
BlueCat DNS Edge Technical Add-on for Splunk

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and their impact on apps and upgrades here.
BlueCat DNS Edge is a cloud-based, client-facing firewall that leverages an organization’s existing DNS data and infrastructure to provide visibility, control, and cyber threat detection capabilities to an organization.

The BlueCat DNS Edge Technical Add-On for Splunk is a modular input that integrates data from the BlueCat DNS Edge API with Splunk. This app allows cybersecurity analysts and DNS administrators to collect, monitor, and alert on policy events from their BlueCat DNS Edge service points. Learn about the companion DNS Edge for Splunk app at https://splunkbase.splunk.com/app/3817/.

OVERVIEW

About the BlueCat DNS Edge Technical Add-on for Splunk

Author: BlueCat
App Version: 1.0
Vendor Products: BlueCat DNS Edge
Has index-time operations: true
Create an index: false
Implements summarization: false

The BlueCat DNS Edge Technical Add-on for Splunk is a modular input that integrates data from the BlueCat DNS Edge API with Splunk. This app allows DNS administrators and security professionals to collect, monitor, and alert on policy events from their BlueCat DNS Edge service points.

Scripts and binaries

bluecat_dns_edge.py - Script for collecting data from BlueCat DNS Edge API.
credential_manager.py - Script for storing and retrieving credentials securely.
responsehandlers.py - Script for cleaning up data collected from BlueCat DNS Edge API for Splunk ingestion.

Release notes

About this release

Version 1.0 of the BlueCat DNS Edge Technical Add-on is compatible with:

  • Splunk Enterprise version 7.0
  • CIM 4.9.1
  • Platforms: Platform independent
  • Vendor Products: BlueCat DNS Edge
  • Lookup file changes: None

New features

BlueCat DNS Edge Technical Add-on for Splunk includes the following new features:

  • Collect data from BlueCat DNS Edge server API.
  • Collect policy events and policy details.

Fixed issues

Version 1.0 of the BlueCat DNS Edge Technical Add-on for Splunk fixes the following issues:

  • N/A initial release

Known issues

Version 1.0 of the BlueCat DNS Edge Technical Add-on for Splunk has the following known issues:

  • N/A initial release

Third-party software attributions

Version 1.0 of the BlueCat DNS Edge Technical Add-on for Splunk incorporates the following third-party software or libraries.

Support and resources

Questions and answers

General Splunk troubleshooting advice can be found on answers.splunk.com.

Support

Please contact edge-splunk@bluecatnetworks.com for support.

INSTALLATION AND CONFIGURATION

Hardware and software requirements

Hardware requirements

BlueCat DNS Edge Technical Add-on for Splunk can be installed on any server that meets the Splunk reference hardware specifications.

Software requirements

BlueCat DNS Edge for Splunk does not require any additional software.

Splunk Enterprise system requirements

Because this app runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.

Download

Download the BlueCat DNS Edge Technical Add-on for Splunk from Splunkbase.

Installation steps

The BlueCat DNS Edge Technical Add-on for Splunk is intended to be deployed on Splunk Search Heads. Data collection is intended to be configured on a Splunk Heavy Forwarder but can be run on any Splunk Enterprise instance (Search Head, Indexer, All-in-one, etc.).

To install and configure this app on your supported platform, follow these steps:

  1. Download the BlueCat DNS Edge Technical Add-on for Splunk from Splunkbase.
  2. Log in to Splunk with an administrator account (default: admin).
  3. Click the "Apps" dropdown in the upper left corner of the screen and select "Manage Apps".
  4. Select "Install app from file", click "Choose file", navigate to the app package downloaded in the previous step, and click "Upload".

Configure BlueCat DNS Edge Technical Add-on for Splunk

  • After successfully installing the app, browse to "Settings" in the upper right corner of the screen, then select "Data Inputs".
  • From the left hand column, select "BlueCat DNS Edge Modular Input".
  • Click the green "New" button in the upper left hand corner.

Configure DNS Query Log Stream collection

  • Name the input (e.g. DNS Query Log Stream).
  • Enter the hostname of the BlueCat DNS Edge Server (e.g. customer.bluec.at) - DO NOT enter "https" or the trailing "/"
  • Select the endpoint "DNS Query Log Stream"
  • Enter the SIEM Credentials provided with your BlueCat DNS Edge account. Note that this API is only accessible with an applicable API access key. For more information, contact your BlueCat representative.
  • Enter an interval in seconds, less than 300 (DNS Query Log Stream data rotates every 5 minutes).
  • Leave the sourcetype bluecat:dns:edge for the default parsing to apply
  • Select "More settings" to change "host" and "index" values.
    • host: generally this should be the host data was collected by (the host this input is configured on). This is the default value.
    • index: the default is "main" but most Splunk users would send this to an index containing related data (e.g. "bluecat" or "dns"). See Splunk docs for more on indexes.
  • Click "Next" to save these settings.
  • A screen with a checkmark will appear indicating your modular input has been created successfully. Click "Start Searching" to begin searching logs in Splunk.
  • If a red bar appears with a warning message, there is an error. Review configurations and try again or see the troubleshooting section below.

Configure Policy Details collection

  • Name the input (e.g. Policy Details).
  • Enter the hostname of the BlueCat DNS Edge Server (e.g. customer.bluec.at) - DO NOT enter "https" or the trailing "/"
  • Select the endpoint "Policy Details"
  • Enter a BlueCat DNS Edge username (e.g. jsmith@acme.com)
  • Enter the corresponding password and confirm
  • Enter an interval in seconds (e.g. 3600). This interval dictates how often policy details are pulled into Splunk and should reflect how often BlueCat DNS Edge policies are likely to change.
  • Leave the sourcetype bluecat:dns:edge for the default parsing to apply
  • Select "More settings" to change "host" and "index" values.
    • host: generally this should be the host data was collected by (the host this input is configured on). This is the default value.
    • index: the default is "main" but most Splunk users would send this to an index containing related data (e.g. "bluecat" or "dns"). See Splunk docs for more on indexes.
  • Click "Next" to save these settings.
  • A screen with a checkmark will appear indicating your modular input has been created successfully. Click "Start Searching" to begin searching logs in Splunk.
  • If a red bar appears with a warning message, there is an error. Review configurations and try again or see the troubleshooting section below.

Additional Configuration Notes

  • Searches for BlueCat DNS Edge data rely on a macro called "get_bluecat_dns_edge_index". By default this macro searches index=main. If you changed the index for your BlueCat data, update this macro with the index name by going to Settings > Advanced Search > Search macros > get_bluecat_dns_edge_index and changing the definition to match the index your data is in (e.g. index=bluecat).
  • These inputs can be modified at any time by visiting Settings > Data Inputs > BlueCat DNS Edge Modular Input.
  • To get started with visualizing this data, install the BlueCat DNS Edge App for Splunk.

Troubleshooting

  • Search Splunk internal logs: index=_internal sourcetype=splunkd log_level!=INFO bluecat_dns_edge.py
  • Verify data collection host has access to BlueCat DNS Edge server on port 443.
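A health-check search for confirming that the modular inputs are actually delivering events, added here as an example and not part of the add-on or the original page. It uses only the macro and sourcetype named above, relies on Splunk's default host and _time fields, and the 600-second staleness threshold is an assumption derived from the 5-minute rotation of the DNS Query Log Stream.

```spl
`get_bluecat_dns_edge_index` sourcetype=bluecat:dns:edge earliest=-24h
| stats count AS events, latest(_time) AS last_event BY host
| eval lag_seconds = now() - last_event
| eval status = if(lag_seconds > 600, "STALE", "OK")
| convert ctime(last_event)
| table host events last_event lag_seconds status
```

An empty result set means no events reached the configured index at all in the last 24 hours, in which case the internal-log search above and the port 443 reachability check are the next steps.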

USER GUIDE

Data types

This app provides the index-time and search-time knowledge for the following types of data from BlueCat DNS Edge:

Data type: BlueCat DNS Edge Policy Events. These are DNS requests made to the BlueCat DNS Edge service point that triggered a policy action (monitor, allow, or block).

Sourcetype: bluecat:dns:edge

These data types support the following Common Information Model data models:

  • Network Resolution (DNS)

Release Notes

Version 1.5.0
Sept. 5, 2019

Version 1.4.2
Nov. 29, 2018

Version 1.4.1
Sept. 28, 2018

Version 1.4.0
Aug. 17, 2018

Version 1.3.0
May 11, 2018

Version 1.2
April 27, 2018

Version 1.1
Jan. 18, 2018

Version 1.0
Dec. 9, 2017
