Merge pull request #39 from splunk-soar-connectors/next

Merging next to main for release 1.5.2
splunk-soar-connectors · Jan 6, 2025 · 9423a3f · 9423a3f
2 parents ab08561 + f62aa30
commit 9423a3f
Show file tree

Hide file tree

Showing 44 changed files with 430 additions and 118 deletions.
diff --git a/README.md b/README.md
@@ -2,11 +2,11 @@
 # DomainTools Iris Investigate
 
 Publisher: DomainTools  
-Connector Version: 1.5.1  
+Connector Version: 1.5.2  
 Product Vendor: DomainTools  
 Product Name: DomainTools Iris Investigate  
 Product Version Supported (regex): ".\*"  
-Minimum Product Version: 6.1.1  
+Minimum Product Version: 6.3.0  
 
 This app supports investigative actions to profile domain names, get risk scores, and find connected domains that share the same Whois details, web hosting profiles, SSL certificates, and more on DomainTools Iris Investigate
 
@@ -75,8 +75,8 @@ In this example, we've specified to run three separate monitoring playbooks on d
 [this](https://github.com/DomainTools/playbooks/tree/main/Splunk%20SOAR) Github repository.
 
 
-### Configuration Variables
-The below configuration variables are required for this Connector to operate.  These variables are specified when configuring a DomainTools Iris Investigate asset in SOAR.
+### Configuration variables
+This table lists the configuration variables required to operate DomainTools Iris Investigate. These variables are specified when configuring a DomainTools Iris Investigate asset in Splunk SOAR.
 
 VARIABLE | REQUIRED | TYPE | DESCRIPTION
 -------- | -------- | ---- | -----------
@@ -105,6 +105,8 @@ VARIABLE | REQUIRED | TYPE | DESCRIPTION
 [enrich domain](#action-enrich-domain) - Get all Iris Investigate data for a domain except counts using the high volume Iris Enrich API endpoint (if provisioned)  
 [configure scheduled playbooks](#action-configure-scheduled-playbooks) - Run on initial setup to configure the optional monitoring playbooks. This action creates a custom list to manage the playbook scheduling and run status  
 [on poll](#action-on-poll) - Execute scheduled playbooks based on the set interval(mins) in 'domaintools_scheduled_playbooks' custom list. Smaller intervals will result in more accurate schedules  
+[nod feed](#action-nod-feed) - Apex-level domains (e.g. example.com but not www.example.com) observed for the first time by the DomainTools sensor network, and which are not present in our DNSDB historical database  
+[nad feed](#action-nad-feed) - Apex-level domains (e.g. example.com but not www.example.com) DomainTools has newly observed in our DNS sensor network. This includes domains observed in DNS for the first time as well as domains observed in DNS again after not being observed for at least 10 days  
 
 ## action: 'test connectivity'
 Validate the asset configuration for connectivity
@@ -635,4 +637,64 @@ Read only: **True**
 No parameters are required for this action
 
 #### Action Output
-No Output
+No Output  
+
+## action: 'nod feed'
+Apex-level domains (e.g. example.com but not www.example.com) observed for the first time by the DomainTools sensor network, and which are not present in our DNSDB historical database
+
+Type: **investigate**  
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**domain** |  optional  | Used to filter feed results. The filter can be an exact match or a partial match when the \* character is included at the beginning and/or end of the value. | string | 
+**after** |  optional  | A negative integer (in seconds) representing the start of the time window, relative to the current time in seconds, for which data will be provided. | string | 
+**session_id** |  optional  | Serves as a unique identifier for the session. This parameter ensures that data retrieval begins from the latest timestamp recorded in the previous data pull. | string | 
+**top** |  optional  | The number of results to return in the response payload. Primarily used for testing. | string | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.data | string |  |  
+action_result.data.\*.domain | string |  `domain`  |  
+action_result.data.\*.timestamp | string |  |  
+action_result.status | string |  |   success  failed 
+action_result.summary | string |  |  
+action_result.message | string |  |  
+action_result.parameter.after | string |  |  
+action_result.parameter.domain | string |  |  
+action_result.parameter.session_id | string |  |  
+action_result.parameter.top | string |  |  
+summary.total_objects | numeric |  |   1 
+summary.total_objects_successful | numeric |  |   1   
+
+## action: 'nad feed'
+Apex-level domains (e.g. example.com but not www.example.com) DomainTools has newly observed in our DNS sensor network. This includes domains observed in DNS for the first time as well as domains observed in DNS again after not being observed for at least 10 days
+
+Type: **investigate**  
+Read only: **True**
+
+#### Action Parameters
+PARAMETER | REQUIRED | DESCRIPTION | TYPE | CONTAINS
+--------- | -------- | ----------- | ---- | --------
+**domain** |  optional  | Used to filter feed results. The filter can be an exact match or a partial match when the \* character is included at the beginning and/or end of the value. | string | 
+**after** |  optional  | A negative integer (in seconds) representing the start of the time window, relative to the current time in seconds, for which data will be provided. | string | 
+**session_id** |  optional  | Serves as a unique identifier for the session. This parameter ensures that data retrieval begins from the latest timestamp recorded in the previous data pull. | string | 
+**top** |  optional  | The number of results to return in the response payload. Primarily used for testing. | string | 
+
+#### Action Output
+DATA PATH | TYPE | CONTAINS | EXAMPLE VALUES
+--------- | ---- | -------- | --------------
+action_result.data | string |  |  
+action_result.data.\*.domain | string |  `domain`  |  
+action_result.data.\*.timestamp | string |  |  
+action_result.status | string |  |   success  failed 
+action_result.summary | string |  |  
+action_result.message | string |  |  
+action_result.parameter.after | string |  |  
+action_result.parameter.domain | string |  |  
+action_result.parameter.session_id | string |  |  
+action_result.parameter.top | string |  |  
+summary.total_objects | numeric |  |   1 
+summary.total_objects_successful | numeric |  |   1