DomainTools App for Splunk and Splunk ES
Overview
Details
Customers who deploy the app in Splunk benefit from:
+ Increased visibility to events associated with risky domain names
+ Precisely targeted threat hunting activities
+ Rich domain data pre-populated in Splunk lookups and indexes
+ Proactive Monitoring of malicious domains leveraging PhishEye API
+ Leverage Tagged Domains from DNS Investigations from DomainTools Iris platform
+ Surface Notable Events in Splunk ES with DomainTools Risk Score
The DomainTools App for Splunk is powered by the DomainTools Risk Score, a proprietary scoring algorithm that finds malicious domain names before they can be weaponized. The technology is based on machine learning algorithms applied to DomainTools' unparalleled coverage of domain name features and infrastructure characteristics.
The app also includes Threat Hunting Dashboard to gain quick situational awareness of the risk presented by domain names on your network and helps guide teams to effectively leverage DomainTools data in their SOC workflows.
Download the DomainTools App for Splunk 3.4 User Guide.
We hope to relase major enhancements in upcoming release. Please email your feedback to splunk@domaintools.com
- The current version of DomainTools App vetted for Splunk Cloud is 3.4.2. If recent releases of our App do not show support for Splunk Cloud, you can request cloud vetting to be performed on the app by creating a support ticket with Splunk Support and Services. Once the app passes cloud vetting, it can be installed on your Splunk Cloud instance. As a Splunk customer, only you can request cloud vetting for our apps.
Release Notes for version 3.4.2
- 3.4.x continues to remain in Beta, since its launch at .Conf 19. Please email your feedback to splunk@domaintools.com for any issues with this version.-
This release is a patch to 3.4 and addresses some of the issues discovered since 3.4 release. We also added Splunk recommendations to make 3.4 Splunk Cloud compatible.
Following are some of the key changes introduced in this patch release:
- Implement Splunk best practices for Splunk Cloud compatibility
- Append macro definition for 'Dangerous Domain' in DomainTools Threat Investigation dashboard
- Replace Scripted Inputs with Saved Searches for Cloud compatibility
- Decommissioned Brand Monitor functionality from the App (replaced by DomainTools PhishEye)
If you are using the 3.4 version, an upgrade to 3.4.2 is highly recommended.
Release Notes for DomainTools App for Splunk 3.4
3.4 is the latest release for DomainTools users leveraging Splunk and Splunk ES.
There are multiple key features introduced in this release of the App:
- Tag Management using DomainTools Iris Tags:
- Domain Monitoring inside Splunk
- Enterprise Security Capabilities and Enterprise Security Dashboards
- Enrichment Explorer for Domain Enrichment data
In addition to the above new features, existing capabilties from previous versions of the app has also been retained. Notable mentions are:
- Threat Management Dashboard
- Adhoc Domain Profile Lookup inside Splunk
Lastly, the app improves upon its previous versions in optimizing API perfomance in leveraging the latest DomainTools Iris Enrich API. We also addressed numerous bugs and issues reported by our customers.
Release Notes for version 3.3.392
3.3.392 was released to address issues in Splunk Cloud environemnts wrt limited search head functionalities in prior versions. The hotfix addresses the following changes:
- Enables domain profile in Splunk Cloud environment
- disables top 1 million sites download & filter
The 3.3.39 version of DomainTools TA for Splunk contains performance enhancements that will benefit new users of the app.
Existing users of the DomainTools TA may also benefit from these fixes, especially if they are experiencing specific problems addressed in this build. However, we encourage users who are upgrading to first contact us to understand the changes and anticipate the impact on an existing deployment.
- New default domain name search optimized for performance, using the CIM and data model acceleration (DMA). Customers who are not yet using the CIM and DMA will need to customize the search for their environment. More details are available in the DomainTools TA Deployment Guide.
- Renamed "base_search" macro to "dt_base_search" to avoid naming collisions. Existing customers who use the base_search macro in their own custom searches will need to change their searches to use the new macro.
- Used more descriptive names for the scheduled searches to more clearly communicate their function, and ensured that only the necessary jobs were enabled.
- Performed dode cleanup and minor refactoring to ensure compliance with the latest Splunk AppInspect guidelines.
- Adjusted permissions on multiple objects to allow non-admin users to utilize more functionality in the app.
- Populating the Whois index is now optional as the job is not enabled by default. We recommend enabling the DomainTools Enterprise - Whois Index Populator" or "DomainTools Iris - Whois Index Populator" to enable historical searches for malicious domain names beyond the cache period of the lookups (by default, 30 days). Consult the DomainTools TA Deployment Guide for more details.
Release Notes
Version 3.4.2
Check *Details Page* for additional information.
3.4.x is the latest release and currently in Beta.
#Release Notes for version 3.4.2
This release is a patch to 3.4 and addresses some of the issues discovered since 3.4 release. We also added Splunk recommendations to make 3.4 Splunk Cloud compatible.
Following are some of the key changes introduced in this patch release:
- Implement Splunk best practices for Splunk Cloud compatibility
- Append macro definition for 'Dangerous Domain' in DomainTools Threat Investigation dashboard
- Replace Scripted Inputs with Saved Searches for Cloud compatibility
- Fix for missing tag field
- Decommissioned Brand Monitor functionality from the App (replaced by DomainTools PhishEye)
If you are using the 3.4 version, an upgrade to 3.4.2 is highly recommended.
Version 3.3.392
This is a Splunk Cloud only hotfix released for issues around limited search head functionalities. This version should not be used for other environments. The hotfix addresses the following:
1. Enables domain profile in Splunk Cloud environment
2. disables top 1 million sites download & filter