Using DomainTools and Microsoft Security Copilot to Enhance Domain Intelligence

DNS-based attacks can be complex, often involving hundreds of data points that make up malicious infrastructure. This can require cybersecurity teams to spend significant amounts of time collecting and analyzing this data, resulting in slower reporting and decision-making.

How Copilot & DomainTools Enhance Threat Detection

To further our mission of helping our customers stay ahead of emerging threats, DomainTools is proud to announce its integration with Microsoft Security Copilot. The integration delivers fast, AI-powered retrieval of domain intelligence to enhance security investigations and incident response workflows.

Automated Domain Lookups with Copilot Prompts

Analysts can seamlessly retrieve DomainTools data by creating Security Copilot prompts, enabling them to make instantaneous decisions based on context and view domain information in a user-friendly format. 

This integration will directly support threat intelligence and incident response efforts. Immediate answers and quick decision-making are important in both areas, and Copilot’s ability to automate and summarize domain insights will both reduce analysts’ mean time to respond and increase their confidence when making decisions on domain indicators. 

Enriching Threat Data with Reputation Scores & Passive DNS Data Fields  

Copilot can return domain and IP address data featured in the Iris product suite, including passive DNS records, Whois/RDAP details, and the DomainTools Risk Score.  DomainTools Risk Score predicts how likely a domain is to be malicious, often before it is operationalized. This can reduce the window of vulnerability between the time a malicious domain is registered and when it is leveraged by bad actors as part of an attack. The Risk Score of a domain provides critical context, and with Copilot you can receive this context immediately through the power of automated information gathering. 

Copilot Integration with DomainTools

In practice, the integration of Copilot with DomainTools offers the following key benefits:

  • Domain query and normalization using Copilot-provided fields
  • Data enrichment and insights including reputation scores, ownership details, and DNS records
  • Concise, user-friendly summaries of domain intelligence directly within Copilot 

Let’s take a look at these capabilities in detail, beginning with how analysts can develop Copilot prompts to query DomainTools data.

Prompt Development

Below is an example of a basic domain lookup:

Retrieve domain intelligence for example[.]com. Provide reputation score, Whois details, and DNS records. 

From this simple query, you can expect an output similar to this:

Reputation Score: High risk (95/100)

Whois Details: Registered to [Owner Name], [Registrar]

DNS Records: [A, MX, NS records] 

Drilling down on Whois details will return output like this:

[Image: WHOIS record for a domain, showing registrar MarkMonitor Inc., registrant organization Google LLC, an abuse-complaint email address, the domain status, and the registration and expiration dates, as returned through DomainTools and Microsoft Security Copilot.]

Copilot can also retrieve more advanced threat intelligence powered by DomainTools data. For example, analysts could ask for threat indicators related to a domain, including passive DNS data, subdomains, and history of malicious activity. The expected output would return something like this:

Threat Reputation: Previously linked to phishing campaigns

Passive DNS Data: Resolves to [IP Address], seen in over 20 threat reports

Subdomains: badactor[.]com, badwebsite[.]com 

From there, analysts can create additional queries to adopt a proactive security posture. The image below demonstrates how Copilot can be used to support threat hunting based on the returned indicators:

[Image: a list of five structured threat-hunting queries suggested by Microsoft Security Copilot, each with checkboxes to guide the creation of KQL queries covering domain, pivotable element, hash, IPv4, and URL indicators where they exist.]

For historical analysis, investigators can perform Whois lookups for domains of interest. If an analyst asked Copilot to retrieve historical Whois records for badactor[.]com in order to view ownership changes over time, they might receive the following output:

Current Whois: Registered to “PrivacyGuard LLC”

Previous Whois: Previously owned by “CyberCorp Inc.”

Change Date: Ownership changed on 2023-07-15

These prompts are not limited to domain names; analysts can also perform IP address lookups to find associated domains, reputation scores, and more. Though simple, these prompts return significant insights, as shown below:

Prompt: List domains associated with the IP address 192.168.1.1 and provide reputation insights.

Expected Output: 

Associated Domains: example[.]com, malicious-site[.]net

Reputation Score: example[.]com (Safe), malicious-site[.]net (High Risk) 
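As an added illustration of the Prompt Development section above (this is not code from DomainTools or Microsoft, and the summary format it parses is a constructed stand-in for the integration's real output), the Python below shows the handling an analyst would want around prompts and outputs like these: refanging indicators such as example[.]com before they are queried, flagging non-routable addresses such as 192.168.1.1, for which passive DNS and reputation lookups cannot return anything meaningful, and converting a "Key: Value" summary into a structured record with a score-based triage decision. The field names, the score thresholds and the sample summary are assumptions made for the example.

```python
"""Added example, not code from DomainTools or Microsoft: normalise defanged
indicators from an analyst prompt and turn a Copilot-style summary into a
structured triage record.  The summary format, the field names and the
score thresholds below are constructed assumptions for illustration."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Accepts a hostname made of DNS labels (1-63 chars, no leading/trailing
# hyphen) ending in an alphabetic TLD; total length capped at 253.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Matches the "(95/100)" part of "Reputation Score: High risk (95/100)".
SCORE_RE = re.compile(r"\((\d{1,3})/100\)")


def refang(indicator: str) -> str:
    """Undo common defanging: example[.]com -> example.com, hxxp:// -> http://."""
    s = indicator.strip().lower()
    for token in ("[.]", "(.)", "[dot]", "{.}"):
        s = s.replace(token, ".")
    return re.sub(r"^hxxp", "http", s)


def classify_indicator(indicator: str) -> Tuple[str, str, str]:
    """Return (kind, normalised value, caveat); kind is 'ip', 'domain' or 'unknown'.

    Non-routable addresses (RFC 1918, loopback, link-local, reserved) get a
    caveat because passive DNS and reputation data say nothing useful about them."""
    value = refang(indicator)
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        addr = None
    if addr is not None:
        if not addr.is_global:
            return ("ip", value, "non-routable address; lookup results will not be meaningful")
        return ("ip", value, "")
    if DOMAIN_RE.match(value):
        return ("domain", value, "")
    return ("unknown", value, "not a domain name or IP address")


def parse_summary(text: str) -> Dict[str, str]:
    """Parse 'Key: Value' lines into a dict keyed by snake_case field name."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        fields[key.strip().lower().replace(" ", "_")] = value.strip()
    return fields


def split_indicators(value: str) -> List[str]:
    """'example[.]com, malicious-site[.]net' -> refanged list of domains."""
    return [refang(part) for part in value.split(",") if part.strip()]


def risk_score(summary: Dict[str, str]) -> Optional[int]:
    """Extract the numeric 0-100 score from the reputation line, if present."""
    match = SCORE_RE.search(summary.get("reputation_score", ""))
    return int(match.group(1)) if match else None


def triage(summary: Dict[str, str], block_at: int = 70, review_at: int = 40) -> str:
    """Map the score to an action.  Thresholds are assumptions, not DomainTools
    guidance; a summary with no numeric score always goes to an analyst."""
    score = risk_score(summary)
    if score is None:
        return "review"
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "review"
    return "allow"


# Constructed sample mirroring the shape of the expected output shown above.
SAMPLE_SUMMARY = """\
Reputation Score: High risk (95/100)
Whois Details: Registered to [Owner Name], [Registrar]
DNS Records: [A, MX, NS records]
"""

if __name__ == "__main__":
    for raw in ("example[.]com", "192.168.1.1", "8.8.8.8", "not an indicator"):
        print(raw, "->", classify_indicator(raw))
    summary = parse_summary(SAMPLE_SUMMARY)
    print(summary["reputation_score"], "->", triage(summary))
    print(split_indicators("example[.]com, malicious-site[.]net"))
```

The caveat returned for 192.168.1.1 is the check worth keeping: a private address pasted into a prompt yields an empty or misleading answer, so it is better to catch it before the lookup than to interpret the absence of associations as a clean result. A summary with no numeric score is routed to "review" rather than "allow" for the same reason: missing data is not evidence of safety.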

Conclusion

We at DomainTools strongly believe that the integration of our data with Copilot will further our mission of making the Internet a safer place. To get started, visit the Microsoft Azure Marketplace for more details on plans, pricing, and how DomainTools can be used within various Microsoft products. Please note that general availability for this integration is coming soon. 

For more information on how DomainTools integrates with other security vendors, visit https://domaintools.com/integrations/

News Source: Anthony Johnson
