Initial Domaintools Integration #12140

Open. Wants to merge 5 commits into base: main

Conversation

wesleya commented Dec 17, 2024

Initial integration for DomainTools Newly Observed Domains feed.

Please explain:

  • WHAT: Initial datastream, ingest pipeline, fields for DomainTools Newly Observed Domains feed.
  • WHY: First DomainTools feed integration

Checklist

  • I have reviewed tips for building integrations and this pull request is aligned with them.
  • I have verified that all data streams collect metrics or logs.
  • I have added an entry to my package's changelog.yml file.
  • I have verified that Kibana version constraints are current according to guidelines.
  • I have verified that any added dashboard complies with Kibana's Dashboard good practices

Author's Checklist

  • Newly Observed Domains feed

How to test this PR locally

Install and configure DomainTools integration. Search for feed results: data_stream.dataset: "domaintools.nod_feed"


cla-checker-service bot commented Dec 17, 2024

💚 CLA has been signed

@andrewkroh andrewkroh added needs CLA User must sign the Elastic Contributor License before review. New Integration Issue or pull request for creating a new integration package. labels Dec 17, 2024
wesleya (Author) commented Dec 17, 2024

Hi @andrewkroh I went ahead and signed the CLA, thank you!

@andrewkroh andrewkroh removed the needs CLA User must sign the Elastic Contributor License before review. label Dec 17, 2024
wesleya (Author) commented Dec 19, 2024

Hi @andrewkroh apologies if I'm missing something obvious here, first time going through this process. Was there anything else you needed from me to get this PR approved and merged? Thank you for the guidance!

andrewkroh (Member) left a comment

I took a quick (non-thorough) look and left a few comments. I'm asking to find the right internal team to help review this.

The integration kind of sounds like it should be treated as a threat intel integration with naming to match (e.g. ti_domaintools). Is that the general use case for this data?

This will need system and pipeline testing.


### Newly Observed Domains (NOD) Feed

The `nod_feed` data stream provides events from [DomainTools Newly Observed Domains Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).
Member commented:
Can you link to the API docs too? I'm thinking of something like: This data is collected via the [Foo API](https://example.com).

It's important info to have the reference info available for maintaining the integration and troubleshooting. (and for reviewing this PR)

Member commented:

I think this should be converted to the CEL input. We aim to use it for all new development.

Per the http json input docs:

If you are starting development of a new custom HTTP API input, we recommend that you use the Common Expression Language input which provides greater flexibility and an improved developer experience.
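Added example (not from this PR): the shape the `nod_feed` stream's CEL input template (`agent/stream/cel.yml.hbs`) could take once it is converted from httpjson. Everything about the DomainTools endpoint itself is an assumption here, because the PR does not yet link the API docs: the full feed URL handed in through `{{url}}`, key-based auth passed as `api_username`/`api_key` query parameters, and a newline-delimited JSON body with one record per line. The CEL input config keys (`config_version`, `interval`, `resource.url`, `state`, `redact`, `program`) and the `request(...).do_request()` pattern are the input's real ones.

```yaml
config_version: 2
interval: {{interval}}
resource.url: {{url}}
{{#if resource_ssl}}
resource.ssl:
  {{resource_ssl}}
{{/if}}
state:
  api_username: {{api_username}}
  api_key: {{api_key}}
redact:
  fields:
    - api_username
    - api_key
program: |
  // Assumption: the feed accepts key-based auth as query parameters and
  // answers with newline-delimited JSON. Neither is documented on this PR;
  // confirm both against the vendor's API reference before relying on them.
  request(
    "GET",
    state.url + "?api_username=" + state.api_username + "&api_key=" + state.api_key
  ).do_request().as(resp,
    resp.StatusCode == 200
    ? {
        // Hand each raw line to the ingest pipeline as `message`; the
        // pipeline does the JSON decoding and the ECS mapping.
        "events": string(resp.Body).split("\n").filter(l, l != "").map(l, {"message": l}),
        "want_more": false,
      }
    : {
        // Surface HTTP failures as an error event instead of dropping them.
        "events": [{
          "error": {
            "code": string(resp.StatusCode),
            "message": "GET " + state.url + ": " + string(resp.Body),
          },
        }],
        "want_more": false,
      }
  )
```

Two caveats for a real version. Credentials in a query string end up in proxy and web-server logs; `redact.fields` only keeps them out of the Agent's own state dumps, so if the vendor offers a header-based scheme, pass it with `.with({"Header": {...}})` instead. And this pulls the whole feed every interval; an incremental pull would keep a cursor (for example the last `timestamp` seen) under `cursor`, read it back as `state.cursor` on the next run, and pass it to whatever paging parameter the API exposes, which again needs the API docs asked for above.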

```yaml
- name: timestamp
  type: keyword
  description: >
    The feed.
```
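Review bot: `timestamp` is declared `type: keyword`, which makes the value unusable for date range queries and as the data stream's `@timestamp`; declare it as `type: date` and have the ingest pipeline copy it into `@timestamp`. The description `The feed.` should also say what instant the value represents, which is the open question in this review.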
Member commented:
What does this timestamp represent? It is the time when the domain was registered? Or first observed through passive DNS means?

```yaml
- name: domain
  type: keyword
  description: >
    The Domain.
```
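Review bot: the description `The Domain.` gives no indication of scope; once the review question on eTLDs is answered, state it here (registrable domain only, or any observed hostname), and consider mapping the value to an ECS threat field such as `threat.indicator.url.domain` in addition to the package-local `domain`, since the review suggests treating this as a threat-intel integration.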
Member commented:

Are these going to be eTLDs only or any domain observed anywhere?
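For the two review questions above (what `timestamp` means, and whether `domain` is always a registrable domain), here is the shape an ingest pipeline for this data stream could take. This is an added example, not the PR's own pipeline. It assumes each record arrives as raw JSON in `message` with exactly the two fields shown in the fields file (`timestamp`, `domain`), treats `timestamp` as the time DomainTools first observed the domain (the reading the reviewer is asking the author to confirm), and uses Elasticsearch's `registered_domain` processor so the eTLD+1 split is computed at ingest no matter what the feed emits. The ECS `threat.indicator.*` target follows the suggestion above to treat this as a threat-intel (`ti_`) integration.

```yaml
---
description: Added example pipeline for DomainTools NOD feed records (not the PR's own pipeline)
processors:
  - set:
      field: ecs.version
      value: '8.11.0'
  - rename:
      field: message
      target_field: event.original
      ignore_missing: true
      if: ctx.event?.original == null
  # Assumption: one record per event, as raw JSON in `message`, e.g.
  # {"timestamp": "2024-12-17T10:15:00Z", "domain": "mail.example-new-site.com"}
  - json:
      field: event.original
      target_field: domaintools.nod_feed
  # `timestamp` is read here as the first-observed time. That is an assumption
  # until the review question is answered; if it is the registration time,
  # threat.indicator.first_seen is the wrong target and a custom field fits better.
  - date:
      field: domaintools.nod_feed.timestamp
      target_field: '@timestamp'
      formats:
        - ISO8601
        - UNIX
      if: ctx.domaintools?.nod_feed?.timestamp != null
      on_failure:
        - append:
            field: error.message
            value: 'Processor {{{_ingest.on_failure_processor_type}}} in pipeline {{{_ingest.on_failure_pipeline}}} failed: {{{_ingest.on_failure_message}}}'
  - set:
      field: threat.indicator.first_seen
      copy_from: '@timestamp'
      ignore_empty_value: true
      if: ctx.domaintools?.nod_feed?.timestamp != null
  - set:
      field: threat.indicator.type
      value: domain-name
  - set:
      field: threat.indicator.url.domain
      copy_from: domaintools.nod_feed.domain
      ignore_empty_value: true
  # Whatever the feed emits (eTLD+1 or a full hostname), this splits it so the
  # registrable domain is its own queryable field. For mail.example-new-site.com
  # it writes registered_domain=example-new-site.com, subdomain=mail,
  # top_level_domain=com under threat.indicator.url.
  - registered_domain:
      field: threat.indicator.url.domain
      target_field: threat.indicator.url
      ignore_missing: true
  - set:
      field: event.kind
      value: enrichment
  - set:
      field: event.category
      value: [threat]
  - set:
      field: event.type
      value: [indicator]
on_failure:
  - set:
      field: event.kind
      value: pipeline_error
  - append:
      field: error.message
      value: '{{{ _ingest.on_failure_message }}}'
```

A pipeline test for this would drop a few constructed feed lines into `_dev/test/pipeline/` and check that `@timestamp`, `threat.indicator.url.registered_domain` and `threat.indicator.type` come out as expected; a record whose `domain` is already a bare eTLD+1 should produce no `subdomain`, which is a cheap way to see empirically which of the two scopes the feed actually uses.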


The `nod_feed` data stream provides events from [DomainTools Newly Observed Domains Feed](https://www.domaintools.com/products/threat-intelligence-feeds/).

**Exported fields**
Member commented:

This field table and the sample event should be generated from a template that is placed in the _build/ dir (see other integrations as an example).

wesleya (Author) commented Dec 20, 2024

Hi @andrewkroh,

Thank you for the review! Your comments make perfect sense. We've just started our company holiday, so we'll be able to address the feedback and submit an update early next year.

Happy holidays to you as well!

Labels: New Integration (Issue or pull request for creating a new integration package.)

2 participants