DomainTools App For Splunk and Splunk ES

Gain fast insights and situational awareness around risky infrastructure DomainTools enables Security Operations Centers (SOCs) and security analysts to take domain observables from their network and connect them with other active domains on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. With the influx in events per second rising, organizations need the ability to execute high-volume queries with improved response times. The DomainTools App for Splunk delivers, with enrichment at scale and drill-down details to add context. Leveraging the DomainTools Iris and Farsight DNSDB datasets, users have immediate access to dozens of attributes attached to every domain event in Splunk, efficiently delivering event enrichment at scale. Domain Monitoring SOCs and Security Analysts can leverage the DomainTools Iris Detect product in Splunk to discover and watch newly registered domains associated with any terms their organization currently monitors (such as a brand or company name), and to monitor domains and append domains to your allowlist (list of trusted domains) from the Domain Investigation workflow. Predictive Risk Scoring DomainTools Risk Score gives teams with emerging threat hunting skills an instant advantage in helping to identify and optionally alert on Splunk events with suspicious domains they would have otherwise missed. Individual component scores give experienced hunters the tools they need to refine their alerts and precisely target their resources. DomainTools Risk Score, including Proximity and Threat Profile classifiers, is available in both key-value stores and Splunk indexes. Proven Capability for Enterprise Organizations DomainTools’ proven solution for Splunk includes a cloud-certified Splunk Application that deploys on Splunk search heads in both standalone and clustered configurations, with and without Splunk Enterprise Security. Event sources can be customized to match the unique requirements of each environment. DomainTools Capabilities in Splunk Reduce MTTD • Bulk enrichment of domains with meaningful context • At-a-glance alerting and reporting of malicious network traffic • Domain monitoring using DomainTools Iris Detect Reduce MTTR • Discover newly registered domains and further enable monitoring • Create a Splunk ES notable event in case a high-risk domain is observed • Investigate connected infrastructure using Iris and Farsight Passive DNS The DomainTools App works in parallel with Splunk Enterprise Security (ES) but does not depend on it. Customers who have not yet deployed ES can still realize significant value from the DomainTools solution.

Built by DomainTools Integrations Team

Latest Version 5.4.0

April 2, 2025

Release notes

Compatibility

Not Available

Platform Version: 9.4, 9.3, 9.2, 9.1, 9.0

Rating

0

(0)

Log in to rate this app

Support

Developer Supported app

Learn more

Ranking

#7

in Threat Intel

#21

in Network Security

Gain fast insights and situational awareness around risky infrastructure DomainTools enables Security Operations Centers (SOCs) and security analysts to take domain observables from their network and connect them with other active domains on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure. With the influx in events per second rising, organizations need the ability to execute high-volume queries with improved response times. The DomainTools App for Splunk delivers, with enrichment at scale and drill-down details to add context. Leveraging the DomainTools Iris and Farsight DNSDB datasets, users have immediate access to dozens of attributes attached to every domain event in Splunk, efficiently delivering event enrichment at scale. Domain Monitoring SOCs and Security Analysts can leverage the DomainTools Iris Detect product in Splunk to discover and watch newly registered domains associated with any terms their organization currently monitors (such as a brand or company name), and to monitor domains and append domains to your allowlist (list of trusted domains) from the Domain Investigation workflow. Predictive Risk Scoring DomainTools Risk Score gives teams with emerging threat hunting skills an instant advantage in helping to identify and optionally alert on Splunk events with suspicious domains they would have otherwise missed. Individual component scores give experienced hunters the tools they need to refine their alerts and precisely target their resources. DomainTools Risk Score, including Proximity and Threat Profile classifiers, is available in both key-value stores and Splunk indexes. Proven Capability for Enterprise Organizations DomainTools’ proven solution for Splunk includes a cloud-certified Splunk Application that deploys on Splunk search heads in both standalone and clustered configurations, with and without Splunk Enterprise Security. Event sources can be customized to match the unique requirements of each environment. DomainTools Capabilities in Splunk Reduce MTTD • Bulk enrichment of domains with meaningful context • At-a-glance alerting and reporting of malicious network traffic • Domain monitoring using DomainTools Iris Detect Reduce MTTR • Discover newly registered domains and further enable monitoring • Create a Splunk ES notable event in case a high-risk domain is observed • Investigate connected infrastructure using Iris and Farsight Passive DNS The DomainTools App works in parallel with Splunk Enterprise Security (ES) but does not depend on it. Customers who have not yet deployed ES can still realize significant value from the DomainTools solution.