diff --git a/README.md b/README.md index e1bc7e3..28ee170 100644 --- a/README.md +++ b/README.md @@ -106,6 +106,7 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION [configure scheduled playbooks](#action-configure-scheduled-playbooks) - Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status [on poll](#action-on-poll) - Execute scheduled playbooks based on the set interval(mins) in 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules [nod feed](#action-nod-feed) - Apex-level domains (e.g. example.com but not www.example.com) observed for the first time by the DomainTools sensor network, and which are not present in our DNSDB historical database. +[nad feed](#action-nad-feed) - Apex-level domains (e.g. example.com but not www.example.com) DomainTools has newly observed in our DNS sensor network. This includes domains observed in DNS for the first time as well as domains observed in DNS again after not being observed for at least 10 days. ## action: 'test connectivity' Validate the asset configuration for connectivity 
@@ -652,6 +653,34 @@ PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS **session_id** | optional | Serves as a unique identifier for the session. This parameter ensures that data retrieval begins from the latest timestamp recorded in the previous data pull. | string | **top** | optional | The number of results to return in the response payload. Primarily used for testing. | string | +#### Action Output +DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES +--------- | ---- | -------- | -------------- +action_result.data | string | | +action_result.data.\*.domain | string | `domain` | +action_result.data.\*.timestamp | string | | +action_result.status | string | | success failed +action_result.summary | string | | +action_result.message | string | | +action_result.parameter.domain | string | | +action_result.parameter.after | string | | +action_result.parameter.session_id | string | | +action_result.parameter.top | string | | + +## action: 'nad feed' +Apex-level domains (e.g. example.com but not www.example.com) DomainTools has newly observed in our DNS sensor network. This includes domains observed in DNS for the first time as well as domains observed in DNS again after not being observed for at least 10 days. + +Type: **investigate** +Read only: **True** + +#### Action Parameters +PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS +--------- | -------- | ----------- | ---- | -------- +**domain** | optional | Used to filter feed results. The filter can be an exact match or a partial match when the \* character is included at the beginning and/or end of the value. | string | +**after** | optional | A negative integer (in seconds) representing the start of the time window, relative to the current time in seconds, for which data will be provided. | string | +**session_id** | optional | Serves as a unique identifier for the session. This parameter ensures that data retrieval begins from the latest timestamp recorded in the previous data pull. 
| string | +**top** | optional | The number of results to return in the response payload. Primarily used for testing. | string | + #### Action Output DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES --------- | ---- | -------- | -------------- diff --git a/domaintools_iris.json b/domaintools_iris.json index d9a9a48..a6d0786 100644 --- a/domaintools_iris.json +++ b/domaintools_iris.json 
@@ -2191,6 +2191,95 @@ } ], "versions": "EQ(*)" + }, + { + "action": "nad feed", + "description": "Apex-level domains (e.g. example.com but not www.example.com) DomainTools has newly observed in our DNS sensor network. This includes domains observed in DNS for the first time as well as domains observed in DNS again after not being observed for at least 10 days.", + "type": "investigate", + "identifier": "nad_feed", + "read_only": true, + "parameters": { + "domain": { + "description": "Used to filter feed results. The filter can be an exact match or a partial match when the * character is included at the beginning and/or end of the value.", + "data_type": "string", + "order": 0 + }, + "after": { + "description": "A negative integer (in seconds) representing the start of the time window, relative to the current time in seconds, for which data will be provided.", + "data_type": "string", + "order": 1 + }, + "session_id": { + "description": "Serves as a unique identifier for the session. This parameter ensures that data retrieval begins from the latest timestamp recorded in the previous data pull.", + "data_type": "string", + "order": 2 + }, + "top": { + "description": "The number of results to return in the response payload. 
Primarily used for testing.", + "data_type": "string", + "order": 3 + } + }, + "render": { + "width": 12, + "title": "Newly Active Domains List", + "type": "table", + "height": 10 + }, + "output": [ + { + "data_path": "action_result.data", + "data_type": "string" + }, + { + "data_path": "action_result.data.*.domain", + "data_type": "string", + "column_name": "Domain Names", + "column_order": 1, + "contains": [ + "domain" + ] + }, + { + "data_path": "action_result.data.*.timestamp", + "data_type": "string", + "column_name": "Time Stamp", + "column_order": 2 + }, + { + "data_path": "action_result.status", + "data_type": "string", + "example_values": [ + "success", + "failed" + ] + }, + { + "data_path": "action_result.summary", + "data_type": "string" + }, + { + "data_path": "action_result.message", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.domain", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.after", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.session_id", + "data_type": "string" + }, + { + "data_path": "action_result.parameter.top", + "data_type": "string" + } + ], + "versions": "EQ(*)" } ], "pip39_dependencies": { diff --git a/domaintools_iris_connector.py b/domaintools_iris_connector.py index a556034..0a2558c 100644 --- a/domaintools_iris_connector.py +++ b/domaintools_iris_connector.py @@ -34,6 +34,7 @@ class DomainToolsConnector(BaseConnector): ACTION_ID_ON_POLL = "on_poll" ACTION_ID_CONFIGURE_SCHEDULED_PLAYBOOK = "configure_monitoring_scheduled_playbooks" ACTION_ID_NOD_FEED = "nod_feed" + ACTION_ID_NAD_FEED = "nad_feed" def __init__(self): # Call the BaseConnectors init first @@ -366,6 +367,8 @@ def handle_action(self, param): ret_val = self._configure_monitoring_scheduled_playbooks(param) elif action_id == self.ACTION_ID_NOD_FEED: ret_val = self._nod_feed(param) + elif action_id == self.ACTION_ID_NAD_FEED: + ret_val = self._nad_feed(param) return ret_val 
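Review bot: The `after` and `top` parameters of the new `nad feed` action are declared `"data_type": "string"`, although their descriptions call for a negative integer of seconds and a result count. The platform will therefore accept arbitrary text for both, and the `_nad_feed` body added later in this diff copies `param` into the query arguments without any visible validation. Declaring them as `"data_type": "numeric"` would reject non-numeric input before the action runs. The README context lines suggest the existing `nod feed` parameters use the same string typing, so the two actions are best changed together.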
@@ -860,7 +863,7 @@ def _configure_monitoring_scheduled_playbooks(self, param): ) def _nod_feed(self, param): - self.save_progress("Starting nod_feeds action.") + self.save_progress("Starting nod_feed action.") action_result = self.add_action_result(ActionResult(param)) params = {"always_sign_api_key": False} params.update(param) @@ -873,6 +876,20 @@ def _nod_feed(self, param): return action_result.get_status() + def _nad_feed(self, param): + self.save_progress("Starting nad_feed action.") + action_result = self.add_action_result(ActionResult(param)) + params = {"always_sign_api_key": False} + params.update(param) + session_id = params.pop("session_id", None) + if session_id: + params["sessionID"] = session_id + + self._do_query("nad", action_result, query_args=params) + self.save_progress("Completed nod_feed action.") + + return action_result.get_status() + if __name__ == "__main__": import argparse
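Review bot: `_nad_feed` reports `Completed nod_feed action.` when it finishes, a copy-paste from `_nod_feed` that makes the run log name the wrong feed; it should be `self.save_progress("Completed nad_feed action.")`. The same body calls `params.update(param)` after setting `always_sign_api_key`, so a caller-supplied key of that name replaces the default, and every other unexpected key is forwarded to `_do_query` (how `_do_query` treats extra keys is not visible in this hunk). Building the query arguments from the documented parameters only, and setting `always_sign_api_key` last, closes both gaps. `_nod_feed` shows the same `update` pattern in the preceding hunk, so the two functions could share one helper.

```python
    def _nad_feed(self, param):
        # … unchanged: "Starting nad_feed action." progress line and action_result setup …
        # Forward only the documented parameters; anything else in param is dropped.
        params = {key: param[key] for key in ("domain", "after", "top") if key in param}
        if param.get("session_id"):
            params["sessionID"] = param["session_id"]
        # Set last so a caller-supplied key cannot replace it.
        params["always_sign_api_key"] = False

        self._do_query("nad", action_result, query_args=params)
        self.save_progress("Completed nad_feed action.")
        # … unchanged: return action_result.get_status() …
```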