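--- a/domaintools_iris.json
+++ b/domaintools_iris.json
@@ -2326,6 +2326,118 @@
 }
 ],
 "versions": "EQ(*)"
+},
+{
+"action": "domain discovery feed",
+"description": "New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties.",
+"type": "investigate",
+"identifier": "domain_discovery_feed",
+"read_only": true,
+"parameters": {
+"domain": {
+"description": "Used to filter feed results. The filter can be an exact match or a partial match when the * character is included at the beginning and/or end of the value.",
+"data_type": "string",
+"order": 0
+},
+"before": {
+"description": "The end of the query window in seconds or in ISO8601 format, relative to the current time, inclusive.",
+"data_type": "string",
+"order": 1
+},
+"after": {
+"description": "The start of the query window in seconds in ISO8601 format, relative to the current time, inclusive.",
+"data_type": "string",
+"order": 2
+},
+"session_id": {
+"description": "Serves as a unique identifier for the session. This parameter ensures that data retrieval begins from the latest timestamp recorded in the previous data pull.",
+"data_type": "string",
+"order": 3
+},
+"top": {
+"description": "The number of results to return in the response payload. Primarily used for testing.",
+"data_type": "string",
+"order": 4
+}
+},
+"render": {
+"width": 12,
+"title": "Domain Discovery List",
+"type": "table",
+"height": 10
+},
+"output": [
+{
+"data_path": "action_result.data",
+"data_type": "string"
+},
+{
+"data_path": "action_result.data.*.domain",
+"data_type": "string",
+"column_name": "Domain Names",
+"column_order": 0,
+"contains": [
+"domain"
+]
+},
+{
+"data_path": "action_result.data.*.timestamp",
+"data_type": "string",
+"column_name": "Time Stamp",
+"column_order": 1
+},
+{
+"data_path": "action_result.status",
+"data_type": "string",
+"example_values": [
+"success",
+"failed"
+]
+},
+{
+"data_path": "action_result.summary",
+"data_type": "string"
+},
+{
+"data_path": "action_result.message",
+"data_type": "string"
+},
+{
+"data_path": "action_result.parameter.after",
+"data_type": "string"
+},
+{
+"data_path": "action_result.parameter.before",
+"data_type": "string"
+},
+{
+"data_path": "action_result.parameter.domain",
+"data_type": "string"
+},
+{
+"data_path": "action_result.parameter.session_id",
+"data_type": "string"
+},
+{
+"data_path": "action_result.parameter.top",
+"data_type": "string"
+},
+{
+"data_path": "summary.total_objects",
+"data_type": "numeric",
+"example_values": [
+1
+]
+},
+{
+"data_path": "summary.total_objects_successful",
+"data_type": "numeric",
+"example_values": [
+1
+]
+}
+],
+"versions": "EQ(*)"
 }
 ],
 "pip39_dependencies": {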
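Review bot: The `after` parameter's description reads "in seconds in ISO8601 format", dropping the "or" that the sibling `before` description carries, so it tells the analyst that seconds and ISO8601 are one format; it should read `"The start of the query window in seconds or in ISO8601 format, relative to the current time, inclusive."`. `top` is declared `"data_type": "string"` although it is described as a result count; if the platform accepts it, `"data_type": "numeric"` would let the UI reject non-integer input before it is forwarded to the API. The input `domain` parameter has no `contains` entry while the output column does, so playbook wiring from a prior `domain` artifact will not be suggested for it — worth adding `"contains": ["domain"]` if the other actions in this file declare it on their inputs.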
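--- a/domaintools_iris_connector.py
+++ b/domaintools_iris_connector.py
@@ -35,6 +35,7 @@ class DomainToolsConnector(BaseConnector):
 ACTION_ID_CONFIGURE_SCHEDULED_PLAYBOOK = "configure_monitoring_scheduled_playbooks"
 ACTION_ID_NOD_FEED = "nod_feed"
 ACTION_ID_NAD_FEED = "nad_feed"
+ACTION_ID_DOMAIN_DISCOVERY_FEED = "domain_discovery_feed"
 
 def __init__(self):
 # Call the BaseConnectors init first
@@ -68,7 +69,7 @@ def initialize(self):
 return phantom.APP_SUCCESS
 
 def _is_feeds_service(self, service):
-return service in ("nod", "nad")
+return service in ("nod", "nad", "domaindiscovery")
 
 def _handle_py_ver_for_byte(self, input_str):
 """
@@ -113,7 +114,7 @@ def _parse_feeds_response(self, service, action_result, feeds_results):
 rows = response.strip().split("\n")
 
 for row in rows:
-if service in ("nod", "nad"):
+if service in ("nod", "nad", "domaindiscovery"):
 feed_result = json.loads(row)
 data.append(
 {
@@ -377,6 +378,8 @@ def handle_action(self, param):
 ret_val = self._nod_feed(param)
 elif action_id == self.ACTION_ID_NAD_FEED:
 ret_val = self._nad_feed(param)
+elif action_id == self.ACTION_ID_DOMAIN_DISCOVERY_FEED:
+ret_val = self._domain_discovery_feed(param)
 
 return ret_val
 
@@ -904,6 +907,23 @@ def _nad_feed(self, param):
 
 return action_result.get_status()
 
+def _domain_discovery_feed(self, param):
+self.save_progress(f"Starting {self.ACTION_ID_DOMAIN_DISCOVERY_FEED} action.")
+action_result = self.add_action_result(ActionResult(param))
+params = {"always_sign_api_key": False}
+params.update(param)
+session_id = params.pop("session_id", None)
+if session_id:
+params["sessionID"] = session_id
+
+ret_val = self._do_query("domaindiscovery", action_result, query_args=params)
+self.save_progress(f"Completed {self.ACTION_ID_DOMAIN_DISCOVERY_FEED} action.")
+
+if not ret_val:
+return action_result.get_data()
+
+return action_result.get_status()
+
 
 if __name__ == "__main__":
 import argparse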
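Review bot: In `_domain_discovery_feed` the failure branch `if not ret_val: return action_result.get_data()` hands a list back to `handle_action`, which returns it as the action's status; if `_do_query` yields a phantom status as the tail of `_nad_feed` in the same hunk suggests, a failed query whose result still holds data would be reported as success, so the method should simply end with one `return action_result.get_status()`. The `{"always_sign_api_key": False}` entry presumably turns off request signing for this call so the raw API key travels with the request — a one-line comment such as `# feeds endpoints do not accept signed requests; key is sent directly` would record the reason, and it is worth confirming that `_do_query` never logs `query_args`. `params.update(param)` also forwards every key of the incoming `param` dict, including any platform-injected entries, to the API; copying only the five declared parameters (`domain`, `before`, `after`, `session_id`, `top`) keeps the outbound request to what the action definition promises. The method has no docstring; a short one noting the `session_id` to `sessionID` rename and that `top` is passed through unvalidated would help the next maintainer.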