--- title: "DomainTools Enrichment | ThreatConnect" slug: "domaintools-enrichment" description: "This article describes how to enable the DomainTools enrichment service in ThreatConnect, view data retrieved from DomainTools on the Enrichment tab of an Indicator’s Details screen, and import Indicators from DomainTools into ThreatConnect." updated: 2025-03-11T19:57:46Z published: 2025-03-11T19:57:46Z canonical: "knowledge.threatconnect.com/domaintools-enrichment" --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # DomainTools Enrichment ## Overview The DomainTools® built-in enrichment in ThreatConnect® lets you access DomainTools’ deep domain insights directly within ThreatConnect, providing you with a more complete perspective on potential security threats and further boosting the depth and efficacy of your threat intelligence investigations. This article describes how to enable the DomainTools enrichment service in ThreatConnect, view data retrieved from DomainTools on the **Enrichment**tab of an Indicator’s **Details**screen, and import Indicators from DomainTools into ThreatConnect. ## Before You Start ### User Roles - To enable and configure the DomainTools enrichment, your user account must have a [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) of Administrator. - To view DomainTools data on the **Enrichment** tab of an Indicator’s **Details** screen, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). - To retrieve data manually on the **DomainTools** card on the **Enrichment** tab of an Indicator’s **Details** screen, your user account can have any Organization role. - To import DomainTools data into an Organization, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer. - To import DomainTools data into a Community or Source, your user account must have a [Community role](https://knowledge.threatconnect.com/docs/community-roles) of Contributor, Editor, or Director for that Community or Source. ### Prerequisites - DomainTools API credentials (API username and API key) that are authorized to access [Iris® Investigate](https://www.domaintools.com/products/platform/iris-investigate/). To obtain DomainTools API credentials, [contact DomainTools](https://www.domaintools.com/contact/). ## Enabling the DomainTools Enrichment Before you can retrieve data from DomainTools, you must enable and configure the DomainTools enrichment in ThreatConnect. Follow these steps to enable and configure the DomainTools enrichment on your ThreatConnect instance: 1. Hover over **Settings![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)**on the top navigation bar and select **System Settings**. 2. Select the **Indicators**tab on the **System Settings**screen, and then click **Enrichment Tools**in the sidebar. 3. Click **Edit![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png)**in the **Options**column for **DomainTools**and fill out the fields on the **Edit Vendor**window (Figure 1) as follows:![Figure 1_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_DomainTools%20Enrichment_7.8.1.png) - **Enable Vendor**: Select this checkbox to enable DomainTools. - **Enable Automatic Retrieval**: Select this checkbox to enable automatic data retrieval for DomainTools. If automatic data retrieval is enabled, DomainTools data will automatically populate when a user opens a Host Indicator’s **Enrichment** tab for the first time. This checkbox is selected by default. - **DomainTools User Name**: Enter the API username associated with the account that will be used to retrieve data from DomainTools. - **API Key**: Enter the API key that will be used to retrieve data from DomainTools. - **VALIDATE**: After entering the DomainTools API credentials, click this****button to validate them. If the API credentials are accepted, the **VALIDATE**button’s label will change to **VALID**. - **Lookup/Retrieve**: Select **Host**to retrieve data from DomainTools for Host Indicators. 4. Click **SAVE**on the **Edit Vendor**window to save the configuration for the DomainTools enrichment. When DomainTools is enabled, a value of **true** will be displayed in the **Enabled** column for its entry on the **Enrichment Tools** screen. ## Data Overview The **Overview**section of the **DomainTools**card (Figure 2) on the [**Enrichment** tab](https://knowledge.threatconnect.com/docs/the-enrichment-tab#viewing-enrichment-data) of a Host Indicator’s **Details** screen provides a summary of data retrieved from DomainTools for the Indicator and the date and time the data were last retrieved. ![Figure 2_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_DomainTools%20Enrichment_7.8.1.png) - **Overall Risk Score**: The overall score provided in the DomainTools Domain Profile for the Host. This score predicts how likely a domain is to be malicious. - **Malware Risk Score**: The malware score provided in the DomainTools Domain Profile for the Host. This score is a measure of how closely a domain resembles domains used for malware. - **Phishing Risk Score**: The phishing score provided in the DomainTools Domain Profile for the Host. This score is a measure of how closely a domain resembles domains used for phishing. - **Spam Risk Score**: The spam score provided in the DomainTools Domain Profile for the Host. This score is a measure of how closely a domain resembles domains used for spam. - **Domain Status**: The Host’s domain status (active or inactive). - **Registrant Org**: The organization that has registered the Host. - **Registrar**: The registrar for the Host’s registration. - **IP Addresses**: The IP addresses associated with the Host. - **IP Addresses’ Countries**: The countries in which the IP addresses associated with the Host are registered. - **ASNs**: The autonomous system numbers (ASNs) associated with the Host. Hint When [constructing a TQL query](https://knowledge.threatconnect.com/docs/constructing-query-expressions), you can use the following****parameters to query for Host Indicators based on their scores and status in DomainTools: - **dtOverallScore**: Query by the Host’s overall score in DomainTools - **dtMalwareScore**: Query by the Host’s malware score in DomainTools - **dtPhishingScore**: Query by the Host’s phishing score in DomainTools - **dtSpamScore**: Query by the Host’s spam score in DomainTools - **dtStatus**: Query by the Host’s domain status in DomainTools ## DomainTools Detailed View Click **Open Detailed View**on the **DomainTools**card to open the **DomainTools Detailed View**drawer (Figure 3). This drawer displays cards with additional data retrieved from DomainTools. The cards are collapsed by default. Figure 3 shows the **DomainTools Detailed View**drawer with all available cards expanded. ![Figure 4_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_DomainTools%20Enrichment_7.8.1.png) The **DomainTools Detailed View**drawer displays the following cards: - **Email Address Details**: The email addresses associated with the Host and the number of domains associated with each email address. - **IP Address Details**: The IP addresses associated with the Host and the number of domains associated with each IP address. - **Name Server Details**: The name servers associated with the Host and the number of domains associated with each name server. - **SSL Information**: The secure sockets layer (SSL) certificates associated with the Host. Details displayed for each SSL certificate include the certificate fingerprint (i.e., the unique identifier for the SSL certificate), the common name (i.e., the primary domain name associated with the certificate), and dates establishing the time window during which the certificate is valid. NoteIf the **DomainTools Detailed View**drawer does not display a card for a Host Indicator, then no data for that card were returned from DomainTools. ## Importing Indicators From DomainTools Into ThreatConnect You may import Indicators displayed on the **Email Address Details**, **IP Address Details** and **Name Server Details** cards into ThreatConnect and associate them to a new or existing Group. You may also import Indicators displayed on the **Email Address Details**and **IP Address Details**cards into ThreatConnect and associate them directly to the enriched Indicator (i.e., the Host Indicator whose **Details** screen you are viewing) via a custom association. Follow these steps to import Indicators from DomainTools into ThreatConnect: 1. Expand one of the following cards on the **DomainTools Detailed View**drawer (Figure 3) to view Indicators retrieved from DomainTools that are related to the enriched Indicator: - **Email Address Details**: Indicators on this card will be imported as Email Address Indicators. - **IP Address Details**: Indicators on this card will be imported as Address Indicators. - **Name Server Details**: Indicators on this card will be imported as Host Indicators. 2. Select the checkbox for each Indicator to import into ThreatConnect, or select the checkbox in the table’s header to import all Indicators displayed on the current page in the table.ImportantIf a selected Indicator already exists in the ThreatConnect owner into which you are importing data, that copy of the Indicator will be updated based on the information entered and options configured during the import. 3. Expand the **Import**dropdown at the top left of the card and select one of the following import options (Figure 4):![Figure 5_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_DomainTools%20Enrichment_7.8.1.png) - [**To New Group**](/docs/domaintools-enrichment#importing-indicators-into-a-new-group): Select this option to import the selected Indicators and associate them to a new Group created during the import. - [**To Existing Group**](/docs/domaintools-enrichment#importing-indicators-into-an-existing-group): Select this option to import the selected Indicators and associate them to an existing Group. - [**As an Indicator**](/docs/domaintools-enrichment#importing-indicators-as-indicators): Select this option to import the selected Indicators and associate them directly to the enriched Indicator via a custom association. NoteIf associating the Indicators selected for import to a new or existing Group, the Group will also be associated to the enriched Indicator, thus creating a second-level (i.e., indirect) association between the Indicators imported from DomainTools and the enriched Indicator. ### Importing Indicators Into a New Group Follow these steps to import Indicators from DomainTools and associate them to a new Group created during the import: 1. Follow Steps 1–3 in the [“Importing Indicators From DomainTools Into ThreatConnect”](/docs/domaintools-enrichment#importing-indicators-from-domaintools-into-threatconnect) section and select **To New Group**from the **Import**dropdown. 2. Proceed through the steps on the **Create**screen to create the Group and configure the Indicators selected for import. There are three steps in this process: [**Details**](/docs/domaintools-enrichment#step-1-enter-details-about-the-group) (required), [**Associations**](/docs/domaintools-enrichment#step-2-enter-details-about-associated-indicators-optional) (optional), and [**Attachments**](/docs/domaintools-enrichment#step-3-upload-file-attachments-to-the-group-optional) (optional). #### Step 1: Enter Details About the Group The **Details**step of the **Create**screen (Figure 5) is a required step where you enter basic information about the Group you are creating. ![Figure 6_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_DomainTools%20Enrichment_7.8.1.png) Follow these steps to fill out the fields on the **Details**step:**** 1. Provide the following details for the Group:**** - **Type**: By default, **Event**is selected. However, you can select another [Group type](https://knowledge.threatconnect.com/docs/the-threatconnect-data-model) from the dropdown. If you select a new Group type from the **Type**dropdown, the [fields on the **Details**step](https://knowledge.threatconnect.com/docs/creating-groups#additional-details-step-fields) will change based on the new Group type. - **Owner**: Select the [owner](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect) in which to create the Group. - **Summary**: Enter a name for the Group. - **Description**: (Optional) Enter a [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Group.****To apply the Description to the Indicators that will be associated to the Group, select **Apply Description To Associations**. - **Tags**: (Optional) Enter one or more [Tags](https://knowledge.threatconnect.com/docs/applying-tags) to apply to the Group. (By default, the **Tags**field includes a **DomainTools Enrichment**Tag.) To****apply the Tags to the Indicators that will be associated to the Group, select **Apply Tags To Associations**.ImportantIf you select **Apply Tags to Associations**, it is recommended that you remove the **DomainTools Enrichment** Tag from the **Tags**field so that the Tag is not applied to the enriched Indicator (that is, the Indicator whose **Enrichment** tab you are importing DomainTools data from), as this Indicator will be added as an association to the new Group. Alternatively, if you want to apply the **DomainTools Enrichment** Tag to all associations except for the enriched Indicator, select **Apply Tags to Associations**, leave the **DomainTools Enrichment**Tag in the **Tags**field, and then, after completing the import, navigate to the enriched Indicator’s **Details** screen and [remove the Tag from the Indicator manually](https://knowledge.threatconnect.com/docs/applying-tags#removing-a-tag-from-an-object). 2. Click **Next** to proceed to the optional [**Associations**step](/docs/domaintools-enrichment#step-2-enter-details-about-associated-indicators-optional).NoteThe **Save**button is available only on the **Associations**and **Attachments**sections. #### Step 2: Enter Details About Associated Indicators (Optional) The **Associations**step of the **Create**screen (Figure 6) is an optional step where you configure the Indicators from DomainTools that are being created and [associated](https://knowledge.threatconnect.com/docs/associations) to the new Group. ![Figure 7_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_DomainTools%20Enrichment_7.8.1.png) Follow these steps to fill out the fields on the **Associations**step: 1. (Optional) On the **Associations** card, review the table of Indicators that will be created and associated to the Group. This table includes all selected Indicators and the enriched Indicator. To remove an Indicator from the table, click **Delete**![Trash icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Trash%20icon_Black.png)in the **Actions**column.NoteThe table on the **Associations**card will include a **Private**column if your System Administrator turned on private Indicators for your ThreatConnect instance. To mark an Indicator as [private](https://knowledge.threatconnect.com/docs/private-indicators), select the corresponding checkbox in the **Private** column.NoteA checkmark in the **Known**column indicates that the corresponding Indicator exists in the owner in which you are creating the Group and Indicators. 2. (Optional) On the **Association Details**card, provide the following details for *all*Indicators that will be created and associated to the Group:ImportantAll information added in this section will be applied to the enriched Indicator (that is, the Indicator whose **Enrichment** tab you are importing DomainTools data from), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the **DomainTools Detailed View** drawer (Figure 4). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags. - **Description**: Enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Indicators. If you entered a Description for the Group on the [**Details** step](/docs/domaintools-enrichment#step-1-enter-details-about-the-group) and selected **Apply Description to Associations**, the text box will contain that Description. - **Tags**: Enter one or more [Tags](https://knowledge.threatconnect.com/v1/docs/applying-tags) to apply to the Indicators. If you entered Tags for the Group on the [**Details** step](/docs/domaintools-enrichment#step-1-enter-details-about-the-group) and selected **Apply Tags to Associations**, the text box will contain those Tags. - **Threat Rating**: Set the [Threat Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators. - **Confidence Rating**: Set the [Confidence Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators. 3. Click **Next** to proceed to the optional [**Attachments**step](/docs/domaintools-enrichment#step-3-upload-file-attachments-to-the-group-optional), or click **Save**to create the Group and Indicators. #### Step 3: Upload File Attachments to the Group (Optional) If you click **Next**on the **Associations**step, you will proceed to the optional **Attachments** step of the **Create**screen (Figure 7). Here, you can upload and attach related files to the Group. ![Figure 8_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_DomainTools%20Enrichment_7.8.1.png) Follow these steps to proceed through the **Attachments**step: 1. Upload one or more files for which Document Groups will be created and associated to the Group being created. 2. After a file is uploaded, the filename will be displayed below the upload area, along with the **Add to Malware Vault**checkbox. Leave this checkbox cleared unless you are [uploading a malware file](https://knowledge.threatconnect.com/docs/uploading-malware). 3. Click **Save**to create the Group and Indicators. After you complete the import process, the Group’s **Details**screen will open. You can view the Indicators that were imported and associated to the Group on the [**Indicator Associations**card](https://knowledge.threatconnect.com/docs/the-associations-tab#indicator-associations) of the Group’s [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab). ### Importing Indicators Into an Existing Group Follow these steps to import Indicators from DomainTools and associate them to an existing Group: 1. Follow Steps 1–3 in the [“Importing Indicators From DomainTools Into ThreatConnect”](/docs/domaintools-enrichment#importing-indicators-from-domaintools-into-threatconnect) section and select **To Existing Group**from the **Import**dropdown. 2. Proceed through the steps on the **Import to Existing Group**screen to select an existing Group and configure the Indicators selected for import. There are two steps in this process: [**Select Group**](/docs/domaintools-enrichment#step-1-select-an-existing-group) (required) and [**Associations**](/docs/domaintools-enrichment#step-2-enter-details-about-associated-indicators-optional1) (optional). #### Step 1: Select an Existing Group The **Select Group** step the **Import to Existing Group**screen (Figure 8) is a required step where you select an existing Group to associate to the imported Indicators. ![Figure 9_DomainTools Enrichment_7.2.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%208_DomainTools%20Enrichment_7.8.1.png) Follow these steps to select a Group to associate to the imported Indicators: 1. Select a Group to which the selected Indicators, as well as the enriched Indicator, will be associated. To search for a Group, enter its name in the search bar above the table containing all Groups. 2. Click **Next** to proceed to the optional [**Associations**step](/docs/domaintools-enrichment#step-2-enter-details-about-associated-indicators-optional1).NoteThe **Save**button is available only on the **Associations**step. #### Step 2: Enter Details About Associated Indicators (Optional) The **Associations**step of the **Import to Existing Group**screen (Figure 9) is an optional step where you configure the Indicators from DomainTools that are being created and [associated](https://knowledge.threatconnect.com/docs/associations) to the existing Group. ![Figure 10_DomainTools Enrichment_7.3.0](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%209_DomainTools%20Enrichment_7.8.1.png) 1. (Optional) On the **Associations** card, review the table of Indicators that will be created and associated to the Group. This table includes all selected Indicators and the enriched Indicator. To remove an Indicator from the table, click **Delete**![Trash icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Trash%20icon_Black.png)in the **Actions**column.NoteThe table on the **Associations**card will include a **Private**column if your System Administrator turned on private Indicators for your ThreatConnect instance. To mark an Indicator as [private](https://knowledge.threatconnect.com/docs/private-indicators), select the corresponding checkbox in the **Private** column.NoteA checkmark in the **Known**column indicates that the corresponding Indicator exists in the owner in which the selected Group exists. 2. (Optional) On the **Association Details**card, provide the following details for *all*Indicators that will be created and associated to the Group:ImportantAll information added in this section will be applied to the enriched Indicator (that is, the Indicator whose **Enrichment** tab you are importing DomainTools data from), because the enriched Indicator is always added as an association to the new Group, along with the Indicators selected on the card on the **DomainTools Detailed View** drawer (Figure 4). If the enriched Indicator has a default Description, a Threat Rating, or a Confidence Rating and you enter a value for one of these fields, then that value will replace the existing value for the enriched Indicator. Tags entered in this section will be applied in addition to the enriched Indicator’s existing Tags. - **Description**: Enter a default [Description](https://knowledge.threatconnect.com/docs/the-description-attribute) for the Indicators. - **Tags**: Enter one or more [Tags](https://knowledge.threatconnect.com/v1/docs/applying-tags) to apply to the Indicators. - **Threat Rating**: Set the [Threat Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators. - **Confidence Rating**: Set the [Confidence Rating](https://knowledge.threatconnect.com/v1/docs/setting-indicator-threat-and-confidence-ratings) for the Indicators. 3. Click **Save** to create the Indicators and associate them to the existing Group. After you complete the import process, the Group’s **Details**screen will open. You can view the Indicators that were imported and associated to the Group on the [**Indicator Associations**card](https://knowledge.threatconnect.com/docs/the-associations-tab#indicator-associations) of the Group’s [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab). ### Importing Indicators as Indicators 1. Follow Steps 1–3 in the [“Importing Indicators From DomainTools Into ThreatConnect”](/docs/domaintools-enrichment#importing-indicators-from-domaintools-into-threatconnect) section and select **As an Indicator**from the **Import**dropdown.ImportantThe **As an Indicator**option is not available for Indicators displayed on the **Name Server Details**card. 2. On the **Import Indicators**window (Figure 10), review the list of Indicators that will be imported into ThreatConnect and associated directly to the enriched Indicator. To remove an Indicator from this list, click **Delete![Delete button_Details screen](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Delete%20button_Details%20screen.png)**. ![](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%2010_DomainTools%20Enrichment_7.8.1.png) 3. Click **Import Indicators**to import the Indicators and associate them directly to the enriched Indicator via a custom association. After you complete the import process, the [**Associations** tab](https://knowledge.threatconnect.com/docs/the-associations-tab) of the enriched Indicator’s **Details**screen will be displayed. You can view the associated Indicators on the [**Indicator Associations**card](https://knowledge.threatconnect.com/docs/the-associations-tab#indicator-associations) of this tab. ## Retrieving Data Manually When you open an Indicator’s **Enrichment**tab for the first time, data will be retrieved from DomainTools and displayed on the **DomainTools**card automatically if your System Administrator enabled automatic data retrieval for DomainTools. Otherwise, the **DomainTools**card will display a message stating “Automatic Data Retrieval has been disabled by the System Administrator,” and you will need to click **Retrieve Data** on the card to populate it with data. Once data have been retrieved, they will be cached for a period of time configured by your System Administrator. Each time you revisit that Indicator’s **Enrichment**tab, the cached DomainTools data will be displayed until this period of time has passed. To retrieve the latest DomainTools data for the Indicator manually, click **Retrieve Data** on the **DomainTools**card. NoteThe API credentials your System Administrator entered when configuring DomainTools on the **System Settings**screen will be used each time data are retrieved from DomainTools for an Indicator. ## Enriching Indicators Using the ThreatConnect API You can use the ThreatConnect v3 API to enrich Host Indicators with data from DomainTools. For instructions on using the ThreatConnect v3 API to enrich Indicators, see [*Indicator Enrichment Overview*](https://threatconnect.readme.io/reference/indicator-enrichment-overview). --- *ThreatConnect® is a registered trademark of ThreatConnect, Inc.* *DomainTools® and Iris® are registered trademarks of DomainTools, LLC.* 20146-07 v.03.B