WhoisXML API Integrated Into Query To Enrich Federated Search

WhoisXML API offers context for domain history.

Integrating WhoisXML API with Query will allow analysts to include the following data in their search:

• Query fetches WHOIS information during domain searches. Query enriches the domain searches with OSINT context coming from WhoisXML API data.
• Query fetches Geo-location information for public IP searches. Query enriches IP searches with public geolocation & ASN details. The geolocation data aids in pinpointing threat origins, while ASN insights optimize network security. Both streamline operational efficiency and enable informed business decisions based on traffic origins.

Query’s connection to WhoisXML API can be easily enabled just by adding your API key in Query’s WhoisXML API connection configuration. See out integration documentation here.

The integration is based on these two WhoisXML APIs:

• WHOIS API (see  https://whois.whoisxmlapi.com)
• IP Geolocation API (see https://ip-geolocation.whoisxmlapi.com)

In the context of any security investigation the analyst is performing, Query leverages the domain search API when any federated search is performed for Domain (URL), Email Address, or IP. For Email Address, the search is performed for the relevant MX servers. In all cases, the data returned provides the WHOIS record for the hosting IP or domain. The results also contain the IP Address of the searched domain, or in the case of an IP search, the domains associated with that IP address.

Query normalizes the results into its OCSF based QDM (Query Data Model) which extracts and maps the data into Domain_info object and Threat Intel object.

Analysts can get key attributes of interest during an investigation, such as:

• Domain name
• Registrar information
• Registered date
• Expiration date
• Domain’s reputation
• WhoisXML API analysis results from

For IPs, the analysts can see:

• ASN
• Owner
• ISP
• Geo-location

Depending on the other integrations in your Query instance, analysts can find:

• Which devices communicated with the above public IP or domain.
• Who are the users on these devices and what is their role.
• Additional alerts correlated with the user or the device, such as based upon email, web, or file activity.
• Relevant follow up searches to get vulnerability or malware information associated with related entities like files, processes, and applications on that device.