One of our goals is to provide data to “color your logs” (or “augment” them, as vendors may say). I have been experimenting with various ways to get simplified access to “domain age” data for a while now. This means not just data about new domains but how old a particular domain is. It may be an interesting parameter to add when investigating.
To make it easier to retrieve this data, we now have two new API functions, and I may finally document them properly at https://isc.sans.edu/api (where you will find all the other random data we make available). I have been playing with this for a while and may have posted about it, but now it is as ready as it will be for a while.
Lookups are simple:
curl --user-agent 'this is Dr. J' 'https://isc.sans.edu/api/domainage/sans.org?json'
Just replace “sans.org” with the domain you are interested in.
For domains “first seen” on a particular date, try:
curl --user-agent 'this is Dr. J' 'https://isc.sans.edu/api/recentdomains/2022-06-01?json'
If you omit the date, the last date (“today”) is returned. This only works for dates up to one month back.
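As an added example (not code from the diary or from isc.sans.edu), the following script performs the domainage lookup with a descriptive user agent, paces requests at one per second, and turns the “firstseen” date into an age-in-days field plus a “young domain” flag that can be attached to a log record. The JSON field names and the overall response shape are assumptions; check isc.sans.edu/api for the real schema.

```python
# Added example (not from the ISC diary): enrich a log record with domain age
# from the isc.sans.edu domainage endpoint. Assumption: the JSON body is an
# object carrying "firstseen" as YYYY-MM-DD (verify against isc.sans.edu/api).
import json, time, urllib.request
from datetime import date
from typing import Optional

API_BASE = "https://isc.sans.edu/api"
USER_AGENT = "domain-age-enricher/0.1 (contact: secops@example.invalid)"  # placeholder contact

def build_request(domain: str) -> urllib.request.Request:
    """GET request for one domain, JSON output, custom User-Agent."""
    url = f"{API_BASE}/domainage/{domain}?json"
    return urllib.request.Request(url, headers={"User-Agent": USER_AGENT})

def lookup(domain: str) -> str:
    """Live call; sleeps one second afterwards to respect the 1 req/s guidance."""
    with urllib.request.urlopen(build_request(domain), timeout=10) as resp:
        body = resp.read().decode("utf-8")
    time.sleep(1)
    return body

def parse_firstseen(body: str) -> Optional[str]:
    """Return the 'firstseen' date string (YYYY-MM-DD) or None if absent."""
    data = json.loads(body)
    value = data.get("firstseen") if isinstance(data, dict) else None
    return str(value)[:10] if value else None

def domain_age_days(body: str, as_of: Optional[str] = None) -> Optional[int]:
    """Days between firstseen and as_of (ISO date, default today); None if unknown."""
    first = parse_firstseen(body)
    if first is None:
        return None
    today = date.fromisoformat(as_of) if as_of else date.today()
    return (today - date.fromisoformat(first)).days

def enrich(record: dict, body: str, as_of: Optional[str] = None, young_days: int = 30) -> dict:
    """Copy of the log record with domain_age_days and a 'young domain' flag."""
    age = domain_age_days(body, as_of)
    out = dict(record)
    out["domain_age_days"] = age
    out["domain_is_young"] = age is not None and age < young_days
    return out

# Constructed sample response (not real API output) so the script runs offline.
SAMPLE_BODY = '{"domain": "example.test", "firstseen": "2022-06-01", "type": "constructed"}'

if __name__ == "__main__":
    print(enrich({"host": "example.test"}, SAMPLE_BODY, as_of="2022-06-20"))
```

Replace `SAMPLE_BODY` with the result of `lookup(domain)` to run it against the live API.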
- Where does the data come from?
Multiple sources. Some domains we discover by seeing them in our web/ssh/firewall log data. Some comes from registrars, some from certificate transparency logs. Some of the old domain data comes from “whois” lookups.
- How “good” is the “firstseen” date?
We call it “firstseen” for a reason. This is the first time we have seen the domain. It may be older. Sometimes this is based on whois data, but not always.
- What is the rate limit / SLA for this API?
Right now, we do not have a strict rate limit. But this is meant for occasional, not bulk, lookups. One lookup a second, maybe a thousand or so a day, should be good. We do not do API keys or authentication. But please add some information to the user agent that allows us to reach out in case of a problem. Some default user agents may get blocked, so customize your user agent (we at least want to get rid of requests that are too lazy to alter their user agent).
- Are there any restrictions on usage?
Do not resell. Other than that, you are OK to use it. Please attribute. Our standard “creative commons” license applies if you are interested in details. Please ask us if you have questions.
- What is the data quality?
That is what I want you to tell me. See errors/omissions? Let us know. The data is provided “as-is” (but you will get back the money that you didn’t pay if something is wrong).
- What is the “type” about?
Treat it as a “comment,” but it is still being developed.
- What output formats do you support?
RTFM at isc.sans.edu/api
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.