IBM Security QRadar SOAR

  • 1.  RDAP Query

    Posted Fri October 09, 2020 02:04 PM
    Hi,

    We are trying to run an RDAP query to get RDAP data (e.g. nameservers, registrar information, abuse contact email, authoritative servers) for a DNS name, IP address or URL.


    What we would like to see is something like this: https://www.openrdap.org/demo?cmd=rdap+-v+google.com or what you get if you look up google.com on https://lookup.icann.org/lookup.

    But what we get with the "RDAP: Query" function is completely different. It uses the ipwhois library to get the data (you can see an example at https://ipwhois.readthedocs.io/en/latest/RDAP.html); the JSON fields do not correspond to the ones on the openrdap or lookup.icann site, and even the fields with similar names contain different data compared to the websites, so this is probably not the function we should be using.

    Is there any way to get the information we can see on the openrdap or lookup.icann webpages?

    Thank you for any help in advance.



    ------------------------------
    Viktoria Laposi
    ------------------------------


  • 2.  RE: RDAP Query

    IBM Champion
    Posted Wed October 14, 2020 11:43 AM
    This might help you out: https://www.openrdap.org/api

    It looks really simple to do, basically a simple function could do a GET for the information, and then return the payload as JSON to the post-processor for doing whatever you wanted with it (build a table, populate fields, etc, etc).

    If you're newer to building functions, these should help you out:

    https://developer.ibm.com/security/resilient/start/
    https://www.ibm.com/support/knowledgecenter/SSBRUQ_38.0.0/doc/app_dev/write_func_processor.html
    https://www.geeksforgeeks.org/get-post-requests-using-python/
    https://realpython.com/python-requests/
    https://pynative.com/parse-json-response-using-python-requests-library/

    ------------------------------
    Jared Fagel
    Cyber Security Analyst I
    Public Utility
    ------------------------------
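As an added example (not code from either post or from the QRadar SOAR "RDAP: Query" function): once a custom function has fetched the JSON from an RDAP server, the post-processor still has to pull the analyst-facing fields out of the standard RDAP object shape (RFC 9083), where nameservers are a list of `ldhName` entries and the registrar and abuse contacts are `entities` with `roles` and jCard `vcardArray` data, the abuse contact usually nested under the registrar. The `SAMPLE_RDAP` document below is constructed for offline use; `summarize_rdap` would normally be fed `requests.get(url).json()`.

```python
from typing import Any, Dict, Iterator, List, Optional

# Constructed sample RDAP domain object in the RFC 9083 shape; not real registry data.
SAMPLE_RDAP: Dict[str, Any] = {
    "objectClassName": "domain", "ldhName": "EXAMPLE.COM",
    "status": ["client transfer prohibited"],
    "nameservers": [{"objectClassName": "nameserver", "ldhName": "NS1.EXAMPLE.NET"},
                    {"objectClassName": "nameserver", "ldhName": "NS2.EXAMPLE.NET"}],
    "entities": [{
        "objectClassName": "entity", "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar, Inc."]]],
        # Abuse contacts are usually nested under the registrar entity.
        "entities": [{"roles": ["abuse"],
                      "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                                               ["email", {}, "text", "abuse@registrar.example"]]]}],
    }],
}

def _vcard_field(entity: Dict[str, Any], name: str) -> Optional[str]:
    """Return the first jCard property value named `name` ('fn', 'email', ...), if present."""
    vcard = entity.get("vcardArray") or []
    for prop in (vcard[1] if len(vcard) > 1 else []):
        if prop and prop[0] == name:
            return prop[3]  # jCard property: [name, params, type, value]
    return None

def _walk_entities(entities: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield every entity, recursing into nested entities (where abuse contacts usually sit)."""
    for ent in entities:
        yield ent
        yield from _walk_entities(ent.get("entities", []))

def summarize_rdap(doc: Dict[str, Any]) -> Dict[str, Any]:
    """Flatten an RDAP domain object into the fields an analyst usually wants.
    `doc` is the parsed JSON from an RDAP server, e.g. requests.get(url).json()."""
    summary: Dict[str, Any] = {
        "domain": doc.get("ldhName"),
        "status": list(doc.get("status", [])),
        "nameservers": [ns.get("ldhName") for ns in doc.get("nameservers", [])],
        "registrar": None, "abuse_email": None,
    }
    for ent in _walk_entities(doc.get("entities", [])):
        roles = ent.get("roles", [])
        if "registrar" in roles and summary["registrar"] is None:
            summary["registrar"] = _vcard_field(ent, "fn")
        if "abuse" in roles and summary["abuse_email"] is None:
            summary["abuse_email"] = _vcard_field(ent, "email")
    return summary
```

Fields that a particular registry does not publish (for example a redacted abuse email) come back as `None` rather than raising, so the post-processor can populate incident fields unconditionally.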