DomainTools — Tool Overview
What is DomainTools?
DomainTools is a domain and DNS-based threat intelligence platform used by security teams to investigate suspicious domains, IP addresses, and the internet infrastructure behind them. It combines internet intelligence data (WHOIS, DNS and hosting records), detection and monitoring tools, and predictive risk scoring so that malicious infrastructure can be flagged early, often before it appears on public blocklists. For SOC analysts, DomainTools is primarily used when investigating network-based IOCs, such as a suspicious domain or IP address encountered during an alert.
Key Features Relevant to SOC Operations
WHOIS and Domain Lookup
DomainTools provides registration data for a domain, including current and historical ownership, registrar, creation date, and associated infrastructure. This is the quickest way to profile a suspicious domain encountered in an alert or log entry.
Passive DNS and Historical Data
Historical passive DNS records show what a domain has resolved to over time and which other domains have shared an IP address or name server. Analysts use them to connect seemingly unrelated adversary-controlled assets by pivoting through domains, IP addresses, name servers, and other values stored in DNS records, which is particularly valuable when mapping the broader infrastructure behind a threat. Check how many other domains share a node before treating the connection as meaningful: a pivot through a shared hosting IP or a popular name server pulls in large amounts of unrelated infrastructure.
Predictive Risk Scoring
The DomainTools Risk Score estimates how likely a domain is to be malicious, often before it is operationalized, narrowing the window between the registration of a malicious domain and its public reporting. It speeds up triage of unknown domains, but it is a predictive signal, not a verdict: a high score should prompt a pivot and a note in the ticket, not be recorded as proof of compromise on its own.
Iris Investigate
Iris Investigate is the primary investigation interface. From a single domain or IP it lets an analyst pivot across connected infrastructure (IP addresses, name servers, registrant details, and related domains) to build a fuller picture of threat actor infrastructure from one starting point.
SIEM and Platform Integration
DomainTools can be used from within a SIEM, Threat Intelligence Platform (TIP), or SOAR solution, so that alerts are enriched with domain and DNS intelligence without leaving existing workflows.
Phishing and Malicious Infrastructure Identification
DomainTools helps analysts profile phishing domains and the IPs used by threat actors, and identify dangerous infrastructure before it appears on blocklists. This supports both reactive investigation and proactive defense.
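The passive DNS pivoting described above (under Passive DNS and Iris Investigate), shown as an added example that is not DomainTools code and does not call its API. It runs over a small constructed set of passive DNS records (documentation-reserved IPs and .example names), walks domain-to-IP and domain-to-name-server links a bounded number of hops from a seed domain, and caps fan-out so that a shared hosting IP is recorded but not expanded. The record tuple shape and the hop and fan-out thresholds are assumptions for the example.

```python
"""Pivoting through passive DNS data to find infrastructure related to a seed domain.

Added example; not DomainTools code and not its API schema. Records below are
constructed and use documentation-reserved IPs and .example names.
"""
from collections import deque

# Constructed passive DNS records: (record_type, queried_name, value).
# 'A' links a domain to a hosting IP; 'NS' links a domain to a name server.
PDNS_RECORDS = [
    ("A",  "login-secure-update.example", "203.0.113.10"),
    ("A",  "account-verify.example",      "203.0.113.10"),
    ("A",  "cdn.bigprovider.example",     "203.0.113.10"),  # shared hosting noise
    ("NS", "login-secure-update.example", "ns1.cheap-dns.example"),
    ("NS", "invoice-portal.example",      "ns1.cheap-dns.example"),
    ("A",  "invoice-portal.example",      "198.51.100.7"),
    ("A",  "unrelated.example",           "192.0.2.44"),
]


def build_graph(records):
    """Undirected adjacency map: domain <-> IP and domain <-> name server."""
    graph = {}
    for _rtype, name, value in records:
        graph.setdefault(name, set()).add(value)
        graph.setdefault(value, set()).add(name)
    return graph


def pivot(seed, records, max_hops=2, max_fanout=5):
    """Breadth-first pivot from seed; returns {node: hop_distance}.

    A node with more than max_fanout neighbours (a shared hosting IP, a
    popular name server) is recorded but not expanded, because pivoting
    through it would drag in unrelated domains.
    """
    graph = build_graph(records)
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        if node != seed and len(graph.get(node, ())) > max_fanout:
            continue  # hub node: keep it in the result, do not pivot through it
        for neighbour in graph.get(node, ()):
            if neighbour not in hops:
                hops[neighbour] = hops[node] + 1
                queue.append(neighbour)
    return hops


def related_domains(seed, records, max_hops=2, max_fanout=5):
    """Queried domains (not IPs or name servers) reachable from seed, sorted."""
    queried = {name for _rtype, name, _value in records}
    reached = pivot(seed, records, max_hops, max_fanout)
    return sorted(d for d in reached if d in queried and d != seed)


if __name__ == "__main__":
    seed = "login-secure-update.example"
    print("no hub filter:     ", related_domains(seed, PDNS_RECORDS))
    print("hubs capped at 2:  ", related_domains(seed, PDNS_RECORDS, max_fanout=2))
```

With the default fan-out the shared IP 203.0.113.10 drags in cdn.bigprovider.example; capping fan-out at 2 leaves only invoice-portal.example, reached through the shared name server. In a real investigation the cap is a judgement call made per node from how many domains Iris shows sharing it.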
How SOC Analysts Use DomainTools
During investigations involving network-based IOCs, DomainTools is used to research suspicious domains or IP addresses and assess their threat potential. Starting with the domain or IP from the ticket or alert, the analyst pivots through connected infrastructure to identify related malicious assets, reviews the registration history, and determines whether the indicator has known threat actor associations. Document the findings in the ticket (the pivots followed, related indicators found, and the Risk Score at the time of review) to support escalation decisions.
Investigative Note: A domain with little or no registration history, a recent creation date, or privacy-protected WHOIS data, combined with a high DomainTools Risk Score, warrants closer scrutiny and should be noted in the ticket. Privacy-protected WHOIS on its own is weak evidence, since most registrars redact registrant data by default; it matters when it coincides with the other signals.
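The rule in the note above, applied to a single indicator record as an added example that is not DomainTools code. The record shape, the 30-day "recent creation" window, the risk-score threshold of 70, and the privacy-redaction marker strings are assumptions for the example and do not mirror the DomainTools API; the function returns a structured result and a one-line ticket note.

```python
"""Triage of one domain indicator using the investigative note's heuristics.

Added example; not DomainTools code. The record shape is hypothetical and holds
only the fields the note uses. Thresholds are assumptions, not vendor guidance.
"""
from datetime import date

# Constructed enrichment record for an indicator pulled from an alert.
RECORD = {
    "domain": "login-secure-update.example",
    "create_date": "2024-05-30",          # YYYY-MM-DD; None when no history exists
    "registrant_org": "REDACTED FOR PRIVACY",
    "registrar": "Example Registrar LLC",
    "risk_score": 92,
}

# Strings commonly seen in place of a real registrant when WHOIS is redacted (assumed list).
PRIVACY_MARKERS = ("redacted", "privacy", "whoisguard", "proxy")


def domain_age_days(create_date, today):
    """Days between a YYYY-MM-DD creation date and today; None if unknown."""
    if not create_date:
        return None
    return (today - date.fromisoformat(create_date)).days


def is_privacy_protected(registrant_org):
    text = (registrant_org or "").lower()
    return any(marker in text for marker in PRIVACY_MARKERS)


def triage(record, today=None, young_days=30, high_risk=70):
    """Apply the note's rule and return {'domain', 'action', 'reasons', 'note'}.

    action is 'escalate' when a high risk score coincides with at least one
    weak signal (young domain, redacted WHOIS, missing history), 'review' when
    only the score is high, and 'none' otherwise. Redaction alone never
    escalates: it is routine for legitimate domains.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    reasons = []

    age = domain_age_days(record.get("create_date"), today)
    if age is None:
        reasons.append("no registration history available")
    elif age < young_days:
        reasons.append(f"created {age} days ago")

    if is_privacy_protected(record.get("registrant_org")):
        reasons.append("privacy-protected WHOIS")

    score = record.get("risk_score")
    high_score = score is not None and score >= high_risk
    if high_score:
        reasons.append(f"risk score {score} (threshold {high_risk})")

    if high_score and len(reasons) >= 2:
        action = "escalate"
    elif high_score:
        action = "review"
    else:
        action = "none"

    note = f"{record['domain']}: {action.upper()} - " + "; ".join(reasons or ["no findings"])
    return {"domain": record["domain"], "action": action, "reasons": reasons, "note": note}


if __name__ == "__main__":
    print(triage(RECORD, today="2024-06-10")["note"])
```

The combination rule is the point: a young, redacted domain with a low score and an old, well-attributed domain with a high score both fall short of escalation, while the sample record (11 days old, redacted, score 92) produces a note ready to paste into the ticket.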
Access
DomainTools is accessed via its web-based console. The primary investigation interface is Iris Investigate. Refer to your team’s onboarding documentation for login and access provisioning details.