Whois XML API Operation

The web format of this guide reflects the most current release.  Guides for older iterations are available in PDF format.  

Integration Details

ThreatQuotient provides the following details for this integration:

Introduction

The Whois XML API operation parses the raw Whois record and returns the extracted information as context, in the form of attributes and indicators of compromise.

The operation will extract additional information on FQDN indicator types using the Whois XML API endpoint.

Prerequisites

The following item is required for the operation:

  • A Whois XML API key

ThreatQuotient does not issue third-party vendor credentials. Contact WhoisXMLAPI for the required key.

Installation

This integration can be installed in the My Integration section of your ThreatQ instance. See the Adding an Integration topic for more details.

Configuration

ThreatQuotient does not issue API keys for third-party vendors. Contact the specific vendor to obtain API keys and other integration-related credentials.

To configure the integration:

  1. Navigate to your integrations management page in ThreatQ.
  2. Select the Operation option from the Type dropdown (optional).
  3. Click on the integration entry to open its details page.
  4. Enter the following parameters under the Configuration tab:
    | Parameter | Description |
    |---|---|
    | Api Key | Enter the API Key from Whois XML API. |
  5. Review any additional settings, make any changes if needed, and click on Save.
  6. Click on the toggle switch, located above the Additional Information section, to enable it.

Actions

The Whois XML API operation provides the following actions:

| Action | Description | Object Type | Object Subtype |
|---|---|---|---|
| Parse Information | Provides parsed information extracted from the raw Whois record. | Indicator | Indicator Attribute |

Parse Information

Provides parsed information extracted from the raw Whois record.  The URL that is called is:

https://whoisxmlapi.com/whoisserver/WhoisService?outputformat=json&domainName={}

ThreatQuotient provides the following default mapping for this action:

| Feed Data Path | ThreatQ Entity | ThreatQ Object Type or Attribute Key | Published Date | Examples | Notes |
|---|---|---|---|---|---|
| createdDate | Created Date | Indicator Attribute | N/A | 1997-09-15T00:00:00-0700 | N/A |
| updatedDate | Update Date | Indicator Attribute | N/A | 1997-09-15T00:00:00-0700 | N/A |
| expiresDate | Expires Date | Indicator Attribute | N/A | 1997-09-15T00:00:00-0700 | N/A |
| registrant.organization | Registrant Organization | Indicator Attribute | N/A | Google LLC | N/A |
| registrant.state | Registrant State | Indicator Attribute | N/A | CA | N/A |
| registrant.country | Registrant Country | Indicator Attribute | N/A | United States | N/A |
| registrant.rawText | Registrant Raw Text | Indicator Attribute | N/A | Registrant Organization: Google LLC [...] | N/A |
| administrativeContact.organization | Administrative Contact Organization | Indicator Attribute | N/A | Google LLC | N/A |
| administrativeContact.country | Administrative Contact Country | Indicator Attribute | N/A | United States | N/A |
| administrativeContact.state | Administrative Contact State | Indicator Attribute | N/A | CA | N/A |
| administrativeContact.rawText | Administrative Contact Raw Text | Indicator Attribute | N/A | Registrant Organization: Google LLC [...] | N/A |
| technicalContact.organization | Technical Contact Organization | Indicator Attribute | N/A | Google LLC | N/A |
| technicalContact.state | Technical Contact State | Indicator Attribute | N/A | CA | N/A |
| technicalContact.country | Technical Contact Country | Indicator Attribute | N/A | United States | N/A |
| technicalContact.rawText | Technical Contact Raw Text | Indicator Attribute | N/A | Registrant Organization: Google LLC [...] | N/A |
| nameServers.hostnames[] | FQDN | Related Indicator | N/A | ns2.google.com | N/A |
| nameServers.hostnames[] | FQDN | Related Indicator | N/A | 11.11.11.11 | N/A |
| status | Status | Indicator Attribute | N/A | ClientUpdatedProhibited | N/A |
| parseCode | Parse Code | Indicator Attribute | N/A | 111 | N/A |
| header | Header | Indicator Attribute | N/A | N/A | N/A |
| footer | Footer | Indicator Attribute | N/A | N/A | N/A |
| audit.createDate | Audit Created Date | Indicator Attribute | N/A | 2018-10-23 15:33:41.000 UTC | N/A |
| audit.updatedDate | Audit Updated Date | Indicator Attribute | N/A | 2018-10-23 15:33:41.000 UTC | N/A |
| customField1Name | Custom Field1 Name | Indicator Attribute | N/A | RegistrarContactEmail | N/A |
| customField2Name | Custom Field2 Name | Indicator Attribute | N/A | RegistrarContactEmail | N/A |
| customField3Name | Custom Field3 Name | Indicator Attribute | N/A | RegistrarContactEmail | N/A |
| customField1Value | Custom Field1 Value | Indicator Attribute | N/A | busecmplaints@markmonitor.com | N/A |
| customField2Value | Custom Field2 Value | Indicator Attribute | N/A | busecmplaints@markmonitor.com | N/A |
| customField3Value | Custom Field3 Value | Indicator Attribute | N/A | busecmplaints@markmonitor.com | N/A |
| registrarName | Registrar Name | Indicator Attribute | N/A | MarkMonitor | N/A |
| registrarIANAID | Registrar IANAID | Indicator Attribute | N/A | 292 | N/A |
| whoisServer | Whois Server | Indicator Attribute | N/A | whois.markmonitor.com | N/A |
| createdDateNormalized | Created Date Normalized | Indicator Attribute | N/A | 1997-09-15 04:00:00 UTC | N/A |
| updatedDateNormalized | Updated Date Normalized | Indicator Attribute | N/A | 1997-09-15 04:00:00 UTC | N/A |
| expiresDateNormalized | Expires Date Normalized | Indicator Attribute | N/A | 1997-09-15 04:00:00 UTC | N/A |
| registryData.createdDate | Registry Created Date | Indicator Attribute | N/A | 1997-09-15T04:00:00Z | N/A |
| registryData.expiresDate | Registry Expires Date | Indicator Attribute | N/A | 1997-09-15T04:00:00Z | N/A |
| domainAvailability | Domain Availability | Indicator Attribute | N/A | Unavailable | N/A |
| contactEmail | Contact Email | Indicator Attribute | N/A | aaa@some.com | N/A |
| domainNameExt | Domain Name Ext | Indicator Attribute | N/A | .com | N/A |
| estimatedDomainAge | Estimated Domain Age | Indicator Attribute | N/A | 1212 | N/A |
| ips[] | IP Address | Related Indicator | N/A | 12.12.12.12 | N/A |
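
The following added example (not ThreatQuotient's implementation) shows how the feed data paths in the mapping above resolve against a response, including fields that are missing or redacted, and how the FQDN is percent-encoded before it fills the `{}` in the URL. The `WhoisRecord` wrapper key, the function names and the sample response are assumptions; only a subset of the mapping rows is included.

```python
from urllib.parse import quote

# URL template as given on this page; the API key is configured separately.
URL = "https://whoisxmlapi.com/whoisserver/WhoisService?outputformat=json&domainName={}"

# Subset of the default mapping table: feed data path -> attribute name.
ATTRIBUTES = {
    "createdDate": "Created Date",
    "registrant.organization": "Registrant Organization",
    "registrant.country": "Registrant Country",
    "registrarName": "Registrar Name",
    "estimatedDomainAge": "Estimated Domain Age",
}
# Paths ending in [] yield related indicators of the given type.
RELATED = {"nameServers.hostnames[]": "FQDN", "ips[]": "IP Address"}

def walk(record, path):
    """Follow a dotted path; return [] when a key is missing, null or empty."""
    node = record
    for key in path.replace("[]", "").split("."):
        if not isinstance(node, dict) or node.get(key) in (None, ""):
            return []
        node = node[key]
    return list(node) if isinstance(node, list) else [node]

def map_record(response):
    """Return (attributes, related_indicators) for one parsed JSON response."""
    record = response.get("WhoisRecord", response)  # assumed wrapper key
    attrs = [{"name": name, "value": str(v)}
             for path, name in ATTRIBUTES.items() for v in walk(record, path)]
    related = [{"type": typ, "value": str(v).strip().lower()}
               for path, typ in RELATED.items() for v in walk(record, path)]
    return attrs, related

def build_url(fqdn):
    """Fill the template, percent-encoding the value so it cannot add parameters."""
    return URL.format(quote(fqdn.strip().lower(), safe=""))

# Constructed sample response (not real API output); registrant.country is absent.
SAMPLE = {"WhoisRecord": {
    "createdDate": "1997-09-15T00:00:00-0700", "registrarName": "MarkMonitor",
    "registrant": {"organization": "Google LLC"}, "estimatedDomainAge": 1212,
    "nameServers": {"hostnames": ["NS2.GOOGLE.COM"]}, "ips": ["12.12.12.12"],
}}

if __name__ == "__main__":
    print(build_url("google.com"))
    print(map_record(SAMPLE))
```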

Change Log

  • Version 1.0.0
    • Initial release

PDF Guides

| Document | ThreatQ Version |
|---|---|
| Whois XML API Operation Implementation Guide v1.0.0 | 4.25 or Greater |