DomainTools Iris Playbooks

The “DomainTools Iris – Auto-Pivot Host > Address > Hosts” Playbook begins with a User Action trigger on a Host indicator and auto-pivots on Reverse Whois where there are < X domains hosted by the IP Address. It is highly recommended that the $domaintools.auto_pivot.domain.limit variable be set to < 500, however, < 10 is a good place to begin if there isn’t currently an auto-pivot process in place. Once the auto-pivot takes place, the Playbook will add the IP and Host Indicators to the Incident along with DomainTools enrichment data in ThreatConnect.

The “DomainTools Iris – Host Enrichment” playbook begins with a User Action trigger on a Host Indicator. It requests the Domain Profile from DomainTools Iris and parses the results. It then adds an Attribute and Tags with the enrichment results from DomainTools.

These Playbook templates can be found in the ThreatConnect app catalog under the names: DomainTools Iris – Auto-Pivot Host > Address > Hosts and DomainTools Iris – Host Enrichment