Reverse Whois is a service that searches for domain names registered by an individual or organization. Given a search term (an organization name, a registrant email address, or a registrant phone number), it returns the list of matching registered domains, both active and historical. When integrated with ServiceNow Security Operations, this domain registration information provides additional enrichment data and insight for security incidents and investigations.
- Enrichment lookups are run on selected observables upon incident creation.
- After the application is configured and observables are added, the workflow launches; the execution and completion status of each Reverse Whois lookup is recorded in the work notes.
- Results are displayed in the Reverse Whois Domains tab under Related Links.
Changed:
- Migrated enrichment workflows to flow designer.
Plugins:
The following plugin for Threat Intelligence must be installed and activated:
- com.snc.threat.intelligence
The following Security Incident Response plugins must be installed and activated:
- com.snc.security_support.common
- com.snc.security_incident
- com.snc.intel_sharing.client
- com.snc.secops.orchestration
Permissions and roles
- Role required: System Admin (admin)
Workflow
The Reverse Whois integration, used together with the Security Operations integration capabilities framework, provides a high-level workflow that is independent of the integration vendor.
Once installed and activated, the Reverse Whois API searches domain records based on search terms you enter, and it returns all records that correspond with those terms.
Components created by the application
Default Reverse Whois lookup workflow:
- Enrich Observable- Reverse Whois
Script includes:
- ReverseWhoisObservableEnrichment
- ReverseWhoisConfiguration
- ReverseWhoisAjax
Table:
- ReverseWhois Domain (sn_sec_whois_rvs_domain)
Application scope:
- sn_sec_whois_rvs
List of REST Messages:
- Reverse WHOIS Lookup