Domaintools Feeds Integration v1.1.0 #14423

Open
wants to merge 18 commits into base: main

74 changes: 58 additions & 16 deletions packages/ti_domaintools/_dev/build/docs/README.md
@@ -1,44 +1,86 @@
# DomainTools Real Time Unified Feeds
# DomainTools Feeds

The DomainTools Real Time Unified Feeds integration allows you to monitor DomainTools Newly Observed Domains.
The DomainTools NOD Feed provides real-time access to newly registered and observed domains, enabling proactive threat detection and defense.
DomainTools Feeds provide data on the different stages of the domain lifecycle: from first-observed in the wild, to newly re-activated after a period of quiet. Access current feed data in real-time or retrieve historical feed data through separate APIs. Some feeds also offer data for DNS firewalls in Response Policy Zone (RPZ) format.

With over 300,000 new domains observed daily, the feed empowers security teams to identify and block potentially malicious domains before they can be weaponized.
Ideal for threat hunting, phishing prevention, and brand protection, the NOD Feed delivers unparalleled visibility into emerging domain activity to stay ahead of evolving threats.
Summary of Available Feeds:

For example, if you wanted to monitor Newly Observed Domains (NOD) feed, you could ingest the DomainTools NOD feed.
Then you can reference domaintools.nod_feed when using visualizations or alerts.
- `Newly Active Domains (NAD)`: Apex-level domains (e.g. example.com but not <www.example.com>) that we observe based on the latest lifecycle of the domain. A domain may be seen either for the first time ever, or again after at least 10 days of inactivity (no observed resolutions in DNS). Populated with our global passive DNS (pDNS) sensor network.
- `Newly Observed Domains (NOD)`: Apex-level domains (e.g. example.com but not <www.example.com>) that we observe for the first time, and have not observed previously with our global DNS sensor network.
- `Domain Discovery`: New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties.
- `Domain RDAP`: Changes to global domain registration information, populated by the Registration Data Access Protocol (RDAP). Compliments the 5-Minute WHOIS Feed as registries and registrars switch from Whois to RDAP.

With over 300,000 new domains observed daily, the feed empowers security teams to identify and block potentially malicious domains before they can be weaponized.
Ideal for threat hunting, phishing prevention, and brand protection.

For example, if you wanted to monitor Newly Observed Domains (NOD) feed, you could ingest the DomainTools NOD feed.
Then you can reference ti_domaintools.nod_feed when using visualizations or alerts.

## Data streams

The DomainTools Real Time Unified Feeds integration collects one type of data streams: logs
The DomainTools Feeds integration collects one type of data streams: **logs**

Log data streams collected by the DomainTools integration include the following feeds:

Log data streams collected by the DomainTools integration include the Newly Observed Domains (NOD) feed: Apex-level domains (e.g. Example Domain but not www.example.com) that we observe for the first time, and have not observed previously.
Populated with our global DNS sensor network.
- `Newly Observed Domains (NOD)`
- `Newly Active Domains (NAD)`
- `Domain Discovery`
- `Domain RDAP`

## Requirements

You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it.
You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware.

You will require a license to one or more DomainTools feeds, and API credentials.
Your required API credentials will vary with your authentication method, detailed below.
You will require a license to one or more DomainTools feeds, and API credentials.
Your required API credentials will vary with your authentication method, detailed below.

Obtain your API credentials from your group’s API administrator.
Obtain your API credentials from your group’s API administrator.
API administrators can manage their API keys at research.domaintools.com, selecting the drop-down account menu and choosing API admin.

## Setup

For step-by-step instructions on how to set up an integration, see the Getting started guide.

### Newly Observed Domains (NOD) Feed
### Newly Observed Domains (NOD) Feed

The `nod_feed` data stream provides events from [DomainTools Newly Observed Domains Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).
This data is collected via the [DomainTools Real Time Feeds API](https://docs.domaintools.com/feeds/realtime/).
This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/).

#### Example

{{event "nod_feed"}}

{{fields "nod_feed"}}

### Newly Active Domains (NAD) Feed

The `nod_feed` data stream provides events from [DomainTools Newly Active Domains Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).
This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/).

#### Example

{{event "nad_feed"}}

{{fields "nad_feed"}}

### Domain Discovery Feed

The `domaindiscovery feed` data stream provides events from [DomainTools Domain Discovery Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).
Contributor

Suggested change
The `domaindiscovery feed` data stream provides events from [DomainTools Domain Discovery Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).
The `domaindiscovery` feed data stream provides events from [DomainTools Domain Discovery Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).

(the name of the data stream in the code is domaindiscovery, unless you want to have the "_feed" suffix on all of the data streams for consistency)

This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/).

#### Example

{{event "domaindiscovery"}}

{{fields "domaindiscovery"}}

### Domain RDAP

The `domainrdap feed` data stream provides events from [DomainTools Domain RDAP](https://www.domaintools.com/products/threat-intelligence-feeds/).
This data is collected via the [DomainTools Feeds API](https://docs.domaintools.com/feeds/realtime/).

#### Example

{{event "domainrdap"}}

{{fields "domainrdap"}}
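Review bot: the `### Newly Active Domains (NAD) Feed` section still says "The `nod_feed` data stream provides events from [DomainTools Newly Active Domains Feed]"; the stream name should be `nad_feed`, matching the `{{event "nad_feed"}}` and `{{fields "nad_feed"}}` templates directly below it. Two smaller points in the same hunk: the Domain RDAP section puts the word "feed" inside the code span (`domainrdap feed`) while the templates use `domainrdap`, so the code span should be just `domainrdap`; and "Compliments the 5-Minute WHOIS Feed" in the Domain RDAP bullet should read "Complements".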
@@ -1,6 +1,6 @@
version: "2.3"
services:
domaintools:
ti_domaintools:
image: docker.elastic.co/observability/stream:v0.18.0
ports:
- 8080
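Review bot: renaming the service from `domaintools` to `ti_domaintools` matches the `service: ti_domaintools` line in the system test config added in this PR; please confirm that the existing `nod_feed` system test config, which is not part of this diff, also references the new service name, otherwise that test will no longer find the mock service.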
88 changes: 88 additions & 0 deletions packages/ti_domaintools/_dev/deploy/docker/files/config.yml
@@ -6,3 +6,91 @@ rules:
body: |-
{"timestamp":"2025-01-11T08:42:46Z","domain":"test1.com"}
{"timestamp":"2025-01-11T08:42:46Z","domain":"test2.com"}
- path: /v1/feed/nad/
methods: [GET]
responses:
- status_code: 200
body: |-
{"timestamp":"2025-01-11T08:42:46Z","domain":"test3.com"}
{"timestamp":"2025-01-11T08:42:46Z","domain":"test4.com"}
- path: /v1/feed/domaindiscovery/
methods: [GET]
responses:
- status_code: 200
body: |-
{"timestamp":"2025-01-11T08:42:46Z","domain":"test5.com"}
{"timestamp":"2025-01-11T08:42:46Z","domain":"test6.com"}
- path: /v1/feed/domainrdap/
methods: [GET]
responses:
- status_code: 200
body: |-
{
"timestamp": "2025-06-12T20:34:31Z",
"domain": "unlockyourlifehere.com",
"raw_record": {
"first_request_timestamp": "2025-06-12T20:34:24Z",
"requests": [
{
"data": "{\"objectClassName\":\"domain\",\"handle\":\"2894681047_DOMAIN_COM-VRSN\",\"ldhName\":\"UNLOCKYOURLIFEHERE.COM\",\"links\":[{\"value\":\"https:\\/\\/rdap.verisign.com\\/com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"rel\":\"self\",\"href\":\"https:\\/\\/rdap.verisign.com\\/com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"type\":\"application\\/rdap+json\"},{\"value\":\"https:\\/\\/rdap.godaddy.com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"rel\":\"related\",\"href\":\"https:\\/\\/rdap.godaddy.com\\/v1\\/domain\\/UNLOCKYOURLIFEHERE.COM\",\"type\":\"application\\/rdap+json\"}],\"status\":[\"redemption period\"],\"entities\":[{\"objectClassName\":\"entity\",\"handle\":\"146\",\"roles\":[\"registrar\"],\"publicIds\":[{\"type\":\"IANA Registrar ID\",\"identifier\":\"146\"}],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"GoDaddy.com, LLC\"]]],\"entities\":[{\"objectClassName\":\"entity\",\"roles\":[\"abuse\"],\"vcardArray\":[\"vcard\",[[\"version\",{},\"text\",\"4.0\"],[\"fn\",{},\"text\",\"\"],[\"tel\",{\"type\":\"voice\"},\"uri\",\"tel:480-624-2505\"],[\"email\",{},\"text\",\"[email protected]\"]]]}]}],\"events\":[{\"eventAction\":\"registration\",\"eventDate\":\"2024-06-28T11:49:19Z\"},{\"eventAction\":\"expiration\",\"eventDate\":\"2025-06-28T11:49:19Z\"},{\"eventAction\":\"last changed\",\"eventDate\":\"2025-05-20T02:44:33Z\"},{\"eventAction\":\"last update of RDAP database\",\"eventDate\":\"2025-06-12T20:34:16Z\"}],\"secureDNS\":{\"delegationSigned\":false},\"rdapConformance\":[\"rdap_level_0\",\"icann_rdap_technical_implementation_guide_0\",\"icann_rdap_response_profile_0\"],\"notices\":[{\"title\":\"Terms of Use\",\"description\":[\"Service subject to Terms of Use.\"],\"links\":[{\"href\":\"https:\\/\\/www.verisign.com\\/domain-names\\/registration-data-access-protocol\\/terms-service\\/index.xhtml\",\"type\":\"text\\/html\"}]},{\"title\":\"Status Codes\",\"description\":[\"For more information on domain status codes, 
please visit https:\\/\\/icann.org\\/epp\"],\"links\":[{\"href\":\"https:\\/\\/icann.org\\/epp\",\"type\":\"text\\/html\"}]},{\"title\":\"RDDS Inaccuracy Complaint Form\",\"description\":[\"URL of the ICANN RDDS Inaccuracy Complaint Form: https:\\/\\/icann.org\\/wicf\"],\"links\":[{\"href\":\"https:\\/\\/icann.org\\/wicf\",\"type\":\"text\\/html\"}]}]}",
"source_type": "registry",
"timestamp": "2025-06-12T20:34:24Z",
"url": "https://rdap.verisign.com/com/v1/domain/unlockyourlifehere.com"
}
]
},
"parsed_record": {
"parsed_fields": {
"conformance": [
"rdap_level_0",
"icann_rdap_technical_implementation_guide_0",
"icann_rdap_response_profile_0"
],
"contacts": [],
"creation_date": "2024-06-28T11:49:19+00:00",
"dnssec": {
"signed": false
},
"domain": "UNLOCKYOURLIFEHERE.COM",
"domain_statuses": [
"redemption period"
],
"email_domains": [
"godaddy.com"
],
"emails": [
"[email protected]"
],
"expiration_date": "2025-06-28T11:49:19+00:00",
"handle": "2894681047_DOMAIN_COM-VRSN",
"last_changed_date": "2025-05-20T02:44:33+00:00",
"links": [
{
"href": "https://rdap.verisign.com/com/v1/domain/UNLOCKYOURLIFEHERE.COM",
"rel": "self"
},
{
"href": "https://rdap.godaddy.com/v1/domain/UNLOCKYOURLIFEHERE.COM",
"rel": "related"
}
],
"registrar": {
"contacts": [
{
"email": "[email protected]",
"name": "",
"phone": "tel:480-624-2505",
"roles": [
"abuse"
]
}
],
"iana_id": "146",
"name": "GoDaddy.com, LLC"
},
"unclassified_emails": []
},
"registrar_request_url": null,
"registry_request_url": "https://rdap.verisign.com/com/v1/domain/unlockyourlifehere.com"
}
}
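Review bot: the `/v1/feed/domainrdap/` mock body is a single pretty-printed JSON object, whereas the `nod`, `nad` and `domaindiscovery` paths return newline-delimited records; if the CEL program splits responses on newlines, the RDAP response must be handled as one document rather than one record per line, so please confirm the program covers both shapes. Also, the fixture's parsed `emails` entry is `[email protected]` while `email_domains` lists `godaddy.com`, which suggests the address was redacted before commit; use one consistent placeholder on a reserved domain (for example `abuse@example.com`) in both `raw_record.data` and `parsed_fields`, and consider replacing `unlockyourlifehere.com` and the phone number with placeholder values too, since this is test data.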
8 changes: 8 additions & 0 deletions packages/ti_domaintools/changelog.yml
@@ -1,4 +1,12 @@
# newer versions go on top
- version: "1.1.0"
changes:
- description: Added nad, domaindiscovery and domainrdap domaintools feeds.
type: enhancement
link: https://github.com/elastic/integrations/pull/14423
- description: Update overview dashboard to include the newly added feeds.
type: enhancement
link: https://github.com/elastic/integrations/pull/14423
- version: "1.0.0"
changes:
- description: Release package as GA.
@@ -0,0 +1,13 @@
{
"events": [
{
"message": "{\"timestamp\":\"2025-01-11T08:42:46Z\",\"domain\":\"ccnitsolution.com\"}"
},
{
"message": "{\"timestamp\":\"2025-01-11T08:42:46Z\",\"domain\":\"ccnitsolution2.com\"}"
},
{
"message": "{\"timestamp\":\"2025-01-11T08:42:46Z\",\"domain\":\"ccnitsolution3.com\"}"
}
]
}
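Review bot: the three fixture messages use `ccnitsolution.com`, `ccnitsolution2.com` and `ccnitsolution3.com`, which look like real registrable names; test data should use reserved documentation domains (`example.com`, `example.net`, `example.org`, RFC 2606) so the fixtures cannot point at a third party's domain. The expected output file below repeats these values and should be updated together with this one.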
@@ -0,0 +1,94 @@
{
"expected": [
{
"domaintools": {
"domain": "ccnitsolution.com",
"timestamp": "2025-01-11T08:42:46Z"
},
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"threat"
],
"kind": "enrichment",
"type": [
"indicator"
]
},
"message": "{\"timestamp\":\"2025-01-11T08:42:46Z\",\"domain\":\"ccnitsolution.com\"}",
Contributor

This should be put in event.original.

"threat": {
"feed": {
"description": "New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties.",
"name": "DomainTools domaindiscovery",
"reference": "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/"
},
"indicator": {
"name": "ccnitsolution.com",
"type": "domain-name"
}
}
},
{
"domaintools": {
"domain": "ccnitsolution2.com",
"timestamp": "2025-01-11T08:42:46Z"
},
"threat": {
"indicator": {
"name": "ccnitsolution2.com",
"type": "domain-name"
},
"feed": {
"reference": "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/",
"name": "DomainTools domaindiscovery",
"description": "New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties."
}
},
"message": "{\"timestamp\":\"2025-01-11T08:42:46Z\",\"domain\":\"ccnitsolution2.com\"}",
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"threat"
],
"type": [
"indicator"
],
"kind": "enrichment"
}
},
{
"domaintools": {
"domain": "ccnitsolution3.com",
"timestamp": "2025-01-11T08:42:46Z"
},
"threat": {
"indicator": {
"name": "ccnitsolution3.com",
"type": "domain-name"
},
"feed": {
"reference": "https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/",
"name": "DomainTools domaindiscovery",
"description": "New domains as they are either discovered in domain registration information, observed by our global sensor network, or reported by trusted third parties."
}
},
"message": "{\"timestamp\":\"2025-01-11T08:42:46Z\",\"domain\":\"ccnitsolution3.com\"}",
"ecs": {
"version": "8.11.0"
},
"event": {
"category": [
"threat"
],
"type": [
"indicator"
],
"kind": "enrichment"
}
}
]
}
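Review bot: `threat.feed.reference` is set to `https://docs.techdocs.ci.domaintools.cloud/feeds/realtime/userguide/`, an internal CI docs host, while the README in this PR points users at `https://docs.domaintools.com/feeds/realtime/`; the pipeline should emit the public URL. The expected documents also carry `domaintools.timestamp` but no `@timestamp` or `threat.indicator.first_seen`; if the pipeline does not already copy the feed timestamp into those fields, consider doing so, otherwise the indicator's observation time is only available in a custom field.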
Contributor

I suspect that you are using an older version of elastic-package. Please upgrade to the latest version and regenerate the test expectations.

@@ -0,0 +1,11 @@
input: cel
service: ti_domaintools
vars:
data_stream:
vars:
api_url: http://{{Hostname}}:{{Port}}/v1
interval: 10m
api_username: xxx
api_key: xxx
assert:
hit_count: 2
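Review bot: `hit_count: 2` matches the two newline-delimited records that the `nod`, `nad` and `domaindiscovery` mock paths return in config.yml, but the `domainrdap` path returns a single JSON object, so if this config is copied for the `domainrdap` data stream the assertion needs to be `hit_count: 1` (or that mock body changed to two records). The `api_username: xxx` / `api_key: xxx` placeholders are fine against the mock service.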