Discover where your (or someone else's) network can be compromised.
> The ultimate offensive and defensive security tool for Splunk.
ThreatPipes is a reconnaissance tool that automatically queries hundreds of data sources to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
You simply specify the target you want to investigate, pick which modules to enable and then ThreatPipes will collect data to build up an understanding of all the entities and how they relate to each other.
DNS, Whois, web pages, passive DNS, spam blacklists, file metadata, threat intelligence lists, as well as services like SHODAN, HaveIBeenPwned and many others, are used to discover intelligence on a target.
By following chains of intelligence, ThreatPipes also uncovers affiliated targets that have a relationship to your original target. For example, a domain entered in a scan might lead to SSL certificates, from there to known malicious domains, to IP addresses, and so on.
The data returned from a ThreatPipes scan will reveal a lot of information about your target, providing insight into possible data leaks, vulnerabilities or other sensitive information that can be leveraged during a penetration test, red team exercise, blue team activities, or for threat intelligence.
Teamed with Splunk, you can explore and examine this intelligence gathered by ThreatPipes in ways never before possible.
Download ThreatPipes FREE here: https://www.threatpipes.com.
Install this app on a single Splunk instance in the normal way. It should also work on distributed deployments, but we have not tested that setup yet.
You have two options for getting ThreatPipes data into Splunk:
Set up your ThreatPipes instance to stream to Splunk by specifying your Splunk server under Server Settings in ThreatPipes.
The ThreatPipes Splunk app ships with a TCP input listening on port 514 (sourcetype=threatpipes-syslog) that is disabled by default. Make sure at least one input is enabled before attempting to stream data. Note that a raw TCP input performs no authentication: any host that can reach the port can inject events, so restrict the listener to the ThreatPipes host (for example with acceptFrom in inputs.conf) or at the firewall.
When starting a scan whose intel you want streamed to Splunk, make sure you have checked "Log Stream".
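The two inputs.conf layers involved in enabling the streaming input, as an added example rather than the app's own shipped configuration. The file paths, the acceptFrom value (203.0.113.10 stands in for your ThreatPipes host) and the exact stanza contents are assumptions; the port and sourcetype are the ones named above.

```ini
# $SPLUNK_HOME/etc/apps/threatpipes-splunk/default/inputs.conf
# What the description above says ships with the app: a raw TCP
# listener on 514 that is present but disabled. Do not edit this file;
# Splunk overwrites default/ on app upgrade.
[tcp://514]
sourcetype = threatpipes-syslog
disabled = 1

# $SPLUNK_HOME/etc/apps/threatpipes-splunk/local/inputs.conf
# The override you create to switch the input on. Splunk merges local/
# over default/ key by key, so only the keys you change are required.
# acceptFrom is the important addition: a raw TCP input does no
# authentication, so without it any host that can reach port 514 can
# feed events into the threatpipes-syslog sourcetype and pollute the
# dashboards. 203.0.113.10 is a placeholder for the ThreatPipes server.
[tcp://514]
sourcetype = threatpipes-syslog
disabled = 0
acceptFrom = 203.0.113.10
connection_host = ip
```

Restart Splunk (or reload inputs) after writing the local file. If Splunk runs as a non-root user on Linux, binding to a port below 1024 needs elevated privileges; the simpler option is to use a port such as 1514 in both this stanza and the ThreatPipes Server Settings.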
Export all or partial results from a scan in .csv or .json format. You can also export scan data for multiple scans in .csv format using the scan list view.
Import the data to Splunk using your preferred method. Be sure to select
Start on the Main dashboard. It shows an overview of all the intelligence imported from ThreatPipes. Click on any panel to drill down to the Scan dashboard.
Take a deeper look at the generated intelligence for potentially risky data that you can use offensively (e.g. network weaknesses) or defensively (e.g. threat intelligence).
Check whether any of the intel uncovered by ThreatPipes appears in the logs stored in your Splunk instance, to identify potential threats.
Export the intel as threat lists to use with Splunk Enterprise Security (and other tools).
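An added, offline model of the import, log-matching and threat-list steps above. This is example code, not ThreatPipes or app code; inside Splunk the app does this with searches and lookups. The CSV column layout (Type,Module,Source,Data), the indicator type names, and the access-log format are assumptions made for the example, and both the export and the log lines are constructed.

```python
"""
Parse a ThreatPipes-style CSV export, pull out the network indicators,
check them against log lines, and render a lookup-style threat list.
Column names and indicator types are ASSUMPTIONS for this example.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample export (column layout assumed for the example).
SAMPLE_EXPORT = """Type,Module,Source,Data
INTERNET_NAME,sfp_dnsresolve,example.com,mail.example.com
IP_ADDRESS,sfp_dnsresolve,mail.example.com,198.51.100.23
MALICIOUS_IPADDR,sfp_threatlist,198.51.100.23,198.51.100.23
IP_ADDRESS,sfp_dnsresolve,www.example.com,203.0.113.7
INTERNET_NAME,sfp_dnsresolve,example.com,www.example.com
EMAILADDR,sfp_hunter,example.com,jdoe@example.com
"""

# Constructed Apache-style access log lines.
SAMPLE_LOGS = [
    '198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512',
    '192.0.2.44 - - [10/Oct/2023:13:55:37 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.7 - - [10/Oct/2023:13:56:01 +0000] "POST /api HTTP/1.1" 403 0',
    '192.0.2.45 - - [10/Oct/2023:13:56:02 +0000] "GET /x HTTP/1.1" 404 0 "http://www.example.com/"',
]

# Export types that carry a matchable network indicator (assumed names).
IP_TYPES = {"IP_ADDRESS", "MALICIOUS_IPADDR"}
HOST_TYPES = {"INTERNET_NAME", "MALICIOUS_INTERNET_NAME"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def parse_export(csv_text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_indicators(rows):
    """Map normalised indicator -> set of (type, source) rows it came from."""
    indicators = defaultdict(set)
    for row in rows:
        kind, data = row["Type"], row["Data"].strip().lower()
        if kind in IP_TYPES:
            try:
                ipaddress.ip_address(data)  # skip malformed values instead of matching junk
            except ValueError:
                continue
            indicators[data].add((kind, row["Source"]))
        elif kind in HOST_TYPES:
            indicators[data.rstrip(".")].add((kind, row["Source"]))
    return indicators


def match_logs(indicators, log_lines):
    """Return (line_no, indicator, sorted types) for each log line hitting an indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        tokens = set(IP_RE.findall(line)) | {h.lower() for h in HOST_RE.findall(line)}
        for token in sorted(tokens):
            if token in indicators:
                hits.append((n, token, sorted(t for t, _ in indicators[token])))
    return hits


def threat_list_csv(indicators):
    """Render the indicators as a lookup-style CSV: indicator,type,source."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["indicator", "type", "source"])
    for ind in sorted(indicators):
        for kind, src in sorted(indicators[ind]):
            writer.writerow([ind, kind, src])
    return out.getvalue()


if __name__ == "__main__":
    inds = build_indicators(parse_export(SAMPLE_EXPORT))
    for n, token, types in match_logs(inds, SAMPLE_LOGS):
        print(f"log line {n}: {token} matches {','.join(types)}")
    print(threat_list_csv(inds))
```

Only IP and hostname indicators are matched; e-mail addresses and other types are kept out of the threat list deliberately, since they produce noisy matches in most logs. The resulting CSV can be uploaded as a Splunk lookup table and joined against your own indexes.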
You can use this test data to populate dashboards for testing, if needed:
On macOS, create a .tar.gz for Splunkbase:
COPYFILE_DISABLE=1 tar -czv --exclude='.*' -f threatpipes-splunk.tar.gz threatpipes-splunk/
Added support for streaming data.
Added log matching to intel.
First release. Upload exported ThreatPipes scan CSV / JSON files for analysis.