icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Certificate Transparency Log add-on for Splunk
SHA256 checksum (certificate-transparency-log-add-on-for-splunk_131.tgz) 7855ee29b0b9b56be7d696dd3d16c125a6d3817dec273c089bffd68d5ec52742 SHA256 checksum (certificate-transparency-log-add-on-for-splunk_130.tgz) bb21da65a8983d849efef49a42ea72e7df88d3d0a61b47af8f74828fd699e0a5 SHA256 checksum (certificate-transparency-log-add-on-for-splunk_121.tgz) 8624c86c277896779bccdb52ecb4819439445155b38082cadcae6920f6bad385 SHA256 checksum (certificate-transparency-log-add-on-for-splunk_120.tgz) 656f638f45c09a9af09a276b65d55468bc7865355faab0e2ee9059910e85be67
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

splunk

Certificate Transparency Log add-on for Splunk

Splunk Cloud
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
This add-on for Splunk can be used to monitor certificate transparency logs.
For example to watch certificates issued for your domains or malicious look-a-likes.

It outputs the certificate logs as CIM compliant events in Splunk. This allows you to create an alert in Splunk or Splunk Enterprise Security that fires when a certificate gets issued for your-domain-suspicious-fishing-domain dot tld.

Certificate Transparency Log Monitor for Splunk

This add-on for Splunk can be used to monitor certificate transparency logs.
For example to watch certificates issued for your domains or malicious look-a-likes.

It outputs the certificate logs as CIM compliant events in Splunk. This allows you to create an alert in Splunk or Splunk Enterprise Security that fires when a certificate gets issued for your-domain-suspicious-fishing-domain dot tld.

Supported Splunk versions and platforms

Splunk version Linux Windows
6.3 Yes Yes
6.4 Yes Yes
6.5 Yes Yes
6.6 Yes Yes
7.0 Yes Yes
7.1 Yes Yes

Additional requirements:

  • Splunk heavy forwarder instance: Splunk Universal Forwarder is not supported due to Python dependencies
  • KVstore: used to keep track of the most recently seen ct log entry

Install the TA-ct-log add-on for Splunk

Single instance Splunk deployments

  1. In Splunk, click on "Manage Apps"
  2. Click "Browse more apps", search for "TA-ct-log" and install the add-on

Distributed Splunk deployments

Instance type Supported Required Description
Heavy Forwarder Yes Yes Install this add-on on a heavy forwarder to get Certificate Transparency Logs into Splunk
Search head Yes Yes Install this add-on on your search head(s) where CIM compliance of CT Logs is required
Indexer Yes No There is no need to install this add-on on an indexer. This add-on should be installed on a heavy forwarder that does the index time parsing.
Universal Forwarder No No This add-on is not supported on a Universal Forwarder because it requires Python

The following table lists support for distributed deployment roles in a Splunk deployment:

Deployment role Supported Description
Search head deployer Yes Install this add-on on your search head deployer to enable CIM compliance of CT Logs in a Search Head Cluster
Cluster Master No There is no need to install this add-on on a Cluster Master. This add-on should be installed on a heavy forwarder that performs parsing at index time.
Deployment Server Depends This add-on can be (1) deployed unconfigured to a client or (2) deployed preconfigured.

Configure TA-ct-log add-on for Splunk

  1. Go to the Input tab of the Certificate Transparency add-on for Splunk
  2. Click "Create new Input"
  3. Configure:
    • Name: e.g. argon2018
    • Interval: how often to poll the certificate log for new entries
    • Index: what Splunk index to send the certificate log events to
    • Certificate Log URL: the base url of the log e.g. "ct.googleapis.com/logs/argon2018/", without https:// and without the API endpoint) for more urls see https://www.gstatic.com/ct/log_list/all_logs_list.json

Events in Splunk

The add-on extracts these certificate fields and maps them to the corresponding fields in the CIM Certificate datamodel.

  • Subject (DN)
  • Issuer (DN)
  • Public key bit size
  • Public key type
  • Certificate serial
  • Certificate validity
  • Certificate signature algorithm
  • Certificate version
  • Log metadata: LogEntryType (0=x509, 1=precert) and Timestamp

In Splunk this looks like:

Input overview

Current RFC6962 compliance

Chapter 5.3 of the RFC specifies a number of steps that a monitor should implement.
Currently only steps 5 and 7 are partially implemented, and the current status can be summarized as: "It gets logs. Period."

Step Implemented? Description
1 n Fetch the current STH
2 n Verify the STH signature
3 n Fetch all the entries in the tree corresponding to the STH
4 n Confirm that the tree made from the fetched entries produces the same hash as that in the STH
5 Y Fetch the current STH (Section 4.3). Repeat until the STH changes
6 n Verify the STH signature
7 Y Fetch all the new entries in the tree corresponding to the STH (Section 4.6). If they remain unavailable for an extended period, then this should be viewed as misbehavior on the part of the log.

Because the current implementation lacks signature verification, it cannot be used to monitor the append-only character of the certificate transparency log Feel free to submit a Pull Request, or wait for future releases to implement these verification features.

Supported data structures

Data structure Implemented? Log endpoint Description
MerkleTreeLeaf Y /ct/v1/get-entries The structure containing TimestampedEntries
TimestampedEntry Y /ct/v1/get-entries The structure containing x509_entry or precert_entry
x509_entry Y /ct/v1/get-entries Certificates entries
precert_entry n /ct/v1/get-entries Pre-certificate entries
TreeHeadSignature n /ct/v1/get-sth

Support

This is an open source project without warranty of any kind. No support is provided. However, a public repository and issue tracker are available at https://github.com/jorritfolmer/TA-ct-log

Third party software credits

The following software components are used in this add-on:

  1. Splunk Add-on Builder version 2.2.0 by Splunk and the third-party software it uses
  2. asn1crypto version 0.24.0 by Will Bond

CHANGELOG

1.2.1

  • Fixed exception when parsing Windows-1252 encoded certificate fields
  • Fixed exception when parsing asn1 of huge paypal phishing subjectaltnam

1.2.0

  • Added x509 extension subjectAltName decoding
  • Added tags for CIM Certificate datamodel

1.1.0

  • Added CIM compliant fields
  • Added Log status dashboard
  • Improved performance by not checkpointing every entry index in KVstore

1.0.1

  • Fixed timestamp issue in props.conf
  • Added leaf index field to facilitate gap detection
  • Added more documentation

1.0.0

Initial release with support for x509_entries

Release Notes

Version 1.3.1
Nov. 26, 2020
  • Added support for Splunk 8.1 by cowardly using Py2 mode and aborting quest to get cryptography dependency working on Py3
Version 1.3.0
Dec. 28, 2019

Added support for Splunk 8.x and Python 3.x

Version 1.2.1
May 24, 2018
  • Fixed exception when parsing Windows-1252 encoded certificate fields
  • Fixed exception when parsing asn1 of huge paypal phishing subjectaltname
Version 1.2.0
May 11, 2018
  • Added x509 extension subjectAltName decoding
  • Added tags for CIM Certificate datamodel
  • Added CIM compliant fields
  • Added Log status dashboard
  • Improved performance by not checkpointing every entry index in KVstore
  • Fixed timestamp issue in props.conf
  • Added leaf index field to facilitate gap detection
  • Added more documentation
116
Installs
767
Downloads
Share Subscribe LOGIN TO DOWNLOAD

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.