Overview - domaintools.com

Contents

Overview 3
What’s New in 3.4 4
Deployment Guide 5
  Prerequisites 5
  DomainTools API Key 5
  Download the DomainTools App from Splunkbase 5
  Uninstalling prior versions 5
  Splunk admin credentials 5
  Splunk SPL 6
  Writing your own custom SPL 7
    Your custom SPL must meet these criteria 7
  Validating App in Non-Production environments 7
App Installation 8
  Installation Steps 8
  Configuration Steps 9
App Validation 13
Key App Functionalities 14
  Threat Intel Dashboard 14
  Domain Profile Tab 15
  Tag Management Dashboard 16
    Dashboard Configuration 16
  Domain Monitoring Dashboard 18
    Dashboard Configuration 19
  Enterprise Security Capabilities 21
    Configuration 21
  Enrichment Explorer Tab 23


Overview

The DomainTools solution for Splunk provides direct access within Splunk to DomainTools' industry-leading threat intelligence data on domain names and the infrastructure that supports them.

Customers who deploy the app in Splunk benefit from:

● Increased visibility to events associated with risky domain names
● Precisely targeted threat hunting activities
● Rich domain data pre-populated in Splunk lookups and indexes
● Proactive monitoring of malicious domains leveraging the PhishEye API
● Leverage tagged domains from DNS investigations in the DomainTools Iris platform

The DomainTools App works in parallel with Splunk Enterprise Security (ES) but does not depend on it. Customers who have not yet deployed ES can still realize significant value from the DomainTools solution.


What’s New in 3.4:

With the 3.4 release, we introduce the following capabilities for our users:

- Tag Management using DomainTools Iris Tags
- Domain Monitoring inside Splunk
- Enterprise Security Capabilities and Dashboards
- Enrichment Explorer for Domain Enrichment data

You can read further about these in the Key Functionalities sections below. Key functionalities in the app are enabled by the DomainTools Iris Enrich API, so if you do not have access to the Iris Enrich API, please reach out to us at [email protected]


Deployment Guide

Prerequisites:

The DomainTools App is able to extract domain names from your proxy logs, DNS logs, or a similar data source that contains domain names. The App comes pre-configured with a performance-optimized query that will work well in environments that are already configured to efficiently locate web proxy events from data sources that comply with the Splunk Common Information Model, or CIM.

DomainTools API Key

You will need a DomainTools Enterprise API username and API key to complete the app setup. DomainTools typically provides access to obtain the API credentials by creating an account for the primary point of contact in your organization. If you need to obtain new API keys to evaluate the app, contact us via email at [email protected] and we will assist you.

Download the DomainTools App from Splunkbase

The latest App is available on Splunkbase at this URL: https://splunkbase.splunk.com/app/3376

If you currently have an older version of the App (or the TA) and intend to upgrade, please note that it will require you to uninstall the current version and perform a fresh installation. Kindly review the release notes of the respective versions carefully so you are aware of any breaking changes. Please contact DomainTools Support for assistance with installation or upgrade of the app.

Uninstalling prior versions

For best results, use the Splunk web UI to completely uninstall any previous versions of the DomainTools App or TA. Then use command-line access to remove any remaining DomainTools-specific folders.

Splunk admin credentials

You must have a Splunk account with admin credentials to successfully install and configure the App. After the App is installed, most user functions should be available with less privileged accounts. You may also need command-line access (i.e. SSH access) to perform some deployment and diagnostics functions, especially if you are deploying in a clustered environment.


Splunk SPL

It is also possible to customize the App with your own Search Processing Language (SPL) query. This may be necessary if your data sources are not yet CIM compliant, or if you have unique requirements such as accessing data from several different sources. However, if you opt to configure the app with your own custom SPL query, you must ensure the query is performant in your environment. At a minimum, the query should return ten minutes of events in no more than two minutes of search execution time, with minimal impact on your search head or search head cluster. It is vital that you select the correct base search method for your environment before you proceed with the installation.

Base search: Pre-Configured

Pros:
1. No post-install customization or configuration required, other than the API username & key in the initial app setup
2. Finds domain names in every CIM-compliant data source from the Web data model
3. Fast for most environments

Cons:
1. Requires CIM-compliant data sources that use the Web data model with hostnames in the Web.url field
2. DomainTools Threat Hunting Dashboard will be empty if the base search can’t find domains
3. Must have acceleration turned on for the Web data model

Base search: Custom SPL

Pros:
1. Does not require your data source to be CIM compliant
2. Can be optimized to your environment & data sources

Cons:
1. May cause performance problems if the search is not manually optimized
2. May require additional tuning after installation, making this option unsuitable for rigorous change management cycles
3. Must return the hostname or domain name in a field explicitly named “domain”

 

The pre-configured base search in the App is:

    tstats summariesonly=true count(Web.url) FROM datamodel=Web BY Web.url
    | rename Web.url AS domain
    | fields domain

For this to work, the Web data model must have acceleration turned on. If acceleration is not turned on, but data has been mapped to the CIM, you can modify the base search to use summariesonly=false with some potential degradation in performance.


Writing your own custom SPL

If the pre-configured base search won’t work for you and you must write your own SPL, first identify a data source that contains URLs (web links) or hostnames that represent communication from your network to the public Internet. In most cases, web proxy logs provide the best visibility into these domains. Next, review your source data carefully to ensure it contains as few IP addresses as possible. The DomainTools solution provides data on domain names, not IPs, so any IPs sent to the API will not return useful data and will consume rate-limited resources. Finally, craft a Splunk search query that efficiently finds events from your preferred data source(s) and configure this as the new base search in the settings for the DomainTools App (DomainTools for Splunk → Settings → Application Settings → Custom Values → Base Search Definition).

Your custom SPL must meet these criteria:

● If your custom search does not begin with tstats, you must prefix it with the search command to ensure proper functionality once it is merged into the DomainTools scheduled searches.
● Your custom search must not start with a pipe (|) character.
● Ensure the result contains a field named domain, or use rename to produce one.
● The search must efficiently return results from the last 10 minutes of events, ideally in a few seconds, but no longer than two or three minutes.

For example:

    search index=mycustomindex | rename url AS domain

 It is not necessary (or effective) to write regular expressions or other parsing rules to find the primary domain names in logs filled with hostnames or URLs, or to try and de-duplicate them. The rest of the DomainTools queue builder search jobs will handle this for you. The use of tstats in the pre-configured search is primarily for optimization, and we recommend using it as well if you build your own custom SPL.  
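As an added example (this is not code from the DomainTools app or from this guide), the Python below checks a candidate custom base search against the criteria listed above and measures what share of a sample of domain values are really IPv4 literals, which the guide says return nothing useful and consume rate-limited API quota. The function names, the regular-expression heuristics, and the sample queries and values are this example's own assumptions; it never contacts Splunk, so the performance requirement still has to be confirmed by running the candidate query in Splunk over a ten-minute window.

```python
"""Added example (not part of the DomainTools app or this guide): lint a candidate
custom base search against the criteria the guide lists, and estimate how much
of a sample of `domain` values is really IP literals. The heuristics and names
here are this example's assumptions; nothing is sent to Splunk."""
import re

# Heuristic: the query exposes a field literally named "domain" if some pipe
# segment renames/evals into it, filters on it, or lists it in fields/table.
_DOMAIN_FIELD_RE = re.compile(
    r"\brename\b[^|]*\bAS\s+domain\b"
    r"|\beval\s+domain\s*="
    r"|\bdomain\s*="
    r"|\b(?:fields|table)\b[^|]*\bdomain\b",
    re.IGNORECASE,
)
# Bare IPv4 literal with an optional port, e.g. 10.0.0.5 or 192.168.1.20:8080.
_IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?$")


def lint_base_search(spl: str) -> list:
    """Return human-readable problems; an empty list means the query passes the
    guide's structural criteria (no leading pipe, tstats or search first,
    a field named domain). The timing criterion cannot be checked offline."""
    problems = []
    q = spl.strip()
    if not q:
        return ["query is empty"]
    if q.startswith("|"):
        problems.append("must not start with a pipe character")
    tokens = q.lstrip("|").split()
    first = tokens[0].lower() if tokens else ""
    if first not in ("tstats", "search"):
        problems.append("must begin with tstats or be prefixed with the search command")
    if not _DOMAIN_FIELD_RE.search(q):
        problems.append('result must contain a field named "domain" (use rename or eval)')
    return problems


def normalise_base_search(spl: str) -> str:
    """Apply the two mechanical fixes the guide describes: drop a leading pipe and
    prefix a non-tstats query with `search`. Field-name problems need a human."""
    q = spl.strip().lstrip("|").strip()
    tokens = q.split()
    first = tokens[0].lower() if tokens else ""
    if first in ("tstats", "search"):
        return q
    return "search " + q


def ip_literal_ratio(domain_values) -> float:
    """Fraction of sampled domain values that are bare IPv4 literals. A high
    ratio means the base search needs a tighter source or an extra filter
    before it is allowed to feed the DomainTools API."""
    vals = [v.strip() for v in domain_values if v and v.strip()]
    if not vals:
        return 0.0
    ips = sum(1 for v in vals if _IPV4_RE.match(v))
    return ips / len(vals)


# Constructed inputs (not taken from any real environment).
GUIDE_EXAMPLE = "search index=mycustomindex | rename url AS domain"
PIPED_TSTATS = ("| tstats summariesonly=true count(Web.url) FROM datamodel=Web "
                "BY Web.url | rename Web.url AS domain | fields domain")
BAD_CUSTOM = "index=proxy sourcetype=squid | rename dest AS dest_host"
SAMPLE_DOMAINS = ["domaintools.net", "10.0.0.5", "example.com", "192.168.1.20:8080"]

if __name__ == "__main__":
    for q in (GUIDE_EXAMPLE, PIPED_TSTATS, BAD_CUSTOM):
        print(q, "->", lint_base_search(q) or "OK")
    print(normalise_base_search(BAD_CUSTOM))
    print(f"IP literal ratio: {ip_literal_ratio(SAMPLE_DOMAINS):.2f}")
```

The domain-field check is deliberately a heuristic over rename, eval and fields/table clauses; a query that produces the field some other way will be flagged and needs a manual look, which is the safer failure mode for a base search that every scheduled DomainTools search will inherit.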

Validating App in Non-Production environments

If you use a staging environment or development environment to test new Splunk apps, ensure the same data source you plan to use in production is also available to the Splunk search heads in the test environment. If the data is not available, the DomainTools solution will not be able to progress beyond Level 0 in the capability matrix above. Move the app to production before you continue with the evaluation.


App Installation

The DomainTools App is designed to be installed on a search head or within a search head cluster. It has been tested with the recommended Splunk deployment model for apps in a clustered environment, including distributed configuration, but it is important to follow Splunk guidelines to ensure a successful deployment. We encourage customers to review the Splunk docs on app install and config in a clustered environment, including: https://docs.splunk.com/Documentation/Splunk/7.2.4/DistSearch/PropagateSHCconfigurationchanges

Installation Steps:

1. Identify the server with the deployer role and obtain admin & console access to the server.
2. Obtain the latest version of the DomainTools App and complete the setup and configuration for the DomainTools App locally ($SPLUNK_HOME/etc/apps/TA-domaintools).
3. Then move the DomainTools folder to $SPLUNK_HOME/etc/shcluster/apps/.
4. Deploy a configuration bundle to the search head members.
5. Log in to one of the search head members and verify the setup and configuration for the DomainTools app. This can be done by navigating to the DomainTools for Splunk app → Settings → Application Settings and checking to make sure your API Username is displayed under API Usage.


https://splunk-sh1.com:8000/en-US/manager/TA-domaintools/apps/local/TA-domaintools/setup?action=edit  

DomainTools provides support for apps deployed in this standard configuration model. Although it is possible to use an alternative method for deploying apps, such as a configuration management tool, those methods create scenarios that are unique to your environment, and as such, DomainTools can provide only limited support for those deployments.

Configuration Steps:

1. The first step is to finalize the setup of the app using the standard Splunk app setup page.
2. Click on the DomainTools app in the list of Splunk apps.
3. The default app setup page should appear instead of the DomainTools Threat Hunting Dashboard. If it does not appear, click the “Apps” drop-down at the very top of the Splunk web UI, then “Manage Apps”, and find “DomainTools for Splunk” in the list. Click the “Setup” link in the row for the app to access the app setup page.
4. Enter the DomainTools API username and API key.
5. Save the settings and the DomainTools app dashboard should load.


Next, review the app configuration page and make any necessary changes. Be sure to review any changes made to the base search (see above).

1. Locate the “DomainTools for Splunk” app in the Splunk UI and open it to view the app’s default page: the DomainTools Threat Hunting dashboard.
2. Click “Settings” on the toolbar, then “DomainTools App Configuration”.
3. The app will verify your API credentials and list the products you have access to. Most customers will want to use the “Iris Enrich” API, but if you do not have access to that endpoint, the app will allow selecting alternate endpoints (Risk/Reputation API).
4. Review the search under the “Custom Search Definition” and ensure it will work in your environment. Consider running the search manually over a small set of data (about 10 minutes) to ensure it runs without errors. If you see errors, or it cannot find the data you need to enrich, you may need to write a custom search.
5. Adjust the threshold for DomainTools Proximity Score and Risk Scores in the settings page under the Enrichment section. The app is already populated with default values for your convenience. These values are used to highlight risky domains in your dashboards.

  

6. Ensure the “Activate populating search” is selected if you are targeting a Level 3 capability and have prepared the “whois” index.
7. Click “Save” in the upper right corner of the page to finalize your settings.
8. For DomainTools PhishEye users with access to the DomainTools PhishEye API, the following Saved Searches must be enabled:
   1. Splunk → Settings → Searches, Reports and Alerts (under Knowledge)
   2. Apply the following filters in the Searches, Reports and Alerts screen:
      a. Select Type = “Reports”
      b. Select App = “DomainTools for Splunk”
      c. Enter “PhishEye” in the textbox
   3. Enable the below two Saved Searches:
      a. DomainTools Maintenance - Expire Stale PhishEye Entries in KV Store
      b. DomainTools PhishEye - Import PhishEye results


App Validation

After the app is installed, follow the corresponding test plan to ensure the app is working correctly.

Test Coverage: Confirms connectivity to DomainTools APIs
Test Plan:
1. Access the DomainTools app in the Splunk UI
2. Enter “domaintools.net” in the search box in the upper right corner of the app, then click the “Lookup” button
3. The results page will load with at least a domain age, an IP address, and a set of name servers.

Test Coverage: Ensures the pre-configured base search (or user-defined custom search) finds events with domains. Validates enrichment of domains with DomainTools data and persistence in KV lookups.
Test Plan:
1. Wait at least 30 minutes after installing the app
2. Access the DomainTools app page and confirm the “Total Domains Events” number is non-zero, and increasing over time
3. Check the “Show” box next to “Diagnostics” at the top of the dashboard, then confirm the “Retrieved” count is non-zero, incrementing, and, after a few hours, is significantly higher than “Pending”.
4. After a couple of hours, at least some of the other dashboard panels at the top of the Threat Hunting Dashboard should become non-zero. Clicking each number should drill down to show source events.

Test Coverage: Confirms component risk scores and other Iris data can be accessed from custom searches. Confirms basic integration with Splunk ES.
Test Plan:
1. Consider writing a custom Splunk search to find domains with a high DomainTools Threat Profile malware score.
2. If you are using Splunk Enterprise Security (ES), check for new Notable Events to be raised when events occur containing domain names scored higher than the configured threshold in the DomainTools app config (by default, 90).

Test Coverage: Validates a working whois index and confirms the jobs to populate it are working as expected.
Test Plan:
1. Search “index=whois” and confirm multiple entries for domain names, with most fields populated
2. If you are using Splunk Enterprise Security (ES), access the “Domain Analysis” dashboard and confirm that newly observed domains are listed in the dashboard panels.

Enabling PhishEye Monitoring

If you are a DomainTools PhishEye user and have monitors enabled in PhishEye, you can manually refresh to bring your monitors inside Splunk. For adding new monitors, please follow the PhishEye documentation. Once added, click ‘Import New Monitors’ under DomainTools Monitoring → Configure Settings (and scroll down to the bottom of the page).


Key App Functionalities:

Threat Intel Dashboard

The dashboard is powered by DomainTools Risk Score, a proprietary scoring algorithm that proactively identifies malicious domain names before they are weaponized. The technology is based on machine learning algorithms applied to DomainTools' unparalleled coverage of domain name features and infrastructure characteristics. The dashboard is designed to help organizations gain quick situational awareness of the risk presented by domain names on their network. The dashboard also helps guide teams to effectively leverage DomainTools data in their SOC workflows, with drill-downs that expose the underlying events.

Threat Hunting: Surface meaningful alerts that are enriched by the comprehensive Iris dataset, to identify malicious intent.

Event Enrichment-at-Scale: Leverage the DomainTools Iris dataset for immediate access to dozens of attributes attached to every domain event in Splunk.

Proactive Risk Scoring: Raise alerts with batch processing and access Risk Score, Proximity and Threat Profile classifiers.


Domain Profile Tab

The Domain Profile page allows Splunk users to perform an ad-hoc lookup of a single domain observable from inside Splunk. All domain intelligence data from such a lookup is automatically added to the Splunk KV store for future reference.


Tag Management Dashboard

This feature allows Splunk users to leverage Tags associated with a known domain from the DomainTools Iris investigation platform for further triaging and monitoring. If and when a domain is observed in the organization's network, all Tags from the DomainTools Iris platform are automatically retrieved and displayed inside Splunk during the domain enrichment process.

The Tagging dashboard gives a central view of the observed domains within the customer's network. It includes Tags, the Risk Score associated with the Tagged Domains, the Event Timeline associated with Observed Domains, and operational metrics around Tagged Events.

Dashboard Configuration:

The Tag Management configuration setting area further allows users to customize the consumption of these tags inside of Splunk. Once an Iris Tag is visible in Splunk, a Splunk analyst can add the Tag to either a list of 'Critical Tags' or a list of 'Suppressed Tags'.

● Critical Tags will enable proactive monitoring of the tags in the event logs. Any future observations of that domain will generate a notable event (for Splunk ES customers).
● Suppressed Tags, as the name suggests, allow users to reduce false positives from known benign domains. These tags will not enable monitoring or trigger notable events; however, users will still be able to see operational metrics associated with these domains (e.g. Events associated with Suppressed Tags).

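The risk-score threshold from configuration step 5 (90 by default, per the App Validation test plan), the manual monitoring list, and the Critical and Suppressed Tag lists above together decide which observed domains should become notable events. As an added example, not DomainTools' own code, the Python below models that decision over a constructed batch of enriched events. The class and function names, the sample tags and domains, and the rule that a Critical Tag or a manually monitored domain overrides a Suppressed Tag on the same domain are this example's assumptions, since the guide does not state the precedence.

```python
"""Added example (not DomainTools' own code): model how the configuration knobs
described in this guide (risk-score threshold, Critical Tags, Suppressed Tags,
manual monitoring list) decide whether an observed domain should raise a notable
event. Precedence between the knobs is an assumption of this example."""
from dataclasses import dataclass, field


@dataclass
class AppConfig:
    risk_threshold: int = 90                                # guide: default is 90
    critical_tags: set = field(default_factory=set)         # Iris tags promoted to Critical
    suppressed_tags: set = field(default_factory=set)       # Iris tags marked Suppressed
    monitored_domains: set = field(default_factory=set)     # manual 'Add IOC' list


@dataclass
class EnrichedEvent:
    domain: str
    risk_score: int   # DomainTools Risk Score as stored in the KV lookup
    tags: set         # Iris tags retrieved during enrichment


def classify(ev: EnrichedEvent, cfg: AppConfig) -> dict:
    """Return {'notable': bool, 'suppressed': bool, 'reasons': [...]}.

    Rules taken from the guide:
      - a risk score strictly above the threshold raises a notable
      - any Critical Tag raises a notable on every future observation
      - a domain on the manual monitoring list raises a notable
      - Suppressed Tags do not trigger notables, but the event still counts
    Assumption (not stated in the guide): a Critical Tag or a monitored-domain
    match overrides a Suppressed Tag on the same domain.
    """
    reasons = []
    critical_hits = ev.tags & cfg.critical_tags
    suppressed_hits = ev.tags & cfg.suppressed_tags
    monitored = ev.domain in cfg.monitored_domains
    if monitored:
        reasons.append("monitored domain")
    if critical_hits:
        reasons.append("critical tag: " + ", ".join(sorted(critical_hits)))
    if ev.risk_score > cfg.risk_threshold:
        reasons.append(f"risk score {ev.risk_score} > {cfg.risk_threshold}")
    suppressed = bool(suppressed_hits) and not (critical_hits or monitored)
    notable = bool(reasons) and not suppressed
    return {"notable": notable, "suppressed": suppressed, "reasons": reasons}


def summarize(events, cfg: AppConfig) -> dict:
    """Operational metrics of the kind the Tag Management dashboard shows:
    how many events became notables, were suppressed, or needed no action."""
    counts = {"notable": 0, "suppressed": 0, "clean": 0}
    for ev in events:
        result = classify(ev, cfg)
        if result["notable"]:
            counts["notable"] += 1
        elif result["suppressed"]:
            counts["suppressed"] += 1
        else:
            counts["clean"] += 1
    return counts


# Constructed sample data (not real intelligence or real tag names).
SAMPLE_CONFIG = AppConfig(
    critical_tags={"apt-campaign"},
    suppressed_tags={"internal-known-good"},
    monitored_domains={"bad.example"},
)
SAMPLE_EVENTS = [
    EnrichedEvent("shop.example", 95, set()),                                 # over threshold
    EnrichedEvent("cdn.example", 97, {"internal-known-good"}),                # suppressed
    EnrichedEvent("c2.example", 40, {"apt-campaign", "internal-known-good"}), # critical wins
    EnrichedEvent("bad.example", 10, set()),                                  # manual IOC
    EnrichedEvent("ok.example", 12, set()),                                   # nothing to do
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.domain, classify(ev, SAMPLE_CONFIG))
    print(summarize(SAMPLE_EVENTS, SAMPLE_CONFIG))
```

Keeping suppressed events in the counts rather than dropping them matches the guide's point that Suppressed Tags remove the notable, not the visibility: an analyst can still see how often a suppressed domain is hit and revisit the suppression if the volume looks wrong.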

 

Domain Monitoring Dashboard

Domain Monitoring enables the monitoring of malicious domains within Splunk. The dashboard brings together some of the monitoring KPIs for comprehensive reporting. Some of the key metrics the dashboard surfaces:

● Critical Domains observed in your network
● Total Number of Critical Events associated
● PhishEye Domains observed in your network
● Total Number of Events related to PhishEye Events
● Timeline of Occurrence - when monitored domains were seen in the network
● Persistent Monitoring List

DomainTools PhishEye customers can bring PhishEye (PE) terms (or Monitors) inside of Splunk. This is enabled with our PE API and allows Splunk analysts to discover newly registered domains and monitor them inside of Splunk. If you do not have access to the PhishEye API, a Splunk analyst can also monitor for specific Domains (Indicators) manually. In such a case, the PhishEye-related section in the dashboard (right-hand section) will not have relevant data to display.


Dashboard Configuration:

The app can be configured to manage the list of Monitors and actively manage the monitoring list. You can choose to use Manual Monitoring, PhishEye Monitoring, or both, as deemed appropriate.

Manual Monitoring: Manually enter a list of domains that the analyst wishes to monitor. Domains added to this list persist until explicitly deleted by the user. To add or remove an entry from this list, the user can simply use the ‘Add IOC’ or ‘Remove IOC’ boxes respectively.


PhishEye Monitoring: This conveniently lists all the terms (also called PhishEye Monitors) that have been enabled for monitoring by the organization. Please see above if you do not have access to the DomainTools PhishEye product.

1. To enable a term, select the term and click Submit.
2. Once a term is enabled, the App will retrieve newly registered domains every 24 hours. Please allow time for this refresh to happen.

We also readily bring in the PhishEye risk scores associated with these domains.


Enterprise Security Capabilities

The ES Dashboard consolidates all the Enterprise Security (ES) feature sets that the DomainTools TA enables inside of Splunk. The purpose of this dashboard is to improve visibility and operational efficiency around the ES functionalities. Key metrics of the dashboard:

● Top Notable Events Created by Count
● Cumulative Risk Scores of a Domain in the customer's environment
● Notable Events created by Urgency
● Timeline of Notable Events
● Cumulative Risk Score of a customer's Asset
● List of DomainTools Correlation Searches by Status

Users can click on any of the metrics and review the drill-down searches and data associated with these events.

Configuration:

Per Splunk best practices, all the underlying Correlation Searches (CS) are disabled on deployment by default. Customers can use the dashboard to conveniently track the activation status of these searches at any time. To enable or disable the searches, follow the steps below:


1. Splunk Enterprise Security App → Configure → Content → Content Management
2. Filter Saved Searches by:
   a. Type - Correlation Search
   b. App - DomainTools for Splunk
3. Enable these correlation searches to receive Notable Events for combined asset risk:
   a. DomainTools Modify Aggregate Asset and Identities Risk
   b. DomainTools High Aggregate Risk Assets
4. Enable these correlation searches to receive Notable Events for combined domain risk:
   a. DomainTools High Aggregate Risk Assets
   b. DomainTools High Aggregate Risk Domains
5. Enable this correlation search to receive Notable Events for monitored domains:
   a. DomainTools Critical Monitored Domain
6. Enable this correlation search to receive Notable Events for tagged domains:
   a. DomainTools Critical Tags
7. Enable this correlation search to receive Notable Events for domains with a high risk score:
   a. High Risk Score Correlation Search


Enrichment Explorer Tab

The Enrichment Explorer tab allows Splunk users to conveniently browse and search the entire DomainTools enrichment dataset (Splunk KV store).

Besides being able to look up domain observables, users can also:

● Filter by Domain Age
● Filter by Risk Score
● Filter by various DomainTools Risk Analytics

Finally, if the intelligence for an observable appears to be dated (enrichment date in the past), the user can explicitly refresh their KV store with the latest Domain Intelligence. Currently, this feature supports a comma-separated list of up to 100 domains.