This article describes the Intelligence Card Extension for DomainTools.
About DomainTools
DomainTools provides threat intelligence derived from domain registration and DNS information. The extension enriches Domain Cards and IP Address Cards with domain and registration-based intelligence.
You must have commercial access to DomainTools to use this extension. Please also see the Getting Started With Intelligence Card Extensions page if you're interested in enabling this extension.
Extending Domain Cards
You can enrich any Domain Card with the following threat intelligence from DomainTools:
- Domain profile
- Domain Reputation lookup
- WHOIS record
- IP Hosting History for this Domain
- Other domains linked to email addresses found in the WHOIS record
- Link to browse screenshot history
You can pivot in Recorded Future on these elements of the DomainTools response:
- Current IP Address
- Historic IP Addresses
- Contact Email Addresses
- Nameserver DNS names
Example (for google.com):
Extending IP Address Cards
You can enrich any IP Address Card with the following threat intelligence from DomainTools:
- Domains Hosted at this IP (Reverse IP)
- Most recent cached IP Whois record for the allocated range that contains the IP (Reverse IP Whois)
You can pivot in Recorded Future on any of the Domain names.
Example (from IP Address 216.58.193.115):
Note: While the "Total Domains for Host" count is shown accurately, the "Domains Hosted at IP" list is limited to 20 domains.
Subscription Limitations
If your DomainTools subscription does not include access to a particular API endpoint, an error message saying so will appear at the bottom of the response. Data from subscribed endpoints will still appear in the response (example shown below).
Other Resources
Domain Tools Basics: https://www.youtube.com/watch?v=_7ZH8O3gaOo
Whois Tutorial: https://www.youtube.com/watch?v=H4pN_osn10o
Maltego/Domain Tools Tutorial: https://www.youtube.com/watch?v=GCQhvzEMvoc