Skip to main content

Suspicious Domain Hunting

Download With Dependencies

This pack provides all the necessary tools for the Suspicious Domain Hunting use case. It uses the CertStream integration to ingest new SSL certificates and alert for type-squatting domains with SSL certificate, these alerts are then analyzed and mitigated.

Phishing domains impersonating an organization's brand are a persistent threat that often slip through defenses. Analysts struggle to manually monitor certificate transparency logs and WHOIS registrations to catch phishing domains early.

The Suspicious Domain Hunting pack equips analysts with automation to proactively hunt for phishing domains targeting their organization. CertStream integration ingests newly issued SSL certificates in real-time, while WHOIS data and threat intel feeds are checked for domain registrations using the company brand. Analysts save hours of manual effort and can disrupt phishing campaigns before emails reach users.

This pack includes playbooks that:

  • Ingest and enrich certificate transparency events in real-time.
  • Correlate new SSL certs with WHOIS domain registration data.
  • Check domain reputation against threat intel feeds.
  • Prioritize incidents for high risk domains impersonating the organization.
  • Enable quick suspensions or takedowns of phishing domains.

Analysts also get out-of-the-box incident views and layouts tailored for Suspicious Domain Hunting, enabling efficient workflows to take action on high severity events.

What does this pack do?
  • Monitors certificate transparency logs via CertStream.
  • Ingests and enriches SSL cert events as incidents.
  • Checks domain WHOIS records for matches against organization brand.
  • Correlates SSL data with WHOIS data to identify phishing domains.
  • Queries domain reputation against threat intel feeds.
  • Prioritizes incidents using criticality score if org domain is spoofed.
  • Includes playbooks to automatically suspend domains via registrar.
  • Provides domain hunting views and layout for efficient analyst response.
Additional Information

Leverages the CertStream integration - configure your API key before installation.

Works best with Domain Reputation and Domain Enrichment integrations enabled.

For takedown automation, API access to domain registrar required.

PLATFORMS

Cortex XSOAR

INFO

Supported ByCommunity
CreatedMay 5, 2024
Last ReleaseNovember 7, 2024
Hunting
WORKS WITH THE FOLLOWING INTEGRATIONS:

DISCLAIMER
Content packs are licensed by the Publisher identified above and subject to the Publisher’s own licensing terms. Palo Alto Networks is not liable for and does not warrant or support any content pack produced by a third-party Publisher, whether or not such packs are designated as “Palo Alto Networks-certified” or otherwise. For more information, see the Marketplace documentation.