---
title: "Bulk Domain Enrichment"
slug: "bulk-domain-enrichment"
tags: ["Bulk Enrichment", "Domain Analysis", "Risk Score"]
updated: 2025-12-31T16:54:18Z
published: 2025-12-31T16:54:18Z
---

# Bulk Domain Enrichment

Silent Push's Bulk Domain Enrichment feature enables security analysts, threat hunters, and network investigators to process up to 100 domains simultaneously, delivering comprehensive enriched data in a single query.

## Access Bulk Domain Enrichment

From the left navigation menu, select **Advanced Query Builder > Enrichment Queries > Domain – bulk** to work with lists of domains.

This interface supports silent pushes for automated workflows, tabbed views for organized results, and PADNS lookups for additional historical context.

The bulk interface is user-friendly, supporting up to 100 domains for efficient processing. Follow these steps:

1. In the **Domains** field (marked with an asterisk as required), enter one domain per line. The maximum is 100 domains to ensure optimal performance and API limits. For example, enter `example.com`, `suspicious-domain.net`, and `malware-site.org`, each on its own line.
  - (Optional) Click **Explain** next to the field to view the methodology behind risk score calculations, including weighted factors like listing density and age anomalies.
  - (Optional) Check the **Scan Data** box to include raw scanning outputs, such as vulnerability scans or port scans, for more in-depth forensics.
2. Select **Simple Query** for standard enrichment or **Advanced Query** to customize filters (e.g., by date range or score thresholds).
3. Click **Search** to initiate processing. Results are displayed in a tabular or JSON view, with options to sort by risk score or rank.
4. Use **Tab View** for multi-perspective analysis or **Lookup PADNS** to cross-reference passive DNS records.
5. Export the full JSON response for integration with tools like SIEMs or spreadsheets.
6. Generate a shareable API endpoint for automation or team collaboration.
7. Clear inputs for a new batch.

## Save Bulk Queries

1. Configure parameters, including your domain list and options like scan data.
2. Click **Save Query**.
3. Enter a **Name** and **Description**.
4. Click **Save** to store it in the **Saved Queries** menu, accessible for quick reloads.

## Key Enrichment Data for Domains

Bulk Domain Enrichment aggregates rich datasets tailored to domain analysis. For each domain in your list, you'll receive:

| **Data type** | Description |
| --- | --- |
| **Tranco Rank** | Global popularity ranking of the domain, indicating traffic volume and legitimacy. |
| **Dynamic Domain Indicator** | Flags if the domain exhibits behaviors typical of dynamically generated malicious domains (e.g., DGA - Domain Generation Algorithms). |
| **URL Shortener Indicator** | Identifies whether the domain is used as a URL shortener, which can mask phishing or redirect traffic. |
| **Basic Domain Info** | Core details like creation date, registrar, Whois data, and nameservers. |
| **Warning Flags** | Alerts for risks such as open directories, expired SSL certificates, exposed S3 buckets, or other misconfigurations. |
| **IP & ASN Scores** | Associated IP addresses and Autonomous System Numbers (ASNs) with reputational scores. |
| **Listing Scores** | Aggregation of blacklisting across threat feeds to quantify exposure to known malicious activity. |
| **Nameserver Reputation Data** | Evaluation of the domain's nameservers for abuse history or takedown events. |
| **Server Changes** | Timeline of infrastructure shifts, like IP or ASN changes, to detect evasion tactics. |
| **Silent Push Risk Score** | A proprietary composite score assessing overall threat level, factoring in reputation, listings, and behavioral indicators. |

## Sample Output

```json
{
  "status_code": 200,
  "error": null,
  "response": {
    "domains": [
      {
        "domain": "example.com",
        "tranco_rank": 100,
        "dynamic_domain_indicator": false,
        "url_shortener_indicator": false,
        "basic_info": {
          "creation_date": "19950414",
          "registrar": "EXAMPLE REGISTRAR",
          "nameservers": ["ns1.example.com", "ns2.example.com"]
        },
        "warning_flags": {
          "open_directories": false,
          "expired_certificates": false,
          "open_s3_buckets": false
        },
        "ip_asn_scores": [
          {
            "ip": "93.184.216.34",
            "asn": 15133,
            "asn_name": "EDGECAST, US",
            "sp_risk_score": 2
          }
        ],
        "listing_score": 0,
        "nameserver_reputation": 9,
        "server_changes": [
          {
            "change_date": "20230115",
            "type": "IP_UPDATE"
          }
        ],
        "sp_risk_score": 2,
        "sp_risk_score_explain": {
          "decider": "low_listings_and_high_reputation"
        }
      },
      {
        "domain": "suspicious-domain.net",
        "tranco_rank": null,
        "dynamic_domain_indicator": true,
        "url_shortener_indicator": false,
        "basic_info": {
          "creation_date": "20250901",
          "registrar": "SHADY REGISTRAR LTD",
          "nameservers": ["ns.malware.net"]
        },
        "warning_flags": {
          "open_directories": true,
          "expired_certificates": true,
          "open_s3_buckets": false
        },
        "ip_asn_scores": [
          {
            "ip": "192.0.2.1",
            "asn": 12345,
            "asn_name": "RISKY ASN",
            "sp_risk_score": 9
          }
        ],
        "listing_score": 85,
        "nameserver_reputation": 1,
        "server_changes": [],
        "sp_risk_score": 9,
        "sp_risk_score_explain": {
          "decider": "high_listings_and_dynamic_indicator"
        }
      }
    ]
  }
}
```

In a comprehensive response, each entry expands with subfields such as `listing_score_explain` (a breakdown of threat feeds) and `asn_reputation_explain` (takedown history metrics), mirroring the depth seen in single-query outputs.
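One way to post-process the exported JSON from step 5 before loading it into a SIEM or spreadsheet, added here as an example and not Silent Push code: it rejects failed responses, flattens each domain to one row, and records why a domain deserves review. Field names follow the Sample Output above; `RISK_THRESHOLD`, `NEW_DOMAIN_DAYS`, the reason labels, and the function names are assumptions of this example.

```python
import csv
import io
from datetime import date, datetime

RISK_THRESHOLD = 7    # assumption: review cut-off for this example, not a product default
NEW_DOMAIN_DAYS = 90  # assumption: "recently registered" window for this example
FIELDS = ["domain", "sp_risk_score", "listing_score", "age_days", "max_ip_risk", "review", "reasons"]
# Constructed response, trimmed to the fields used below (names follow the Sample Output).
SAMPLE = {"status_code": 200, "error": None, "response": {"domains": [
    {"domain": "example.com", "tranco_rank": 100, "dynamic_domain_indicator": False,
     "basic_info": {"creation_date": "19950414"}, "listing_score": 0, "sp_risk_score": 2,
     "warning_flags": {"open_directories": False, "expired_certificates": False},
     "ip_asn_scores": [{"ip": "93.184.216.34", "asn": 15133, "sp_risk_score": 2}]},
    {"domain": "suspicious-domain.net", "tranco_rank": None, "dynamic_domain_indicator": True,
     "basic_info": {"creation_date": "20250901"}, "listing_score": 85, "sp_risk_score": 9,
     "warning_flags": {"open_directories": True, "expired_certificates": True},
     "ip_asn_scores": [{"ip": "192.0.2.1", "asn": 12345, "sp_risk_score": 9}]}]}}

def flatten(payload, today):
    """Return one flat row per domain, highest risk first; raise on a failed response."""
    if payload.get("status_code") != 200 or payload.get("error"):
        raise ValueError(f"enrichment failed: {payload.get('error')!r}")
    rows = []
    for d in payload["response"]["domains"]:
        created = datetime.strptime(d["basic_info"]["creation_date"], "%Y%m%d").date()
        age_days = (today - created).days
        checks = {**d.get("warning_flags", {}),
                  "dynamic_domain": d.get("dynamic_domain_indicator"),
                  "recently_registered": age_days < NEW_DOMAIN_DAYS,
                  "unranked": d.get("tranco_rank") is None}  # rank is null in the sample
        rows.append({
            "domain": d["domain"], "sp_risk_score": d["sp_risk_score"],
            "listing_score": d.get("listing_score"), "age_days": age_days,
            "max_ip_risk": max((i["sp_risk_score"] for i in d.get("ip_asn_scores", [])), default=None),
            "review": d["sp_risk_score"] >= RISK_THRESHOLD,
            "reasons": ";".join(name for name, hit in checks.items() if hit),
        })
    return sorted(rows, key=lambda r: r["sp_risk_score"], reverse=True)

def to_csv(rows):
    """Serialise rows as CSV for a spreadsheet or a SIEM lookup table."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(flatten(SAMPLE, today=date(2025, 10, 1))))
```

Passing `today` explicitly keeps the age calculation reproducible when the same export is re-processed later.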

## Glossary

- **Domain**: The human-readable name (e.g., example.com) associated with an indicator of compromise (IoC) or network resource, used to identify and access websites or services in threat intelligence analysis.
- **Network**: The IP address or subnet used in typosquatting queries to identify domains mimicking legitimate ones, aiding in the detection of phishing or fraudulent infrastructure.
- **Query**: A DNS request (resource record name, rrname) used to retrieve information about a domain, IP, or other network entity for threat analysis.
- **Listing density**: A metric representing the concentration of blacklisting occurrences across threat feeds for a domain or associated infrastructure, used as a weighted factor in risk scoring to quantify exposure to known malicious patterns.
- **Age anomalies**: Unusual patterns in a domain's registration age or infrastructure longevity, such as extremely short lifespans or sudden age discrepancies, used as weighted factors in risk score calculations to flag potential malicious or evasive behavior.
- **Scan Data**: Host scanning data retrieved through enrichment queries, including details like certificates, open directories, or favicons, used to validate and analyze potential threats.
- **Vulnerability scans**: Real-time assessments of software weaknesses on domain-associated servers, such as outdated protocols or exposed endpoints, optionally included in raw outputs for proactive risk mitigation in bulk analyses.
- **Lookup PADNS**: A feature leveraging passive DNS data to investigate and correlate related threats, such as associated IPs, domains, or other indicators.
- **Tranco Rank**: The ranking of a domain on the Tranco Top 10,000 list, indicating its popularity and potential legitimacy.
- **Whois data**: Publicly available data collected during domain registration or DNS updates, used to analyze domain ownership and history.
- **ASN**: Autonomous System Number, a unique numeric identifier assigned to an Autonomous System (AS) for managing IP address routing within and between networks on the internet.
