diff --git a/packages/ti_domaintools/_dev/build/docs/README.md b/packages/ti_domaintools/_dev/build/docs/README.md index b67377e451e..0048b055578 100644 --- a/packages/ti_domaintools/_dev/build/docs/README.md +++ b/packages/ti_domaintools/_dev/build/docs/README.md @@ -8,6 +8,8 @@ Summary of Available Feeds: - `Newly Observed Domains (NOD)`: Apex-level domains (e.g. example.com but not ) that we observe for the first time, and have not observed previously with our global DNS sensor network. - `Domain Discovery`: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties. - `Domain RDAP`: Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP). Compliments the 5-Minute WHOIS Feed as registries and registrars switch from Whois to RDAP. +- `Domain Risk`: Real-time updates to Domain Risk Scores for apex domains, regardless of observed traffic. +- `Domain Hotlist`: Domains with high Domain Risk Scores that have also been active within 24 hours. With over 300,000 new domains observed daily, the feed empowers security teams to identify and block potentially malicious domains before they can be weaponized. Ideal for threat hunting, phishing prevention, and brand protection. @@ -25,6 +27,8 @@ Log data streams collected by the DomainTools integration include the following - `Newly Active Domains (NAD)` - `Domain Discovery` - `Domain RDAP` +- `Domain Risk` +- `Domain Hotlist` ## Requirements 
@@ -84,3 +88,25 @@ This data is collected via the [DomainTools Feeds API](https://docs.domaintools. {{event "domainrdap_feed"}} {{fields "domainrdap_feed"}} + +### Domain Risk Feed + +The `domainrisk_feed` data stream provides events from [DomainTools Domain Risk](https://www.domaintools.com/products/threat-intelligence-feeds/). +This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/). + +#### Example + +{{event "domainrisk_feed"}} + +{{fields "domainrisk_feed"}} + +### Domain Hotlist Feed + +The `domainhotlist_feed` data stream provides events from [DomainTools Domain Hotlist](https://www.domaintools.com/products/threat-intelligence-feeds/). +This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/). + +#### Example + +{{event "domainhotlist_feed"}} + +{{fields "domainhotlist_feed"}} diff --git a/packages/ti_domaintools/_dev/deploy/docker/files/config.yml b/packages/ti_domaintools/_dev/deploy/docker/files/config.yml index 3e257239c9e..12cf763745b 100644 --- a/packages/ti_domaintools/_dev/deploy/docker/files/config.yml +++ b/packages/ti_domaintools/_dev/deploy/docker/files/config.yml 
@@ -26,3 +26,17 @@ rules: - status_code: 200 body: |- {"timestamp":"2025-08-20T16:44:02Z","domain":"1xbet-ieon.lol","raw_record":{"first_request_timestamp":"2025-08-20T16:43:57Z","requests":[{"data":"{\"rdapConformance\":[\"icann_rdap_response_profile_1\",\"icann_rdap_response_profile_0\",\"icann_rdap_technical_implementation_guide_1\",\"icann_rdap_technical_implementation_guide_0\",\"rdap_level_0\"],\"lang\":\"en\",\"objectClassName\":\"domain\",\"handle\":\"D583238142-CNIC\",\"ldhName\":\"1xbet-ieon.lol\",\"nameservers\":[{\"objectClassName\":\"nameserver\",\"ldhName\":\"dns1.registrar-servers.com\",\"handle\":\"H46040-CNIC\",\"links\":[{\"title\":\"Authoritative URL for this resource\",\"rel\":\"self\",\"type\":\"application\\/rdap+json\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/nameserver\\/dns1.registrar-servers.com\"}]},{\"objectClassName\":\"nameserver\",\"ldhName\":\"dns2.registrar-servers.com\",\"handle\":\"H46041-CNIC\",\"links\":[{\"title\":\"Authoritative URL for this resource\",\"rel\":\"self\",\"type\":\"application\\/rdap+json\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/nameserver\\/dns2.registrar-servers.com\"}]}],\"secureDNS\":{\"delegationSigned\":false},\"entities\":[{\"objectClassName\":\"entity\",\"handle\":\"1068\",\"roles\":[\"registrar\"],\"vcardArray\":[\"vcard\",[[\"version\",[],\"text\",\"4.0\"],[\"fn\",[],\"text\",\"Namecheap\"]]],\"links\":[{\"title\":\"Authoritative URL for this resource\",\"rel\":\"self\",\"type\":\"application\\/rdap+json\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/entity\\/1068\"},{\"title\":\"Registrar's 
Website\",\"rel\":\"about\",\"value\":\"https:\\/\\/rdap.namecheap.com\\/\",\"href\":\"https:\\/\\/namecheap.com\"}],\"entities\":[{\"objectClassName\":\"entity\",\"handle\":\"not applicable\",\"roles\":[\"abuse\"],\"vcardArray\":[\"vcard\",[[\"version\",[],\"text\",\"4.0\"],[\"fn\",[],\"text\",\"Abuse Contact\"],[\"org\",[],\"text\",\"Namecheap\"],[\"email\",[],\"text\",\"abuse@namecheap.com\"],[\"tel\",{\"type\":\"voice\"},\"uri\",\"tel:+1.9854014545\"]]]}],\"publicIds\":[{\"type\":\"IANA Registrar ID\",\"identifier\":\"1068\"}]}],\"status\":[\"server transfer prohibited\",\"client transfer prohibited\",\"add period\"],\"port43\":\"whois.nic.lol\",\"events\":[{\"eventAction\":\"registration\",\"eventDate\":\"2025-08-19T14:50:37.0Z\"},{\"eventAction\":\"expiration\",\"eventDate\":\"2026-08-19T23:59:59.0Z\"},{\"eventAction\":\"last update of RDAP database\",\"eventDate\":\"2025-08-20T16:43:58.0Z\"},{\"eventAction\":\"last changed\",\"eventDate\":\"2025-08-19T14:50:42.0Z\"}],\"notices\":[{\"title\":\"Status Codes\",\"description\":[\"For more information on domain status codes, please visit https:\\/\\/icann.org\\/epp\"],\"links\":[{\"title\":\"More information on domain status codes\",\"rel\":\"glossary\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/icann.org\\/epp\"}]},{\"title\":\"Terms of Use\",\"description\":[\"For more information on Whois status codes, please visit https:\\/\\/icann.org\\/epp\",\"\",\"\u003e\u003e\u003e IMPORTANT INFORMATION ABOUT THE DEPLOYMENT OF RDAP: please visit\",\"https:\\/\\/www.centralnicregistry.com\\/support\\/information\\/rdap \u003c\u003c\u003c\",\"\",\"The registration data available in this service is limited. Additional\",\"data may be available at https:\\/\\/lookup.icann.org\",\"\",\"The Whois and RDAP services are provided by CentralNic, and contain\",\"information pertaining to Internet domain names registered by our\",\"our customers. 
By using this service you are agreeing (1) not to use any\",\"information presented here for any purpose other than determining\",\"ownership of domain names, (2) not to store or reproduce this data in\",\"any way, (3) not to use any high-volume, automated, electronic processes\",\"to obtain data from this service. Abuse of this service is monitored and\",\"actions in contravention of these terms will result in being permanently\",\"blacklisted. All data is (c) CentralNic Ltd (https:\\/\\/www.centralnicregistry.com)\",\"\",\"Access to the Whois and RDAP services is rate limited. For more\",\"information, visit https:\\/\\/registrar-console.centralnicregistry.com\\/pub\\/whois_guidance.\"],\"links\":[{\"title\":\"Terms of Use\",\"rel\":\"terms-of-service\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/www.centralnicregistry.com\\/\"}]},{\"title\":\"RDDS Inaccuracy Complaint Form\",\"description\":[\"URL of the ICANN RDDS Inaccuracy Complaint Form: https:\\/\\/icann.org\\/wicf\"],\"links\":[{\"title\":\"ICANN RDDS Inaccuracy Complaint Form\",\"rel\":\"help\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/icann.org\\/wicf\"}]}],\"links\":[{\"title\":\"Authoritative URL for this resource\",\"rel\":\"self\",\"type\":\"application\\/rdap+json\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\"},{\"title\":\"RDAP Service Help\",\"rel\":\"help\",\"type\":\"text\\/html\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/whois.nic.lol\\/rdap\"},{\"title\":\"XYZ.com, LLC\",\"rel\":\"related\",\"type\":\"text\\/html\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/gen.xyz\\/\"},{\"title\":\"URL of Sponsoring Registrar's RDAP 
Record\",\"rel\":\"related\",\"type\":\"application\\/rdap+json\",\"value\":\"https:\\/\\/rdap.centralnic.com\\/lol\\/domain\\/1xbet-ieon.lol\",\"href\":\"https:\\/\\/rdap.namecheap.com\\/domain\\/1xbet-ieon.lol\"}]}","source_type":"registrar","timestamp":"2025-08-20T16:43:59Z","url":"https://rdap.centralnic.com/lol/domain/1xbet-ieon.lol"}]},"parsed_record":{"parsed_fields":{"conformance":["icann_rdap_response_profile_1","icann_rdap_response_profile_0","icann_rdap_technical_implementation_guide_1","icann_rdap_technical_implementation_guide_0","rdap_level_0"],"contacts":[],"creation_date":"2025-08-19T14:50:37+00:00","dnssec":{"signed":false},"domain":"1xbet-ieon.lol","domain_statuses":["server transfer prohibited","client transfer prohibited","add period"],"email_domains":["namecheap.com"],"emails":["abuse@namecheap.com"],"expiration_date":"2026-08-19T23:59:59+00:00","handle":"D583238142-CNIC","last_changed_date":"2025-08-19T14:50:42+00:00","links":[{"href":"https://rdap.centralnic.com/lol/domain/1xbet-ieon.lol","rel":"self"},{"href":"https://whois.nic.lol/rdap","rel":"help"},{"href":"https://gen.xyz/","rel":"related"},{"href":"https://rdap.namecheap.com/domain/1xbet-ieon.lol","rel":"related"},{"href":"https://rdap.centralnic.com/lol/domain/1xbet-ieon.lol","rel":"self"},{"href":"https://whois.nic.lol/rdap","rel":"help"},{"href":"https://gen.xyz/","rel":"related"},{"href":"https://rdap.namecheap.com/domain/1xbet-ieon.lol","rel":"related"}],"nameservers":["dns1.registrar-servers.com","dns2.registrar-servers.com"],"registrar":{"contacts":[{"email":"abuse@namecheap.com","handle":"not applicable","name":"Abuse Contact","org":"Namecheap","phone":"tel:+1.9854014545","roles":["abuse"]}],"iana_id":"1068","name":"Namecheap"},"unclassified_emails":[]},"registrar_request_url":"https://rdap.centralnic.com/lol/domain/1xbet-ieon.lol","registry_request_url":"https://rdap.centralnic.com/lol/domain/1xbet-ieon.lol"}} + - path: /v1/feed/domainrisk/ + methods: [GET] + responses: + - 
status_code: 200
+ body: |-
+ {"timestamp":"2025-09-06T23:08:07Z","domain":"bathroom-remodeling-65908.bond","phishing_risk":99,"malware_risk":99,"spam_risk":77,"proximity_risk":100,"overall_risk":100}
+ {"timestamp":"2025-09-06T23:08:07Z","domain":"dental-implants-45730.bond","phishing_risk":99,"malware_risk":99,"spam_risk":66,"proximity_risk":100,"overall_risk":100}
+ - path: /v1/feed/domainhotlist/
+ methods: [GET]
+ responses:
+ - status_code: 200
+ body: |-
+ {"timestamp":"2025-09-06T23:00:08Z","domain":"axrszo1ibm.click","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T22:57:35Z"}
+ {"timestamp":"2025-09-06T22:35:37Z","domain":"tqnbs936.com","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T18:32:34Z"}
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/pipeline/test-event.log b/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/pipeline/test-event.log
new file mode 100644
index 00000000000..cb937bd32d8
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/pipeline/test-event.log
@@ -0,0 +1,3 @@
+{"timestamp":"2025-09-06T23:00:08Z","domain":"axrszo1ibm.click","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T22:57:35Z"}
+{"timestamp":"2025-09-06T22:35:37Z","domain":"tqnbs936.com","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T18:32:34Z"}
+{"timestamp":"2025-09-06T22:36:07Z","domain":"trackers-fr-relais.com","phishing_risk":99,"malware_risk":99,"spam_risk":99,"proximity_risk":100,"overall_risk":100,"expires":"2025-09-07T22:33:47Z"}
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/pipeline/test-event.log-expected.json b/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/pipeline/test-event.log-expected.json
new file mode 100644
index 00000000000..08d7b90adff
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/pipeline/test-event.log-expected.json
@@ -0,0 +1,97 @@ +{ + "expected": [ + { + "domaintools": { + "domain": "axrszo1ibm.click", + "expires": "2025-09-07T22:57:35Z", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 99, + "timestamp": "2025-09-06T23:00:08Z" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"timestamp\":\"2025-09-06T23:00:08Z\",\"domain\":\"axrszo1ibm.click\",\"phishing_risk\":99,\"malware_risk\":99,\"spam_risk\":99,\"proximity_risk\":100,\"overall_risk\":100,\"expires\":\"2025-09-07T22:57:35Z\"}", + "type": [ + "indicator" + ] + }, + "threat": { + "indicator": { + "name": "axrszo1ibm.click", + "type": "domain-name" + } + } + }, + { + "domaintools": { + "domain": "tqnbs936.com", + "expires": "2025-09-07T18:32:34Z", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 99, + "timestamp": "2025-09-06T22:35:37Z" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"timestamp\":\"2025-09-06T22:35:37Z\",\"domain\":\"tqnbs936.com\",\"phishing_risk\":99,\"malware_risk\":99,\"spam_risk\":99,\"proximity_risk\":100,\"overall_risk\":100,\"expires\":\"2025-09-07T18:32:34Z\"}", + "type": [ + "indicator" + ] + }, + "threat": { + "indicator": { + "name": "tqnbs936.com", + "type": "domain-name" + } + } + }, + { + "domaintools": { + "domain": "trackers-fr-relais.com", + "expires": "2025-09-07T22:33:47Z", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 99, + "timestamp": "2025-09-06T22:36:07Z" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": 
"{\"timestamp\":\"2025-09-06T22:36:07Z\",\"domain\":\"trackers-fr-relais.com\",\"phishing_risk\":99,\"malware_risk\":99,\"spam_risk\":99,\"proximity_risk\":100,\"overall_risk\":100,\"expires\":\"2025-09-07T22:33:47Z\"}", + "type": [ + "indicator" + ] + }, + "threat": { + "indicator": { + "name": "trackers-fr-relais.com", + "type": "domain-name" + } + } + } + ] +} diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/system/test-default-config.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..31a0f441817 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/_dev/test/system/test-default-config.yml @@ -0,0 +1,11 @@ +input: cel +service: ti_domaintools +vars: +data_stream: + vars: + api_url: http://{{Hostname}}:{{Port}}/v1 + interval: 10m + api_username: xxx + api_key: xxx +assert: + hit_count: 2 diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/agent/stream/cel.yml.hbs b/packages/ti_domaintools/data_stream/domainhotlist_feed/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..2ab84b14ce4 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/agent/stream/cel.yml.hbs 
@@ -0,0 +1,65 @@ +config_version: "2" +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +resource.url: {{api_url}} +state: + api_username: {{api_username}} + api_key: {{api_key}} + session_id: {{session_id}} + app_name: elastic_feeds + app_partner: elastic + app_version: 1.1.0 + top: {{top}} +redact: + fields: + - api_key +program: | + state.with( + request( + "GET", + state.url.trim_right("/") + "/feed/domainhotlist/?" + { + "api_username": [state.api_username], + "api_key": [state.api_key], + "sessionID": [state.session_id], + "app_name": [state.app_name], + "app_partner": [state.app_partner], + "app_version": [state.app_version], + "top": [string(state.top)], + }.format_query() + ).with( + { + "Header": { + "Accept": ["application/x-ndjson"], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200 || resp.StatusCode == 206) ? + { + "events": string(resp.Body).split("\n").map(e, e!="", + { + "message": e, + } + ), + "want_more": resp.StatusCode == 206 + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: " + + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + ) diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/elasticsearch/ilm/default_policy.json b/packages/ti_domaintools/data_stream/domainhotlist_feed/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..1d859b57d73 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/elasticsearch/ilm/default_policy.json @@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "2d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + }, + "delete": { + "min_age": "3d", + "actions": { + "delete": {} + } + } + } + } +} 
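Review bot: The API key is sent in the URL query string (`"api_key": [state.api_key]` inside `format_query()`), so it travels in the request line, where intermediaries, access logs and the request tracer configured a few lines above (`resource.tracer`, `http-request-trace-*.ndjson`) will record it; the `redact: fields: - api_key` block covers state dumps, not the traced URL. If the DomainTools Feeds API accepts the credential in a header or as a signed request, prefer that here; otherwise add a comment beside `resource.tracer`, e.g. `# NOTE: trace files contain the full request URL, including api_key; leave the tracer disabled outside debugging sessions`, so the risk is visible where the switch is. The domainrisk_feed `cel.yml.hbs` hunk later in this commit builds the request the same way.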
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/elasticsearch/ingest_pipeline/default.yml
new file mode 100644
index 00000000000..2b850bd21a1
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/elasticsearch/ingest_pipeline/default.yml
@@ -0,0 +1,67 @@
+---
+description: Pipeline for processing domaindiscovery feed
+processors:
+ - set:
+ field: ecs.version
+ value: '8.17.0'
+
+ - terminate:
+ tag: data_collection_error
+ if: ctx.error?.message != null
+ description: error message set and no data to process.
+
+ - rename:
+ field: message
+ target_field: event.original
+ ignore_missing: true
+ if: ctx.event?.original == null
+ - remove:
+ field: message
+ tag: remove_message
+ ignore_missing: true
+ description: The `message` field is no longer required if the document has an `event.original` field.
+ if: ctx.event?.original != null
+
+ - json:
+ field: event.original
+ target_field: domaintools
+
+ ############################
+ # Generic indicator fields #
+ ############################
+
+ - set:
+ field: threat.indicator.type
+ value: domain-name
+ - set:
+ if: ctx.domaintools?.domain != null
+ field: threat.indicator.name
+ copy_from: domaintools.domain
+
+ ####################
+ # Event ECS fields #
+ ####################
+ - set:
+ field: event.kind
+ value: enrichment
+ - set:
+ field: event.category
+ value: ['threat']
+ - set:
+ field: event.type
+ value: ['indicator']
+
+on_failure:
+- set:
+ field: event.kind
+ value: pipeline_error
+- append:
+ field: tags
+ value: preserve_original_event
+ allow_duplicates: false
+- append:
+ field: error.message
+ value: >-
+ Processor '{{{ _ingest.on_failure_processor_type }}}'
+ {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}'
+ {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}'
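Review bot: The pipeline header `description: Pipeline for processing domaindiscovery feed` names the wrong feed; this file belongs to the domainhotlist data stream, so it should read `description: Pipeline for processing domainhotlist feed` (the identical domainrisk_feed pipeline later in this commit should say `domainrisk`). The feed's `timestamp` and `expires` values end up under `domaintools.*` via the `json` processor, but nothing in this pipeline maps them onto ECS, so `@timestamp` will be the ingest time rather than when the domain entered the hotlist; if that is intended, a short comment beside the `json` processor saying so would spare the next reader a search.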
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/base-fields.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/base-fields.yml
new file mode 100644
index 00000000000..9eb4f415132
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/base-fields.yml
@@ -0,0 +1,9 @@
+- name: data_stream.type
+ external: ecs
+- name: data_stream.dataset
+ type: constant_keyword
+ description: Data stream dataset.
+- name: data_stream.namespace
+ external: ecs
+- name: "@timestamp"
+ external: ecs
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/ecs.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/ecs.yml
new file mode 100644
index 00000000000..6144ae3e836
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/ecs.yml
@@ -0,0 +1,30 @@
+- name: ecs.version
+ external: ecs
+- name: error.message
+ external: ecs
+- name: event.category
+ external: ecs
+- name: event.id
+ external: ecs
+- name: event.ingested
+ external: ecs
+- name: event.kind
+ external: ecs
+- name: event.type
+ external: ecs
+- name: threat.indicator.type
+ external: ecs
+- name: threat.indicator.name
+ external: ecs
+- name: threat.feed.description
+ type: constant_keyword
+ description: Display the feed description.
+ value: "Domains with high Domain Risk Scores that have also been active within 24 hours."
+- name: threat.feed.name
+ type: constant_keyword
+ description: Display friendly feed name.
+ value: "DomainTools domainhotlist"
+- name: threat.feed.reference
+ type: constant_keyword
+ description: Display the feed reference.
+ value: "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/"
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/fields.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/fields.yml
new file mode 100644
index 00000000000..0e557c5bf12
--- /dev/null
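Review bot: `threat.feed.reference` is set to `https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/`, a `ci` host under a `.cloud` domain that does not match the public documentation URL this commit uses in the README (`https://docs.domaintools.com/feeds/realtime/`); as a constant_keyword it is stamped on every indicator and analysts will follow it. Confirm that host is meant to be reachable by end users, or change the line to `value: "https://docs.domaintools.com/feeds/realtime/"`. `event.id` is declared in the same file but the new pipeline never sets it; either drop the declaration or set it if the feed has a natural identifier.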
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/fields.yml
@@ -0,0 +1,57 @@
+- name: domaintools
+ type: group
+ fields:
+ - name: domain
+ type: keyword
+ description: >
+ The Domain.
+
+ - name: feed
+ type: constant_keyword
+ value: "domainhotlist"
+ description: >
+ The feed type.
+
+ - name: phishing_risk
+ type: byte
+ description: >
+ The phishing risk score of the domain.
+
+ - name: malware_risk
+ type: byte
+ description: >
+ The malware risk score of the domain.
+
+ - name: proximity_risk
+ type: byte
+ description: >
+ The proximity risk score of the domain.
+
+ - name: spam_risk
+ type: byte
+ description: >
+ The spam risk score of the domain.
+
+ - name: overall_risk
+ type: byte
+ description: >
+ The overall risk score of the domain.
+
+ - name: expires
+ type: date
+ description: >
+ The expiration of the entry. The expiration is 24 hours after the first of the two required events (risk or activity) is detected.
+
+ - name: timestamp
+ type: date
+ description: >
+ Timestamp when the domain was added to the DomainTools feed, in ISO 8601 UTC form.
+
+- name: message
+ external: ecs
+ description: >
+ The feed from DomainTools Feed API.
+
+- name: input.type
+ type: keyword
+ description: Type of filebeat input.
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/is-ioc-transform-source-true.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/is-ioc-transform-source-true.yml
new file mode 100644
index 00000000000..b1d45027981
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/fields/is-ioc-transform-source-true.yml
@@ -0,0 +1,4 @@
+- name: labels.is_ioc_transform_source
+ type: constant_keyword
+ value: "true"
+ description: Indicates whether an IOC is in the raw source data stream, or the in latest destination index.
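Review bot: The description of `domaintools.domain`, `The Domain.`, says nothing a reader does not already get from the field name, while every other field in the group explains what it holds; `description: The domain name the risk scores in this record apply to.` would put it on par. The score fields are typed `byte`, which fits the 0-100 values in the sample events but leaves no room if the API ever returns a larger scale; a comment noting the assumed range, `# risk scores are 0-100 per the DomainTools feed samples`, would make that constraint explicit.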
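Review bot: The `labels.is_ioc_transform_source` description has its words transposed, `or the in latest destination index`; it should read `description: Indicates whether an IOC is in the raw source data stream, or in the latest destination index.` This sentence is indexed as field documentation and surfaces in the field reference, so the typo is user-visible.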
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/lifecycle.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/lifecycle.yml
new file mode 100644
index 00000000000..5a4af9095b7
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/lifecycle.yml
@@ -0,0 +1 @@
+data_retention: "5d"
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/manifest.yml b/packages/ti_domaintools/data_stream/domainhotlist_feed/manifest.yml
new file mode 100644
index 00000000000..8e5066c359c
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/manifest.yml
@@ -0,0 +1,65 @@
+title: "DomainTools Domain Hotlist Feed"
+type: logs
+ilm_policy: logs-ti_domaintools.domainhotlist_feed-default_policy
+streams:
+ - input: cel
+ vars:
+ - name: api_url
+ type: text
+ title: DomainTools API URL
+ multi: false
+ required: true
+ show_user: true
+ default: https://api.domaintools.com/v1
+ description: The URL of the DomainTools API.
+ - name: interval
+ type: text
+ title: Interval
+ multi: false
+ required: true
+ show_user: true
+ default: 10m
+ description: Interval at which the feed will be pulled. Supported units for this parameter are h/m/s.
+ - name: api_username
+ type: text
+ title: DomainTools API Username
+ multi: false
+ required: true
+ show_user: true
+ default: DomainTools API Username
+ description: DomainTools API Username
+ - name: api_key
+ type: password
+ title: DomainTools API Key
+ multi: false
+ required: true
+ show_user: true
+ secret: true
+ description: DomainTools API Key
+ - name: session_id
+ type: text
+ title: Session ID
+ multi: false
+ required: true
+ show_user: true
+ default: DomainToolsElasticSID
+ description: The Session ID to use in requesting feed.
+ - name: top
+ type: text
+ title: Top
+ multi: false
+ required: true
+ show_user: true
+ default: "300"
+ - name: enable_request_tracer
+ type: bool
+ title: Enable request tracing
+ description: >-
+ The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details.
+ default: false
+ multi: false
+ required: false
+ show_user: false
+ title: DomainTools Domain Hotlist Feed
+ description: Subscribe to DomainTools Domain Hotlist Feed
+ template_path: cel.yml.hbs
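Review bot: `api_username` ships with `default: DomainTools API Username`, a placeholder that satisfies `required: true`, so a policy saved without editing it sends that literal string as the username on every poll and the failure only shows up as an authentication error from the feed; remove the `default:` line so the form insists on a real value, as it already does for `api_key`. The `top` variable is the only one without a `description`; add one stating what the number controls, e.g. `description: Number of feed records to request per poll.` if that is what the API's `top` query parameter means, which is only inferable from the template here.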
diff --git a/packages/ti_domaintools/data_stream/domainhotlist_feed/sample_event.json b/packages/ti_domaintools/data_stream/domainhotlist_feed/sample_event.json new file mode 100644 index 00000000000..4f633166a56 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainhotlist_feed/sample_event.json @@ -0,0 +1,76 @@ +{ + "@timestamp": "2025-09-11T15:48:25.817Z", + "agent": { + "ephemeral_id": "74a0f32a-8842-445b-85b8-3f2ef0d68f13", + "id": "93715821-51ef-48df-8721-78cbe6cf916d", + "name": "elastic-agent-80427", + "type": "filebeat", + "version": "8.18.2" + }, + "data_stream": { + "dataset": "ti_domaintools.domainhotlist_feed", + "namespace": "22303", + "type": "logs" + }, + "domaintools": { + "domain": "axrszo1ibm.click", + "expires": "2025-09-07T22:57:35Z", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 99, + "timestamp": "2025-09-06T23:00:08Z" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "93715821-51ef-48df-8721-78cbe6cf916d", + "snapshot": false, + "version": "8.18.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "ti_domaintools.domainhotlist_feed", + "ingested": "2025-09-11T15:48:28Z", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "elastic-agent-80427", + "ip": [ + "172.24.0.2", + "172.18.0.8" + ], + "mac": [ + "A2-E3-32-7E-CF-FE", + "A6-83-0B-2E-4E-E6" + ], + "name": "elastic-agent-80427", + "os": { + "family": "", + "kernel": "6.10.14-linuxkit", + "name": "Wolfi", + "platform": "wolfi", + "type": "linux", + "version": "20230201" + } + }, + "input": { + "type": "cel" + }, + "threat": { + "indicator": { + "name": "axrszo1ibm.click", + "type": "domain-name" + } + } +} 
diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/pipeline/test-event.log b/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/pipeline/test-event.log
new file mode 100644
index 00000000000..641b6c60b72
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/pipeline/test-event.log
@@ -0,0 +1,3 @@
+{"timestamp":"2025-09-06T23:08:07Z","domain":"bathroom-remodeling-65908.bond","phishing_risk":99,"malware_risk":99,"spam_risk":77,"proximity_risk":100,"overall_risk":100}
+{"timestamp":"2025-09-06T23:08:07Z","domain":"dental-implants-45730.bond","phishing_risk":99,"malware_risk":99,"spam_risk":66,"proximity_risk":100,"overall_risk":100}
+{"timestamp":"2025-09-06T23:08:06Z","domain":"mental-health-36341.bond","phishing_risk":98,"malware_risk":97,"spam_risk":75,"proximity_risk":100,"overall_risk":100}
diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/pipeline/test-event.log-expected.json b/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/pipeline/test-event.log-expected.json
new file mode 100644
index 00000000000..2c06643f28e
--- /dev/null
+++ b/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/pipeline/test-event.log-expected.json
@@ -0,0 +1,94 @@ +{ + "expected": [ + { + "domaintools": { + "domain": "bathroom-remodeling-65908.bond", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 77, + "timestamp": "2025-09-06T23:08:07Z" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"timestamp\":\"2025-09-06T23:08:07Z\",\"domain\":\"bathroom-remodeling-65908.bond\",\"phishing_risk\":99,\"malware_risk\":99,\"spam_risk\":77,\"proximity_risk\":100,\"overall_risk\":100}", + "type": [ + "indicator" + ] + }, + "threat": { + "indicator": { + "name": "bathroom-remodeling-65908.bond", + "type": "domain-name" + } + } + }, + { + "domaintools": { + "domain": "dental-implants-45730.bond", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 66, + "timestamp": "2025-09-06T23:08:07Z" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"timestamp\":\"2025-09-06T23:08:07Z\",\"domain\":\"dental-implants-45730.bond\",\"phishing_risk\":99,\"malware_risk\":99,\"spam_risk\":66,\"proximity_risk\":100,\"overall_risk\":100}", + "type": [ + "indicator" + ] + }, + "threat": { + "indicator": { + "name": "dental-implants-45730.bond", + "type": "domain-name" + } + } + }, + { + "domaintools": { + "domain": "mental-health-36341.bond", + "malware_risk": 97, + "overall_risk": 100, + "phishing_risk": 98, + "proximity_risk": 100, + "spam_risk": 75, + "timestamp": "2025-09-06T23:08:06Z" + }, + "ecs": { + "version": "8.17.0" + }, + "event": { + "category": [ + "threat" + ], + "kind": "enrichment", + "original": "{\"timestamp\":\"2025-09-06T23:08:06Z\",\"domain\":\"mental-health-36341.bond\",\"phishing_risk\":98,\"malware_risk\":97,\"spam_risk\":75,\"proximity_risk\":100,\"overall_risk\":100}", + "type": [ + "indicator" + ] + }, + "threat": { + "indicator": { + "name": 
"mental-health-36341.bond", + "type": "domain-name" + } + } + } + ] +} diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/system/test-default-config.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/system/test-default-config.yml new file mode 100644 index 00000000000..31a0f441817 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/_dev/test/system/test-default-config.yml @@ -0,0 +1,11 @@ +input: cel +service: ti_domaintools +vars: +data_stream: + vars: + api_url: http://{{Hostname}}:{{Port}}/v1 + interval: 10m + api_username: xxx + api_key: xxx +assert: + hit_count: 2 diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/agent/stream/cel.yml.hbs b/packages/ti_domaintools/data_stream/domainrisk_feed/agent/stream/cel.yml.hbs new file mode 100644 index 00000000000..280bf9643f3 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/agent/stream/cel.yml.hbs 
@@ -0,0 +1,65 @@ +config_version: "2" +interval: {{interval}} +resource.tracer: + enabled: {{enable_request_tracer}} + filename: "../../logs/cel/http-request-trace-*.ndjson" + maxbackups: 5 +resource.url: {{api_url}} +state: + api_username: {{api_username}} + api_key: {{api_key}} + session_id: {{session_id}} + app_name: elastic_feeds + app_partner: elastic + app_version: 1.1.0 + top: {{top}} +redact: + fields: + - api_key +program: | + state.with( + request( + "GET", + state.url.trim_right("/") + "/feed/domainrisk/?" + { + "api_username": [state.api_username], + "api_key": [state.api_key], + "sessionID": [state.session_id], + "app_name": [state.app_name], + "app_partner": [state.app_partner], + "app_version": [state.app_version], + "top": [string(state.top)], + }.format_query() + ).with( + { + "Header": { + "Accept": ["application/x-ndjson"], + }, + } + ).do_request().as(resp, (resp.StatusCode == 200 || resp.StatusCode == 206) ? + { + "events": string(resp.Body).split("\n").map(e, e!="", + { + "message": e, + } + ), + "want_more": resp.StatusCode == 206 + } + : + { + "events": { + "error": { + "code": string(resp.StatusCode), + "id": string(resp.Status), + "message": "GET: " + + ( + (size(resp.Body) != 0) ? + string(resp.Body) + : + string(resp.Status) + " (" + string(resp.StatusCode) + ")" + ), + }, + }, + "want_more": false, + } + ) + ) diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/elasticsearch/ilm/default_policy.json b/packages/ti_domaintools/data_stream/domainrisk_feed/elasticsearch/ilm/default_policy.json new file mode 100644 index 00000000000..1d859b57d73 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/elasticsearch/ilm/default_policy.json @@ -0,0 +1,23 @@ +{ + "policy": { + "phases": { + "hot": { + "actions": { + "rollover": { + "max_age": "2d", + "max_size": "50gb" + }, + "set_priority": { + "priority": 100 + } + } + }, + "delete": { + "min_age": "3d", + "actions": { + "delete": {} + } + } + } + } +} 
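Review bot: The `redact` list covers `api_key` in state, but the program also puts the key into the URL query string (`"api_key": [state.api_key]` in the `format_query()` map), and the request tracer enabled by `enable_request_tracer` writes full requests to `http-request-trace-*.ndjson`, so the long-lived key lands on disk in clear — and in any proxy or access log between the agent and `api.domaintools.com`. If the Feeds API supports the header- or signature-based form of authentication, send the credential that way instead of as a query parameter; if it does not, the manifest's tracer description should state explicitly that traces will contain the API key. Separately, `"want_more": resp.StatusCode == 206` re-issues an identical request with no cursor carried in state, which only works if the server-side `sessionID` tracks position — worth a one-line comment above `program:` saying so, e.g. `# pagination is server-side: a 206 means the session has more data, so the same request is repeated until 200`.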
diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/elasticsearch/ingest_pipeline/default.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/elasticsearch/ingest_pipeline/default.yml new file mode 100644 index 00000000000..2b850bd21a1 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/elasticsearch/ingest_pipeline/default.yml @@ -0,0 +1,67 @@ +--- +description: Pipeline for processing domaindiscovery feed +processors: + - set: + field: ecs.version + value: '8.17.0' + + - terminate: + tag: data_collection_error + if: ctx.error?.message != null + description: error message set and no data to process. + + - rename: + field: message + target_field: event.original + ignore_missing: true + if: ctx.event?.original == null + - remove: + field: message + tag: remove_message + ignore_missing: true + description: The `message` field is no longer required if the document has an `event.original` field. + if: ctx.event?.original != null + + - json: + field: event.original + target_field: domaintools + + ############################ + # Generic indicator fields # + ############################ + + - set: + field: threat.indicator.type + value: domain-name + - set: + if: ctx.domaintools?.domain != null + field: threat.indicator.name + copy_from: domaintools.domain + + #################### + # Event ECS fields # + #################### + - set: + field: event.kind + value: enrichment + - set: + field: event.category + value: ['threat'] + - set: + field: event.type + value: ['indicator'] + +on_failure: +- set: + field: event.kind + value: pipeline_error +- append: + field: tags + value: preserve_original_event + allow_duplicates: false +- append: + field: error.message + value: >- + Processor '{{{ _ingest.on_failure_processor_type }}}' + {{{#_ingest.on_failure_processor_tag}}}with tag '{{{ _ingest.on_failure_processor_tag }}}' + {{{/_ingest.on_failure_processor_tag}}}failed with message '{{{ _ingest.on_failure_message }}}' 
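Review bot: The pipeline header is copied from another stream: `description: Pipeline for processing domaindiscovery feed` should read `description: Pipeline for processing domainrisk feed`. Also, `event.original` is kept on every document with no opt-out; the usual integration pattern is to drop it unless the `preserve_original_event` tag is set, e.g. `- remove: {field: event.original, ignore_missing: true, if: "ctx.tags == null || !(ctx.tags.contains('preserve_original_event'))"}`, which halves the stored payload for a feed that is mostly duplicated into `domaintools.*` — if keeping it is intentional, the pipeline's test expectation already reflects that and a comment saying why would help. Finally, `@timestamp` is never derived from `domaintools.timestamp`, so it records collection time rather than when DomainTools scored the domain; if that is deliberate, say so in a comment next to the `json` processor.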
diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/fields/base-fields.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/base-fields.yml new file mode 100644 index 00000000000..9eb4f415132 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/base-fields.yml @@ -0,0 +1,9 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + type: constant_keyword + description: Data stream dataset. +- name: data_stream.namespace + external: ecs +- name: "@timestamp" + external: ecs diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/fields/ecs.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/ecs.yml new file mode 100644 index 00000000000..bdfbcbee0dc --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/ecs.yml @@ -0,0 +1,30 @@ +- name: ecs.version + external: ecs +- name: error.message + external: ecs +- name: event.category + external: ecs +- name: event.id + external: ecs +- name: event.ingested + external: ecs +- name: event.kind + external: ecs +- name: event.type + external: ecs +- name: threat.indicator.type + external: ecs +- name: threat.indicator.name + external: ecs +- name: threat.feed.description + type: constant_keyword + description: Display the feed description. + value: "Real-time updates to Domain Risk Scores for apex domains, regardless of observed traffic." +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name. + value: "DomainTools domainrisk" +- name: threat.feed.reference + type: constant_keyword + description: Display the feed reference. + value: "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/" diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/fields/fields.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/fields.yml new file mode 100644 index 00000000000..bf6ac1a729d --- /dev/null 
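Review bot: `threat.feed.reference` is a `constant_keyword` stamped into every indexed document, and its value `https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/` looks like an internal CI documentation host, not the public URL the README links (`https://docs.domaintools.com/feeds/realtime/`). Analysts clicking through from an indicator will get a dead or non-public link, and the package leaks an internal hostname. Suggest `value: "https://docs.domaintools.com/feeds/realtime/"` here, matching the docs.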
+++ b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/fields.yml @@ -0,0 +1,52 @@ +- name: domaintools + type: group + fields: + - name: domain + type: keyword + description: > + The Domain. + + - name: feed + type: constant_keyword + value: "domainrisk" + description: > + The feed type. + + - name: phishing_risk + type: byte + description: > + The phishing risk score of the domain. + + - name: malware_risk + type: byte + description: > + The malware risk score of the domain. + + - name: proximity_risk + type: byte + description: > + The proximity risk score of the domain. + + - name: spam_risk + type: byte + description: > + The spam risk score of the domain. + + - name: overall_risk + type: byte + description: > + The overall risk score of the domain. + + - name: timestamp + type: date + description: > + Timestamp when the domain was added to the DomainTools feed, in ISO 8601 UTC form. + +- name: message + external: ecs + description: > + The feed from DomainTools Feed API. + +- name: input.type + type: keyword + description: Type of filebeat input. diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/fields/is-ioc-transform-source-true.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/is-ioc-transform-source-true.yml new file mode 100644 index 00000000000..b1d45027981 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/fields/is-ioc-transform-source-true.yml @@ -0,0 +1,4 @@ +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "true" + description: Indicates whether an IOC is in the raw source data stream, or the in latest destination index. diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/lifecycle.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/lifecycle.yml new file mode 100644 index 00000000000..5a4af9095b7 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/lifecycle.yml @@ -0,0 +1 @@ +data_retention: "5d" 
diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/manifest.yml b/packages/ti_domaintools/data_stream/domainrisk_feed/manifest.yml new file mode 100644 index 00000000000..3a8f928b9f3 --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/manifest.yml 
@@ -0,0 +1,65 @@ +title: "DomainTools Domain Risk Feed" +type: logs +ilm_policy: logs-ti_domaintools.domainrisk_feed-default_policy +streams: + - input: cel + vars: + - name: api_url + type: text + title: DomainTools API URL + multi: false + required: true + show_user: true + default: https://api.domaintools.com/v1 + description: The URL of the DomainTools API. + - name: interval + type: text + title: Interval + multi: false + required: true + show_user: true + default: 10m + description: Interval at which the feed will be pulled. Supported units for this parameter are h/m/s. + - name: api_username + type: text + title: DomainTools API Username + multi: false + required: true + show_user: true + default: DomainTools API Username + description: DomainTools API Username + - name: api_key + type: password + title: DomainTools API Key + multi: false + required: true + show_user: true + secret: true + description: DomainTools API Key + - name: session_id + type: text + title: Session ID + multi: false + required: true + show_user: true + default: DomainToolsElasticSID + - name: top + type: text + title: Top + multi: false + required: true + show_user: true + default: "300" + description: The Session ID to use in requesting feed. + - name: enable_request_tracer + type: bool + title: Enable request tracing + description: >- + The request tracer logs requests and responses to the agent's local file-system for debugging configurations. Enabling this request tracing compromises security and should only be used for debugging. Disabling the request tracer will delete any stored traces. See [documentation](https://www.elastic.co/guide/en/beats/filebeat/current/filebeat-input-cel.html#_resource_tracer_enable) for details. + default: false + multi: false + required: false + show_user: false + title: DomainTools Domain Risk Feed + description: Subscribe to DomainTools Domain Risk Feed + template_path: cel.yml.hbs 
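Review bot: The `top` variable carries a description copied from the wrong field — `description: The Session ID to use in requesting feed.` — while `session_id` itself has none; move that sentence to `session_id` and give `top` something like `description: Maximum number of feed records requested per API call.` (the CEL program sends it as the `top` query parameter, so confirm the exact semantics against the Feeds API docs). Also, `api_username` is `required: true` but defaults to the literal placeholder `DomainTools API Username`, so a policy with the field left untouched validates and then sends that string to the API as a credential; drop the `default:` line as is already done for `api_key`, so a missing username fails at configuration time rather than on the first 401.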
diff --git a/packages/ti_domaintools/data_stream/domainrisk_feed/sample_event.json b/packages/ti_domaintools/data_stream/domainrisk_feed/sample_event.json new file mode 100644 index 00000000000..8474879d92f --- /dev/null +++ b/packages/ti_domaintools/data_stream/domainrisk_feed/sample_event.json @@ -0,0 +1,75 @@ +{ + "@timestamp": "2025-09-10T17:13:16.748Z", + "agent": { + "ephemeral_id": "4c3bec09-a0dc-44b4-8dd6-40fbaa915536", + "id": "b2456514-4b1d-41a2-9c43-fa3f1d2c309a", + "name": "elastic-agent-66378", + "type": "filebeat", + "version": "8.18.2" + }, + "data_stream": { + "dataset": "ti_domaintools.domainrisk_feed", + "namespace": "89484", + "type": "logs" + }, + "domaintools": { + "domain": "bathroom-remodeling-65908.bond", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 77, + "timestamp": "2025-09-06T23:08:07Z" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "b2456514-4b1d-41a2-9c43-fa3f1d2c309a", + "snapshot": false, + "version": "8.18.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "ti_domaintools.domainrisk_feed", + "ingested": "2025-09-10T17:13:19Z", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "elastic-agent-66378", + "ip": [ + "172.24.0.2", + "172.18.0.5" + ], + "mac": [ + "2A-6D-82-23-5E-4E", + "7E-AE-D2-7C-35-FB" + ], + "name": "elastic-agent-66378", + "os": { + "family": "", + "kernel": "6.10.14-linuxkit", + "name": "Wolfi", + "platform": "wolfi", + "type": "linux", + "version": "20230201" + } + }, + "input": { + "type": "cel" + }, + "threat": { + "indicator": { + "name": "bathroom-remodeling-65908.bond", + "type": "domain-name" + } + } +} diff --git a/packages/ti_domaintools/docs/README.md b/packages/ti_domaintools/docs/README.md index 8cec9ffd1cd..d371bd36206 100644 --- a/packages/ti_domaintools/docs/README.md 
+++ b/packages/ti_domaintools/docs/README.md @@ -8,6 +8,8 @@ Summary of Available Feeds: - `Newly Observed Domains (NOD)`: Apex-level domains (e.g. example.com but not ) that we observe for the first time, and have not observed previously with our global DNS sensor network. - `Domain Discovery`: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties. - `Domain RDAP`: Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP). Compliments the 5-Minute WHOIS Feed as registries and registrars switch from Whois to RDAP. +- `Domain Risk`: Real-time updates to Domain Risk Scores for apex domains, regardless of observed traffic. +- `Domain Hotlist`: Domains with high Domain Risk Scores that have also been active within 24 hours. With over 300,000 new domains observed daily, the feed empowers security teams to identify and block potentially malicious domains before they can be weaponized. Ideal for threat hunting, phishing prevention, and brand protection. @@ -25,6 +27,8 @@ Log data streams collected by the DomainTools integration include the following - `Newly Active Domains (NAD)` - `Domain Discovery` - `Domain RDAP` +- `Domain Risk` +- `Domain Hotlist` ## Requirements 
@@ -539,3 +543,245 @@ An example event for `domainrdap_feed` looks as following: | threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | | threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | + +### Domain Risk Feed + +The `domainrisk_feed` data stream provides events from [DomainTools Domain Risk](https://www.domaintools.com/products/threat-intelligence-feeds/). +This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/). + +#### Example + +An example event for `domainrisk_feed` looks as following: + +```json +{ + "@timestamp": "2025-09-10T17:13:16.748Z", + "agent": { + "ephemeral_id": "4c3bec09-a0dc-44b4-8dd6-40fbaa915536", + "id": "b2456514-4b1d-41a2-9c43-fa3f1d2c309a", + "name": "elastic-agent-66378", + "type": "filebeat", + "version": "8.18.2" + }, + "data_stream": { + "dataset": "ti_domaintools.domainrisk_feed", + "namespace": "89484", + "type": "logs" + }, + "domaintools": { + "domain": "bathroom-remodeling-65908.bond", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 77, + "timestamp": "2025-09-06T23:08:07Z" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "b2456514-4b1d-41a2-9c43-fa3f1d2c309a", + "snapshot": false, + "version": "8.18.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "ti_domaintools.domainrisk_feed", + "ingested": "2025-09-10T17:13:19Z", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "elastic-agent-66378", + "ip": [ + "172.24.0.2", + "172.18.0.5" + ], + "mac": [ + "2A-6D-82-23-5E-4E", + "7E-AE-D2-7C-35-FB" + ], + "name": "elastic-agent-66378", + "os": { + "family": "", + 
"kernel": "6.10.14-linuxkit", + "name": "Wolfi", + "platform": "wolfi", + "type": "linux", + "version": "20230201" + } + }, + "input": { + "type": "cel" + }, + "threat": { + "indicator": { + "name": "bathroom-remodeling-65908.bond", + "type": "domain-name" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. Required field for all events. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| domaintools.domain | The Domain. | keyword | +| domaintools.feed | The feed type. | constant_keyword | +| domaintools.malware_risk | The malware risk score of the domain. | byte | +| domaintools.overall_risk | The overall risk score of the domain. | byte | +| domaintools.phishing_risk | The phishing risk score of the domain. | byte | +| domaintools.proximity_risk | The proximity risk score of the domain. | byte | +| domaintools.spam_risk | The spam risk score of the domain. 
| byte | +| domaintools.timestamp | Timestamp when the domain was added to the DomainTools feed, in ISO 8601 UTC form. | date | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. | match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. 
They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. This will allow proper categorization of some events that fall in multiple event types. | keyword | +| input.type | Type of filebeat input. | keyword | +| labels.is_ioc_transform_source | Indicates whether an IOC is in the raw source data stream, or the in latest destination index. | constant_keyword | +| message | The feed from DomainTools Feed API. | match_only_text | +| threat.feed.description | Display the feed description. | constant_keyword | +| threat.feed.name | Display friendly feed name. | constant_keyword | +| threat.feed.reference | Display the feed reference. | constant_keyword | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | + + +### Domain Hotlist Feed + +The `domainhotlist_feed` data stream provides events from [DomainTools Domain Hotlist](https://www.domaintools.com/products/threat-intelligence-feeds/). +This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/). 
+ +#### Example + +An example event for `domainhotlist_feed` looks as following: + +```json +{ + "@timestamp": "2025-09-11T15:48:25.817Z", + "agent": { + "ephemeral_id": "74a0f32a-8842-445b-85b8-3f2ef0d68f13", + "id": "93715821-51ef-48df-8721-78cbe6cf916d", + "name": "elastic-agent-80427", + "type": "filebeat", + "version": "8.18.2" + }, + "data_stream": { + "dataset": "ti_domaintools.domainhotlist_feed", + "namespace": "22303", + "type": "logs" + }, + "domaintools": { + "domain": "axrszo1ibm.click", + "expires": "2025-09-07T22:57:35Z", + "malware_risk": 99, + "overall_risk": 100, + "phishing_risk": 99, + "proximity_risk": 100, + "spam_risk": 99, + "timestamp": "2025-09-06T23:00:08Z" + }, + "ecs": { + "version": "8.17.0" + }, + "elastic_agent": { + "id": "93715821-51ef-48df-8721-78cbe6cf916d", + "snapshot": false, + "version": "8.18.2" + }, + "event": { + "agent_id_status": "verified", + "category": [ + "threat" + ], + "dataset": "ti_domaintools.domainhotlist_feed", + "ingested": "2025-09-11T15:48:28Z", + "kind": "enrichment", + "type": [ + "indicator" + ] + }, + "host": { + "architecture": "aarch64", + "containerized": false, + "hostname": "elastic-agent-80427", + "ip": [ + "172.24.0.2", + "172.18.0.8" + ], + "mac": [ + "A2-E3-32-7E-CF-FE", + "A6-83-0B-2E-4E-E6" + ], + "name": "elastic-agent-80427", + "os": { + "family": "", + "kernel": "6.10.14-linuxkit", + "name": "Wolfi", + "platform": "wolfi", + "type": "linux", + "version": "20230201" + } + }, + "input": { + "type": "cel" + }, + "threat": { + "indicator": { + "name": "axrszo1ibm.click", + "type": "domain-name" + } + } +} +``` + +**Exported fields** + +| Field | Description | Type | +|---|---|---| +| @timestamp | Date/time when the event originated. This is the date/time extracted from the event, typically representing when the event was generated by the source. If the event source has no original timestamp, this value is typically populated by the first time the event was received by the pipeline. 
Required field for all events. | date | +| data_stream.dataset | Data stream dataset. | constant_keyword | +| data_stream.namespace | A user defined namespace. Namespaces are useful to allow grouping of data. Many users already organize their indices this way, and the data stream naming scheme now provides this best practice as a default. Many users will populate this field with `default`. If no value is used, it falls back to `default`. Beyond the Elasticsearch index naming criteria noted above, `namespace` value has the additional restrictions: \* Must not contain `-` \* No longer than 100 characters | constant_keyword | +| data_stream.type | An overarching type for the data stream. Currently allowed values are "logs" and "metrics". We expect to also add "traces" and "synthetics" in the near future. | constant_keyword | +| domaintools.domain | The Domain. | keyword | +| domaintools.expires | The expiration of the entry. The expiration is 24 hours after the first of the two required events (risk or activity) is detected. | date | +| domaintools.feed | The feed type. | constant_keyword | +| domaintools.malware_risk | The malware risk score of the domain. | byte | +| domaintools.overall_risk | The overall risk score of the domain. | byte | +| domaintools.phishing_risk | The phishing risk score of the domain. | byte | +| domaintools.proximity_risk | The proximity risk score of the domain. | byte | +| domaintools.spam_risk | The spam risk score of the domain. | byte | +| domaintools.timestamp | Timestamp when the domain was added to the DomainTools feed, in ISO 8601 UTC form. | date | +| ecs.version | ECS version this event conforms to. `ecs.version` is a required field and must exist in all events. When querying across multiple indices -- which may conform to slightly different ECS versions -- this field lets integrations adjust to the schema version of the events. | keyword | +| error.message | Error message. 
| match_only_text | +| event.category | This is one of four ECS Categorization Fields, and indicates the second level in the ECS category hierarchy. `event.category` represents the "big buckets" of ECS categories. For example, filtering on `event.category:process` yields all events relating to process activity. This field is closely related to `event.type`, which is used as a subcategory. This field is an array. This will allow proper categorization of some events that fall in multiple categories. | keyword | +| event.id | Unique ID to describe the event. | keyword | +| event.ingested | Timestamp when an event arrived in the central data store. This is different from `@timestamp`, which is when the event originally occurred. It's also different from `event.created`, which is meant to capture the first time an agent saw the event. In normal conditions, assuming no tampering, the timestamps should chronologically look like this: `@timestamp` \< `event.created` \< `event.ingested`. | date | +| event.kind | This is one of four ECS Categorization Fields, and indicates the highest level in the ECS category hierarchy. `event.kind` gives high-level information about what type of information the event contains, without being specific to the contents of the event. For example, values of this field distinguish alert events from metric events. The value of this field can be used to inform how these kinds of events should be handled. They may warrant different retention, different access control, it may also help understand whether the data is coming in at a regular interval or not. | keyword | +| event.type | This is one of four ECS Categorization Fields, and indicates the third level in the ECS category hierarchy. `event.type` represents a categorization "sub-bucket" that, when used along with the `event.category` field values, enables filtering events down to a level appropriate for single visualization. This field is an array. 
This will allow proper categorization of some events that fall in multiple event types. | keyword | +| input.type | Type of filebeat input. | keyword | +| labels.is_ioc_transform_source | Indicates whether an IOC is in the raw source data stream, or the in latest destination index. | constant_keyword | +| message | The feed from DomainTools Feed API. | match_only_text | +| threat.feed.description | Display the feed description. | constant_keyword | +| threat.feed.name | Display friendly feed name. | constant_keyword | +| threat.feed.reference | Display the feed reference. | constant_keyword | +| threat.indicator.name | The display name indicator in an UI friendly format URL, IP address, email address, registry key, port number, hash value, or other relevant name can serve as the display name. | keyword | +| threat.indicator.type | Type of indicator as represented by Cyber Observable in STIX 2.0. | keyword | + diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/base-fields.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/base-fields.yml new file mode 100644 index 00000000000..27249d2fc02 --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/base-fields.yml @@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: ti_domaintools +- name: event.dataset + type: constant_keyword + external: ecs + value: ti_domaintools.domainhotlist_feed +- name: "@timestamp" + external: ecs diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/beats.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/beats.yml new file mode 100644 index 00000000000..b13d5cc96f4 --- /dev/null 
+++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/beats.yml @@ -0,0 +1,11 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + external: ecs diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/ecs.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/ecs.yml new file mode 100644 index 00000000000..6144ae3e836 --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/ecs.yml @@ -0,0 +1,30 @@ +- name: ecs.version + external: ecs +- name: error.message + external: ecs +- name: event.category + external: ecs +- name: event.id + external: ecs +- name: event.ingested + external: ecs +- name: event.kind + external: ecs +- name: event.type + external: ecs +- name: threat.indicator.type + external: ecs +- name: threat.indicator.name + external: ecs +- name: threat.feed.description + type: constant_keyword + description: Display the feed description. + value: "Domains with high Domain Risk Scores that have also been active within 24 hours." +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name. + value: "DomainTools domainhotlist" +- name: threat.feed.reference + type: constant_keyword + description: Display the feed reference. + value: "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/" diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/fields.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/fields.yml new file mode 100644 index 00000000000..4fc14d1ebcb --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/fields.yml 
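Review bot: The transform's `threat.feed.reference` has the same internal-looking `https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/` value, which will be written into the latest-IOC destination index that detection rules and the indicator-match UI link out from. Replace it with the public documentation URL used in the README, `value: "https://docs.domaintools.com/feeds/realtime/"`, and keep it identical to the value in the source data stream's `fields/ecs.yml` so the two indices do not disagree.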
@@ -0,0 +1,53 @@ +- name: domaintools + type: group + fields: + - name: domain + type: keyword + description: > + The Domain. + + - name: feed + type: constant_keyword + value: "domainhotlist" + description: > + The feed. + + - name: phishing_risk + type: byte + description: > + The phishing risk score of the domain. + + - name: malware_risk + type: byte + description: > + The malware risk score of the domain. + + - name: proximity_risk + type: byte + description: > + The proximity risk score of the domain. + + - name: spam_risk + type: byte + description: > + The spam risk score of the domain. + + - name: overall_risk + type: byte + description: > + The overall risk score of the domain. + + - name: expires + type: date + description: > + The expiration of the entry. The expiration is 24 hours after the first of the two required events (risk or activity) is detected. + + - name: timestamp + type: date + description: > + Timestamp when the domain was added to the DomainTools feed, in ISO 8601 UTC form. + +- name: message + external: ecs + description: >- + The feed. diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/is-ioc-transform-source-false.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/is-ioc-transform-source-false.yml new file mode 100644 index 00000000000..15524f7a6cc --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/fields/is-ioc-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "false" + description: Indicates whether an IOC is in the raw source data stream, or the in latest destination index. diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/manifest.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/manifest.yml new file mode 100644 index 00000000000..f5296fd0c0a --- /dev/null 
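Review bot: The five `*_risk` fields are mapped as `byte` (−128..127) but none of their descriptions states the expected range, so the mapping cannot be checked against the feed; a score outside that range would be rejected at index time unless `ignore_malformed` is set, silently dropping the indicator. If the scores are on the usual 0–100 scale, say so, e.g. `The phishing risk score of the domain, on a 0-100 scale.`, and only widen the type if the API can return larger values — confirm against the feed documentation. The `domain` and `feed` descriptions (`The Domain.`, `The feed.`) are placeholders; `feed` could read `Name of the DomainTools feed the entry came from; always "domainhotlist" for this data stream.` and `domain` could read `Apex domain the entry refers to.`. The `latest_domainrisk/fields/fields.yml` hunk has the same undocumented `byte` scores and placeholder descriptions.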
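Review bot: The description `Indicates whether an IOC is in the raw source data stream, or the in latest destination index.` has a word-order slip ("the in") that is also reproduced in the README fields table; suggest `Indicates whether an IOC is in the raw source data stream, or in the latest destination index.`. The identical file added under `latest_domainrisk/fields/` carries the same text.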
+++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/manifest.yml @@ -0,0 +1,18 @@ +start: true +destination_index_template: + settings: + index: + sort: + field: + - "@timestamp" + order: + - desc + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: false diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/transform.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/transform.yml new file mode 100644 index 00000000000..4bebb384aa9 --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainhotlist/transform.yml 
@@ -0,0 +1,35 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-ti_domaintools.domainhotlist_feed-*" +# The version suffix on the dest.index should be incremented if a breaking change +# is made to the index mapping. You must also bump the fleet_transform_version +# for any change to this transform configuration to take effect. The old destination +# index is not automatically removed. We are dependent on https://github.com/elastic/package-spec/issues/523 to give +# us that ability in order to prevent having duplicate IoC data and prevent query +# time field type conflicts. +dest: + index: "logs-ti_domaintools_latest.domainhotlist_feed-2" + aliases: + - alias: "logs-ti_domaintools_latest.domainhotlist_feed" + move_on_creation: true +latest: + unique_key: + - domaintools.domain + sort: event.ingested +description: Latest Domain hotlist data +frequency: 30s +sync: + time: + field: event.ingested + # Updated to 120s because of refresh delay in Serverless. With default 60s, sometimes transform wouldn't process all documents. + delay: 120s +retention_policy: + time: + field: event.ingested + max_age: 7d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 1.0.0 diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/base-fields.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/base-fields.yml new file mode 100644 index 00000000000..562f0a69af2 --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/base-fields.yml 
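Review bot: The retention policy keeps hotlist entries for `max_age: 7d` measured on `event.ingested`, yet the hotlist feed itself carries a `domaintools.expires` timestamp set 24 hours after detection, so the latest index will present a domain as a current high-risk indicator for up to six days after DomainTools has expired it. Any indicator-match rule reading `logs-ti_domaintools_latest.domainhotlist_feed` would keep matching on stale entries unless it filters on `domaintools.expires` itself. Consider driving retention from the feed's own expiry — `retention_policy.time.field: domaintools.expires` with a short `max_age` (Elasticsearch enforces a minimum, which I believe is 60s; confirm) — or at least document in the transform `description` that consumers must filter by `domaintools.expires`. Separately, the destination index for this brand-new transform is created as `...domainhotlist_feed-2` at `fleet_transform_version: 1.0.0`, which looks copied from the existing feeds; if there was never a `-1`, starting at the suffix the comment above `dest` describes keeps that comment meaningful, and the `latest_domainrisk/transform.yml` hunk has the same `-2`.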
@@ -0,0 +1,16 @@ +- name: data_stream.type + external: ecs +- name: data_stream.dataset + external: ecs +- name: data_stream.namespace + external: ecs +- name: event.module + type: constant_keyword + external: ecs + value: ti_domaintools +- name: event.dataset + type: constant_keyword + external: ecs + value: ti_domaintools.domainrisk_feed +- name: "@timestamp" + external: ecs diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/beats.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/beats.yml new file mode 100644 index 00000000000..b13d5cc96f4 --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/beats.yml @@ -0,0 +1,11 @@ +- name: input.type + type: keyword + description: Type of Filebeat input. +- name: log.flags + type: keyword + description: Flags for the log file. +- name: log.offset + type: long + description: Offset of the entry in the log file. +- name: log.file.path + external: ecs diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/ecs.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/ecs.yml new file mode 100644 index 00000000000..bdfbcbee0dc --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/ecs.yml 
@@ -0,0 +1,30 @@ +- name: ecs.version + external: ecs +- name: error.message + external: ecs +- name: event.category + external: ecs +- name: event.id + external: ecs +- name: event.ingested + external: ecs +- name: event.kind + external: ecs +- name: event.type + external: ecs +- name: threat.indicator.type + external: ecs +- name: threat.indicator.name + external: ecs +- name: threat.feed.description + type: constant_keyword + description: Display the feed description. + value: "Real-time updates to Domain Risk Scores for apex domains, regardless of observed traffic." +- name: threat.feed.name + type: constant_keyword + description: Display friendly feed name. + value: "DomainTools domainrisk" +- name: threat.feed.reference + type: constant_keyword + description: Display the feed reference. + value: "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/" diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/fields.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/fields.yml new file mode 100644 index 00000000000..52f2a714c3d --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/fields.yml 
@@ -0,0 +1,48 @@ +- name: domaintools + type: group + fields: + - name: domain + type: keyword + description: > + The Domain. + + - name: feed + type: constant_keyword + value: "domainrisk" + description: > + The feed. + + - name: phishing_risk + type: byte + description: > + The phishing risk score of the domain. + + - name: malware_risk + type: byte + description: > + The malware risk score of the domain. + + - name: proximity_risk + type: byte + description: > + The proximity risk score of the domain. + + - name: spam_risk + type: byte + description: > + The spam risk score of the domain. + + - name: overall_risk + type: byte + description: > + The overall risk score of the domain. + + - name: timestamp + type: date + description: > + Timestamp when the domain was added to the DomainTools feed, in ISO 8601 UTC form. + +- name: message + external: ecs + description: >- + The feed. diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/is-ioc-transform-source-false.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/is-ioc-transform-source-false.yml new file mode 100644 index 00000000000..15524f7a6cc --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/fields/is-ioc-transform-source-false.yml @@ -0,0 +1,4 @@ +- name: labels.is_ioc_transform_source + type: constant_keyword + value: "false" + description: Indicates whether an IOC is in the raw source data stream, or the in latest destination index. diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/manifest.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/manifest.yml new file mode 100644 index 00000000000..f5296fd0c0a --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/manifest.yml 
@@ -0,0 +1,18 @@ +start: true +destination_index_template: + settings: + index: + sort: + field: + - "@timestamp" + order: + - desc + mappings: + dynamic: true + dynamic_templates: + - strings_as_keyword: + match_mapping_type: string + mapping: + ignore_above: 1024 + type: keyword + date_detection: false diff --git a/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/transform.yml b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/transform.yml new file mode 100644 index 00000000000..4f7e6a394a8 --- /dev/null +++ b/packages/ti_domaintools/elasticsearch/transform/latest_domainrisk/transform.yml @@ -0,0 +1,35 @@ +# Use of "*" to use all namespaces defined. +source: + index: + - "logs-ti_domaintools.domainrisk_feed-*" +# The version suffix on the dest.index should be incremented if a breaking change +# is made to the index mapping. You must also bump the fleet_transform_version +# for any change to this transform configuration to take effect. The old destination +# index is not automatically removed. We are dependent on https://github.com/elastic/package-spec/issues/523 to give +# us that ability in order to prevent having duplicate IoC data and prevent query +# time field type conflicts. +dest: + index: "logs-ti_domaintools_latest.domainrisk_feed-2" + aliases: + - alias: "logs-ti_domaintools_latest.domainrisk_feed" + move_on_creation: true +latest: + unique_key: + - domaintools.domain + sort: event.ingested +description: Latest Domain risk data +frequency: 30s +sync: + time: + field: event.ingested + # Updated to 120s because of refresh delay in Serverless. With default 60s, sometimes transform wouldn't process all documents. + delay: 120s +retention_policy: + time: + field: event.ingested + max_age: 7d +_meta: + managed: true + # Bump this version to delete, reinstall, and restart the transform during package. + # Version bump is needed if there is any code change in transform. + fleet_transform_version: 1.0.0 
diff --git a/packages/ti_domaintools/img/ti_domaintools_overview-dashboard.png b/packages/ti_domaintools/img/ti_domaintools_overview-dashboard.png index 51dcc28172b..4aac62d89c8 100644 Binary files a/packages/ti_domaintools/img/ti_domaintools_overview-dashboard.png and b/packages/ti_domaintools/img/ti_domaintools_overview-dashboard.png differ diff --git a/packages/ti_domaintools/kibana/dashboard/ti_domaintools-69a8feb8-13a4-4921-8152-a94dc437aabd.json b/packages/ti_domaintools/kibana/dashboard/ti_domaintools-69a8feb8-13a4-4921-8152-a94dc437aabd.json new file mode 100644 index 00000000000..c9052cf5332 --- /dev/null +++ b/packages/ti_domaintools/kibana/dashboard/ti_domaintools-69a8feb8-13a4-4921-8152-a94dc437aabd.json 
@@ -0,0 +1,2705 @@ +{ + "attributes": { + "controlGroupInput": { + "chainingSystem": "HIERARCHICAL", + "controlStyle": "oneLine", + "ignoreParentSettingsJSON": { + "ignoreFilters": false, + "ignoreQuery": false, + "ignoreTimerange": false, + "ignoreValidations": false + }, + "panelsJSON": {}, + "showApplySelections": false + }, + "description": "", + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "key": "domaintools.domain", + "negate": false, + "type": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "optionsJSON": { + "hidePanelTitles": false, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true, + "useMargins": true + }, + "panelsJSON": [ + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { + "columnOrder": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + ], + "columns": { + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique count of Newly Observed Domain Feeds", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "domaintools.domain" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + 
"index": "2c733840-66cc-45b9-8fd0-9fb17d2b9be9", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nod_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nod_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#54B399", + "icon": "empty", + "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "layerType": "data", + "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "2c733840-66cc-45b9-8fd0-9fb17d2b9be9", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nod_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nod_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + 
} + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 8, + "i": "5a13283f-c22c-414c-a5f6-3487d557f886", + "w": 6, + "x": 24, + "y": 0 + }, + "panelIndex": "5a13283f-c22c-414c-a5f6-3487d557f886", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { + "columnOrder": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + ], + "columns": { + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique count of Newly Active Domain Feeds", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "domaintools.domain" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "bf265c5c-76e6-4da9-be04-398938462272", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nad_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nad_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": 
"domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#1BB7DE", + "icon": "empty", + "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "layerType": "data", + "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "bf265c5c-76e6-4da9-be04-398938462272", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nad_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nad_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 8, + "i": "fb0c3358-650f-427b-90e3-ca4b3e7da33c", + "w": 6, + "x": 30, + "y": 0 + }, + "panelIndex": "fb0c3358-650f-427b-90e3-ca4b3e7da33c", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": 
"indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { + "columnOrder": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + ], + "columns": { + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Unique count of Domain Discovery Feeds", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "domaintools.domain" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "303418fd-ef7f-46f7-bfc2-f7f8a276fd6d", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domaindiscovery_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domaindiscovery_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#6092C0", + "icon": "empty", + "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "layerType": "data", + "metricAccessor": 
"e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "303418fd-ef7f-46f7-bfc2-f7f8a276fd6d", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domaindiscovery_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domaindiscovery_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 8, + "i": "514cc069-3d03-4043-9dc4-63e7d8912936", + "w": 6, + "x": 36, + "y": 0 + }, + "panelIndex": "514cc069-3d03-4043-9dc4-63e7d8912936", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { + "columnOrder": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + ], + "columns": { + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, 
+ "label": "Unique count of Domain RDAP Feeds", + "operationType": "unique_count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "domaintools.domain" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*" + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "95a2738a-5aec-4694-9e6d-ab182becde24", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainrdap_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrdap_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "color": "#C6C9CB", + "icon": "empty", + "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "layerType": "data", + "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "95a2738a-5aec-4694-9e6d-ab182becde24", + "negate": false, + "params": [ + { + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + 
"negate": false, + "params": { + "query": "ti_domaintools.domainrdap_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrdap_feed" + } + } + }, + { + "meta": { + "alias": null, + "disabled": false, + "field": "domaintools.domain", + "index": "logs-*", + "key": "domaintools.domain", + "negate": false, + "type": "exists", + "value": "exists" + }, + "query": { + "exists": { + "field": "domaintools.domain" + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 8, + "i": "80b6c060-89ef-4238-8c5a-acd1135cb3c2", + "w": 6, + "x": 42, + "y": 0 + }, + "panelIndex": "80b6c060-89ef-4238-8c5a-acd1135cb3c2", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "788c583b-a0fe-4174-8d6f-c8282247f3bd", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "6c2ccc16-2ef8-4a91-800a-85ec8e128e91": { + "columnOrder": [ + "d41ba4f5-06fd-4d9a-950c-bb002713f2f7", + "c56d13b4-7805-466d-b717-ddd4f9fca449" + ], + "columns": { + "c56d13b4-7805-466d-b717-ddd4f9fca449": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d41ba4f5-06fd-4d9a-950c-bb002713f2f7": { + "dataType": "date", + "isBucketed": true, + "label": "domaintools.timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + 
"sourceField": "domaintools.timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "788c583b-a0fe-4174-8d6f-c8282247f3bd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nod_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nod_feed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c56d13b4-7805-466d-b717-ddd4f9fca449" + ], + "layerId": "6c2ccc16-2ef8-4a91-800a-85ec8e128e91", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "d41ba4f5-06fd-4d9a-950c-bb002713f2f7" + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "788c583b-a0fe-4174-8d6f-c8282247f3bd", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nod_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + 
"data_stream.dataset": "ti_domaintools.nod_feed" + } + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 14, + "i": "27a80e14-6ab6-4efd-8dea-e59261eb27a6", + "w": 21, + "x": 0, + "y": 8 + }, + "panelIndex": "27a80e14-6ab6-4efd-8dea-e59261eb27a6", + "title": "Newly Observed Domains over Time [Logs DomainTools Feeds]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 14, + "i": "dc942668-79f9-434c-9c7d-df0475a814b0", + "w": 27, + "x": 21, + "y": 8 + }, + "panelIndex": "dc942668-79f9-434c-9c7d-df0475a814b0", + "panelRefName": "panel_dc942668-79f9-434c-9c7d-df0475a814b0", + "title": "Recently Newly Observed Domains [Logs DomainTools Feeds]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "6c2ccc16-2ef8-4a91-800a-85ec8e128e91": { + "columnOrder": [ + "d41ba4f5-06fd-4d9a-950c-bb002713f2f7", + "c56d13b4-7805-466d-b717-ddd4f9fca449" + ], + "columns": { + "c56d13b4-7805-466d-b717-ddd4f9fca449": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "d41ba4f5-06fd-4d9a-950c-bb002713f2f7": { + "dataType": "date", + "isBucketed": true, + "label": "domaintools.timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "domaintools.timestamp" + } + }, + 
"incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a297da4b-3add-4b07-a74d-4192baf47a11", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.nad_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nad_feed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "c56d13b4-7805-466d-b717-ddd4f9fca449" + ], + "layerId": "6c2ccc16-2ef8-4a91-800a-85ec8e128e91", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "d41ba4f5-06fd-4d9a-950c-bb002713f2f7", + "yConfig": [ + { + "color": "#1bb7de", + "forAccessor": "c56d13b4-7805-466d-b717-ddd4f9fca449" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "a297da4b-3add-4b07-a74d-4192baf47a11", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": 
"ti_domaintools.nad_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.nad_feed" + } + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 13, + "i": "ca10552f-cbac-4e67-90cb-2620b69cf79b", + "w": 21, + "x": 0, + "y": 22 + }, + "panelIndex": "ca10552f-cbac-4e67-90cb-2620b69cf79b", + "title": "Newly Active Domains over Time [Logs DomainTools Feeds]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 13, + "i": "a2f808f7-8a03-4aa4-bd63-6a2343166cac", + "w": 27, + "x": 21, + "y": 22 + }, + "panelIndex": "a2f808f7-8a03-4aa4-bd63-6a2343166cac", + "panelRefName": "panel_a2f808f7-8a03-4aa4-bd63-6a2343166cac", + "title": "Recently Newly Active Domains [Logs DomainTools Feeds]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-0c69a811-9cb5-4aef-85a4-176619ccf7d7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "0c69a811-9cb5-4aef-85a4-176619ccf7d7": { + "columnOrder": [ + "c228f756-385d-4efe-942b-edb16a8a3827", + "1dcef8c5-9814-4c38-814b-cc15efd97b40" + ], + "columns": { + "1dcef8c5-9814-4c38-814b-cc15efd97b40": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "c228f756-385d-4efe-942b-edb16a8a3827": { + "dataType": "date", + "isBucketed": true, + "label": "domaintools.timestamp", + "operationType": "date_histogram", + "params": { + 
"dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "domaintools.timestamp" + } + }, + "ignoreGlobalFilters": false, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domaindiscovery_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domaindiscovery_feed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "layers": [ + { + "accessors": [ + "1dcef8c5-9814-4c38-814b-cc15efd97b40" + ], + "layerId": "0c69a811-9cb5-4aef-85a4-176619ccf7d7", + "layerType": "data", + "position": "top", + "seriesType": "line", + "showGridlines": false, + "xAccessor": "c228f756-385d-4efe-942b-edb16a8a3827", + "yConfig": [ + { + "color": "#6092c0", + "forAccessor": "1dcef8c5-9814-4c38-814b-cc15efd97b40" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "title": "Empty XY chart", + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domaindiscovery_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domaindiscovery_feed" + 
} + } + } + ], + "hidePanelTitles": false, + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 13, + "i": "505c262b-81b4-498a-a528-3ef2893f5d7c", + "w": 21, + "x": 0, + "y": 35 + }, + "panelIndex": "505c262b-81b4-498a-a528-3ef2893f5d7c", + "title": "Domain Discovery over Time [Logs DomainTools Feeds]", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 13, + "i": "16b4bc51-85d6-4ed5-9321-9435d7944082", + "w": 27, + "x": 21, + "y": 35 + }, + "panelIndex": "16b4bc51-85d6-4ed5-9321-9435d7944082", + "panelRefName": "panel_16b4bc51-85d6-4ed5-9321-9435d7944082", + "title": "Recently Domain Discovery [Logs DomainTools Feeds]", + "type": "search" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 13, + "i": "8394da2a-9e4a-4df6-8827-d89dfa6372bd", + "w": 27, + "x": 21, + "y": 48 + }, + "panelIndex": "8394da2a-9e4a-4df6-8827-d89dfa6372bd", + "panelRefName": "panel_8394da2a-9e4a-4df6-8827-d89dfa6372bd", + "title": "Recently Domain RDAP [Logs DomainTools Feeds]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "currentIndexPatternId": "logs-*", + "layers": { + "76906f91-d089-4353-920a-49f0201ece31": { + "columnOrder": [ + "740d5a07-22e8-429e-aa3b-90b480acd291", + "05b4f99d-2dae-4339-8eef-c789308fb2cb" + ], + "columns": { + "05b4f99d-2dae-4339-8eef-c789308fb2cb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": 
"ratio", + "sourceField": "___records___" + }, + "740d5a07-22e8-429e-aa3b-90b480acd291": { + "dataType": "date", + "isBucketed": true, + "label": "domaintools.timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "domaintools.timestamp" + } + }, + "incompleteColumns": {}, + "indexPatternId": "logs-*", + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9a18bb8d-1556-4b88-9e41-548cd5ff48d9", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainrdap_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrdap_feed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "05b4f99d-2dae-4339-8eef-c789308fb2cb" + ], + "layerId": "76906f91-d089-4353-920a-49f0201ece31", + "layerType": "data", + "seriesType": "line", + "xAccessor": "740d5a07-22e8-429e-aa3b-90b480acd291", + "yConfig": [ + { + "color": "#c6c9cb", + "forAccessor": "05b4f99d-2dae-4339-8eef-c789308fb2cb" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + 
"enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "9a18bb8d-1556-4b88-9e41-548cd5ff48d9", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainrdap_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrdap_feed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 13, + "i": "71aafb33-4f04-4b1a-a731-b56254ec3e7f", + "w": 21, + "x": 0, + "y": 48 + }, + "panelIndex": "71aafb33-4f04-4b1a-a731-b56254ec3e7f", + "type": "lens" + }, + { + "embeddableConfig": { + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "hidePanelTitles": false, + "savedVis": { + "data": { + "aggs": [], + "searchSource": { + "filter": [], + "query": { + "language": "kuery", + "query": "" + } + } + }, + "description": "", + "id": "", + "params": { + "fontSize": 11, + "markdown": "**Overview** \nThis dashboard provides an overview of data collected through the DomainTools Feeds integration. 
It displays the total number of unique count of domains in different feeds to give a snapshot of current activity, visualizes domain observations over time to highlight trends or spikes, and includes a view of recently domaintools feeds for quick access to the latest entries.\n", + "openLinksInNewTab": false + }, + "title": "", + "type": "markdown", + "uiState": {} + } + }, + "gridData": { + "h": 8, + "i": "8348acfc-272f-4e9d-8567-b13ce1b3e6a7", + "w": 12, + "x": 0, + "y": 0 + }, + "panelIndex": "8348acfc-272f-4e9d-8567-b13ce1b3e6a7", + "title": "Contents", + "type": "visualization" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b8a0bc69-5bd7-4c8e-a81c-1e13ccb9d52c", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { + "columnOrder": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1", + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1X0" + ], + "columns": { + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count of High Risk domains from Domain Risk Feeds", + "operationType": "formula", + "params": { + "formula": "unique_count(domaintools.domain)", + "isFormulaBroken": false + }, + "references": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1X0" + ], + "scale": "ratio" + }, + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count of High Risk domains from Domain Risk Feeds", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + "scale": "ratio", + "sourceField": "domaintools.domain" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { 
+ "alias": null, + "disabled": false, + "index": "b8a0bc69-5bd7-4c8e-a81c-1e13ccb9d52c", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainrisk_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrisk_feed" + } + } + }, + { + "meta": { + "disabled": false, + "field": "domaintools.overall_risk", + "index": "logs-*", + "key": "domaintools.overall_risk", + "negate": false, + "params": { + "gte": "70" + }, + "type": "range", + "value": { + "gte": "70" + } + }, + "query": { + "range": { + "domaintools.overall_risk": { + "gte": "70" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"ti_domaintools.domainrisk_feed\" and domaintools.overall_risk \u003e= 70" + }, + "visualization": { + "color": "#ee8f7c", + "icon": "empty", + "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "layerType": "data", + "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "b8a0bc69-5bd7-4c8e-a81c-1e13ccb9d52c", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainrisk_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrisk_feed" + } + } + }, + { + "meta": { + "disabled": false, + "field": "domaintools.overall_risk", + "index": 
"logs-*", + "key": "domaintools.overall_risk", + "negate": false, + "params": { + "gte": "70" + }, + "type": "range", + "value": { + "gte": "70" + } + }, + "query": { + "range": { + "domaintools.overall_risk": { + "gte": "70" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"ti_domaintools.domainrisk_feed\" and domaintools.overall_risk \u003e= 70" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 8, + "i": "b0378cdd-cf3b-4d6d-bc87-701167e73198", + "w": 6, + "x": 18, + "y": 0 + }, + "panelIndex": "b0378cdd-cf3b-4d6d-bc87-701167e73198", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "cc2cd41c-1f27-4d49-a775-644dde82f18b", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { + "columnOrder": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1", + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1X0" + ], + "columns": { + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Count of High Risk domains from Domain Hotlist Feeds", + "operationType": "formula", + "params": { + "formula": "unique_count(domaintools.domain)", + "isFormulaBroken": false + }, + "references": [ + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1X0" + ], + "scale": "ratio" + }, + "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1X0": { + "customLabel": true, + "dataType": "number", + "isBucketed": false, + "label": "Part of Count of High Risk domains from Domain Risk Feeds", + "operationType": "unique_count", + "params": { + "emptyAsNull": false + }, + 
"scale": "ratio", + "sourceField": "domaintools.domain" + } + }, + "incompleteColumns": {} + } + } + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "cc2cd41c-1f27-4d49-a775-644dde82f18b", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainhotlist_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainhotlist_feed" + } + } + }, + { + "meta": { + "disabled": false, + "field": "domaintools.overall_risk", + "index": "logs-*", + "key": "domaintools.overall_risk", + "negate": false, + "params": { + "gte": "70" + }, + "type": "range", + "value": { + "gte": "70" + } + }, + "query": { + "range": { + "domaintools.overall_risk": { + "gte": "70" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"ti_domaintools.domainhotlist_feed\" and domaintools.overall_risk \u003e= 70" + }, + "visualization": { + "color": "#E7664C", + "icon": "empty", + "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "layerType": "data", + "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsMetric" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "index": "cc2cd41c-1f27-4d49-a775-644dde82f18b", + "negate": false, + "params": [ + { + "meta": { + "disabled": false, + "field": "data_stream.dataset", + "index": "logs-*", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainhotlist_feed" + }, + "type": "phrase" + }, 
+ "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainhotlist_feed" + } + } + }, + { + "meta": { + "disabled": false, + "field": "domaintools.overall_risk", + "index": "logs-*", + "key": "domaintools.overall_risk", + "negate": false, + "params": { + "gte": "70" + }, + "type": "range", + "value": { + "gte": "70" + } + }, + "query": { + "range": { + "domaintools.overall_risk": { + "gte": "70" + } + } + } + } + ], + "relation": "AND", + "type": "combined" + }, + "query": {} + } + ], + "hidePanelTitles": true, + "query": { + "language": "kuery", + "query": "data_stream.dataset : \"ti_domaintools.domainhotlist_feed\" and domaintools.overall_risk \u003e= 70" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 8, + "i": "ef9f7221-e03d-4323-81be-5cc3a5175eb5", + "w": 6, + "x": 12, + "y": 0 + }, + "panelIndex": "ef9f7221-e03d-4323-81be-5cc3a5175eb5", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "3652399c-a001-4afc-a395-93e1334517f2", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "76906f91-d089-4353-920a-49f0201ece31": { + "columnOrder": [ + "740d5a07-22e8-429e-aa3b-90b480acd291", + "05b4f99d-2dae-4339-8eef-c789308fb2cb" + ], + "columns": { + "05b4f99d-2dae-4339-8eef-c789308fb2cb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "740d5a07-22e8-429e-aa3b-90b480acd291": { + "dataType": "date", + "isBucketed": true, + "label": "domaintools.timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": 
true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "domaintools.timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "3652399c-a001-4afc-a395-93e1334517f2", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainrisk_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrisk_feed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "05b4f99d-2dae-4339-8eef-c789308fb2cb" + ], + "layerId": "76906f91-d089-4353-920a-49f0201ece31", + "layerType": "data", + "seriesType": "line", + "xAccessor": "740d5a07-22e8-429e-aa3b-90b480acd291", + "yConfig": [ + { + "color": "#c6c9cb", + "forAccessor": "05b4f99d-2dae-4339-8eef-c789308fb2cb" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "3652399c-a001-4afc-a395-93e1334517f2", + "key": "data_stream.dataset", + "negate": 
false, + "params": { + "query": "ti_domaintools.domainrisk_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainrisk_feed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 13, + "i": "1786af18-796c-4bde-a1dc-65199d50b1a5", + "w": 21, + "x": 0, + "y": 61 + }, + "panelIndex": "1786af18-796c-4bde-a1dc-65199d50b1a5", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 13, + "i": "8c892700-001e-4f80-9630-f7d1c3157607", + "w": 27, + "x": 21, + "y": 61 + }, + "panelIndex": "8c892700-001e-4f80-9630-f7d1c3157607", + "panelRefName": "panel_8c892700-001e-4f80-9630-f7d1c3157607", + "title": "Recently Domain Risk [Logs DomainTools Feeds]", + "type": "search" + }, + { + "embeddableConfig": { + "attributes": { + "references": [ + { + "id": "logs-*", + "name": "indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "77b57511-03b3-4d8b-9fa2-1effcf00a843", + "type": "index-pattern" + } + ], + "state": { + "adHocDataViews": {}, + "datasourceStates": { + "formBased": { + "layers": { + "76906f91-d089-4353-920a-49f0201ece31": { + "columnOrder": [ + "740d5a07-22e8-429e-aa3b-90b480acd291", + "05b4f99d-2dae-4339-8eef-c789308fb2cb" + ], + "columns": { + "05b4f99d-2dae-4339-8eef-c789308fb2cb": { + "dataType": "number", + "isBucketed": false, + "label": "Count of records", + "operationType": "count", + "params": { + "emptyAsNull": true + }, + "scale": "ratio", + "sourceField": "___records___" + }, + "740d5a07-22e8-429e-aa3b-90b480acd291": { + "dataType": "date", + "isBucketed": true, + "label": "domaintools.timestamp", + "operationType": "date_histogram", + "params": { + "dropPartials": false, + "includeEmptyRows": 
true, + "interval": "auto" + }, + "scale": "interval", + "sourceField": "domaintools.timestamp" + } + }, + "incompleteColumns": {}, + "sampling": 1 + } + } + }, + "indexpattern": { + "layers": {} + }, + "textBased": { + "layers": {} + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "77b57511-03b3-4d8b-9fa2-1effcf00a843", + "key": "data_stream.dataset", + "negate": false, + "params": { + "query": "ti_domaintools.domainhotlist_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainhotlist_feed" + } + } + } + ], + "internalReferences": [], + "query": { + "language": "kuery", + "query": "" + }, + "visualization": { + "axisTitlesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "fittingFunction": "None", + "gridlinesVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "labelsOrientation": { + "x": 0, + "yLeft": 0, + "yRight": 0 + }, + "layers": [ + { + "accessors": [ + "05b4f99d-2dae-4339-8eef-c789308fb2cb" + ], + "layerId": "76906f91-d089-4353-920a-49f0201ece31", + "layerType": "data", + "seriesType": "line", + "xAccessor": "740d5a07-22e8-429e-aa3b-90b480acd291", + "yConfig": [ + { + "color": "#c6c9cb", + "forAccessor": "05b4f99d-2dae-4339-8eef-c789308fb2cb" + } + ] + } + ], + "legend": { + "isVisible": true, + "position": "right" + }, + "preferredSeriesType": "line", + "tickLabelsVisibilitySettings": { + "x": true, + "yLeft": true, + "yRight": true + }, + "valueLabels": "hide" + } + }, + "title": "", + "type": "lens", + "visualizationType": "lnsXY" + }, + "enhancements": { + "dynamicActions": { + "events": [] + } + }, + "filters": [ + { + "$state": { + "store": "appState" + }, + "meta": { + "alias": null, + "disabled": false, + "field": "data_stream.dataset", + "index": "77b57511-03b3-4d8b-9fa2-1effcf00a843", + "key": "data_stream.dataset", + 
"negate": false, + "params": { + "query": "ti_domaintools.domainhotlist_feed" + }, + "type": "phrase" + }, + "query": { + "match_phrase": { + "data_stream.dataset": "ti_domaintools.domainhotlist_feed" + } + } + } + ], + "query": { + "language": "kuery", + "query": "" + }, + "syncColors": true, + "syncCursor": true, + "syncTooltips": true + }, + "gridData": { + "h": 13, + "i": "b7646eea-0290-43e9-8598-9a62a204b9f6", + "w": 21, + "x": 0, + "y": 74 + }, + "panelIndex": "b7646eea-0290-43e9-8598-9a62a204b9f6", + "title": "", + "type": "lens" + }, + { + "embeddableConfig": { + "description": "", + "enhancements": { + "dynamicActions": { + "events": [] + } + } + }, + "gridData": { + "h": 13, + "i": "fc867b80-a7d0-484b-95fc-3a4896ae3920", + "w": 27, + "x": 21, + "y": 74 + }, + "panelIndex": "fc867b80-a7d0-484b-95fc-3a4896ae3920", + "panelRefName": "panel_fc867b80-a7d0-484b-95fc-3a4896ae3920", + "title": "Recently Domain Hotlist [Logs DomainTools Feeds]", + "type": "search" + } + ], + "timeRestore": false, + "title": "[Logs DomainTools Feeds] Overview", + "version": 3 + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-09-11T16:14:37.276Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "ti_domaintools-69a8feb8-13a4-4921-8152-a94dc437aabd", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + }, + { + "id": "ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217", + "name": "dc942668-79f9-434c-9c7d-df0475a814b0:panel_dc942668-79f9-434c-9c7d-df0475a814b0", + "type": "search" + }, + { + "id": "ti_domaintools-0003128e-b815-468e-913d-b091a156a805", + "name": "a2f808f7-8a03-4aa4-bd63-6a2343166cac:panel_a2f808f7-8a03-4aa4-bd63-6a2343166cac", + "type": "search" + }, + { + "id": "ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b", + "name": "16b4bc51-85d6-4ed5-9321-9435d7944082:panel_16b4bc51-85d6-4ed5-9321-9435d7944082", + "type": "search" + }, + { + "id": 
"ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e", + "name": "8394da2a-9e4a-4df6-8827-d89dfa6372bd:panel_8394da2a-9e4a-4df6-8827-d89dfa6372bd", + "type": "search" + }, + { + "id": "ti_domaintools-8fa9ed20-de47-4226-9e75-cd7cbf8e9141", + "name": "8c892700-001e-4f80-9630-f7d1c3157607:panel_8c892700-001e-4f80-9630-f7d1c3157607", + "type": "search" + }, + { + "id": "ti_domaintools-ae844224-f834-43ed-b62e-8c67926d1ddd", + "name": "fc867b80-a7d0-484b-95fc-3a4896ae3920:panel_fc867b80-a7d0-484b-95fc-3a4896ae3920", + "type": "search" + }, + { + "id": "logs-*", + "name": "5a13283f-c22c-414c-a5f6-3487d557f886:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "fb0c3358-650f-427b-90e3-ca4b3e7da33c:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "514cc069-3d03-4043-9dc4-63e7d8912936:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "80b6c060-89ef-4238-8c5a-acd1135cb3c2:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "27a80e14-6ab6-4efd-8dea-e59261eb27a6:indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "27a80e14-6ab6-4efd-8dea-e59261eb27a6:788c583b-a0fe-4174-8d6f-c8282247f3bd", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ca10552f-cbac-4e67-90cb-2620b69cf79b:indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "505c262b-81b4-498a-a528-3ef2893f5d7c:indexpattern-datasource-layer-0c69a811-9cb5-4aef-85a4-176619ccf7d7", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "505c262b-81b4-498a-a528-3ef2893f5d7c:0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", + "type": 
"index-pattern" + }, + { + "id": "logs-*", + "name": "71aafb33-4f04-4b1a-a731-b56254ec3e7f:indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0378cdd-cf3b-4d6d-bc87-701167e73198:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b0378cdd-cf3b-4d6d-bc87-701167e73198:b8a0bc69-5bd7-4c8e-a81c-1e13ccb9d52c", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ef9f7221-e03d-4323-81be-5cc3a5175eb5:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "ef9f7221-e03d-4323-81be-5cc3a5175eb5:cc2cd41c-1f27-4d49-a775-644dde82f18b", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1786af18-796c-4bde-a1dc-65199d50b1a5:indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "1786af18-796c-4bde-a1dc-65199d50b1a5:3652399c-a001-4afc-a395-93e1334517f2", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7646eea-0290-43e9-8598-9a62a204b9f6:indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "b7646eea-0290-43e9-8598-9a62a204b9f6:77b57511-03b3-4d8b-9fa2-1effcf00a843", + "type": "index-pattern" + }, + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", + "type": "index-pattern" + } + ], + "type": "dashboard", + "typeMigrationVersion": "10.2.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/ti_domaintools/kibana/dashboard/ti_domaintools-7ad9a714-58db-45e3-ba84-1e2dff1eb9a5.json b/packages/ti_domaintools/kibana/dashboard/ti_domaintools-7ad9a714-58db-45e3-ba84-1e2dff1eb9a5.json deleted file mode 100644 index c32db82b08d..00000000000 
--- a/packages/ti_domaintools/kibana/dashboard/ti_domaintools-7ad9a714-58db-45e3-ba84-1e2dff1eb9a5.json
+++ /dev/null
@@ -1,1347 +0,0 @@ -{ - "attributes": { - "description": "", - "kibanaSavedObjectMeta": { - "searchSourceJSON": { - "filter": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "key": "domaintools.domain", - "negate": false, - "type": "exists" - }, - "query": { - "exists": { - "field": "domaintools.domain" - } - } - } - ], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "optionsJSON": { - "hidePanelTitles": false, - "syncColors": true, - "syncCursor": true, - "syncTooltips": true, - "useMargins": true - }, - "panelsJSON": [ - { - "embeddableConfig": { - "enhancements": {}, - "hidePanelTitles": false, - "savedVis": { - "data": { - "aggs": [], - "searchSource": { - "filter": [], - "query": { - "language": "kuery", - "query": "" - } - } - }, - "description": "", - "id": "", - "params": { - "fontSize": 11, - "markdown": "**Overview** \nThis dashboard provides an overview of data collected through the DomainTools Feeds integration. 
It displays the total number of unique count of domains in different feeds to give a snapshot of current activity, visualizes domain observations over time to highlight trends or spikes, and includes a view of recently domaintools feeds for quick access to the latest entries.", - "openLinksInNewTab": false - }, - "title": "", - "type": "markdown", - "uiState": {} - } - }, - "gridData": { - "h": 8, - "i": "5123b88a-ad6a-4c30-8d4c-576fff3361e1", - "w": 24, - "x": 0, - "y": 0 - }, - "panelIndex": "5123b88a-ad6a-4c30-8d4c-576fff3361e1", - "title": "Contents", - "type": "visualization" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { - "columnOrder": [ - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - ], - "columns": { - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique count of Newly Observed Domain Feeds", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "domaintools.domain" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*" - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "2c733840-66cc-45b9-8fd0-9fb17d2b9be9", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "logs-*", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.nod_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - 
"data_stream.dataset": "ti_domaintools.nod_feed" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "domaintools.domain", - "index": "logs-*", - "key": "domaintools.domain", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "domaintools.domain" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#54B399", - "icon": "empty", - "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "layerType": "data", - "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "6edf718a-aedf-4659-8661-be76e5935dde", - "w": 6, - "x": 24, - "y": 0 - }, - "panelIndex": "6edf718a-aedf-4659-8661-be76e5935dde", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { - "columnOrder": [ - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - ], - "columns": { - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique count of Newly Active Domain Feeds", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "domaintools.domain" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*" - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": 
{ - "alias": null, - "disabled": false, - "index": "bf265c5c-76e6-4da9-be04-398938462272", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "logs-*", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.nad_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.nad_feed" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "domaintools.domain", - "index": "logs-*", - "key": "domaintools.domain", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "domaintools.domain" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#1BB7DE", - "icon": "empty", - "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "layerType": "data", - "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "b142ba38-d785-416e-ae2f-24729d7a3907", - "w": 6, - "x": 30, - "y": 0 - }, - "panelIndex": "b142ba38-d785-416e-ae2f-24729d7a3907", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { - "columnOrder": [ - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - ], - "columns": { - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique 
count of Domain Discovery Feeds", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "domaintools.domain" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*" - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "303418fd-ef7f-46f7-bfc2-f7f8a276fd6d", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "logs-*", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.domaindiscovery_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.domaindiscovery_feed" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "domaintools.domain", - "index": "logs-*", - "key": "domaintools.domain", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "domaintools.domain" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#6092C0", - "icon": "empty", - "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "layerType": "data", - "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - "enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "4a28114a-934a-439d-bda3-397545a27d2d", - "w": 6, - "x": 36, - "y": 0 - }, - "panelIndex": "4a28114a-934a-439d-bda3-397545a27d2d", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - 
"type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "b29120e5-51f6-4e7e-a0d0-b22bb945816e": { - "columnOrder": [ - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - ], - "columns": { - "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1": { - "customLabel": true, - "dataType": "number", - "isBucketed": false, - "label": "Unique count of Domain RDAP Feeds", - "operationType": "unique_count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "domaintools.domain" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*" - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "index": "95a2738a-5aec-4694-9e6d-ab182becde24", - "negate": false, - "params": [ - { - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "logs-*", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.domainrdap_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.domainrdap_feed" - } - } - }, - { - "meta": { - "alias": null, - "disabled": false, - "field": "domaintools.domain", - "index": "logs-*", - "key": "domaintools.domain", - "negate": false, - "type": "exists", - "value": "exists" - }, - "query": { - "exists": { - "field": "domaintools.domain" - } - } - } - ], - "relation": "AND", - "type": "combined" - }, - "query": {} - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "color": "#C6C9CB", - "icon": "empty", - "layerId": "b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "layerType": "data", - "metricAccessor": "e3e689ce-3b28-4a0e-86bb-73fbc38dedd1" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsMetric" - }, - 
"enhancements": {}, - "hidePanelTitles": true - }, - "gridData": { - "h": 8, - "i": "f4f68fae-c8bf-4f4b-8da2-f8ef7d134172", - "w": 6, - "x": 42, - "y": 0 - }, - "panelIndex": "f4f68fae-c8bf-4f4b-8da2-f8ef7d134172", - "type": "lens" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "788c583b-a0fe-4174-8d6f-c8282247f3bd", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "6c2ccc16-2ef8-4a91-800a-85ec8e128e91": { - "columnOrder": [ - "d41ba4f5-06fd-4d9a-950c-bb002713f2f7", - "c56d13b4-7805-466d-b717-ddd4f9fca449" - ], - "columns": { - "c56d13b4-7805-466d-b717-ddd4f9fca449": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "d41ba4f5-06fd-4d9a-950c-bb002713f2f7": { - "dataType": "date", - "isBucketed": true, - "label": "domaintools.timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "domaintools.timestamp" - } - }, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "788c583b-a0fe-4174-8d6f-c8282247f3bd", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.nod_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.nod_feed" - } - } - } - ], - "internalReferences": [], - "query": { - "language": 
"kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "c56d13b4-7805-466d-b717-ddd4f9fca449" - ], - "layerId": "6c2ccc16-2ef8-4a91-800a-85ec8e128e91", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "d41ba4f5-06fd-4d9a-950c-bb002713f2f7" - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 14, - "i": "aef56e82-dba8-48fc-ad1e-1633e295d7ba", - "w": 21, - "x": 0, - "y": 8 - }, - "panelIndex": "aef56e82-dba8-48fc-ad1e-1633e295d7ba", - "title": "Newly Observed Domains over Time [Logs DomainTools Feeds]", - "type": "lens" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 14, - "i": "020517f8-2f8d-41af-8c63-c7079f5fcb6a", - "w": 27, - "x": 21, - "y": 8 - }, - "panelIndex": "020517f8-2f8d-41af-8c63-c7079f5fcb6a", - "panelRefName": "panel_020517f8-2f8d-41af-8c63-c7079f5fcb6a", - "type": "search" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "6c2ccc16-2ef8-4a91-800a-85ec8e128e91": { - "columnOrder": [ - "d41ba4f5-06fd-4d9a-950c-bb002713f2f7", - "c56d13b4-7805-466d-b717-ddd4f9fca449" - ], 
- "columns": { - "c56d13b4-7805-466d-b717-ddd4f9fca449": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "d41ba4f5-06fd-4d9a-950c-bb002713f2f7": { - "dataType": "date", - "isBucketed": true, - "label": "domaintools.timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "domaintools.timestamp" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "a297da4b-3add-4b07-a74d-4192baf47a11", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.nad_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.nad_feed" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "c56d13b4-7805-466d-b717-ddd4f9fca449" - ], - "layerId": "6c2ccc16-2ef8-4a91-800a-85ec8e128e91", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "d41ba4f5-06fd-4d9a-950c-bb002713f2f7", - "yConfig": [ - { - "color": "#1bb7de", - "forAccessor": "c56d13b4-7805-466d-b717-ddd4f9fca449" - } - ] - } - ], - "legend": { - "isVisible": true, - 
"position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 13, - "i": "982c1274-e635-47ce-9afe-8f7f2efb5b28", - "w": 21, - "x": 0, - "y": 22 - }, - "panelIndex": "982c1274-e635-47ce-9afe-8f7f2efb5b28", - "title": "Newly Active Domains over Time [Logs DomainTools Feeds]", - "type": "lens" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 13, - "i": "fc9c237d-9c02-4391-85e5-af1aa8a76e42", - "w": 27, - "x": 21, - "y": 22 - }, - "panelIndex": "fc9c237d-9c02-4391-85e5-af1aa8a76e42", - "panelRefName": "panel_fc9c237d-9c02-4391-85e5-af1aa8a76e42", - "type": "search" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-0c69a811-9cb5-4aef-85a4-176619ccf7d7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "layers": { - "0c69a811-9cb5-4aef-85a4-176619ccf7d7": { - "columnOrder": [ - "c228f756-385d-4efe-942b-edb16a8a3827", - "1dcef8c5-9814-4c38-814b-cc15efd97b40" - ], - "columns": { - "1dcef8c5-9814-4c38-814b-cc15efd97b40": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "c228f756-385d-4efe-942b-edb16a8a3827": { - "dataType": "date", - "isBucketed": true, - "label": "domaintools.timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "domaintools.timestamp" - 
} - }, - "ignoreGlobalFilters": false, - "incompleteColumns": {}, - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.domaindiscovery_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.domaindiscovery_feed" - } - } - } - ], - "internalReferences": [], - "query": { - "language": "kuery", - "query": "" - }, - "visualization": { - "layers": [ - { - "accessors": [ - "1dcef8c5-9814-4c38-814b-cc15efd97b40" - ], - "layerId": "0c69a811-9cb5-4aef-85a4-176619ccf7d7", - "layerType": "data", - "position": "top", - "seriesType": "line", - "showGridlines": false, - "xAccessor": "c228f756-385d-4efe-942b-edb16a8a3827", - "yConfig": [ - { - "color": "#6092c0", - "forAccessor": "1dcef8c5-9814-4c38-814b-cc15efd97b40" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "title": "Empty XY chart", - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {}, - "hidePanelTitles": false - }, - "gridData": { - "h": 13, - "i": "1efcc97b-cd5d-4e24-a7b8-718baeb2ed77", - "w": 21, - "x": 0, - "y": 35 - }, - "panelIndex": "1efcc97b-cd5d-4e24-a7b8-718baeb2ed77", - "title": "Domain Discovery over Time [Logs DomainTools Feeds]", - "type": "lens" - }, - { - "embeddableConfig": { - "enhancements": {} - }, - "gridData": { - "h": 13, - "i": "2561b9a0-b035-48a5-9d24-906188dc270f", - "w": 27, - "x": 21, - "y": 35 - }, - "panelIndex": "2561b9a0-b035-48a5-9d24-906188dc270f", - "panelRefName": "panel_2561b9a0-b035-48a5-9d24-906188dc270f", - "type": "search" - }, - { - "embeddableConfig": { 
- "enhancements": {} - }, - "gridData": { - "h": 13, - "i": "e69be1e3-3922-4306-826f-e06f19455a41", - "w": 27, - "x": 21, - "y": 48 - }, - "panelIndex": "e69be1e3-3922-4306-826f-e06f19455a41", - "panelRefName": "panel_e69be1e3-3922-4306-826f-e06f19455a41", - "type": "search" - }, - { - "embeddableConfig": { - "attributes": { - "references": [ - { - "id": "logs-*", - "name": "indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", - "type": "index-pattern" - } - ], - "state": { - "adHocDataViews": {}, - "datasourceStates": { - "formBased": { - "currentIndexPatternId": "logs-*", - "layers": { - "76906f91-d089-4353-920a-49f0201ece31": { - "columnOrder": [ - "740d5a07-22e8-429e-aa3b-90b480acd291", - "05b4f99d-2dae-4339-8eef-c789308fb2cb" - ], - "columns": { - "05b4f99d-2dae-4339-8eef-c789308fb2cb": { - "dataType": "number", - "isBucketed": false, - "label": "Count of records", - "operationType": "count", - "params": { - "emptyAsNull": true - }, - "scale": "ratio", - "sourceField": "___records___" - }, - "740d5a07-22e8-429e-aa3b-90b480acd291": { - "dataType": "date", - "isBucketed": true, - "label": "domaintools.timestamp", - "operationType": "date_histogram", - "params": { - "dropPartials": false, - "includeEmptyRows": true, - "interval": "auto" - }, - "scale": "interval", - "sourceField": "domaintools.timestamp" - } - }, - "incompleteColumns": {}, - "indexPatternId": "logs-*", - "sampling": 1 - } - } - }, - "indexpattern": { - "layers": {} - }, - "textBased": { - "layers": {} - } - }, - "filters": [ - { - "$state": { - "store": "appState" - }, - "meta": { - "alias": null, - "disabled": false, - "field": "data_stream.dataset", - "index": "9a18bb8d-1556-4b88-9e41-548cd5ff48d9", - "key": "data_stream.dataset", - "negate": false, - "params": { - "query": "ti_domaintools.domainrdap_feed" - }, - "type": "phrase" - }, - "query": { - "match_phrase": { - "data_stream.dataset": "ti_domaintools.domainrdap_feed" - } - } - } - ], - "internalReferences": [], - "query": 
{ - "language": "kuery", - "query": "" - }, - "visualization": { - "axisTitlesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "fittingFunction": "None", - "gridlinesVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "labelsOrientation": { - "x": 0, - "yLeft": 0, - "yRight": 0 - }, - "layers": [ - { - "accessors": [ - "05b4f99d-2dae-4339-8eef-c789308fb2cb" - ], - "layerId": "76906f91-d089-4353-920a-49f0201ece31", - "layerType": "data", - "seriesType": "line", - "xAccessor": "740d5a07-22e8-429e-aa3b-90b480acd291", - "yConfig": [ - { - "color": "#c6c9cb", - "forAccessor": "05b4f99d-2dae-4339-8eef-c789308fb2cb" - } - ] - } - ], - "legend": { - "isVisible": true, - "position": "right" - }, - "preferredSeriesType": "line", - "tickLabelsVisibilitySettings": { - "x": true, - "yLeft": true, - "yRight": true - }, - "valueLabels": "hide" - } - }, - "title": "", - "type": "lens", - "visualizationType": "lnsXY" - }, - "enhancements": {} - }, - "gridData": { - "h": 13, - "i": "ec5325e1-573b-441a-b52c-6e7d7259afde", - "w": 21, - "x": 0, - "y": 48 - }, - "panelIndex": "ec5325e1-573b-441a-b52c-6e7d7259afde", - "type": "lens" - } - ], - "timeRestore": false, - "title": "[Logs DomainTools Feeds] Overview", - "version": 1 - }, - "coreMigrationVersion": "8.8.0", - "created_at": "2025-07-02T16:12:12.499Z", - "id": "ti_domaintools-7ad9a714-58db-45e3-ba84-1e2dff1eb9a5", - "managed": false, - "references": [ - { - "id": "logs-*", - "name": "kibanaSavedObjectMeta.searchSourceJSON.filter[0].meta.index", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "6edf718a-aedf-4659-8661-be76e5935dde:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "b142ba38-d785-416e-ae2f-24729d7a3907:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": 
"4a28114a-934a-439d-bda3-397545a27d2d:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "f4f68fae-c8bf-4f4b-8da2-f8ef7d134172:indexpattern-datasource-layer-b29120e5-51f6-4e7e-a0d0-b22bb945816e", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aef56e82-dba8-48fc-ad1e-1633e295d7ba:indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "aef56e82-dba8-48fc-ad1e-1633e295d7ba:788c583b-a0fe-4174-8d6f-c8282247f3bd", - "type": "index-pattern" - }, - { - "id": "ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217", - "name": "020517f8-2f8d-41af-8c63-c7079f5fcb6a:panel_020517f8-2f8d-41af-8c63-c7079f5fcb6a", - "type": "search" - }, - { - "id": "logs-*", - "name": "982c1274-e635-47ce-9afe-8f7f2efb5b28:indexpattern-datasource-layer-6c2ccc16-2ef8-4a91-800a-85ec8e128e91", - "type": "index-pattern" - }, - { - "id": "ti_domaintools-0003128e-b815-468e-913d-b091a156a805", - "name": "fc9c237d-9c02-4391-85e5-af1aa8a76e42:panel_fc9c237d-9c02-4391-85e5-af1aa8a76e42", - "type": "search" - }, - { - "id": "logs-*", - "name": "1efcc97b-cd5d-4e24-a7b8-718baeb2ed77:indexpattern-datasource-layer-0c69a811-9cb5-4aef-85a4-176619ccf7d7", - "type": "index-pattern" - }, - { - "id": "logs-*", - "name": "1efcc97b-cd5d-4e24-a7b8-718baeb2ed77:0b1b74d6-22f6-43ee-adc0-cfe3700b2cdc", - "type": "index-pattern" - }, - { - "id": "ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b", - "name": "2561b9a0-b035-48a5-9d24-906188dc270f:panel_2561b9a0-b035-48a5-9d24-906188dc270f", - "type": "search" - }, - { - "id": "ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e", - "name": "e69be1e3-3922-4306-826f-e06f19455a41:panel_e69be1e3-3922-4306-826f-e06f19455a41", - "type": "search" - }, - { - "id": "logs-*", - "name": "ec5325e1-573b-441a-b52c-6e7d7259afde:indexpattern-datasource-layer-76906f91-d089-4353-920a-49f0201ece31", - "type": "index-pattern" 
- } - ], - "type": "dashboard", - "typeMigrationVersion": "8.9.0" -} \ No newline at end of file diff --git a/packages/ti_domaintools/kibana/search/ti_domaintools-0003128e-b815-468e-913d-b091a156a805.json b/packages/ti_domaintools/kibana/search/ti_domaintools-0003128e-b815-468e-913d-b091a156a805.json index f925d14bc45..ad897372d5e 100644 --- a/packages/ti_domaintools/kibana/search/ti_domaintools-0003128e-b815-468e-913d-b091a156a805.json +++ b/packages/ti_domaintools/kibana/search/ti_domaintools-0003128e-b815-468e-913d-b091a156a805.json @@ -40,9 +40,8 @@ "usesAdHocDataView": false }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-07-02T15:57:44.851Z", + "created_at": "2025-09-11T15:57:13.007Z", "id": "ti_domaintools-0003128e-b815-468e-913d-b091a156a805", - "managed": false, "references": [ { "id": "logs-*", @@ -51,5 +50,5 @@ } ], "type": "search", - "typeMigrationVersion": "8.0.0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/ti_domaintools/kibana/search/ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b.json b/packages/ti_domaintools/kibana/search/ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b.json index 44129d20938..f81019e3880 100644 --- a/packages/ti_domaintools/kibana/search/ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b.json +++ b/packages/ti_domaintools/kibana/search/ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b.json @@ -40,9 +40,8 @@ "usesAdHocDataView": false }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-07-02T15:58:28.355Z", + "created_at": "2025-09-11T15:57:13.007Z", "id": "ti_domaintools-653c19ae-f37b-4414-8fc9-ebc1b3abe29b", - "managed": false, "references": [ { "id": "logs-*", @@ -51,5 +50,5 @@ } ], "type": "search", - "typeMigrationVersion": "8.0.0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file 
diff --git a/packages/ti_domaintools/kibana/search/ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217.json b/packages/ti_domaintools/kibana/search/ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217.json index fc7d3743150..36aeb6aa819 100644 --- a/packages/ti_domaintools/kibana/search/ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217.json +++ b/packages/ti_domaintools/kibana/search/ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217.json @@ -40,9 +40,8 @@ "usesAdHocDataView": false }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-07-02T15:48:36.827Z", + "created_at": "2025-09-11T15:57:13.007Z", "id": "ti_domaintools-7f96fd28-25f1-4e44-9825-2617faa05217", - "managed": false, "references": [ { "id": "logs-*", @@ -51,5 +50,5 @@ } ], "type": "search", - "typeMigrationVersion": "8.0.0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/ti_domaintools/kibana/search/ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e.json b/packages/ti_domaintools/kibana/search/ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e.json index c7e105faeb7..a60fcb48325 100644 --- a/packages/ti_domaintools/kibana/search/ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e.json +++ b/packages/ti_domaintools/kibana/search/ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e.json @@ -43,9 +43,8 @@ "usesAdHocDataView": false }, "coreMigrationVersion": "8.8.0", - "created_at": "2025-07-02T15:59:46.264Z", + "created_at": "2025-09-11T15:57:13.007Z", "id": "ti_domaintools-8ac2e86f-4c5b-4bbf-b3af-a39cc710f84e", - "managed": false, "references": [ { "id": "logs-*", @@ -54,5 +53,5 @@ } ], "type": "search", - "typeMigrationVersion": "8.0.0" + "typeMigrationVersion": "10.5.0" } \ No newline at end of file diff --git a/packages/ti_domaintools/kibana/search/ti_domaintools-8fa9ed20-de47-4226-9e75-cd7cbf8e9141.json b/packages/ti_domaintools/kibana/search/ti_domaintools-8fa9ed20-de47-4226-9e75-cd7cbf8e9141.json new file mode 100644 index 00000000000..7956480d8f0 
--- /dev/null +++ b/packages/ti_domaintools/kibana/search/ti_domaintools-8fa9ed20-de47-4226-9e75-cd7cbf8e9141.json @@ -0,0 +1,57 @@ +{ + "attributes": { + "columns": [ + "domaintools.domain", + "domaintools.feed", + "domaintools.overall_risk", + "domaintools.phishing_risk", + "domaintools.proximity_risk", + "domaintools.malware_risk", + "domaintools.spam_risk" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset :\"ti_domaintools.domainrisk_feed\" " + } + } + }, + "refreshInterval": { + "pause": false, + "value": 10000 + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "timeRestore": true, + "title": "Recently Domain Risk [Logs DomainTools Feeds]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-09-11T16:08:20.904Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "ti_domaintools-8fa9ed20-de47-4226-9e75-cd7cbf8e9141", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file diff --git a/packages/ti_domaintools/kibana/search/ti_domaintools-ae844224-f834-43ed-b62e-8c67926d1ddd.json b/packages/ti_domaintools/kibana/search/ti_domaintools-ae844224-f834-43ed-b62e-8c67926d1ddd.json new file mode 100644 index 00000000000..67cca1a5c22 --- /dev/null +++ b/packages/ti_domaintools/kibana/search/ti_domaintools-ae844224-f834-43ed-b62e-8c67926d1ddd.json 
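Review bot: The new saved search ships environment-specific provenance — `"created_by"` and `"updated_by"` carry a Kibana user profile id (`u_mGBROF_q5bm…`) from the exporting cluster — while the sibling searches modified in this same diff carry neither field and even drop `"managed": false`; strip both fields here so the package does not embed an internal user identifier and stays consistent with the other Kibana assets. `"typeMigrationVersion": "10.5.0"` (and the bump of the existing searches from 8.0.0) also raises the minimum Kibana version the saved objects require; the package manifest's kibana.version constraint is not visible here and presumably needs to match. The spacing in the KQL `data_stream.dataset :\"ti_domaintools.domainrisk_feed\" ` is harmless but worth tidying to `data_stream.dataset:\"ti_domaintools.domainrisk_feed\"`.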
@@ -0,0 +1,58 @@ +{ + "attributes": { + "columns": [ + "domaintools.domain", + "domaintools.feed", + "domaintools.overall_risk", + "domaintools.phishing_risk", + "domaintools.proximity_risk", + "domaintools.malware_risk", + "domaintools.spam_risk", + "domaintools.expires" + ], + "description": "", + "grid": {}, + "hideChart": false, + "isTextBasedQuery": false, + "kibanaSavedObjectMeta": { + "searchSourceJSON": { + "filter": [], + "indexRefName": "kibanaSavedObjectMeta.searchSourceJSON.index", + "query": { + "language": "kuery", + "query": "data_stream.dataset :\"ti_domaintools.domainhotlist_feed\" " + } + } + }, + "refreshInterval": { + "pause": false, + "value": 10000 + }, + "sort": [ + [ + "@timestamp", + "desc" + ] + ], + "timeRange": { + "from": "now-15m", + "to": "now" + }, + "timeRestore": true, + "title": "Recently Domain Hotlist [Logs DomainTools Feeds]" + }, + "coreMigrationVersion": "8.8.0", + "created_at": "2025-09-11T16:11:01.573Z", + "created_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0", + "id": "ti_domaintools-ae844224-f834-43ed-b62e-8c67926d1ddd", + "references": [ + { + "id": "logs-*", + "name": "kibanaSavedObjectMeta.searchSourceJSON.index", + "type": "index-pattern" + } + ], + "type": "search", + "typeMigrationVersion": "10.5.0", + "updated_by": "u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0" +} \ No newline at end of file
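Review bot: `"refreshInterval": {"pause": false, "value": 10000}` combined with `"timeRestore": true` makes opening this saved search re-query `logs-*` every 10 seconds; for a continuously ingested threat-intel feed that is likely a noticeable standing query load, so consider storing it paused (`"pause": true`) or with a longer interval and letting the embedding dashboard's refresh control cadence. The title `Recently Domain Hotlist [Logs DomainTools Feeds]` reads awkwardly; `Recent Domain Hotlist [Logs DomainTools Feeds]` matches the intent. The `created_by`/`updated_by` profile id and the stray whitespace in the KQL query (`data_stream.dataset :\"ti_domaintools.domainhotlist_feed\" `) should likewise be dropped so the asset matches the other committed searches.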