Package Documentation

Storm Package: synapse-domainiq

The following Commands are available from this package. This documentation is generated for version 4.1.1 of the package.

Storm Commands

This package implements the following Storm Commands.

domainiq.limits

Print the current DomainIQ query limits.

Usage: domainiq.limits [options]

Options:

  --help                      : Display the command usage.

domainiq.rlookup

Perform a reverse lookup via DomainIQ.

This command takes nodes as input and performs any applicable reverse lookups
via DomainIQ depending on their type. Lookup types available are:

    IP: Performed on inet:ipv4 nodes.
    Email: Performed on inet:email and inet:whois:email nodes.
    Mailserver: Performed on inet:dns:mx and inet:fqdn nodes.
    Nameserver: Performed on inet:dns:ns, inet:whois:recns, and inet:fqdn nodes.

Results from reverse lookup queries will be used to create inet:dns:a,
inet:dns:mx, inet:dns:ns, or inet:whois:email nodes.

Examples:

    // Perform an email reverse lookup on an inet:email node.
    inet:email=<address> | domainiq.rlookup

    // Perform a nameserver reverse lookup on an inet:dns:ns node.
    inet:dns:ns=(foo.com, f1g1ns1.dnspod.net) | domainiq.rlookup

    // Perform a mailserver reverse lookup on an inet:dns:mx node and limit to
    // 10 results.
    inet:dns:mx=(foo.com, msgin.t.facebook.com) | domainiq.rlookup --size 10

    // Perform an IP reverse lookup on an inet:ipv4 node.
    inet:ipv4=172.217.8.206 | domainiq.rlookup


Usage: domainiq.rlookup [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)

domainiq.setup.apikey

Manage the DomainIQ API key.

Examples:

    // Set a global DomainIQ API key
    domainiq.setup.apikey abcd1234

    // Set a DomainIQ API key for the current user
    domainiq.setup.apikey --self abcd1234

    // Display the API key scope of the current key
    domainiq.setup.apikey --show-scope

    // Display the current API key.
    domainiq.setup.apikey --show-apikey

    // Remove the current global API key.
    domainiq.setup.apikey --remove

    // Remove the per-user API key for the current user.
    domainiq.setup.apikey --self --remove


Usage: domainiq.setup.apikey [options] [apikey]

Options:

  --help                      : Display the command usage.
  --self                      : Set or remove the key as a user variable. If not used, the key is set globally.
  --show-scope                : Display the API key scope in use (global vs self).
  --show-apikey               : Display the API key value (requires admin perms or a "self" scope key).
  --remove                    : Remove the configured API key. May be used with --self.

Arguments:

  [apikey]                    : The API key string.

domainiq.whois

Query DomainIQ for WHOIS information on a domain.

This command takes inet:fqdn nodes as input and queries the DomainIQ API for
current WHOIS information. Results of the query are used to create inet:whois:rec,
inet:whois:recns, inet:whois:email, and inet:whois:contact nodes.

By default the full WHOIS record will be retrieved from DomainIQ. Using the
--abbv option will instead pull the abbreviated record which will not create
any inet:whois:contact nodes.

Examples:

    // Gather WHOIS data about an FQDN.
    inet:fqdn=vertex.link | domainiq.whois

    // Gather WHOIS data about an FQDN using the abbreviated record from DomainIQ.
    inet:fqdn=google.com | domainiq.whois --abbv


Usage: domainiq.whois [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --abbv                      : Retrieve the abbreviated WHOIS record instead of the full record. No inet:whois:contact nodes are created.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)
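The following pipeline is an added example and is not part of the package's own documentation. It chains domainiq.whois and domainiq.rlookup to pivot from one domain to every other domain registered with the same WHOIS email, which is the typical use of the two commands together. It assumes a DomainIQ API key has already been configured with domainiq.setup.apikey and that the seed domain's current WHOIS record exposes a registrant email; a privacy-protected record produces no inet:whois:email nodes, so the pipeline then yields nothing. The seed domain vertex.link and the --size value are arbitrary choices for the example.

```storm
// Pull the current WHOIS record for the seed domain. --yield passes the
// newly created nodes down the pipeline instead of the input inet:fqdn, so
// keep only the inet:whois:email nodes (inet:whois:rec, inet:whois:recns
// and inet:whois:contact nodes are filtered out).
inet:fqdn=vertex.link | domainiq.whois --yield | +inet:whois:email

// Reverse-lookup each registrant email via DomainIQ. The email lookup
// creates inet:whois:email (fqdn, email) pairs for the other domains
// registered with that address; --size caps ingestion per input node so
// a widely reused email does not exhaust the query limits reported by
// domainiq.limits.
| domainiq.rlookup --size 50 --yield | +inet:whois:email

// Pivot from the (fqdn, email) pair to the domain itself, drop the seed
// domain, and deduplicate domains reached through more than one email.
| :fqdn -> inet:fqdn | -inet:fqdn=vertex.link | uniq
```

Because --yield only passes the newly created nodes, re-running this pipeline on a Cortex that already holds the WHOIS data will not re-emit them; in that case start from the existing nodes, for example `inet:fqdn=vertex.link -> inet:whois:email`, rather than from the command output. Add `--asof now` to either command when the cached result (up to 30 days old by default) may be stale, at the cost of an extra API query per node.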

domainiq.whoishist

Query DomainIQ for historical WHOIS information on a domain.

This command takes inet:fqdn nodes as input and queries the DomainIQ API for
historical WHOIS information. Results of the query are used to create inet:whois:rec,
inet:whois:recns, inet:whois:email, and inet:whois:contact nodes for each historical
record returned.

Note: This endpoint requires additional permission from DomainIQ to access.

Examples:

    // Gather historical WHOIS data about a domain.
    inet:fqdn=vertex.link | domainiq.whoishist

    // Gather historical WHOIS data about a domain, limited to 10 results.
    inet:fqdn=google.com | domainiq.whoishist --size 10


Usage: domainiq.whoishist [options]

Options:

  --help                      : Display the command usage.
  --debug                     : Show verbose debug output.
  --size <size>               : Limit the number of results ingested to the given size (per-node).
  --yield                     : Yield the newly created nodes.
  --asof <asof>               : Specify the maximum age for a cached result. To disable caching, use --asof now. (default: -30days)

Storm Modules

This package does not export any Storm APIs.