for privacy"}, {"key": "Admin Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrant Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Email", "value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce"}, {"key": "Registrant Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: WA, Postal: REDACTED FOR PRIVACY, Country: us"}, {"key": "Billing Address", "value": 
"Street: , City: , State: , Postal: , Country: "}, {"key": "Technical Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Email", "value": "redacted for privacy"}, {"key": "Technical Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrar", "value": {"value": "ENOM, INC.", "count": 3984318}}], "Rank": [{"source": "DomainTools Popularity Rank", "rank": 3625}], "ThreatTypes": [{"threatcategory": "risk_score", "threatcategoryconfidence": 0}, {"threatcategory": "zerolist", "threatcategoryconfidence": 0}], "Tags": ""}, "domaintools": {"Name": "domaintools.com", "LastEnriched": "2023-10-18", "Analytics": {"OverallRiskScore": 0, "ProximityRiskScore": 0, "ThreatProfileRiskScore": {"RiskScore": 0, "Threats": "", "Evidence": ""}, "WebsiteResponseCode": 200, "GoogleAdsenseTrackingCode": {"value": "", "count": 0}, "GoogleAnalyticTrackingCode": {"value": "", "count": 0}, "Tags": []}, "Identity": {"RegistrantName": "REDACTED FOR PRIVACY", "RegistrantOrg": "REDACTED FOR PRIVACY", "RegistrantContact": {"Country": {"value": "us", "count": 274018662}, "Email": [{"value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce", "count": 1}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "WA", "count": 7027354}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "Registrar": {"value": "ENOM, INC.", "count": 3984318}, "SOAEmail": [{"value": "hostmaster@nsone.net", "count": 6623371}], "SSLCertificateEmail": [], "AdminContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, 
"Email": [{"value": "redacted for privacy", "count": 9920089}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "TechnicalContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9915617}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "BillingContact": {"Country": {"value": "", "count": 0}, "Email": [], "Name": {"value": "", "count": 0}, "Phone": {"value": "", "count": 0}, "Street": {"value": "", "count": 0}, "City": {"value": "", "count": 0}, "State": {"value": "", "count": 0}, "Postal": {"value": "", "count": 0}, "Org": {"value": "", "count": 0}}, "EmailDomains": ["enom.com", "nsone.net"], "AdditionalWhoisEmails": [{"value": "abuse@enom.com", "count": 12520125}]}, "Registration": {"RegistrarStatus": ["clienttransferprohibited"], "DomainStatus": true, "CreateDate": "1998-08-02", "ExpirationDate": "2027-08-01"}, "Hosting": {"IPAddresses": [{"address": {"value": "141.193.213.20", "count": 67508}, "asn": [{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}, {"address": {"value": "141.193.213.21", "count": 64201}, "asn": [{"value": 209242, "count": 1195750}], "country_code": 
{"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}], "IPCountryCode": "us", "MailServers": [{"host": {"value": "aspmx4.googlemail.com", "count": 1445502}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.152.26", "count": 8072705}], "priority": 10}, {"host": {"value": "aspmx2.googlemail.com", "count": 7144886}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 10}, {"host": {"value": "alt1.aspmx.l.google.com", "count": 23734997}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 5}, {"host": {"value": "aspmx.l.google.com", "count": 24146461}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.99.26", "count": 1071342}], "priority": 1}, {"host": {"value": "alt2.aspmx.l.google.com", "count": 23642821}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 5}, {"host": {"value": "aspmx3.googlemail.com", "count": 7030977}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 10}], "SPFRecord": "", "NameServers": [{"host": {"value": "dns4.p04.nsone.net", "count": 402494}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.68", "count": 402483}]}, {"host": {"value": "dns3.p04.nsone.net", "count": 400519}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.68", "count": 400500}]}, {"host": {"value": "dns1.p04.nsone.net", "count": 400560}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.4", "count": 400568}]}, {"host": {"value": "dns2.p04.nsone.net", "count": 400314}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.4", "count": 400326}]}], "SSLCertificate": [{"hash": 
{"value": "7d4887aaaad43f8e68e359366dce8063635699e3", "count": 1}, "subject": {"value": "CN=domaintools.com", "count": 1}, "organization": {"value": "", "count": 0}, "email": [], "alt_names": [{"value": "domaintools.com", "count": 0}, {"value": "blog.domaintools.com", "count": 0}, {"value": "www.domaintools.com", "count": 0}], "common_name": {"value": "domaintools.com", "count": 1}, "issuer_common_name": {"value": "Sectigo RSA Domain Validation Secure Server CA", "count": 14181540}, "not_after": {"value": 20240726, "count": 310808}, "not_before": {"value": 20230626, "count": 256705}, "duration": {"value": 397, "count": 2562623}}], "RedirectsTo": {"value": "", "count": 0}, "RedirectDomain": {"value": "", "count": 0}}, "WebsiteTitle": "DomainTools - The first place to go when you need to know.", "FirstSeen": "2001-10-26T00:00:00Z", "ServerType": "Golfe2"}, "dbotscore": {"Indicator": "domaintools.com", "Type": "domain", "Vendor": "DomainTools Iris", "Score": 1, "Reliability": null}}' +) domaintools_enrich_readable = """### DomainTools Iris Enrich for domaintools.com. Investigate [domaintools.com](https://research.domaintools.com/iris/search/?q=domaintools.com) in Iris. |Name|Last Enriched|Overall Risk Score|Proximity Risk Score|Threat Profile Risk Score|Threat Profile Threats|Threat Profile Evidence|Website Response Code|Tags|Registrant Name|Registrant Org|Registrant Contact|Registrar|SOA Email|SSL Certificate Email|Admin Contact|Technical Contact|Billing Contact|Email Domains|Additional Whois Emails|Domain Registrant|Registrar Status|Domain Status|Create Date|Expiration Date|IP Addresses|IP Country Code|Mail Servers|SPF Record|Name Servers|SSL Certificate|Redirects To|Redirect Domain|Google Adsense Tracking Code|Google Analytic Tracking Code|Website Title|First Seen|Server Type|Popularity| @@ -14,7 +16,9 @@ | domaintools.com | 2023-11-10 | 0 | 0 | 0 | | | 200 | | REDACTED FOR PRIVACY | REDACTED FOR PRIVACY | Country: {"value": "us", "count": 274018662}
Email: {'value': 'https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce', 'count': 1}
Name: {"value": "REDACTED FOR PRIVACY", "count": 131643982}
Phone: {"value": "", "count": 0}
Street: {"value": "REDACTED FOR PRIVACY", "count": 118863405}
City: {"value": "REDACTED FOR PRIVACY", "count": 122675278}
State: {"value": "WA", "count": 7027354}
Postal: {"value": "REDACTED FOR PRIVACY", "count": 123526354}
Org: {"value": "REDACTED FOR PRIVACY", "count": 120617938} | value: ENOM, INC.
count: 3984318 | {'value': 'hostmaster@nsone.net', 'count': 6623371} | | Country: {"value": "REDACTED FOR PRIVACY", "count": 119229051}
Email: {'value': 'redacted for privacy', 'count': 9920089}
Name: {"value": "REDACTED FOR PRIVACY", "count": 131643982}
Phone: {"value": "", "count": 0}
Street: {"value": "REDACTED FOR PRIVACY", "count": 118863405}
City: {"value": "REDACTED FOR PRIVACY", "count": 122675278}
State: {"value": "REDACTED FOR PRIVACY", "count": 118764947}
Postal: {"value": "REDACTED FOR PRIVACY", "count": 123526354}
Org: {"value": "REDACTED FOR PRIVACY", "count": 120617938} | Country: {"value": "REDACTED FOR PRIVACY", "count": 119229051}
Email: {'value': 'redacted for privacy', 'count': 9915617}
Name: {"value": "REDACTED FOR PRIVACY", "count": 131643982}
Phone: {"value": "", "count": 0}
Street: {"value": "REDACTED FOR PRIVACY", "count": 118863405}
City: {"value": "REDACTED FOR PRIVACY", "count": 122675278}
State: {"value": "REDACTED FOR PRIVACY", "count": 118764947}
Postal: {"value": "REDACTED FOR PRIVACY", "count": 123526354}
Org: {"value": "REDACTED FOR PRIVACY", "count": 120617938} | Country: {"value": "", "count": 0}
Email:
Name: {"value": "", "count": 0}
Phone: {"value": "", "count": 0}
Street: {"value": "", "count": 0}
City: {"value": "", "count": 0}
State: {"value": "", "count": 0}
Postal: {"value": "", "count": 0}
Org: {"value": "", "count": 0} | enom.com,
nsone.net | {'value': 'abuse@enom.com', 'count': 12520125} | | clienttransferprohibited | true | 1998-08-02 | 2027-08-01 | {'address': {'value': '141.193.213.20', 'count': 67508}, 'asn': [{'value': 209242, 'count': 1195750}], 'country_code': {'value': 'us', 'count': 197557302}, 'isp': {'value': 'WPEngine Inc.', 'count': 264650}},
{'address': {'value': '141.193.213.21', 'count': 64201}, 'asn': [{'value': 209242, 'count': 1195750}], 'country_code': {'value': 'us', 'count': 197557302}, 'isp': {'value': 'WPEngine Inc.', 'count': 264650}} | us | {'host': {'value': 'aspmx4.googlemail.com', 'count': 1445502}, 'domain': {'value': 'googlemail.com', 'count': 7834197}, 'ip': [{'value': '142.250.152.26', 'count': 8072705}], 'priority': 10},
{'host': {'value': 'aspmx2.googlemail.com', 'count': 7144886}, 'domain': {'value': 'googlemail.com', 'count': 7834197}, 'ip': [{'value': '142.250.115.27', 'count': 10961898}], 'priority': 10},
{'host': {'value': 'alt1.aspmx.l.google.com', 'count': 23734997}, 'domain': {'value': 'google.com', 'count': 27642606}, 'ip': [{'value': '142.250.115.27', 'count': 10961898}], 'priority': 5},
{'host': {'value': 'aspmx.l.google.com', 'count': 24146461}, 'domain': {'value': 'google.com', 'count': 27642606}, 'ip': [{'value': '142.250.99.26', 'count': 1071342}], 'priority': 1},
{'host': {'value': 'alt2.aspmx.l.google.com', 'count': 23642821}, 'domain': {'value': 'google.com', 'count': 27642606}, 'ip': [{'value': '64.233.171.27', 'count': 11245269}], 'priority': 5},
{'host': {'value': 'aspmx3.googlemail.com', 'count': 7030977}, 'domain': {'value': 'googlemail.com', 'count': 7834197}, 'ip': [{'value': '64.233.171.27', 'count': 11245269}], 'priority': 10} | | {'host': {'value': 'dns4.p04.nsone.net', 'count': 402494}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.45.68', 'count': 402483}]},
{'host': {'value': 'dns3.p04.nsone.net', 'count': 400519}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.44.68', 'count': 400500}]},
{'host': {'value': 'dns1.p04.nsone.net', 'count': 400560}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.44.4', 'count': 400568}]},
{'host': {'value': 'dns2.p04.nsone.net', 'count': 400314}, 'domain': {'value': 'nsone.net', 'count': 3878719}, 'ip': [{'value': '198.51.45.4', 'count': 400326}]} | {'hash': {'value': '7d4887aaaad43f8e68e359366dce8063635699e3', 'count': 1}, 'subject': {'value': 'CN=domaintools.com', 'count': 1}, 'organization': {'value': '', 'count': 0}, 'email': [], 'alt_names': [{'value': 'domaintools.com', 'count': 0}, {'value': 'blog.domaintools.com', 'count': 0}, {'value': 'www.domaintools.com', 'count': 0}], 'common_name': {'value': 'domaintools.com', 'count': 1}, 'issuer_common_name': {'value': 'Sectigo RSA Domain Validation Secure Server CA', 'count': 14181540}, 'not_after': {'value': 20240726, 'count': 310808}, 'not_before': {'value': 20230626, 'count': 256705}, 'duration': {'value': 397, 'count': 2562623}} | value:
count: 0 | value:
count: 0 | value:
count: 0 | value:
count: 0 | DomainTools - The first place to go when you need to know. | 2001-10-26T00:00:00Z | Golfe2 | {'source': 'DomainTools Popularity Rank', 'rank': 3625} | """ -domaintools_enrich_context = json.loads('{"domain": {"Name": "domaintools.com", "CreationDate": "1998-08-02", "DomainStatus": true, "ExpirationDate": "2027-08-01", "DNS": [{"type": "DNS", "ip": "141.193.213.20"}, {"type": "DNS", "ip": "141.193.213.21"}, {"type": "MX", "ip": "142.250.152.26", "host": "aspmx4.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "aspmx2.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "alt1.aspmx.l.google.com"}, {"type": "MX", "ip": "142.250.99.26", "host": "aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "alt2.aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "aspmx3.googlemail.com"}, {"type": "NS", "ip": "198.51.45.68", "host": "dns4.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.68", "host": "dns3.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.4", "host": "dns1.p04.nsone.net"}, {"type": "NS", "ip": "198.51.45.4", "host": "dns2.p04.nsone.net"}], "Registrant": {"Name": "REDACTED FOR PRIVACY", "Organization": "REDACTED FOR PRIVACY"}, "Geo": {"Country": "us us"}, "WHOIS": [{"key": "Admin Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Email", "value": "redacted for privacy"}, {"key": "Admin Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrant Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Email", "value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce"}, {"key": "Registrant Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: WA, Postal: REDACTED FOR PRIVACY, 
Country: us"}, {"key": "Billing Address", "value": "Street: , City: , State: , Postal: , Country: "}, {"key": "Technical Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Email", "value": "redacted for privacy"}, {"key": "Technical Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrar", "value": {"value": "ENOM, INC.", "count": 3984318}}], "Rank": [{"source": "DomainTools Popularity Rank", "rank": 3625}], "ThreatTypes": [{"threatcategory": "risk_score", "threatcategoryconfidence": 0}, {"threatcategory": "zerolist", "threatcategoryconfidence": 0}], "Tags": ""}, "domaintools": {"Name": "domaintools.com", "LastEnriched": "2023-10-18", "Analytics": {"OverallRiskScore": 0, "ProximityRiskScore": 0, "ThreatProfileRiskScore": {"RiskScore": 0, "Threats": "", "Evidence": ""}, "WebsiteResponseCode": 200, "GoogleAdsenseTrackingCode": {"value": "", "count": 0}, "GoogleAnalyticTrackingCode": {"value": "", "count": 0}, "Tags": []}, "Identity": {"RegistrantName": "REDACTED FOR PRIVACY", "RegistrantOrg": "REDACTED FOR PRIVACY", "RegistrantContact": {"Country": {"value": "us", "count": 274018662}, "Email": [{"value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce", "count": 1}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "WA", "count": 7027354}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "Registrar": {"value": "ENOM, INC.", "count": 3984318}, "SOAEmail": [{"value": "hostmaster@nsone.net", "count": 6623371}], "SSLCertificateEmail": [], "AdminContact": {"Country": 
{"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9920089}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "TechnicalContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9915617}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "BillingContact": {"Country": {"value": "", "count": 0}, "Email": [], "Name": {"value": "", "count": 0}, "Phone": {"value": "", "count": 0}, "Street": {"value": "", "count": 0}, "City": {"value": "", "count": 0}, "State": {"value": "", "count": 0}, "Postal": {"value": "", "count": 0}, "Org": {"value": "", "count": 0}}, "EmailDomains": ["enom.com", "nsone.net"], "AdditionalWhoisEmails": [{"value": "abuse@enom.com", "count": 12520125}]}, "Registration": {"RegistrarStatus": ["clienttransferprohibited"], "DomainStatus": true, "CreateDate": "1998-08-02", "ExpirationDate": "2027-08-01"}, "Hosting": {"IPAddresses": [{"address": {"value": "141.193.213.20", "count": 67508}, "asn": [{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}, {"address": {"value": "141.193.213.21", "count": 64201}, "asn": 
[{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}], "IPCountryCode": "us", "MailServers": [{"host": {"value": "aspmx4.googlemail.com", "count": 1445502}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.152.26", "count": 8072705}], "priority": 10}, {"host": {"value": "aspmx2.googlemail.com", "count": 7144886}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 10}, {"host": {"value": "alt1.aspmx.l.google.com", "count": 23734997}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 5}, {"host": {"value": "aspmx.l.google.com", "count": 24146461}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.99.26", "count": 1071342}], "priority": 1}, {"host": {"value": "alt2.aspmx.l.google.com", "count": 23642821}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 5}, {"host": {"value": "aspmx3.googlemail.com", "count": 7030977}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 10}], "SPFRecord": "", "NameServers": [{"host": {"value": "dns4.p04.nsone.net", "count": 402494}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.68", "count": 402483}]}, {"host": {"value": "dns3.p04.nsone.net", "count": 400519}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.68", "count": 400500}]}, {"host": {"value": "dns1.p04.nsone.net", "count": 400560}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.4", "count": 400568}]}, {"host": {"value": "dns2.p04.nsone.net", "count": 400314}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.4", 
"count": 400326}]}], "SSLCertificate": [{"hash": {"value": "7d4887aaaad43f8e68e359366dce8063635699e3", "count": 1}, "subject": {"value": "CN=domaintools.com", "count": 1}, "organization": {"value": "", "count": 0}, "email": [], "alt_names": [{"value": "domaintools.com", "count": 0}, {"value": "blog.domaintools.com", "count": 0}, {"value": "www.domaintools.com", "count": 0}], "common_name": {"value": "domaintools.com", "count": 1}, "issuer_common_name": {"value": "Sectigo RSA Domain Validation Secure Server CA", "count": 14181540}, "not_after": {"value": 20240726, "count": 310808}, "not_before": {"value": 20230626, "count": 256705}, "duration": {"value": 397, "count": 2562623}}], "RedirectsTo": {"value": "", "count": 0}, "RedirectDomain": {"value": "", "count": 0}}, "WebsiteTitle": "DomainTools - The first place to go when you need to know.", "FirstSeen": "2001-10-26T00:00:00Z", "ServerType": "Golfe2"}, "dbotscore": {"Indicator": "domaintools.com", "Type": "domain", "Vendor": "DomainTools Iris", "Score": 1, "Reliability": null}}') +domaintools_enrich_context = json.loads( + '{"domain": {"Name": "domaintools.com", "CreationDate": "1998-08-02", "DomainStatus": true, "ExpirationDate": "2027-08-01", "DNS": [{"type": "DNS", "ip": "141.193.213.20"}, {"type": "DNS", "ip": "141.193.213.21"}, {"type": "MX", "ip": "142.250.152.26", "host": "aspmx4.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "aspmx2.googlemail.com"}, {"type": "MX", "ip": "142.250.115.27", "host": "alt1.aspmx.l.google.com"}, {"type": "MX", "ip": "142.250.99.26", "host": "aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "alt2.aspmx.l.google.com"}, {"type": "MX", "ip": "64.233.171.27", "host": "aspmx3.googlemail.com"}, {"type": "NS", "ip": "198.51.45.68", "host": "dns4.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.68", "host": "dns3.p04.nsone.net"}, {"type": "NS", "ip": "198.51.44.4", "host": "dns1.p04.nsone.net"}, {"type": "NS", "ip": "198.51.45.4", "host": 
"dns2.p04.nsone.net"}], "Registrant": {"Name": "REDACTED FOR PRIVACY", "Organization": "REDACTED FOR PRIVACY"}, "Geo": {"Country": "us us"}, "WHOIS": [{"key": "Admin Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Admin Email", "value": "redacted for privacy"}, {"key": "Admin Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrant Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Registrant Email", "value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce"}, {"key": "Registrant Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: WA, Postal: REDACTED FOR PRIVACY, Country: us"}, {"key": "Billing Address", "value": "Street: , City: , State: , Postal: , Country: "}, {"key": "Technical Name", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Organization", "value": "REDACTED FOR PRIVACY"}, {"key": "Technical Email", "value": "redacted for privacy"}, {"key": "Technical Address", "value": "Street: REDACTED FOR PRIVACY, City: REDACTED FOR PRIVACY, State: REDACTED FOR PRIVACY, Postal: REDACTED FOR PRIVACY, Country: REDACTED FOR PRIVACY"}, {"key": "Registrar", "value": {"value": "ENOM, INC.", "count": 3984318}}], "Rank": [{"source": "DomainTools Popularity Rank", "rank": 3625}], "ThreatTypes": [{"threatcategory": "risk_score", "threatcategoryconfidence": 0}, {"threatcategory": "zerolist", "threatcategoryconfidence": 0}], "Tags": ""}, "domaintools": {"Name": "domaintools.com", "LastEnriched": "2023-10-18", "Analytics": {"OverallRiskScore": 0, "ProximityRiskScore": 0, "ThreatProfileRiskScore": {"RiskScore": 0, "Threats": "", "Evidence": ""}, "WebsiteResponseCode": 200, "GoogleAdsenseTrackingCode": {"value": "", "count": 0}, "GoogleAnalyticTrackingCode": 
{"value": "", "count": 0}, "Tags": []}, "Identity": {"RegistrantName": "REDACTED FOR PRIVACY", "RegistrantOrg": "REDACTED FOR PRIVACY", "RegistrantContact": {"Country": {"value": "us", "count": 274018662}, "Email": [{"value": "https://tieredaccess.com/contact/784fb607-c3ec-4640-b40f-30fc9f61b9ce", "count": 1}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "WA", "count": 7027354}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "Registrar": {"value": "ENOM, INC.", "count": 3984318}, "SOAEmail": [{"value": "hostmaster@nsone.net", "count": 6623371}], "SSLCertificateEmail": [], "AdminContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9920089}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, "TechnicalContact": {"Country": {"value": "REDACTED FOR PRIVACY", "count": 119229051}, "Email": [{"value": "redacted for privacy", "count": 9915617}], "Name": {"value": "REDACTED FOR PRIVACY", "count": 131643982}, "Phone": {"value": "", "count": 0}, "Street": {"value": "REDACTED FOR PRIVACY", "count": 118863405}, "City": {"value": "REDACTED FOR PRIVACY", "count": 122675278}, "State": {"value": "REDACTED FOR PRIVACY", "count": 118764947}, "Postal": {"value": "REDACTED FOR PRIVACY", "count": 123526354}, "Org": {"value": "REDACTED FOR PRIVACY", "count": 120617938}}, 
"BillingContact": {"Country": {"value": "", "count": 0}, "Email": [], "Name": {"value": "", "count": 0}, "Phone": {"value": "", "count": 0}, "Street": {"value": "", "count": 0}, "City": {"value": "", "count": 0}, "State": {"value": "", "count": 0}, "Postal": {"value": "", "count": 0}, "Org": {"value": "", "count": 0}}, "EmailDomains": ["enom.com", "nsone.net"], "AdditionalWhoisEmails": [{"value": "abuse@enom.com", "count": 12520125}]}, "Registration": {"RegistrarStatus": ["clienttransferprohibited"], "DomainStatus": true, "CreateDate": "1998-08-02", "ExpirationDate": "2027-08-01"}, "Hosting": {"IPAddresses": [{"address": {"value": "141.193.213.20", "count": 67508}, "asn": [{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}, {"address": {"value": "141.193.213.21", "count": 64201}, "asn": [{"value": 209242, "count": 1195750}], "country_code": {"value": "us", "count": 197557302}, "isp": {"value": "WPEngine Inc.", "count": 264650}}], "IPCountryCode": "us", "MailServers": [{"host": {"value": "aspmx4.googlemail.com", "count": 1445502}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.152.26", "count": 8072705}], "priority": 10}, {"host": {"value": "aspmx2.googlemail.com", "count": 7144886}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 10}, {"host": {"value": "alt1.aspmx.l.google.com", "count": 23734997}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.115.27", "count": 10961898}], "priority": 5}, {"host": {"value": "aspmx.l.google.com", "count": 24146461}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "142.250.99.26", "count": 1071342}], "priority": 1}, {"host": {"value": "alt2.aspmx.l.google.com", "count": 23642821}, "domain": {"value": "google.com", "count": 27642606}, "ip": [{"value": "64.233.171.27", "count": 
11245269}], "priority": 5}, {"host": {"value": "aspmx3.googlemail.com", "count": 7030977}, "domain": {"value": "googlemail.com", "count": 7834197}, "ip": [{"value": "64.233.171.27", "count": 11245269}], "priority": 10}], "SPFRecord": "", "NameServers": [{"host": {"value": "dns4.p04.nsone.net", "count": 402494}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.68", "count": 402483}]}, {"host": {"value": "dns3.p04.nsone.net", "count": 400519}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.68", "count": 400500}]}, {"host": {"value": "dns1.p04.nsone.net", "count": 400560}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.44.4", "count": 400568}]}, {"host": {"value": "dns2.p04.nsone.net", "count": 400314}, "domain": {"value": "nsone.net", "count": 3878719}, "ip": [{"value": "198.51.45.4", "count": 400326}]}], "SSLCertificate": [{"hash": {"value": "7d4887aaaad43f8e68e359366dce8063635699e3", "count": 1}, "subject": {"value": "CN=domaintools.com", "count": 1}, "organization": {"value": "", "count": 0}, "email": [], "alt_names": [{"value": "domaintools.com", "count": 0}, {"value": "blog.domaintools.com", "count": 0}, {"value": "www.domaintools.com", "count": 0}], "common_name": {"value": "domaintools.com", "count": 1}, "issuer_common_name": {"value": "Sectigo RSA Domain Validation Secure Server CA", "count": 14181540}, "not_after": {"value": 20240726, "count": 310808}, "not_before": {"value": 20230626, "count": 256705}, "duration": {"value": 397, "count": 2562623}}], "RedirectsTo": {"value": "", "count": 0}, "RedirectDomain": {"value": "", "count": 0}}, "WebsiteTitle": "DomainTools - The first place to go when you need to know.", "FirstSeen": "2001-10-26T00:00:00Z", "ServerType": "Golfe2"}, "dbotscore": {"Indicator": "domaintools.com", "Type": "domain", "Vendor": "DomainTools Iris", "Score": 1, "Reliability": null}}' +) parsed_domain_rdap_table = """### DomainTools parsed domain 
rdap result for domaintools.com
@@ -22,3 +26,41 @@
 |---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
 | DOMAINTOOLS.COM | 1697312_DOMAIN_COM-VRSN | client transfer prohibited | 1998-08-02T04:00:00+00:00 | 2020-01-09T23:06:29+00:00 | 2027-08-01T04:00:00+00:00 | signed: false | DNS1.P04.NSONE.NET., DNS2.P04.NSONE.NET., DNS3.P04.NSONE.NET., DNS4.P04.NSONE.NET. | rdap_level_0, icann_rdap_response_profile_0, icann_rdap_technical_implementation_guide_0 | abuse@enom.com, redacted for privacy | enom.com | | ENOM, INC. | 48 | ENOM, INC. | ABUSE@ENOM.COM | tel:+1.4259744689 | abuse | REDACTED FOR PRIVACY | REDACTED FOR PRIVACY | | | | WA | US | registrant | REDACTED FOR PRIVACY | REDACTED FOR PRIVACY | administrative | REDACTED FOR PRIVACY | REDACTED FOR PRIVACY | technical | reseller |
 """
+
+
+reverseIP_domain_params_table = """
+Found 105 domains for 142.250.217.68.
+* bazinv.com
+* energypathco.com
+* tradera.club
+* gsinet.co.uk
+* vendomesucks.com
+* tinglyfish.net
+* dmarc.net
+* jameygijzen.nl
+* signled.cn
+* hechosetri.xyz
+Found 811 domains for 142.250.217.78.
+"""
+
+reverseIP_ip_params_table = """Found 14910 domains for 8.8.8.8.
+* 1gkncxfiow5j.com
+* 3tuga.xyz
+* 4031leyu.com
+* 4vrijqda75p3.com
+* 98587.top
+* acxp.net
+* aeneascapital.com
+* anhuirb.cn
+* appx.com.tr
+* badmashistatus.com
+"""
+
+
+reverseNameserver_table = """Found 5 domains.
+* 0--0----------------------------------------------------------0.com
+* 0--0.ac
+* 0--0.dev
+* 0--0.mobi
+* 0--0.xyz
+"""
diff --git a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/mock_response.py b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/mock_response.py
index 63e846154c40..85292ef55d66 100644
--- a/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/mock_response.py
+++ b/Packs/DomainTools_Iris/Integrations/DomainTools_Iris/test_data/mock_response.py
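Review bot: The expected text in `reverseNameserver_table` opens with `Found 5 domains.`, while the matching fixture `reverseNameserver_response` in mock_response.py reports `"total": 58889069` for `domaincontrol.com`. The two `reverseIP_*` tables in this same hunk do the opposite and print the API's `domain_count` (`Found 14910 domains for 8.8.8.8.`) above a ten-item list. The nameserver output therefore appears to count the returned list rather than the total, so an analyst pivoting on a shared nameserver could read a truncated list as the complete set. If that reading is right, the expectation should pin the total and the queried host, e.g. `Found 58889069 domains for domaincontrol.com.`, which also means changing the command's formatter (not visible in this hunk).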
@@ -810,3 +810,67 @@
 "contact_roles_3": "technical",
 "contact_roles_4": "reseller",
 }
+
+reverseIP_responses = {
+ "ip": {
+ "ip_addresses": {
+ "ip_address": "8.8.8.8",
+ "domain_count": 14910,
+ "domain_names": [
+ "1gkncxfiow5j.com",
+ "3tuga.xyz",
+ "4031leyu.com",
+ "4vrijqda75p3.com",
+ "98587.top",
+ "acxp.net",
+ "aeneascapital.com",
+ "anhuirb.cn",
+ "appx.com.tr",
+ "badmashistatus.com",
+ ],
+ }
+ },
+ "domain": {
+ "ip_addresses": [
+ {
+ "ip_address": "142.250.217.68",
+ "domain_count": 105,
+ "domain_names": [
+ "bazinv.com",
+ "energypathco.com",
+ "tradera.club",
+ "gsinet.co.uk",
+ "vendomesucks.com",
+ "tinglyfish.net",
+ "dmarc.net",
+ "jameygijzen.nl",
+ "signled.cn",
+ "hechosetri.xyz",
+ ],
+ },
+ {
+ "ip_address": "142.250.217.78",
+ "domain_count": 811,
+ "domain_names": [],
+ },
+ ]
+ },
+}
+
+
+reverseNameserver_response = {
+ "name_server": {
+ "hostname": "domaincontrol.com",
+ "primary": 58848068,
+ "secondary": 41001,
+ "total": 58889069,
+ },
+ "primary_domains": [
+ "0--0----------------------------------------------------------0.com",
+ "0--0.ac",
+ "0--0.dev",
+ "0--0.mobi",
+ "0--0.xyz",
+ ],
+ "secondary_domains": [],
+}
diff --git a/Packs/DomainTools_Iris/ReleaseNotes/2_2_0.md b/Packs/DomainTools_Iris/ReleaseNotes/2_2_0.md
new file mode 100644
index 000000000000..1128c098542d
--- /dev/null
+++ b/Packs/DomainTools_Iris/ReleaseNotes/2_2_0.md
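Review bot: `reverseIP_responses` holds two different shapes under the same `ip_addresses` key, a single object under `"ip"` and a list of objects under `"domain"`, and nothing in the fixture says why. A comment above the dict such as `# "ip": one ip_addresses object; "domain": a list of them, one per resolved IP` would tell the next maintainer that the formatter has to accept both. Which API call returns which shape is not visible in this hunk, so the wording should be confirmed against the integration. Separately, `reverseNameserver_response` only has `"secondary_domains": []`, so this fixture never exercises how secondary domains are rendered.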
@@ -0,0 +1,76 @@
+#### Indicator Fields
+
+##### DomainTools Iris Risk Score Components
+
+- Updated the fromVersion to 6.6.0
+
+#### Integrations
+
+##### DomainTools Iris
+
+- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.2141458*.
+- Added a new command `domainProfile` to fetch parsed_domain_rdap data from Domaintools API.
+
+#### Layouts
+
+##### DomainTools Iris Incident Layout
+
+- Updated the metadata format.
+
+#### Playbooks
+
+##### DomainTools Check New Domains by Iris Hash
+
+- Updated the playbook description and the README.
+
+##### DomainTools Auto Pivots
+
+- Updated the output description README.
+
+##### Indicator Pivoting - DomainTools Iris
+
+- Updated the REAMDE.
+
+#### Scripts
+
+##### CheckTags
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### AddDomainRiskScoreToContext
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### DomainExtractAndEnrich
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### AssociateIndicatorsToIncident
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### CheckLastEnrichment
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### CheckPivotableDomains
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### SetIndicatorTableData
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+##### DomainExtractAndInvestigate
+
+- Updated the Docker image to: *demisto/python3:3.12.8.1983910*.
+
+
+#### Integrations
+
+##### DomainTools Iris
+
+- Updated the Docker image to: *demisto/vendors-sdk:1.0.0.2141458*.
+- Added a new command `reverseNameServer` to do a reverse nameserver lookup using Domaintools API.
+- Added a new command `reverseIP` to do a reverse loopkup of an IP address or a domain using Domaintools API.
+- Added a new command `domainProfile` to fetch parsed_domain_rdap data from Domaintools API.
diff --git a/Packs/DomainTools_Iris/pack_metadata.json b/Packs/DomainTools_Iris/pack_metadata.json
index 2c09b111196e..fb4fad88a332 100644
--- a/Packs/DomainTools_Iris/pack_metadata.json
+++ b/Packs/DomainTools_Iris/pack_metadata.json
@@ -2,7 +2,7 @@
 "name": "DomainTools Iris Investigate",
 "description": "Facilitates automation of key infrastructure characterization and hunting portions of the incident response process. Organizations will have access to essential domain profile, web crawl, SSL, and infrastructure data from within Cortex XSOAR. Requires a DomainTools Iris Investigate API key.",
 "support": "partner",
- "currentVersion": "2.1.3",
+ "currentVersion": "2.2.0",
 "author": "DomainTools",
 "url": "https://www.domaintools.com/support/",
 "email": "memberservices@domaintools.com",