Tines is a platform for automating information security activities without code. Automated structures are implemented using blocks and relationships between them, allowing you to build complex chains of events, transitions, and notifications.
Netlas is integrated into Tines, with all search tools and features. In this article, I’ll show you how to use Netlas’ searches while creating mechanisms for Tines.
To use Tines, you need to go through a quick registration. You can log in using emails sent to your address, which is quite simple, so I won’t go into detail.
Much more important for using Netlas modules is to understand how to find them and how to enter the API key. To do this, you need to create a workspace (in Tines they are called “stories”) and pay attention to the Templates tab in the panel on the left.
After opening this tab, search for “Netlas” and you will be shown the tools integrated into Tines.
A little later I will describe them in more detail, but now I propose to see how and where you need to enter your API key in order to use these transformations.
To do this, take one of the modules — for example, Domain Search. Let’s add it to the workspace.
By clicking on the added element, you will see the action menu and the settings panel. At the moment, we are interested in the second object, in particular the “Headers” and “URL” fields. It is there that you need to add the API key and the request of interest to us.
There are two ways to fill in these fields. You can enter the required data manually, something like this:
In response to such a request, we will receive the following result
However, this option is rather inconvenient. If the mechanism you have built is large enough, setting API keys for each of the objects individually can take a lot of time, and manually setting up their requests destroys the whole point of automation. It will be much easier to use the objects of Tines itself and centralize the input of both queries and keys.
For this, we need an Event Transform. Let’s add one to our workspace.
Next, the Event needs to be configured. In this case, it should work in the “message_only” mode and send the API key as a message, which we will enter into it. You can also change its name to better understand what this particular Event is responsible for.
By the same principle, we will set up the second Event Transform, this time to create a request. Finally, let’s combine them and our Domain Search into one mechanism and configure Domain Search to take the key and the domain from the Events.
Now our transformation will receive an API key and a domain for searching using other objects.
In the previous paragraph, I promised to tell you which Netlas tools were integrated into Tines.
- Domain Search. Obtaining all information about a domain: its DNS records, associated domains, geolocation, subnet, and ASN where it is located;
- IP Search. Obtaining all information about the IP address: related domains, geolocation, subnet and ASN, ports used, registrar organization;
- Certificate Search. Information about certificates. Lifespan, registrar, associated domains;
- Response Search. HTTP/HTTPS response data. Headers and content of sites, services used on them, IP addresses, potential CVEs;
- Domain Whois Search. Information from the Whois database. Owning organization of the domain, its contacts, and registration address;
- IP Whois Search. Information from the Whois database. Subnet and ASN, geolocation. Owning organization, its contacts, and registration address.
You can learn more about these tools by testing them on Netlas.io. Now I will show how you can ensure the interaction of your objects.
You have already seen how the relationship between two Events and one Domain Information was framed. All other objects can be connected in the same way. As an example, let’s make a small mechanism that checks whether a site is on third-party web hosting or whether it is hosted on a dedicated server. As a rule, in the case of shared web hosting, many domains will point to one IP address. So we need to make a DNS search by A record.
Let’s start creating the schema.
The first item will be the already familiar Event Transforms. One of them is for entering the API key, the second is for the domain we are interested in.
Next, we need an object that will return information about the domain. This is the already mentioned Domain Information. So far, nothing new is happening, but the next two parts of our simple mechanism are already more interesting.
We need to add another Event Transform, this time implementing a delay. Due to Netlas restrictions, users cannot access the API more than once per second, and the delay takes care of that. The next object will be a slightly modified Response Information. The Event setup is of no particular interest: you just need to select the “delay” mode of operation and set a one-second delay. Response Information is somewhat more complicated.
Let’s start with the URL that the object accesses, which needs to be changed. By default, Response Information points to “https://app.netlas.io/api/responses/”. We do not need it, and instead we will enter the address “https://app.netlas.io/api/domains_count/”. This endpoint returns the number of domains that match a query.
Next, we need to make a request that will be sent to the Netlas API. Since we want to know the number of domains whose A record matches the one under investigation, the query will look like “a:x.x.x.x”, where x.x.x.x is the first A record obtained as a result of the previously added Domain Information. To do this, you must use the following payload: “a:get_domain_information_in_netlas_io.body.dns.a”. By the way, this is how you can get data from related mechanisms in Tines :)
To complete our mechanism, it remains to add only three details. The first is a Trigger, which, based on the received number of domains, will make a choice: report on shared hosting or not. The other two are Send Emails.
The final “story” will look like this:
Let’s test the resulting mechanism. Take two domains as experimental objects: “target.com” and “netlas.io”. After they were entered in turn in the domainName Event, two notifications came in the mail: that netlas.io is located on a virtual host, and target.com is not.
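The same chain (first A record, one-second delay, `domains_count` query, Trigger decision) written out as a script. This is an added example, not code from the article, Tines, or Netlas; the `q` parameter, the `X-API-Key` header, the `count` response field, and the threshold of 10 are assumptions, and the sample IPs and counts are constructed.

```python
import json
import time
import urllib.parse
import urllib.request

COUNT_URL = "https://app.netlas.io/api/domains_count/"  # endpoint named in the article
MIN_INTERVAL = 1.0     # article: no more than one API call per second
SHARED_THRESHOLD = 10  # assumption: the article does not state the Trigger's cut-off

class Throttle:
    """Sleeps as needed so consecutive calls are at least `interval` seconds apart."""
    def __init__(self, interval=MIN_INTERVAL, clock=time.monotonic, sleep=time.sleep):
        self.interval, self.clock, self.sleep = interval, clock, sleep
        self.last = None

    def wait(self):
        now = self.clock()
        if self.last is not None and now - self.last < self.interval:
            self.sleep(self.interval - (now - self.last))
        self.last = self.clock()

def build_query(a_records):
    """Build the 'a:x.x.x.x' query from the first A record of the domain lookup."""
    if not a_records:
        raise ValueError("domain has no A record; nothing to count")
    return "a:" + a_records[0]

def netlas_count(query, api_key):
    """Live HTTP call; 'q', 'X-API-Key' and the 'count' field are assumptions."""
    url = COUNT_URL + "?" + urllib.parse.urlencode({"q": query})
    req = urllib.request.Request(url, headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return int(json.load(resp)["count"])

def classify(a_records, count_fn, throttle):
    """Return (query, count, verdict) for one domain's A records."""
    query = build_query(a_records)
    throttle.wait()  # plays the role of the "delay" Event Transform
    count = count_fn(query)
    verdict = "shared" if count > SHARED_THRESHOLD else "dedicated"
    return query, count, verdict

if __name__ == "__main__":
    stub = {"a:192.0.2.10": 250, "a:192.0.2.20": 1}.get  # constructed counts, no network
    shared_throttle = Throttle()  # one instance shared by every Netlas call
    for ips in (["192.0.2.10"], ["192.0.2.20"]):
        print(classify(ips, stub, shared_throttle))
```

To query the live API, pass `lambda q: netlas_count(q, api_key)` as `count_fn` and call `wait()` on the same `Throttle` before the domain lookup as well.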
In this article, I showed you how to use Netlas’ integrated Tines features, including a small practical example. Of course, the possibilities of this platform are much more extensive than what is written here. For example, you can link several “stories”, and forward letters from one to another, pulling input data from them. Tines is a handy tool that will allow you to build complex mechanisms with minimal programming skills.
As usual, I wish you success in your work!