icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Log4Shell Vulnerability: Information and guidance for you. Get resources.

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading DomainTools App For Splunk and Splunk ES
SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_421.tgz) 793fa1fc63498038980450b7f83f5b4da31ed56c0d77579072245c1cab6e320f SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_420.tgz) dfd18060fe05a4dd2d194ba1f2ce045ef54075f7ffc22dfba907d5381032b814 SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_413.tgz) a4d74a714279090ea1159072d38c192c92942900c42f642a522458759bcb65cb SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_412.tgz) fe2e6f78597c07d32b799378aa05347ee926a95a86c8b59ee4d05a983a4f0534 SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_411.tgz) 18728f96126f1e8672492475f88cbdd28a9bb5a3f69fdd946e8b0c9f03a0e9d3
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate


DomainTools App For Splunk and Splunk ES

Splunk Cloud
Gain fast insights and situational awareness around risky infrastructure

DomainTools enables Security Operations Centers (SOCs) and security analysts to take domain observables from their network and connect them with other active domains on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

With the influx in events per second rising, organizations need the ability to execute high-volume queries with improved response times. The DomainTools App for Splunk delivers, with enrichment at scale and drill-down details to add context. Leveraging the DomainTools Iris dataset, users have immediate access to dozens of attributes attached to every domain event in Splunk, efficiently delivering event enrichment at scale.

Domain Monitoring

SOCs and Security Analysts can leverage the DomainTools PhishEye product in Splunk to discover newly registered domains associated with any terms their organization currently monitors (such as a brand or company name), and to monitor domains and append domains to your allowlist (list of trusted domains) from the Domain Investigation workflow.

Predictive Risk Scoring

DomainTools Risk Score gives teams with emerging threat hunting skills an instant advantage in helping to identify and optionally alert on Splunk events with suspicious domains they would have otherwise missed. Individual component scores give experienced hunters the tools they need to refine their alerts and precisely target their resources. DomainTools Risk Score, including Proximity and Threat Profile classifiers, is available in both key-value stores and Splunk indexes.

Proven Capability for Enterprise Organizations

DomainTools’ proven solution for Splunk includes a cloud-certified Splunk Application that deploys on Splunk search heads in both standalone and clustered configurations, with and without Splunk Enterprise Security. Event sources can be customized to match the unique requirements of each environment.

DomainTools Capabilities in Splunk

Reduce MTTD
• Bulk enrichment of domains with meaningful context
• At-a-glance alerting and reporting of malicious network traffic
• Domain monitoring using DomainTools PhishEye

Reduce MTTR
• Discover newly registered domains and further enable monitoring
• Create a Splunk notable event in case a high-risk domain is observed
• Automate the Incident Response (IR) process

The DomainTools App works in parallel with Splunk Enterprise Security (ES) but does not depend on it. Customers who have not yet deployed ES can still realize significant value from the DomainTools solution.

Download User Guides:

For Splunk Cloud Customers

  • DomainTools App for Splunk 4.2 is available for Splunk and Splunk Enterprise Customers.
  • A new version of the app, DomainTools App for Splunk 4.2 is vetted for Splunk Cloud.
  • If newer releases of our App do not show support for Splunk Cloud, you may request cloud vetting to be performed on the app by creating a support ticket with Splunk Support and Services. Once the app passes cloud vetting, it can be installed on your Splunk Cloud instance. As a Splunk customer, only you can request cloud vetting for our apps.

DomainTools App for Splunk 4.2:

DomainTools App for Splunk 4.2 is a General Availability (GA) release for Splunk 8.x users. With DomainTools app for Splunk 4.2, we provide improved capabilities, performance, and usability. Conveniences such as configurable auto-refreshing dashboards, new in 4.2, help enhance situational awareness. Please review the release notes to understand some of the key features and changes in this release.


  • Access to Iris Enrich and Iris Investigate APIs are required
  • Access to PhishEye API is optional but recommended for full app functionality

New in 4.x Releases:

  • App Diagnostic Dashboard to provide visibility into audit activities of the app
  • API Usage Dashboard to provide visibility into query consumption
  • A native Allowlisting ability to suppress monitoring of trusted domains
  • Introducing Investigation of Domain IOCs leveraging DomainTools Guided Pivot analytics
  • Ability to import IOCs from DomainTools using Iris export hash
  • Ability to discover connected domain IOCs for proactive monitoring
  • Richer domain context for notable events generated by DomainTools detection rules
  • Re-architected App with full support for recent Splunk SDK supporting Splunk 8.0 and Python 3 environments
  • Support for configuring proxies and custom SSL certs within App UI
  • Ability to add proxy authentication via the App UI
  • Workflow action to investigate IOC in DomainTools Iris platform
  • Support for streaming command in Base Search definition
  • A new field in the Enrichment Explorer - ‘Observed in Logs’ to convey if a domain was seen in your logs


  • Redesigned ThreatIntel Dashboard with optimized searches
  • Redesigned Monitoring Dashboard for centralized monitoring
  • Redefined workflow to ingest PhishEye IOCs into Splunk
  • Redesigned Dashboard for ad-hoc domain Lookup

Deprecated Functionalities (From 3.x and older versions of our app) :

  • Brand monitor functionality
  • Alexa 1M filtering
  • Support removed for DomainTools Classic APIs

Release Notes

Version 4.2.1
Dec. 3, 2021

• Adds a trigger stanza in app.conf to avoid unnecessary "restart required" messages.

Version 4.2.0
Sept. 28, 2021

• Power an always-on SOC display with auto-refreshing Threat Profile and Monitoring dashboard panels
• Simplify your triage process, investigating domains flagged in Enterprise Security Incident Review within the DomainTools app Domain Profile page
• Improve app performance using a new regex-based dtdomainextract2 macro
• Expedite your workflow, adding domains to monitoring or allow-lists directly from DomainTools Enrichment Explorer
• Natively enrich logs containing multivalue URLs (most commonly encountered with Proofpoint)

Changes and Fixes
• To improve performance, logging has been disabled by default. It can be re-enabled in the Diagnostic Panel
• Allows for “Informational”-level urgency tags when creating Notable Events in Enterprise Security
• Expanded configuration levels for allow-list actions
• Improved in-app documentation and user guide
• See the user guide for additional changes

Version 4.1.3
April 20, 2021

• Resolves Splunk Cloud compatibility issues related to installation on indexers during deployment
• Eliminates the need for localop installation workaround on Splunk Cloud
• Resolves an error when using the Events Enriched drill-down
• Resolves an error when trying to run a Queue Builder search with over ~500K events
• Eliminates the need for scpv2 workaround (see upgrade notes)

Version 4.1.2
March 23, 2021

• Resolves Splunk Cloud compatibility issues
• Resolves inconsistencies with file paths
• Resolves inconsistencies with default python version

Note that version 4.1.2 is vetted for Splunk Cloud. See DomainTools App for Splunk 4.x User Guide for additional details and installation instructions:

Version 4.1.1
March 2, 2021

• Ability to add proxy authentication via the App UI
• Workflow action to investigate IOC in DomainTools Iris platform
• Support for streaming command in Base Search definition
• A new field in the Enrichment Explorer - ‘Observed in Logs’ to convey if a domain was seen in your logs

• Resolves inconsistencies with importing DomainTools IOCs via search hash
• Resolves inconsistencies with last enrichment time for investigated domains via Domain Profile
• Resolves inconsistencies with tag detection
• Resolves inconsistencies with drill down functionality
• Resolves inconsistencies with Risk Score presentation for scores of 100. Domains associated with Critical risk (a risk score of 100) will now consistently display “Proximity” as the risk profile. Configuration updates required

Note that version 4.1.1 is not vetted for Splunk Cloud. See DomainTools App for Splunk 4.x User Guide for additional details:

Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk Inc. in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.