Experimental New Domain / Domain Age API
One of our goals is to provide data to "color your logs" (or "Augment" them, as vendors may say). I have been experimenting with various ways to get simplified access to "domain age" data for a while now. This means not just data about new domains but how old a particular domain is. It may be an interesting parameter to add to when investigating.
To make it easier to retrieve this data, we now have two new API functions, and I may finally document them properly at https://isc.sans.edu/api (where you will find all the other random data we make available). I have been playing with this for a while and may have posted about it, but now it is as ready as it will be for a while.
Lookups are simple:
curl --user-agent 'this is Dr. J' 'https://isc.sans.edu/api/domainage/sans.org?json'
Just replace "sans.org" with the domain you are interested in.
For domains "first seen" on a particular date, try:
curl --user-agent 'this is Dr. J' 'https://isc.sans.edu/api/recentdomains/2022-06-01?json'
if you omit the date, the last date ("today") is returned. This only works for dates one month back.
Quick FAQ:
- Where does the data come from?
Multiple sources. Some domains we discover by seeing them in our web/ssh/firewall log data. Some comes from registrars, some from certificate transparency logs. Some of the old domain data comes from "whois" lookups. - How "good" is the "firstseen" date?
We call it "firstseen" for a reason. This is the first time we have seen the domain. It may be older. Sometimes this is based on whois data, but not always. - What is the rate limit / SLA for this API:
Right now, we do not have a strict rate limit. But this is meant for occasional, not bulk, lookup. One lookup a second, maybe a thousand or so a day, should be good. We do not do API keys or authentication. But please add some information to the user agent that allows us to reach out in case of a problem. Some default user agents may get blocked, so customize your user agent (we want to get at least rid of requests that are too lazy to alter their user agent) - Are there any restrictions on usage?
Do not resell. Other than that, you are OK to use it. Please attribute. Our standard "creative commons" license applies if you are interested in details. Please ask us if you have questions. - What is the data quality?
That is what I want you to tell me? See errors/omissions? Let us know. The data is provided "as-is" (but you will get the money back that you didn't pay if something is wrong) - What is the "type" about?
Treat it as a "comment," but it is still being developed. - What output formats do you support
RTFM at isc.sans.edu/api
---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|
Comments
www
Nov 17th 2022
6 months ago
EEW
Nov 17th 2022
6 months ago
qwq
Nov 17th 2022
6 months ago
mashood
Nov 17th 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Nov 23rd 2022
6 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
isc.sans.edu
Dec 3rd 2022
5 months ago
<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.
<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission
isc.sans.edu
Dec 26th 2022
5 months ago
isc.sans.edu
Dec 26th 2022
5 months ago