DomainTools · briluza · Jun 16, 2025 · Jun 13, 2025
diff --git a/packages/ti_domaintools/_dev/build/docs/README.md b/packages/ti_domaintools/_dev/build/docs/README.md
@@ -4,9 +4,10 @@ DomainTools Feeds provide data on the different stages of the domain lifecycle:
 
 Summary of Available Feeds:
 
-- `Domain Discovery`: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties.
 - `Newly Active Domains (NAD)`: Apex-level domains (e.g. example.com but not <www.example.com>) that we observe based on the latest lifecycle of the domain. A domain may be seen either for the first time ever, or again after at least 10 days of inactivity (no observed resolutions in DNS). Populated with our global passive DNS (pDNS) sensor network.
 - `Newly Observed Domains (NOD)`: Apex-level domains (e.g. example.com but not <www.example.com>) that we observe for the first time, and have not observed previously with our global DNS sensor network.
+- `Domain Discovery`: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties.
+- `Domain RDAP`: Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP). Compliments the 5-Minute WHOIS Feed as registries and registrars switch from Whois to RDAP.
 
 With over 300,000 new domains observed daily, the feed empowers security teams to identify and block potentially malicious domains before they can be weaponized.
 Ideal for threat hunting, phishing prevention, and brand protection.
@@ -20,9 +21,10 @@ The DomainTools Feeds integration collects one type of data streams: **logs**
 
 Log data streams collected by the DomainTools integration include the following feeds:
 
-- `Domain Discovery`
 - `Newly Observed Domains (NOD)`
 - `Newly Active Domains (NAD)`
+- `Domain Discovery`
+- `Domain RDAP`
 
 ## Requirements
 
@@ -71,3 +73,14 @@ This data is collected via the [DomainTools Feeds API](https://docs.domaintools.
 {{event "domaindiscovery"}}
 
 {{fields "domaindiscovery"}}
+
+### Domain RDAP
+
+The `domainrdap feed` data stream provides events from [DomainTools Domain RDAP](https://www.domaintools.com/products/threat-intelligence-feeds/).
+This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/).
+
+#### Example
+
+{{event "domainrdap"}}
+
+{{fields "domainrdap"}}
diff --git a/...ages/ti_domaintools/data_stream/domaindiscovery/elasticsearch/ingest_pipeline/default.yml b/...ages/ti_domaintools/data_stream/domaindiscovery/elasticsearch/ingest_pipeline/default.yml
@@ -7,7 +7,7 @@ processors:
     target_field: domaintools
 - set:
     field: domaintools.feed
-    value: 'domaindiscovery'
+    value: 'domaindiscovery_feed'
 
   ############################
   # Generic indicator fields #
@@ -27,7 +27,7 @@ processors:
 
 - set:
     field: threat.feed.description
-    value: 'Apex-level domains (e.g. example.com but not www.example.com) that we observe for the first time, and have not observed previously with our global DNS sensor network.'
+    value: 'New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties.'
 - set:
     field: threat.feed.name
     value: 'DomainTools domaindiscovery'

diff --git a/packages/ti_domaintools/data_stream/domaindiscovery/fields/fields.yml b/packages/ti_domaintools/data_stream/domaindiscovery/fields/fields.yml
@@ -4,7 +4,7 @@
     - name: domain
       type: keyword
       description: >
-        The Domain. Apex-level domains (e.g. example.com but not www.example.com) that we observe for the first time, and have not observed previously with our global DNS sensor network.
+        The Domain.
 
     - name: feed
       type: keyword

diff --git a/packages/ti_domaintools/data_stream/domaindiscovery/sample_event.json b/packages/ti_domaintools/data_stream/domaindiscovery/sample_event.json
@@ -16,7 +16,7 @@
     "data_stream": {
         "namespace": "default",
         "type": "logs",
-        "dataset": "ti_domaintools.nod_feed"
+        "dataset": "ti_domaintools.domaindiscovery"
     },
     "host": {
         "hostname": "docker-fleet-agent",
@@ -58,7 +58,7 @@
         "feed": {
             "reference": "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/",
             "name": "DomainTools domaindiscovery",
-            "description": "Apex-level domains (e.g. example.com but not www.example.com) that we observe for the first time, and have not observed previously with our global DNS sensor network."
+            "description": "New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties."
         }
     },
     "message": "{\"timestamp\":\"2025-01-30T20:14:48Z\",\"domain\":\"tractorpoweredcoreaerator.com\"}",

diff --git a/packages/ti_domaintools/data_stream/domainrdap/_dev/test/pipeline/test-event.json b/packages/ti_domaintools/data_stream/domainrdap/_dev/test/pipeline/test-event.json
@@ -0,0 +1,73 @@
+{
+    "events": [
+        {
+            "timestamp": "2025-06-12T20:34:31Z",
+            "domain": "unlockyourlifehere.com",
+            "raw_record": {
+                "first_request_timestamp": "2025-06-12T20:34:24Z",
+                "requests": [
+                    {
+                        "data": "{\"objectClassName\":\"domain\",\"handle\":\"2894681047_DOMAIN_COM-VRSN\",\"ldhName\":\"UNLOCKYOURLIFEHERE.COM\",\"links\":[{\"value\":\"https:\\/\\/rdap.verisign.com\\/com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"rel\":\"self\",\"href\":\"https:\\/\\/rdap.verisign.com\\/com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"type\":\"application\\/rdap+json\"},{\"value\":\"https:\\/\\/rdap.godaddy.com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"rel\":\"related\",\"href\":\"https:\\/\\/rdap.godaddy.com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"type\":\"application\\/rdap+json\"}],\"status\":[\"redemption period\"],\"entities\":[{\"objectClassName\":\"entity\",\"handle\":\"146\",\"roles\":[\"registrar\"],\"publicIds\":[{\"type\":\"IANA Registrar ID\",\"identifier\":\"146\"}],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"GoDaddy.com, LLC\"]]],\"entities\":[{\"objectClassName\":\"entity\",\"roles\":[\"abuse\"],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"\"],[\"tel\",{\"type\":\"voice\"},\"uri\",\"tel:480-624-2505\"],[\"email\",{},\"text\",\"[email protected]\"]]]}]}],\"events\":[{\"eventAction\":\"registration\",\"eventDate\":\"2024-06-28T11:49:19Z\"},{\"eventAction\":\"expiration\",\"eventDate\":\"2025-06-28T11:49:19Z\"},{\"eventAction\":\"last changed\",\"eventDate\":\"2025-05-20T02:44:33Z\"},{\"eventAction\":\"last update of RDAP database\",\"eventDate\":\"2025-06-12T20:34:16Z\"}],\"secureDNS\":{\"delegationSigned\":false},\"rdapConformance\":[\"rdap_level_0\",\"icann_rdap_technical_implementation_guide_0\",\"icann_rdap_response_profile_0\"],\"notices\":[{\"title\":\"Terms of Use\",\"description\":[\"Service subject to Terms of Use.\"],\"links\":[{\"href\":\"https:\\/\\/www.verisign.com\\/domain-names\\/registration-data-access-protocol\\/terms-service\\/index.xhtml\",\"type\":\"text\\/html\"}]},{\"title\":\"Status Codes\",\"description\":[\"For more information on domain status codes, please visit https:\\/\\/icann.org\\/epp\"],\"links\":[{\"href\":\"https:\\/\\/icann.org\\/epp\",\"type\":\"text\\/html\"}]},{\"title\":\"RDDS Inaccuracy Complaint Form\",\"description\":[\"URL of the ICANN RDDS Inaccuracy Complaint Form: https:\\/\\/icann.org\\/wicf\"],\"links\":[{\"href\":\"https:\\/\\/icann.org\\/wicf\",\"type\":\"text\\/html\"}]}]}",
+                        "source_type": "registry",
+                        "timestamp": "2025-06-12T20:34:24Z",
+                        "url": "https://rdap.verisign.com/com/v1/domain/unlockyourlifehere.com"
+                    }
+                ]
+            },
+            "parsed_record": {
+                "parsed_fields": {
+                    "conformance": [
+                        "rdap_level_0",
+                        "icann_rdap_technical_implementation_guide_0",
+                        "icann_rdap_response_profile_0"
+                    ],
+                    "contacts": [],
+                    "creation_date": "2024-06-28T11:49:19+00:00",
+                    "dnssec": {
+                        "signed": false
+                    },
+                    "domain": "UNLOCKYOURLIFEHERE.COM",
+                    "domain_statuses": [
+                        "redemption period"
+                    ],
+                    "email_domains": [
+                        "godaddy.com"
+                    ],
+                    "emails": [
+                        "[email protected]"
+                    ],
+                    "expiration_date": "2025-06-28T11:49:19+00:00",
+                    "handle": "2894681047_DOMAIN_COM-VRSN",
+                    "last_changed_date": "2025-05-20T02:44:33+00:00",
+                    "links": [
+                        {
+                            "href": "https://rdap.verisign.com/com/v1/domain/UNLOCKYOURLIFEHERE.COM",
+                            "rel": "self"
+                        },
+                        {
+                            "href": "https://rdap.godaddy.com/v1/domain/UNLOCKYOURLIFEHERE.COM",
+                            "rel": "related"
+                        }
+                    ],
+                    "registrar": {
+                        "contacts": [
+                            {
+                                "email": "[email protected]",
+                                "name": "",
+                                "phone": "tel:480-624-2505",
+                                "roles": [
+                                    "abuse"
+                                ]
+                            }
+                        ],
+                        "iana_id": "146",
+                        "name": "GoDaddy.com, LLC"
+                    },
+                    "unclassified_emails": []
+                },
+                "registrar_request_url": null,
+                "registry_request_url": "https://rdap.verisign.com/com/v1/domain/unlockyourlifehere.com"
+            }
+        }
+    ]
+}
diff --git a/...es/ti_domaintools/data_stream/domainrdap/_dev/test/pipeline/test-event.json-expected.json b/...es/ti_domaintools/data_stream/domainrdap/_dev/test/pipeline/test-event.json-expected.json
@@ -0,0 +1,34 @@
+{
+    "expected": [
+        {
+            "domaintools": {
+                "domain": "unlockyourlifehere.com",
+                "timestamp": "2025-06-12T20:34:31Z"
+            },
+            "ecs": {
+                "version": "8.11.0"
+            },
+            "event": {
+                "category": [
+                    "threat"
+                ],
+                "kind": "enrichment",
+                "type": [
+                    "indicator"
+                ]
+            },
+            "message": "{\"timestamp\":\"2025-06-12T20:34:31Z\",\"domain\":\"unlockyourlifehere.com\",\"raw_record\":{\"first_request_timestamp\":\"2025-06-12T20:34:24Z\",\"requests\":[{\"data\":\"{\\\"objectClassName\\\":\\\"domain\\\",\\\"handle\\\":\\\"2894681047_DOMAIN_COM-VRSN\\\",\\\"ldhName\\\":\\\"UNLOCKYOURLIFEHERE.COM\\\",\\\"links\\\":[{\\\"value\\\":\\\"https:\\\\/\\\\/rdap.verisign.com\\\\/com\\\\/v1\\\\/domain\\\\/UNLOCKYOURLIFEHERE.COM\\\",\\\"rel\\\":\\\"self\\\",\\\"href\\\":\\\"https:\\\\/\\\\/rdap.verisign.com\\\\/com\\\\/v1\\\\/domain\\\\/UNLOCKYOURLIFEHERE.COM\\\",\\\"type\\\":\\\"application\\\\/rdap+json\\\"},{\\\"value\\\":\\\"https:\\\\/\\\\/rdap.godaddy.com\\\\/v1\\\\/domain\\\\/UNLOCKYOURLIFEHERE.COM\\\",\\\"rel\\\":\\\"related\\\",\\\"href\\\":\\\"https:\\\\/\\\\/rdap.godaddy.com\\\\/v1\\\\/domain\\\\/UNLOCKYOURLIFEHERE.COM\\\",\\\"type\\\":\\\"application\\\\/rdap+json\\\"}],\\\"status\\\":[\\\"redemption period\\\"],\\\"entities\\\":[{\\\"objectClassName\\\":\\\"entity\\\",\\\"handle\\\":\\\"146\\\",\\\"roles\\\":[\\\"registrar\\\"],\\\"publicIds\\\":[{\\\"type\\\":\\\"IANA Registrar ID\\\",\\\"identifier\\\":\\\"146\\\"}],\\\"vcardArray\\\":[\\\"vcard\\\",[[\\\"version\\\",{},\\\"text\\\",\\\"4.0\\\"],[\\\"fn\\\",{},\\\"text\\\",\\\"GoDaddy.com, LLC\\\"]]],\\\"entities\\\":[{\\\"objectClassName\\\":\\\"entity\\\",\\\"roles\\\":[\\\"abuse\\\"],\\\"vcardArray\\\":[\\\"vcard\\\",[[\\\"version\\\",{},\\\"text\\\",\\\"4.0\\\"],[\\\"fn\\\",{},\\\"text\\\",\\\"\\\"],[\\\"tel\\\",{\\\"type\\\":\\\"voice\\\"},\\\"uri\\\",\\\"tel:480-624-2505\\\"],[\\\"email\\\",{},\\\"text\\\",\\\"[email protected]\\\"]]]}]}],\\\"events\\\":[{\\\"eventAction\\\":\\\"registration\\\",\\\"eventDate\\\":\\\"2024-06-28T11:49:19Z\\\"},{\\\"eventAction\\\":\\\"expiration\\\",\\\"eventDate\\\":\\\"2025-06-28T11:49:19Z\\\"},{\\\"eventAction\\\":\\\"last changed\\\",\\\"eventDate\\\":\\\"2025-05-20T02:44:33Z\\\"},{\\\"eventAction\\\":\\\"last update of RDAP database\\\",\\\"eventDate\\\":\\\"2025-06-12T20:34:16Z\\\"}],\\\"secureDNS\\\":{\\\"delegationSigned\\\":false},\\\"rdapConformance\\\":[\\\"rdap_level_0\\\",\\\"icann_rdap_technical_implementation_guide_0\\\",\\\"icann_rdap_response_profile_0\\\"],\\\"notices\\\":[{\\\"title\\\":\\\"Terms of Use\\\",\\\"description\\\":[\\\"Service subject to Terms of Use.\\\"],\\\"links\\\":[{\\\"href\\\":\\\"https:\\\\/\\\\/www.verisign.com\\\\/domain-names\\\\/registration-data-access-protocol\\\\/terms-service\\\\/index.xhtml\\\",\\\"type\\\":\\\"text\\\\/html\\\"}]},{\\\"title\\\":\\\"Status Codes\\\",\\\"description\\\":[\\\"For more information on domain status codes, please visit https:\\\\/\\\\/icann.org\\\\/epp\\\"],\\\"links\\\":[{\\\"href\\\":\\\"https:\\\\/\\\\/icann.org\\\\/epp\\\",\\\"type\\\":\\\"text\\\\/html\\\"}]},{\\\"title\\\":\\\"RDDS Inaccuracy Complaint Form\\\",\\\"description\\\":[\\\"URL of the ICANN RDDS Inaccuracy Complaint Form: https:\\\\/\\\\/icann.org\\\\/wicf\\\"],\\\"links\\\":[{\\\"href\\\":\\\"https:\\\\/\\\\/icann.org\\\\/wicf\\\",\\\"type\\\":\\\"text\\\\/html\\\"}]}]}\",\"source_type\":\"registry\",\"timestamp\":\"2025-06-12T20:34:24Z\",\"url\":\"https://rdap.verisign.com/com/v1/domain/unlockyourlifehere.com\"}]},\"parsed_record\":{\"parsed_fields\":{\"conformance\":[\"rdap_level_0\",\"icann_rdap_technical_implementation_guide_0\",\"icann_rdap_response_profile_0\"],\"contacts\":[],\"creation_date\":\"2024-06-28T11: 49: 19+00: 00\",\"dnssec\":{\"signed\":false},\"domain\":\"UNLOCKYOURLIFEHERE.COM\",\"domain_statuses\":[\"redemption period\"],\"email_domains\":[\"godaddy.com\"],\"emails\":[\"[email protected]\"],\"expiration_date\":\"2025-06-28T11: 49: 19+00: 00\",\"handle\":\"2894681047_DOMAIN_COM-VRSN\",\"last_changed_date\":\"2025-05-20T02: 44: 33+00: 00\",\"links\":[{\"href\":\"https://rdap.verisign.com/com/v1/domain/UNLOCKYOURLIFEHERE.COM\",\"rel\":\"self\"},{\"href\":\"https://rdap.godaddy.com/v1/domain/UNLOCKYOURLIFEHERE.COM\",\"rel\":\"related\"}],\"registrar\":{\"contacts\":[{\"email\":\"[email protected]\",\"name\":\"\",\"phone\":\"tel:480-624-2505\",\"roles\":[\"abuse\"]}],\"iana_id\":\"146\",\"name\":\"GoDaddy.com, LLC\"},\"unclassified_emails\":[]},\"registrar_request_url\":null,\"registry_request_url\":\"https://rdap.verisign.com/com/v1/domain/unlockyourlifehere.com\"}}",
+            "threat": {
+                "feed": {
+                    "description": "Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP). Compliments the 5-Minute WHOIS Feed as registries and registrars switch from Whois to RDAP.",
+                    "name": "DomainTools domainrdap",
+                    "reference": "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/"
+                },
+                "indicator": {
+                    "name": "unlockyourlifehere.com",
+                    "type": "domain-name"
+                }
+            }
+        }
+    ]
+}
diff --git a/packages/ti_domaintools/data_stream/domainrdap/_dev/test/system/test-default-config.yml b/packages/ti_domaintools/data_stream/domainrdap/_dev/test/system/test-default-config.yml
@@ -0,0 +1,11 @@
+input: cel
+service: domaintools
+vars:
+data_stream:
+  vars:
+    api_url: http://{{Hostname}}:{{Port}}/v1
+    interval: 10m
+    api_username: xxx
+    api_key: xxx
+assert:
+  hit_count: 2
diff --git a/packages/ti_domaintools/data_stream/domainrdap/agent/stream/cel.yml.hbs b/packages/ti_domaintools/data_stream/domainrdap/agent/stream/cel.yml.hbs
@@ -0,0 +1,65 @@
+config_version: "2"
+interval: {{interval}}
+resource.tracer:
+  enabled: {{enable_request_tracer}}
+  filename: "../../logs/cel/http-request-trace-*.ndjson"
+  maxbackups: 5
+resource.url: {{api_url}}
+state:
+  api_username: {{api_username}}
+  api_key: {{api_key}}
+  session_id: {{session_id}}
+  app_name: elastic_feeds
+  app_partner: elastic
+  app_version: 0.1.0
+  top: {{top}}
+redact:
+  fields:
+    - api_key
+program: |
+    state.with(
+        request(
+            "GET",
+            state.url.trim_right("/") + "/feed/domainrdap/?" + {
+            "api_username": [state.api_username],
+            "api_key": [state.api_key],
+            "sessionID": [state.session_id],
+            "app_name": [state.app_name],
+            "app_partner": [state.app_partner],
+            "app_version": [string(state.app_version)],
+            "top": [string(state.top)],
+        }.format_query()
+        ).with(
+            {
+                "Header": {
+                    "Accept": ["application/x-ndjson"],
+                },
+            }
+        ).do_request().as(resp, (resp.StatusCode == 200 || resp.StatusCode == 206) ?
+            {
+                "events": string(resp.Body).split("\n").filter(x,x!="").map(e,
+                    {
+                        "message": e,
+                    }
+                ),
+                "want_more": resp.StatusCode == 206
+            }
+        :
+            {
+                "events": {
+                    "error": {
+                        "code": string(resp.StatusCode),
+                        "id": string(resp.Status),
+                        "message": "GET:" +
+                        (
+                            (size(resp.Body) != 0) ?
+                                string(resp.Body)
+                            :
+                                string(resp.Status) + " (" + string(resp.StatusCode) + ")"
+                        ),
+                    },
+                },
+                "want_more": false,
+            }
+        )
+    )
diff --git a/packages/ti_domaintools/data_stream/domainrdap/elasticsearch/ilm/default_policy.json b/packages/ti_domaintools/data_stream/domainrdap/elasticsearch/ilm/default_policy.json
@@ -0,0 +1,23 @@
+{
+    "policy": {
+        "phases": {
+            "hot": {
+                "actions": {
+                    "rollover": {
+                        "max_age": "2d",
+                        "max_size": "50gb"
+                    },
+                    "set_priority": {
+                        "priority": 100
+                    }
+                }
+            },
+            "delete": {
+                "min_age": "3d",
+                "actions": {
+                    "delete": {}
+                }
+            }
+        }
+    }
+}