--- title: "ThreatConnect Domain Thrasher | ThreatConnect" slug: "threatconnect-domain-thrasher" description: "This article describes how to install, configure, and use ThreatConnect Domain Thrasher, which enables you to automate and track proactive investigations into registered domain variants for your organization." updated: 2025-10-27T16:57:18Z published: 2025-10-27T16:57:18Z --- > ## Documentation Index > Fetch the complete documentation index at: https://knowledge.threatconnect.com/llms.txt > Use this file to discover all available pages before exploring further. # ThreatConnect Domain Thrasher ## Overview Domain squatting, or cybersquatting, is a sneaky tactic in which bad actors register misspelled or otherwise altered versions of popular domain names to hijack traffic, mislead users, or even steal personal information. Using techniques such as typosquatting, bitsquatting, and combosquatting, cybercriminals register domains that mimic real sites, providing them with a façade they can use to harvest user data, spread malware, and phish for login credentials. Every mistyped domain or accidental click that lands on a fake site instead of yours is a potential risk. In today’s threat landscape, protecting your brand means guarding not just your main domain, but also every letter around it. ThreatConnect® Domain Thrasher is a purpose-built capability that helps you investigate and detect spoofed domains before they become a problem for your organization. You can use it to automate and track proactive investigations into registered domain variants for your organization’s online assets and the IP addresses to which they resolve, equipping you with the information you need to take action against the squatted domains. ThreatConnect Domain Thrasher is powered by two Playbooks that identify, import, and enrich registered squatting variants for given domains and a dashboard that you can use to track registered domain squats and related information. Registered squatting variants and related DNS and other records (e.g., CNAME, MX, and NS) are imported into ThreatConnect as Host Indicators, and resolved IP addresses are imported as Address Indicators, with custom Attributes and Tags that provide identification and enrichment data. [This video](https://youtu.be/JSFnhYCRlBQ ) demonstrates the ThreatConnect Domain Thrasher set-up and provides a walk-through of its main features. ## Before You Start ### User Roles - To install the ThreatConnect Domain Thrasher Attribute Types file on the System level on your ThreatConnect instance and to configure the Attribute Types, you must have a [System role](https://knowledge.threatconnect.com/docs/threatconnect-system-roles-and-permissions) of Administrator. - To import the ThreatConnect Domain Thrasher dashboard and to share the dashboard to your Organization, your user account can have any [Organization role](https://knowledge.threatconnect.com/docs/organization-roles). - To import the ThreatConnect Domain Thrasher Playbooks into your Organization and to configure the Playbooks, your user account must have an Organization role of Standard User, Sharing User, Organization Administrator, or App Developer. ### Prerequisites - **DNSTwist** Playbook App version 2.0.*x*installed on your ThreatConnect instance.NoteTo verify that version 2.0.*x* of the **DNSTwist** Playbook App is installed on your ThreatConnect instance, search for “dnstwist” (without the quotation marks) on the **Installed** tab of the **TC Exchange™ Settings** screen with **Apps** selected from the dropdown at the upper left. If you do not see version 2.0.*x* of the **DNSTwist** Playbook App, please contact your Customer Success Manager for further assistance. - **ThreatConnect Domain Thrasher.zip** file downloaded to your local drive. Please contact your Customer Success Manager to request this file. - To have access to Playbooks on your ThreatConnect instance, turn on the **playbooksEnabled** system setting (must be a System Administrator to perform this action). - To have access to Playbooks in your Organization, turn on the **Enable Playbooks** permission on the **Permissions** tab of the **Organization Information** window when editing your Organization on the **Organizations** tab of the **Account Settings** screen (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action). - To import and share dashboards, turn on the **Enable Custom Dashboards** permission on the **Permissions** tab of the **Organization Information** window when editing your Organization on the **Organizations** tab of the **Account Settings** screen (must be a System Administrator, Operations Administrator, or Accounts Administrator to perform this action). ## ThreatConnect Domain Thrasher Contents ThreatConnect Domain Thrasher is provided as a **ThreatConnect Domain Thrasher.zip** file that includes the following components: - Attribute Types package: **domainthrasher-attributes.json** - Playbooks: - **Domain Thrasher - Domain Search.pbxz** - **Domain Thrasher - Create Associations.pbxz** - Dashboard: **Domain_Thrasher.tdb** ## Install and Configure ThreatConnect Domain Thrasher Unzip the **ThreatConnect Domain Thrasher.zip** file. Then follow these steps to install and configure each component of ThreatConnect Domain Thrasher: 1. [Upload and configure the Attribute Types.](/v1/docs/threatconnect-domain-thrasher#upload-and-configure-attribute-types) 2. [Install and configure the **Domain Thrasher** dashboard.](/v1/docs/threatconnect-domain-thrasher#install-and-configure-domain-thrasher-dashboard) 3. [Install and configure the **Domain Thrasher - Domain Search** Playbook.](/v1/docs/threatconnect-domain-thrasher#install-and-configure-domain-thrasher-domain-search-playbook) 4. [Install and configure the **Domain Thrasher - Create Associations** Playbook.](/v1/docs/threatconnect-domain-thrasher#install-and-configure-domain-thrasher-create-associations-playbook) ### Upload and Configure Attribute Types The **domainthrasher-attributes.json** file contains a set of Attribute Types that the Playbooks in ThreatConnect Domain Thrasher leverage to process and enrich domain data stored as [Attributes](https://knowledge.threatconnect.com/docs/attributes) for imported Indicators: - Fuzzer - Registrar - Address Record (IPv4) - Address Record (IPv6) - Canonical Name Record (CNAME) - Mail Exchanger record (MX) - Nameserver record (NS) - Pointer record (PTR) - Start of Authority record (SOA) - Service Location record (SRV) - Text record (TXT) - Monitored Domain #### Upload Attribute Types Follow these steps to upload the **domainthrasher-attributes.json** Attribute Types at the System level on your ThreatConnect instance and create all required Attribute Types for ThreatConnect Domain Thrasher: ImportantIt is recommended that you create the Attribute Types on the System level so that all owners on your ThreatConnect instance can leverage them. 1. Hover over **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)on the top navigation bar and select **System Settings**. 2. Select the **Attribute Types** tab. 3. Click **UPLOAD** at the upper left. 4. Click **+ SELECT FILE** in the **Upload Attributes** window. 5. Select the **domainthrasher-attributes.json** file. 6. Click **SAVE** to create all the displayed Attribute Types at the System level. #### Configure Attribute Types The ThreatConnect Domain Thrasher dashboard requires three of the Attribute Types to be made available for grouping on dashboard cards. Follow these steps to configure each of the Fuzzer, Registrar, and Monitored Domain Attribute Types: ImportantYou will be following these steps three times, once for each of the three Attribute Types (Fuzzer, Registrar, and Monitored Domain). 1. Hover over **Settings**![Settings icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Settings%20icon.png)on the top navigation bar and select **System Settings**. 2. Select the **Attribute Types** tab. 3. Click **Edit**![Pencil icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png)in the **Options** column for the Attribute Type. 4. Select the **Enable in GroupBy** checkbox at the lower left of the **Configure Attribute Type** window. 5. Click **SAVE** to save the updated configuration for the Attribute Type. ### Install and Configure Domain Thrasher Dashboard The **Domain Thrasher** dashboard enables you to track registered domain squats and related information. #### Install Domain Thrasher Dashboard Follow these steps to install the **Domain Thrasher** dashboard: 1. Select **Import Dashboard** from the **Dashboard** option on the top navigation bar. 2. Select the **Domain Thrasher - Dashboard.tdb** file. #### Configure Domain Thrasher Dashboard Follow these steps to configure the **Domain Thrasher** Dashboard: 1. Select **Domain Thrasher** from the **My Dashboards** section under the **Dashboard** option on the top navigation bar to view the **Domain Thrasher**dashboard.NoteThe **Domain Thrasher** dashboard cards will all display **No Results** at this time. The cards will populate with data after the Playbooks are installed, configured, and executed. 2. Select **Share Dashboard** from the **⋮** menu at the upper right of the **Domain Thrasher** dashboard screen and click **SAVE** to share the dashboard to your Organization with the name **Domain Thrasher - Shared**.NoteTo avoid confusion between dashboards with similar names, you can delete the original **Domain Thrasher** from **My Dashboards** if desired. Do not delete the **Domain Thrasher - Shared** dashboard. 3. After it is fully installed and configured and has executed, ThreatConnect Domain Thrasher will populate domain variants into one of your ThreatConnect [owners](https://knowledge.threatconnect.com/docs/ownership-in-threatconnect). Make sure that the owner you plan to select (most likely your Organization) is selected in [**My Intel Sources**](https://knowledge.threatconnect.com/docs/my-intel-sources) for the **Domain Thrasher - Shared** dashboard. 4. Copy or otherwise note the URL for the **Domain Thrasher - Shared** dashboard. You will be pasting it when you [configure the **Settings** App in the **Domain Thrasher - Domain Search** Playbook](/docs/threatconnect-domain-thrasher#configure-settings-app). ### Install and Configure Domain Thrasher - Domain Search Playbook The **Domain Thrasher - Domain Search** Playbook uses the **DNSTwist** Playbook App to generate, import, and enrich domain variants. #### Install Domain Thrasher - Domain Search Playbook Follow these steps to install the **Domain Thrasher - Domain Search** Playbook in your Organization: 1. Click **Playbooks** on the top navigation bar. 2. Hover over the **NEW** dropdown at the upper left of the **Playbooks** screen and select **Import Playbook** from the dropdown. 3. Select the **Domain Thrasher - Domain Search.pbxz** file. 4. Click **NEXT** on Step 2 (**Playbook Preview**) of the **Import Playbook** drawer. 5. Click **IMPORT** on Step 3 (**Components to Install**) of the **Import Playbook**drawer.NoteThis step will install the **Domain Thrasher - Processing Data Component**[Playbook Component](https://knowledge.threatconnect.com/docs/playbook-components-overview) in your Organization. 6. Click **IMPORT** to import the **Domain Thrasher - Domain Search** Playbook into your Organization. #### Configure Domain Thrasher - Domain Search Playbook Follow these steps to configure the **Domain Thrasher - Domain Search** Playbook (Figure 1): 1. [Configure the **Domain Thrasher - Domain Search** Playbook’s Trigger.](/docs/threatconnect-domain-thrasher#configure-domain-thrasher-domain-search-playbook-trigger) 2. [Configure the **Settings** App.](/docs/threatconnect-domain-thrasher#configure-settings-app) 3. [Configure the **DNSTwist** App.](/docs/threatconnect-domain-thrasher#configure-dnstwist-app) 4. [Activate the **Domain Thrasher - Processing Data Component** Playbook Component.](/docs/threatconnect-domain-thrasher#activate-domain-thrasher-processing-data-component-playbook-component) 5. [Activate the **Domain Thrasher - Domain Search** Playbook.](/docs/threatconnect-domain-thrasher#activate-domain-thrasher-domain-search-playbook) ![Figure 1_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%201_ThreatConnect%20Domain%20Thrasher_7.9.2.png) ##### Configure Domain Thrasher - Domain Search Playbook Trigger The **Domain Thrasher - Domain Search** Playbook is executed with a [Timer Trigger](https://knowledge.threatconnect.com/docs/playbooks-the-timer-trigger), which [runs the Playbook on a set schedule](https://knowledge.threatconnect.com/docs/en/executing-a-playbook#playbooks-with-a-timer-trigger), allowing you to search for domain squats regularly and as often as you need. Follow these steps to configure the **Domain Thrasher - Domain Search** Playbook’s Timer Trigger: 1. Double-click the Timer Trigger (Figure 1) to edit it. 2. Fill out the fields in the **Edit Trigger**drawer (Figure 2) as follows:![Figure 2_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%202_ThreatConnect%20Domain%20Thrasher_7.9.2.png) - **Timer Name**: Retain **Timer Trigger** as the Trigger's name. - **Schedule**: Select the frequency at which you want the Playbook to execute. Your selection will determine the available configuration options under the **Schedule**dropdown: - **Daily**: Select this option to run the Playbook at least one time per day. - **Job Repeating**: (Optional) Select this checkbox to run the Playbook more than one time per day. After you select this checkbox, configure the following options to define when and how often the Playbook will run each day: - **Job Repeating Starting Hour**: (Required) Enter the time at which the Playbook should start to run each day. - **Job Repeating Ending Hour**: (Required) Enter the time at which the Playbook should finish running each day. - **Repeating Interval Time (Minutes)**: (Required) Enter the interval, in minutes, at which the Playbook will run. For example, if you enter **5**, the Trigger will run every 5 minutes between the **Job Repeating Starting Hour** and the **Job Repeating Ending Hour**. - **Daily Time (UTC)**: If you did not select the **Job Repeating**checkbox, then the Playbook will run one time per day. Enter the time of day at which the Playbook should run.ImportantMake sure to adjust the time you enter to the UTC time zone. - **Weekly**: Select this option to run the Playbook at least one time per week. - **Weekly Time (UTC)**: Enter the time of day at which the Playbook should run.ImportantMake sure to adjust the time you enter to the UTC time zone. - **Weekly Day(s)**: Select one or more days of the week on which the Playbook should run. - **Monthly**: Select this option to run the Playbook at least one time per month. - **Monthly Time (UTC)**: Enter the time of day at which the Playbook should run.ImportantMake sure to adjust the time you enter to the UTC time zone. - **Monthly Day(s)**: Select one or more days of the month on which the Playbook should run.ImportantMake sure to adjust the time you enter to the UTC time zone. - **Advanced**: Select this option to enter a standard Quartz Cron expression to set a granular schedule for the Playbook’s execution. - **Cron Expression**: Enter a standard Quartz Cron expression that determines the Playbook’s execution schedule. To view examples, click **Display Documentation![Playbooks_Display Documentation icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Playbooks_Display%20Documentation%20icon.png)**at the upper right of the **Edit Trigger** drawer (Figure 2) and scroll to the “Advanced Expressions” section of the **Documentation** drawer. 3. Click **SAVE** to save the Trigger’s configuration. ##### Configure Settings App The **Settings** App determines the ThreatConnect owner into which domain variants are imported, the email addresses to which notifications about newly identified domain variants are sent, and the dashboard that receives the data processed by ThreatConnect Domain Thrasher. Follow these steps to configure the **Settings** App in the **Domain Thrasher - Domain Search** Playbook: 1. Double-click the ⚙️ **SETTINGS - CHANGE ME** App (Figure 1) to edit it. 2. Make the following changes in the **Edit App** drawer (Figure 3): ![Figure 3_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%203_ThreatConnect%20Domain%20Thrasher_7.9.2.png) - **Job Name**: Retain ⚙️ **SETTINGS - CHANGE ME** as the Job's name. - **source_name**: The **source_name** variable represents the owner into which ThreatConnect Domain Thrasher will import enriched domains and DNS and related records (as Host Indicators) and resolved IP addresses (as Address Indicators). The default owner is your Organization, represented by **#gbl.org.name**. If you want to select a different owner, click **Edit**![Pencil icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png)in the **source_name** row of the table. The **Value** field under **Variables** will display the current value for the **source_name** key. Replace the current value with the name of the owner you want to receive data imported from ThreatConnect Domain Thrasher, and then click **Save**![Confirm icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Confirm%20icon.png).ImportantIf you change the value for the **source_name** variable, the new value *must be an exact match* to the name of one of your ThreatConnect owners. - **emails_comma_separated**: The **emails_comma_separated** variable represents a list of one or more email addresses to which you want ThreatConnect Domain Thrasher to send notifications about newly imported domain variants. Click **Edit**![Pencil icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png)in the **emails_comma_separated** row of the table. The **Value** field under **Variables** will display the current value for the **emails_comma_separated** key. Replace the default value with one or more email addresses you want to receive notifications from ThreatConnect Domain Thrasher, separating each email address with a comma, and then click **Save**![Confirm icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Confirm%20icon.png). If you do not want ThreatConnect Domain Thrasher to send email notifications, delete the default value, and then click **Save![Confirm icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Confirm%20icon.png)**. - **dashboard_url**: The **dashboard_url** variable represents the URL of the [dashboard](https://knowledge.threatconnect.com/docs/dashboards) that will track data from ThreatConnect Domain Thrasher. Click **Edit**![Pencil icon_Black](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Pencil%20icon_Black.png)in the **dashboard_url** row of the table. The **Value** field under **Variables** will display the default value for the **dashboard_url** key.  Replace the default value with the URL you copied in Step 4 when [configuring the **Domain Thrasher** dashboard](/v1/docs/threatconnect-domain-thrasher#configure-domain-thrasher-dashboard), and then click **Save**![Confirm icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Confirm%20icon.png). 3. Click **SAVE** to save the App’s configuration. ##### Configure DNSTwist App The **DNSTwist** App applies the [DNSTwist algorithm](https://github.com/elceef/dnstwist) to one or more given domains to identify variants that can be used for forms of cyber squatting such as typosquatting and combosquatting. Follow these steps to configure the **DNSTwist** App in the **Domain Spinning - Domain Search** Playbook: 1. Double-click the **DNSTwist** App (Figure 1) to edit it. 2. Fill out the fields in the **Edit App** drawer (Figure 4) as follows:![Figure 4_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%204_ThreatConnect%20Domain%20Thrasher_7.9.2.png) - **Job Name**: Retain **DNSTwist** as the App’s name. - **Action**: Select one of the following options from the dropdown: - **Multiple Domains**: Select this option, which is the default, if you want the App to identify domain variants for more than one domain. - **Single Domain**: Select this option if you want the App to identify domain variants for only one domain. - **Domains Map**: Replace the default value with one or more domains for which you want to identify variants, separating each domain with a comma.NoteThis option will be available only if you select **Multiple****Domains** from the **Actions** menu. - **Domain Name**: Enter a single domain for which you want to identify variants.NoteThis option will be available only if you select **Single Domain** from the **Actions** dropdown. - **Return Only Registered Domains**: Select this checkbox to have the **DNSTwist**App return only variants that are registered domains.ImportantIt is recommended that you keep the **Return Only Registered Domains** checkbox selected, as ThreatConnect Domain Thrasher’s intended use case is to track only registered domain variants. - **Nameservers**: (Optional) Enter one or more custom nameservers to use for performing DNS requests, separating each nameserver with a comma. 3. Click **SAVE** to save the App’s configuration. ##### Activate Domain Thrasher - Processing Data Component Playbook Component The **Domain Thrasher - Processing Data Component** [Playbook Component](https://knowledge.threatconnect.com/docs/playbook-components-overview) processes the domain variants identified by the **DNSTwist** App in the **Domain Thrasher - Domain Search** Playbook. It imports and enriches the domain variants and their DNS and other related records and resolved IP addresses. The orange **Process Data** box in the **Domain Thrasher - Domain Search** Playbook is the Component’s Trigger—that is, it calls the Component to execute after the **DNSTwist** App has executed. Follow these steps to activate the **Domain Thrasher - Processing Data Component** Playbook Component: 1. Select **View** from the **Process Data** Component Trigger’s menu![Playbook Component Trigger Menu icon](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Playbook%20Component%20Trigger%20Menu%20icon.png)in the **Domain Thrasher - Domain Search** Playbook (Figure 1) to open a tab for the Component in the Playbook Designer (Figure 5). ![Figure 5_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%205_ThreatConnect%20Domain%20Thrasher_7.9.2.png) 2. Select **Active** from the **Mode** dropdown at the upper right of the **Domain Thrasher - Processing Data Component** tab in the Playbook Designer to activate the **Domain Thrasher - Processing Data Component** Playbook Component. ##### Activate Domain Thrasher - Domain Search Playbook Select **Active** from the **Mode** dropdown at the upper right of the **Domain Thrasher - Domain Search** tab in the Playbook Designer (Figure 1) to activate the **Domain Thrasher - Domain Search** Playbook. ### Install and Configure Domain Thrasher - Create Associations Playbook The **Domain Thrasher - Create Associations** Playbook creates associations between the domains, DNS and related records, and resolved IP addresses provided and imported in the **Domain Thrasher - Domain Search** Playbook. #### Install Domain Thrasher - Create Associations Playbook Follow these steps to install the **Domain Thrasher - Create Associations** Playbook in your Organization: 1. Click **Playbooks** on the top navigation bar. 2. Hover over the **NEW** dropdown at the upper left of the **Playbooks** screen and select **Import Playbook** from the dropdown. 3. Select the **Domain Thrasher - Create Associations.pbxz** file. 4. Click **IMPORT** to import the **Domain Thrasher - Create Associations** Playbook into your Organization. #### Configure Domain Thrasher - Create Associations Playbook Follow these steps to configure the **Domain Thrasher - Create Associations** Playbook (Figure 6): ![Figure 6_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%206_ThreatConnect%20Domain%20Thrasher_7.9.2.png) 1. Double-click the Host Trigger (Figure 6) to edit it. 2. Fill out the fields on Step 1 (**Configure**) of the **Edit Trigger** drawer (Figure 7) as follows:![Figure 7_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%207_ThreatConnect%20Domain%20Thrasher_7.9.2.png) - **Trigger Name**: Retain **Host Trigger - CHANGE ME** as the Trigger's name. - Click **NEXT**. 3. Fill out the fields on Step 2 (**Action**) of the **Edit Trigger** drawer (Figure 8) as follows:![Figure 8_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%208_ThreatConnect%20Domain%20Thrasher_7.9.2.png) - **Owners**: Select the owner you chose for the **source_name** variable when configuring the **Settings** App (Figure 8) from the **Owners** dropdown. - Click **NEXT**.HintIf you retained the default owner (**#gbl.org.name**) as the **source_name** variable in the **Settings** App, select your Organization from the **Owners** dropdown. 4. Click **SAVE** on Step 3 (**Filters**) of the **Edit Trigger** drawer. 5. Select **Active** from the **Mode** dropdown at the upper right of the **Domain Thrasher - Create Associations** tab in the Playbook Designer (Figure 6) to activate the **Domain Thrasher - Create Associations** Playbook. ## Using ThreatConnect Domain Thrasher After the Playbooks in ThreatConnect Domain Thrasher execute for the first time, the following events will occur: - [The **Domain Thrasher** dashboard will populate.](/v1/docs/threatconnect-domain-thrasher#domain-thrasher-dashboard) - [Host and Address Indicators will be imported into the ThreatConnect owner you selected in ThreatConnect Domain Thrasher’s configuration.](/v1/docs/threatconnect-domain-thrasher#imported-indicators) - [Tags specific to Domain Thrasher will be added to Indicators imported into the ThreatConnect owner you selected in ThreatConnect Domain Thrasher’s configuration.](/v1/docs/threatconnect-domain-thrasher#domain-thrasher-tags) - [Email notifications will be sent to the email addresses you provided in ThreatConnect Domain Thrasher’s configuration.](/v1/docs/threatconnect-domain-thrasher#email-notifications) ### Domain Thrasher Dashboard The **Domain Thrasher** dashboard (Figure 9) displays cards with information related to registered domain squats identified by ThreatConnect Domain Thrasher, including the following: - Recently registered squat domains and the geographic location of their associated DNS records - Prevalence of squatting strategy for recently registered squat domains - DNS records of various types for your domains and the squat domains identified for them - Breakdowns of squat domains, resolved IP addresses, and DNS records of various types by monitored domain ![Figure 9_ThreatConnect Domain Thrasher_7.9.2](https://cdn.document360.io/dfc206c8-1c9f-4725-b74d-a66f83432320/Images/Documentation/Figure%209_ThreatConnect%20Domain%20Thrasher_7.9.2.png) ### Imported Indicators ThreatConnect Domain Thrasher imports the following data as Host Indicators in the ThreatConnect owner selected in ThreatConnect Domain Thrasher’s configuration: - Registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher. - Canonical name records for registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher. - Mail Exchanger records for registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher. - Nameserver records for registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher. ThreatConnect Domain Thrasher imports the following data as Address Indicators in the ThreatConnect owner selected in ThreatConnect Domain Thrasher’s configuration: - IPv4 and IPv6 address (DNS) records for IP addresses resolving to the domains provided to ThreatConnect Domain Thrasher. - IPv4 and IPv6 address (DNS) records for IP addresses resolving to registered domains identified as squatting variants of the domains provided to ThreatConnect Domain Thrasher. ThreatConnect Domain Thrasher automatically creates associations between domains or registration records imported as Host Indicators and their resolved IP addresses imported as Address Indicators. When investigating Indicators imported by ThreatConnect Domain Thrasher, you can refer to their [Attributes](https://knowledge.threatconnect.com/docs/attributes) for details on squatting technique, registration information, and related nameserver records. ### Domain Thrasher Tags The [Tags](https://knowledge.threatconnect.com/docs/applying-tags) listed in Table 1 are added to Indicators that ThreatConnect Domain Thrasher imports into the ThreatConnect owner selected in the Playbooks’ configuration. You can [search](https://knowledge.threatconnect.com/docs/search-and-analyze) and [pivot](https://knowledge.threatconnect.com/docs/pivoting-on-data) on these Tags, as well as explore their associations in [Threat Graph](https://knowledge.threatconnect.com/docs/threat-graph). | Tag | Indicator Type | Description | | --- | --- | --- | | Address record (IPv4) | Address | Added to resolved IPv4 address (DNS) records for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. | | Address record (IPv6) | Address | Added to resolved IPv6 address (DNS) records for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. | | Canonical Name (CNAME) | Host | Added to CNAME records identified for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. | | DNStwist | Address, Host | Added to all Indicators imported from ThreatConnect Domain Thrasher. | | Domain: Registered | Host | Added to registered domain variants identified by ThreatConnect Domain Thrasher. | | Fuzzer: ** | Host | Added to registered domain variants identified by ThreatConnect Domain Thrasher to indicate the squatting technique. Possible types include the following: **addition**, **bitsquatting**, **insertion**, **replacement**, **homoglyph**, **omission**, **subdomain**, **transposition**, **vowel-swap**, **repetition**, **hyphenation**, **various**, **dictionary**, **plural**, and ***original**.Note***original** indicates that the domain is an original domain entered into the ThreatConnect Domain Thrasher configuration—that is, a domain for which you are investigating squatting variants. | | Mail Exchanger record (MX) | Host | Added to Mail Exchanger records identified for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. | | Nameserver record (NS) | Host | Added to nameserver records identified for domains provided to ThreatConnect Domain Thrasher and for registered domain variants identified by ThreatConnect Domain Thrasher. | ### Email Notifications When ThreatConnect Domain Thrasher identifies registered domain variants, it will send notifications providing the number of newly registered domains and a link to the **Domain Thrasher - Shared** dashboard to the email addresses provided in its configuration, ensuring that stakeholders are informed about potentially threatening domains as soon as they are discovered. NoteTo customize the email notification template, edit the **Send Email** App in the **Domain Thrasher - Domain Search** Playbook (Figure 1) when the Playbook is in Design Mode, change the contents of the **Subject** and **Body** parameters in Step 2 (**Configure**), and save the changes. Please reach out to your Customer Success Engineer with any questions about how to customize the email notification template for ThreatConnect Domain Thrasher. --- *ThreatConnect® is a registered trademark, and TC Exchange™ is a trademark, of ThreatConnect, Inc.* 20172-01 v.01.A