If you’ve spent any time in a SOC, you may be familiar with the challenge of handling and analyzing DNS logs at scale. The volume of these logs can be overwhelming, creating visibility gaps for domain-based threat indicators. A missed indicator can quickly escalate into a security incident that costs precious time and resources - particularly without the ability to rapidly enrich related events.
Our newest integration solves this issue. We at DomainTools are thrilled to announce the pairing of our data with Cribl Stream, which ensures your team gets real-time, actionable context on DNS logs when and where they need it. Instead of missing important indicators or spending time on manual pivots, analysts can enrich DNS logs in motion across security and observability pipelines, accelerating threat detection and significantly improving overall SOC efficiency.
The Power of Data Pipelining Meets Domain Intelligence
Cribl excels at making sure the right data gets to the right place at the right time, and the DomainTools integration - which we built as a dedicated Cribl Pack - is designed to make our data a native part of that process.
What this means for your SOC:
- Real-Time Feed Ingestion: Stream comprehensive DomainTools data sets like the Parsed Domain RDAP and Domain Discovery Feeds directly into your Cribl pipelines. This is essential for both pre-processing and post-processing enrichment, ensuring you have fresh, high-fidelity data to work with, not stale lookups.
- Dynamic Log Enrichment: Enrich the most common logs seen in the SOC (DNS, firewall, proxy, endpoint) with the DomainTools Risk Score and reputation data in-flight. We leverage Cribl’s functionality to dynamically tag these enriched events, enabling your team to act immediately without modifying the source system or relying on complicated SIEM lookup rules.
- Data Routing and Filtering: Use DNS intelligence for powerful routing decisions. You can set filtering rules such as only sending domains with a Risk Score higher than 80 to a SIEM instance (like Splunk or Sentinel), and routing all other traffic to a lower-cost destination like S3 or a data lake.
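The enrich-then-route logic described in the two bullets above, written out as an added example in plain JavaScript (the language of Cribl Stream functions). This is illustrative code, not the DomainTools Pack’s own pipelines; the lookup table, field names and the two-label domain rule are assumptions made for the example.

```javascript
// Added example (not the DomainTools Pack's own code): enrich DNS log events
// with a Risk Score from a lookup table, tag them, and pick a destination.
// Events above the page's threshold of 80 go to the SIEM; everything else to
// the lower-cost data lake destination.

// Constructed stand-in for a DomainTools lookup file keyed by registrable domain.
const RISK_LOOKUP = new Map([
  ["example.com", { risk_score: 12, risk_evidence: "benign" }],
  ["evil-test.invalid", { risk_score: 94, risk_evidence: "phishing" }],
]);

const SIEM_THRESHOLD = 80; // route events with a score higher than this to the SIEM

// Normalise a DNS query name into a lookup key: lowercase, drop the trailing
// dot a resolver log often carries, and reduce to the last two labels.
// Assumption for this example: a real deployment should use a public suffix
// list, since the two-label rule mishandles names such as host.co.uk.
function registrableDomain(qname) {
  const labels = String(qname).toLowerCase().replace(/\.$/, "").split(".");
  if (labels.length < 2 || labels.some((l) => l === "")) return null;
  return labels.slice(-2).join(".");
}

// Enrich one event in place and record where it should be routed.
// A domain missing from the lookup is tagged "unscored" rather than given a
// score of 0, so analysts can tell "no data" apart from "known low risk".
function enrichAndRoute(event, lookup = RISK_LOOKUP) {
  const key = registrableDomain(event.query);
  const hit = key ? lookup.get(key) : undefined;
  if (hit) {
    event.dt_domain = key;
    event.dt_risk_score = hit.risk_score;
    event.dt_risk_evidence = hit.risk_evidence;
    event.dt_tag = hit.risk_score > SIEM_THRESHOLD ? "high_risk" : "low_risk";
  } else {
    event.dt_tag = "unscored";
  }
  event.route = event.dt_tag === "high_risk" ? "siem" : "datalake";
  return event;
}

// Route a batch and return per-destination counts (useful as a pipeline metric).
function routeBatch(events, lookup = RISK_LOOKUP) {
  const counts = { siem: 0, datalake: 0 };
  for (const ev of events) counts[enrichAndRoute(ev, lookup).route] += 1;
  return counts;
}
```
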
Getting Started: Implementation Methods
We engineered the data ingestion process with two distinct approaches, giving your architecture team the flexibility they need for deployment, whether you prioritize simplicity or deep customization.
Option A - The Cribl Pack Implementation (Quick Start)
The easiest path to deployment is using our pre-built Cribl Pack. This option is ideal for rapid integration and streamlined administration:
- Pack Components: The .crbl Pack is a consolidated file containing all necessary pipelines, routes, parsers, knowledge objects, and lookup files. This means you deploy once, and all the logic is instantly configured.
- Feed Integration: The Pack handles the setup for ingesting the Parsed Domain RDAP and Domain Discovery Feeds as input streams, supporting both real-time and batch ingestion scenarios.
- Deployment: The Pack is designed to be highly portable across environments with no external dependencies on other software, and our detailed documentation includes example workflows for common enrichment and routing tasks.
Option B - Data Source Implementation (Maximum Flexibility)
For teams that need additional control over their data sources or already have complex ingestion rules, DomainTools feeds can be set up as continuous data sources:
- Source Configuration: You can configure DomainTools feeds directly as standard data sources within Cribl (e.g., HTTP/S, TCP, Kafka). This supports both push (DomainTools sending feeds to Cribl) and pull (Cribl fetching feeds) configurations.
- Compatibility: This approach ensures the ingestion mechanism works seamlessly with a wide range of external technologies like Splunk, Elastic Beats, Kafka, Kinesis, and more.
- Error Handling: By treating the feeds as a data source, you inherit Cribl’s robust error handling, including dedicated logging and metrics for failed ingestion and customizable retry logic and fallback handling.
Implement Real-Time Context Today
We built this integration to remove the friction from your daily workflow. By deploying the DomainTools Cribl Pack or configuring our feeds as a continuous data source, your analysts will benefit from real-time, dynamically enriched intelligence. It’s time to modernize your pipeline, close those visibility gaps, and secure the strategic value of continuous domain intelligence.
Ready to start enriching at scale? Find DomainTools on the Cribl Packs Dispensary today and streamline your SOC workflow.