
DomainTools App for Splunk (Legacy)

Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
The DomainTools App for Splunk provides direct access within Splunk to DomainTools' industry-leading threat intelligence data on domain names, the individuals who control them, and the infrastructure that supports them.

++ We have a new DomainTools App supporting Splunk 8.x environments and built on the latest SDK. Please see the 'Details' tab to access the new app ++

Customers who deploy the app in Splunk benefit from:
+ Increased visibility into events associated with risky domain names
+ Precisely targeted threat hunting activities
+ Rich domain data pre-populated in Splunk lookups and indexes
+ Proactive monitoring of malicious domains leveraging the PhishEye API
+ Leveraging tagged domains from DNS investigations in the DomainTools Iris platform
+ Surfacing notable events in Splunk ES with the DomainTools Risk Score

The DomainTools App for Splunk is powered by the DomainTools Risk Score, a proprietary scoring algorithm that finds malicious domain names before they can be weaponized. The technology is based on machine learning algorithms applied to DomainTools' unparalleled coverage of domain name features and infrastructure characteristics.

The app also includes a Threat Hunting Dashboard that gives quick situational awareness of the risk presented by domain names on your network and helps guide teams to effectively leverage DomainTools data in their SOC workflows.

We have a new DomainTools App supporting Splunk 8.x environments and built on the latest SDK. While we will continue to support this older version of the app, subsequent features will only be available in the new app. Please write to us at enterprisesupport@domaintools.com if you need assistance with the new app.

Download User Guides:

- DomainTools App for Splunk 3.5 User Guide
- DomainTools App for Splunk 3.4 User Guide

For Splunk Cloud Customers

  • The current version of DomainTools App vetted for Splunk Cloud is 3.4.3. If recent releases of our App do not show support for Splunk Cloud, you can request cloud vetting to be performed on the app by creating a support ticket with Splunk Support and Services. Once the app passes cloud vetting, it can be installed on your Splunk Cloud instance. As a Splunk customer, only you can request cloud vetting for our apps.

Release Notes for version 3.5 (latest)

DomainTools App for Splunk 3.5 is the General Availability (GA) release for 3.4.x Beta versions of our app.

Fixed:

  • Fixes memory leak issues with an unconfigured/dormant app
  • Retrieves correct PhishEye API keys in environments with conflicting third-party apps
  • Accurate domain count inside the Threat Map in the Threat Intelligence Dashboard
  • Correctly counts the Total Events KPI in the Threat Intelligence dashboard
  • Eliminates duplicate PhishEye API calls

Changes:

  • Alexa 1M filtering has been deprecated; the capability has been removed from the App Settings page
  • The Brand Monitor UI feature has been deprecated; the underlying code components have been removed from the app

We expect 3.5 to be the final major release supporting Splunk 7.x environments.

DomainTools App for Splunk 3.5 REQUIRES access to one of the below API sets:
- Iris Package - Iris Enrich & PhishEye APIs (Complete App functionality)
- Risk Score API (Limited App functionality)
- Reputation Score API (Limited App functionality)

Release Notes for version 3.4.3

This release is a patch to 3.4.x and addresses some of the issues discovered since the 3.4 release.

The release addresses the following issues:
- Allow Non-Iris-API customers to perform ad-hoc lookups
- Brings in new tags from Iris for observed domains
- Resolves ES dashboard REST API error noticed on indexer clusters
- ES dashboard to display only DomainTools notable events

If you are using the 3.4 or 3.4.2 version, an upgrade to 3.4.3 is highly recommended. If you are in Splunk Cloud, kindly read instructions above "For Splunk Cloud Customers" to upgrade to this version.

Release Notes for version 3.4.2

This release is a patch to 3.4 and addresses some of the issues discovered since the 3.4 release. We also applied Splunk's recommendations to make 3.4 Splunk Cloud compatible.

The following are some of the key changes introduced in this patch release:
- Implement Splunk best practices for Splunk Cloud compatibility
- Append macro definition for 'Dangerous Domain' in DomainTools Threat Investigation dashboard
- Replace Scripted Inputs with Saved Searches for Cloud compatibility
- Decommissioned Brand Monitor functionality from the App (replaced by DomainTools PhishEye)

Release Notes for DomainTools App for Splunk 3.4

There are multiple key features introduced in this release of the App:

  • Tag Management using DomainTools Iris Tags
  • Domain Monitoring inside Splunk
  • Enterprise Security Capabilities and Enterprise Security Dashboards
  • Enrichment Explorer for Domain Enrichment data

In addition to the above new features, existing capabilities from previous versions of the app have also been retained. Notable mentions are:

  • Threat Management Dashboard
  • Adhoc Domain Profile Lookup inside Splunk

Lastly, the app improves upon its previous versions by optimizing API performance through the latest DomainTools Iris Enrich API. We also addressed numerous bugs and issues reported by our customers.

Release Notes for version 3.3.392

3.3.392 was released to address issues in Splunk Cloud environments with respect to the limited search head functionality in prior versions. The hotfix addresses the following changes:

  1. Enables domain profile in Splunk Cloud environments
  2. Disables the top 1 million sites download and filter

The 3.3.39 version of DomainTools TA for Splunk contains performance enhancements that will benefit new users of the app.

Existing users of the DomainTools TA may also benefit from these fixes, especially if they are experiencing specific problems addressed in this build. However, we encourage users who are upgrading to first contact us to understand the changes and anticipate the impact on an existing deployment.

  1. New default domain name search optimized for performance, using the CIM and data model acceleration (DMA). Customers who are not yet using the CIM and DMA will need to customize the search for their environment. More details are available in the DomainTools TA Deployment Guide.
  2. Renamed "base_search" macro to "dt_base_search" to avoid naming collisions. Existing customers who use the base_search macro in their own custom searches will need to change their searches to use the new macro.
  3. Used more descriptive names for the scheduled searches to more clearly communicate their function, and ensured that only the necessary jobs were enabled.
  4. Performed code cleanup and minor refactoring to ensure compliance with the latest Splunk AppInspect guidelines.
  5. Adjusted permissions on multiple objects to allow non-admin users to utilize more functionality in the app.
  6. Populating the Whois index is now optional, as the job is not enabled by default. We recommend enabling the "DomainTools Enterprise - Whois Index Populator" or "DomainTools Iris - Whois Index Populator" job to enable historical searches for malicious domain names beyond the cache period of the lookups (by default, 30 days). Consult the DomainTools TA Deployment Guide for more details.

Release Notes

Version 3.5.0
Aug. 17, 2020

DomainTools App for Splunk 3.5 is the General Availability (GA) release for 3.4.x Beta versions of our app. We expect 3.5 to be the final major release supporting Splunk 7.x environments.


DomainTools App for Splunk 3.5 will continue to support the below APIs:
- Iris Enrich API
- PhishEye API
- Risk Score API **
- Reputation Score API **

** limited functionality within the app, as in prior versions

Version 3.4.3
Dec. 10, 2019


3.4.3 is considered a Beta release
