icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading ThreatPipes
SHA256 checksum (threatpipes_013.tgz) 55df3a0f028b39f20f8d5f3c0bcc09c57d4f546a6dfd0eb4a7d474ebaa260c6c SHA256 checksum (threatpipes_012.tgz) 6548da2fff58f106c3edfa261bc3fccef311bd4d0d4cc3c5084b4d65ddbb8705 SHA256 checksum (threatpipes_011.tgz) aa39d6f73949b7252858b54003aadd944858a4a8009d65378a612c2b8c096402
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
Why you should download this app?

Discover where your (or someone else's) network can be compromised.

"The ultimate offensive and defensive security tool for Splunk".

ThreatPipes App for Splunk

Why you should download this app

Discover where your (or someone else's) network can be compromised.

The ultimate offensive and defensive security tool for Splunk.

Download the ThreatPipes App for Splunk on Splunkbase FREE here.

About ThreatPipes

ThreatPipes is a reconnaissance tool that automatically queries 100’s of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.

You simply specify the target you want to investigate, pick which modules to enable and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each other.

DNS, Whois, Web pages, passive DNS, spam blacklists, file meta data, threat intelligence lists as well as services like SHODAN, HaveIBeenPwned? and many others are used to discover intelligence on a target.

By following chains of intelligence, ThreatPipes also uncovers other affiliated targets that have a relationship to your original target. For example, a domain entered in a scan might resolve to SSL certificates, to known malicious domains, to IP addresses, and so on.

The data returned from a ThreatPipes scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities or other sensitive information that can be leveraged during a penetration test, red team exercise, blue team activities, or for threat intelligence.

Teamed with Splunk, you can explore and examine this intelligence gathered by ThreatPipes in ways never before possible.

Download ThreatPipes FREE here: https://www.threatpipes.com.

Quick start guide

1. Install Splunk App

Install this app on a single Splunk instance in the normal way. It should work on distributed deployments too (but we have not tested setup yet).

2. Select how you want to import data

You have two options for this:

  1. Stream events from ThreatPipes to Splunk (requires ThreatPipes license) [read 2a]
  2. Manually import data from ThreatPipes to Splunk [read 2b]

2a. Stream data from ThreatPipes to Splunk (requires ThreatPipes license)

Setup your ThreatPipes instance to stream to Splunk by specifying your Splunk server under Server Settings in ThreatPipes.

By default the ThreatPipes Splunk app ships with an input listening on tcp:514 disabled by default using sourcetype=threatpipes-syslog. Make sure at least one input is enabled before attempting to stream data.

When starting a scan (that you want the intel to be streamed to Splunk) make sure you have checked the "Log Stream".

2b. Export scan data from ThreatPipes and import to Splunk

Export all or partial results from a scan in .csv format.

You can also export scan data for multiple scans in .csv format using the scan list view.

Import ThreatPipes data to Splunk "Import ThreatPipes data to Splunk")

Import the data to Splunk using your preferred method. Be sure to select sourcetype=threatpipes-csv and index=threatpipes

3. Start Splunking

Intel overview

Start on the Mains dashboard. It will show you an overview of all the intelligence imported from ThreatPipes. Click on any panel to drill down to the Scan Dashboard.

Intel analysis

Take a deeper look at the intelligence generate for potentially risky data that you can use offensively (e.g. network weaknesses) or defensively (e.g threat intelligence).

Cross reference intel

See if any of the intel uncovered by ThreatPipes is seen in the logs stored in you Splunk instance to identify potential threats.

Filter and export

Export the intel as threat lists to use with Splunk Enterprise security (and other tools).

Release Notes

Version 0.1.3


Initial release.


Contact the Threatpipes team here


This code is licensed under an MIT license.

Download the source code on Gitlab.

Developer guide


You can use this test data to populate dashboards for testing, if needed:


Using MacOS, create a .tar.gz for Splunkbase:

COPYFILE_DISABLE=1 tar -czv --exclude='.*' -f threatpipes-splunk.tar.gz threatpipes-splunk/

Release Notes

Version 0.1.3
Nov. 22, 2019

Added support for streaming data

Version 0.1.2
Nov. 12, 2019

Added log matching to intel.

Version 0.1.1
Nov. 11, 2019

First release. Upload exported ThreatPipes scan CSV / JSON files for analysis.


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2020 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.