This add-on for Splunk can be used to monitor certificate transparency logs.
For example to watch certificates issued for your domains or malicious look-a-likes.
It outputs the certificate logs as CIM compliant events in Splunk. This allows you to create an alert in Splunk or Splunk Enterprise Security that fires when a certificate gets issued for your-domain-suspicious-fishing-domain dot tld.
|Heavy Forwarder||Yes||Yes||Install this add-on on a heavy forwarder to get Certificate Transparency Logs into Splunk|
|Search head||Yes||Yes||Install this add-on on your search head(s) where CIM compliance of CT Logs is required|
|Indexer||Yes||No||There is no need to install this add-on on an indexer. This add-on should be installed on a heavy forwarder that does the index time parsing.|
|Universal Forwarder||No||No||This add-on is not supported on a Universal Forwarder because it requires Python|
The following table lists support for distributed deployment roles in a Splunk deployment:
|Search head deployer||Yes||Install this add-on on your search head deployer to enable CIM compliance of CT Logs in a Search Head Cluster|
|Cluster Master||No||There is no need to install this add-on on a Cluster Master. This add-on should be installed on a heavy forwarder that performs parsing at index time.|
|Deployment Server||Depends||This add-on can be (1) deployed unconfigured to a client or (2) deployed preconfigured.|
The add-on extracts these certificate fields and maps them to the corresponding fields in the CIM Certificate datamodel.
In Splunk this looks like:
Chapter 5.3 of the RFC specifies a number of steps that a monitor should implement.
Currently only steps 5 and 7 are partially implemented, and the current status can be summarized as: "It gets logs. Period."
|1||n||Fetch the current STH|
|2||n||Verify the STH signature|
|3||n||Fetch all the entries in the tree corresponding to the STH|
|4||n||Confirm that the tree made from the fetched entries produces the same hash as that in the STH|
|5||Y||Fetch the current STH (Section 4.3). Repeat until the STH changes|
|6||n||Verify the STH signature|
|7||Y||Fetch all the new entries in the tree corresponding to the STH (Section 4.6). If they remain unavailable for an extended period, then this should be viewed as misbehavior on the part of the log.|
Because the current implementation lacks signature verification, it cannot be used to monitor the append-only character of the certificate transparency log Feel free to submit a Pull Request, or wait for future releases to implement these verification features.
|Data structure||Implemented?||Log endpoint||Description|
|MerkleTreeLeaf||Y||/ct/v1/get-entries||The structure containing TimestampedEntries|
|TimestampedEntry||Y||/ct/v1/get-entries||The structure containing x509_entry or precert_entry|
This is an open source project without warranty of any kind. No support is provided. However, a public repository and issue tracker are available at https://github.com/jorritfolmer/TA-ct-log
The following software components are used in this add-on:
Initial release with support for x509_entries
Added support for Splunk 8.x and Python 3.x
As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.