Initial Domaintools Integration #12140
base: main
Conversation
💚 CLA has been signed

Hi @andrewkroh I went ahead and signed the CLA, thank you!

Hi @andrewkroh apologies if I'm missing something obvious here, first time going through this process. Was there anything else you needed from me to get this PR approved and merged? Thank you for the guidance!
I took quick (non-thorough) look and left a few comments. I'm asking to find the right internal team to help review this.
The integration kind of sounds like it should be treated as a threat intel integration with naming to match (e.g. ti_domaintools). Is that the general use case for this data?
This will need system and pipeline testing.
### Newly Observed Domains (NOD) Feed

The `nod_feed` data stream provides events from [DomainTools Newly Observed Domains Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).
Can you link to the API docs too. I'm thinking of something like, This data is collected via the [Foo API](https://example.com).
It's important info to have the reference info available for maintaining the integration and troubleshooting. (and for reviewing this PR)
I think this should be converted to the CEL input. We aim to use it for all new development.
Per the http json input docs:
If you are starting development of a new custom HTTP API input, we recommend that you use the Common Expression Language input which provides greater flexibility and an improved developer experience.
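As an added illustration of what the reviewer is asking for, here is the general shape of an agent stream template for the CEL input that polls a JSON feed endpoint and emits one event per returned record. This is example configuration written for this review, not code from the PR and not DomainTools' own; the `{{api_url}}`/`{{api_key}}` policy variables, the `X-Api-Key` header, and the response layout (a JSON array of records with `timestamp` and `domain` keys) are all assumptions and would need to be replaced with what the vendor's API documentation specifies.

```yaml
# Example CEL input stream template (added illustration, not from the PR).
# {{...}} are Handlebars variables that the integration's policy fills in.
config_version: 2
interval: {{interval}}
# Assumed: the feed endpoint is provided as a policy variable.
resource.url: {{api_url}}
resource.timeout: 60s
state:
  # Assumed: the API key is sent as a request header (header name is assumed).
  api_key: {{api_key}}
# Keep the key out of the stored cursor/state and out of logs.
redact:
  fields:
    - api_key
program: |
  (
    // Fetch one page of the feed with the assumed API-key header.
    request("GET", state.url).with({
      "Header": {
        "X-Api-Key": [state.api_key],
        "Accept": ["application/json"],
      },
    }).do_request().as(resp,
      resp.StatusCode == 200 ?
        // Assumed response layout: a JSON array of {"timestamp": ..., "domain": ...}.
        // Each record becomes one event; the ingest pipeline parses "message" later.
        bytes(resp.Body).decode_json().as(body, {
          "events": body.map(r, {"message": r.encode_json()}),
          "url": state.url,
          "api_key": state.api_key,
        })
      :
        // Surface a non-200 response as an error event instead of silently dropping it.
        {
          "events": [{"error": {"message": "feed request failed: " + string(resp.StatusCode)}}],
          "want_more": false,
          "url": state.url,
          "api_key": state.api_key,
        }
    )
  )
```

Returning `url` and `api_key` alongside `events` keeps them in `state` for the next poll; pagination (a `want_more: true` loop over a cursor or next-page token) is where the real feed's API shape has to be confirmed before this can be finished.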
- name: timestamp
  type: keyword
  description: >
    The feed.
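Review bot: the `description` for `timestamp` reads only "The feed.", which does not describe the field; state which instant it records and where it comes from. Also check whether `type: keyword` is intended here, since a timestamp is normally mapped as `date` so it can be range-queried and used for `@timestamp`.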
What does this timestamp represent? It is the time when the domain was registered? Or first observed through passive DNS means?
- name: domain
  type: keyword
  description: >
    The Domain.
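Review bot: `description: The Domain.` is not descriptive; say what value appears here (a registrable domain or any observed hostname, and whether it is normalized, e.g. lowercase or punycode) so that users and the ECS threat-indicator mapping are unambiguous.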
Are these going to be eTLDs only or any domain observed anywhere?
The `nod_feed` data stream provides events from [DomainTools Newly Observed Domains Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).

**Exported fields**
This field table and the sample event should be generated from a template that is placed in the _build/ dir (see other integrations as an example).

Hi @andrewkroh, Thank you for the review! Your comments make perfect sense. We've just started our company holiday, so we'll be able to address the feedback and submit an update early next year. Happy holidays to you as well!
Initial integration for DomainTools Newly Observed Domains feed.

Checklist
- changelog.yml file.

Author's Checklist

How to test this PR locally
Install and configure DomainTools integration. Search for feed results:
data_stream.dataset: "domaintools.nod_feed"