
Bringing New Capabilities to the DomainTools App for Splunk

We are pleased to announce the latest version of the DomainTools App for Splunk (version 4.3). This release for Splunk, Splunk Enterprise, and Splunk Cloud includes performance and usability enhancements, but perhaps most importantly, it adds new capabilities around passive DNS data from Farsight Security’s DNSDB and new domain triage and monitoring from Iris Detect.

Many DomainTools and Farsight Security users are also Splunk users, and from them we have learned how important it is to have good context around domains that are surfaced in Notable Events. Both Farsight DNSDB and Iris Detect can play important roles in those workflows:

  • If you use Iris Detect to discover new domains that spoof your company or brand (or those of your supply chain or vendor ecosystem), you can now triage new domains matching these Iris Detect Monitors within Splunk, by using the Iris Detect API.
  • You can also synchronize the Iris Detect Watchlist with the Splunk Monitoring list to watch for new domain activity within your environment.
  • For domain infrastructure that merits closer examination, you can delve into the world’s largest database of passive DNS using Farsight DNSDB Standard or Flexible Search. This lets you build a better understanding of a domain observed in your environment by answering questions such as: What other domains shared this IP address at the same time? What other IP addresses or lookalike domains should I search for or alert on, based on commonalities with the original domain?
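The co-hosting question above is the classic passive DNS pivot: take the records for the suspect domain, find every other name that resolved to the same rdata while the suspect did, and then decide which of those neighbours are worth alerting on. The example below is an added illustration of that logic and is not code from the DomainTools App or the DNSDB client; it works over a small, constructed set of records laid out in a DNSDB-like shape (rrname, rrtype, rdata, time_first, time_last as Unix epochs) so it runs offline. The field names, the sample domains and IPs, and the `max_neighbors` threshold are assumptions for the example. It also generalizes the page's A-record case to any rrtype, so the same function pivots on shared NS servers.

```python
from collections import defaultdict

# Constructed sample passive DNS records (illustrative, not real observations).
# Shape is modelled on DNSDB output: owner name, record type, rdata, and the
# first/last times the (rrname, rrtype, rdata) tuple was seen.
SAMPLE_RECORDS = [
    # the suspect lookalike domain moved from one IP to another
    {"rrname": "example-corp-login.com.", "rrtype": "A", "rdata": "203.0.113.10",
     "time_first": 1_700_000_000, "time_last": 1_700_600_000},
    {"rrname": "example-corp-login.com.", "rrtype": "A", "rdata": "203.0.113.77",
     "time_first": 1_700_650_000, "time_last": 1_700_900_000},
    # another lookalike on the same IP during the same window -> real pivot
    {"rrname": "examp1e-corp.com.", "rrtype": "A", "rdata": "203.0.113.10",
     "time_first": 1_700_100_000, "time_last": 1_700_500_000},
    # a previous tenant of the IP whose window ended earlier -> not co-hosted
    {"rrname": "old-tenant.net.", "rrtype": "A", "rdata": "203.0.113.10",
     "time_first": 1_690_000_000, "time_last": 1_699_000_000},
    {"rrname": "other-victim.org.", "rrtype": "A", "rdata": "203.0.113.77",
     "time_first": 1_700_700_000, "time_last": 1_700_800_000},
    # a shared-hosting IP the suspect also used: many unrelated neighbours
    {"rrname": "example-corp-login.com.", "rrtype": "A", "rdata": "198.51.100.5",
     "time_first": 1_700_000_000, "time_last": 1_700_900_000},
    {"rrname": "bakery.example.", "rrtype": "A", "rdata": "198.51.100.5",
     "time_first": 1_700_000_000, "time_last": 1_700_900_000},
    {"rrname": "florist.example.", "rrtype": "A", "rdata": "198.51.100.5",
     "time_first": 1_700_000_000, "time_last": 1_700_900_000},
    {"rrname": "garage.example.", "rrtype": "A", "rdata": "198.51.100.5",
     "time_first": 1_700_000_000, "time_last": 1_700_900_000},
    # NS records let the same pivot run on shared name servers
    {"rrname": "example-corp-login.com.", "rrtype": "NS", "rdata": "ns1.hoster.example.",
     "time_first": 1_700_000_000, "time_last": 1_700_900_000},
    {"rrname": "examp1e-corp.com.", "rrtype": "NS", "rdata": "ns1.hoster.example.",
     "time_first": 1_700_050_000, "time_last": 1_700_600_000},
]


def _fqdn(name: str) -> str:
    """Normalise to the trailing-dot form passive DNS data uses."""
    return name if name.endswith(".") else name + "."


def _overlaps(a: dict, b: dict) -> bool:
    """True if the two observation windows share at least one instant."""
    return a["time_first"] <= b["time_last"] and b["time_first"] <= a["time_last"]


def cohosted_domains(records: list, domain: str, rrtype: str = "A") -> dict:
    """Map each rdata value the domain used to the other names that pointed at
    the same rdata while the domain did (temporal overlap, not just ever)."""
    domain = _fqdn(domain)
    by_rdata = defaultdict(list)
    for r in records:
        if r["rrtype"] == rrtype:
            by_rdata[r["rdata"]].append(r)
    result = defaultdict(set)
    for own in (r for r in records if r["rrname"] == domain and r["rrtype"] == rrtype):
        for other in by_rdata[own["rdata"]]:
            if other["rrname"] != domain and _overlaps(own, other):
                result[own["rdata"]].add(other["rrname"])
    return {rdata: sorted(names) for rdata, names in result.items()}


def pivot_candidates(records: list, domain: str, rrtype: str = "A",
                     max_neighbors: int = 50) -> list:
    """Flatten the co-hosting map into a watchlist, dropping rdata values with
    more than max_neighbors neighbours: shared hosting and CDN addresses produce
    huge fan-out and would flood a Splunk monitoring list with noise."""
    seen = set()
    for names in cohosted_domains(records, domain, rrtype).values():
        if len(names) <= max_neighbors:
            seen.update(names)
    return sorted(seen)


if __name__ == "__main__":
    print(cohosted_domains(SAMPLE_RECORDS, "example-corp-login.com"))
    print(pivot_candidates(SAMPLE_RECORDS, "example-corp-login.com", max_neighbors=2))
    print(cohosted_domains(SAMPLE_RECORDS, "example-corp-login.com", rrtype="NS"))
```

The temporal overlap test is the part that matters: an IP's previous tenant is not evidence of a relationship, so a pivot on "ever resolved to this IP" returns far more false positives than one restricted to the suspect's own observation window. The neighbour cap is the other practical guard; the right value depends on the hosting in your data, so tune it before feeding the result into a monitoring list.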

In addition to these new features, we also made some other changes and fixes in version 4.3. Specifically, we:

  • Removed Python 2 support due to updated dependent libraries
  • Added a distributed search configuration to address occasional issues when updating in Splunk Cloud
  • Slightly lowered the default risk score thresholds used in the Enrichment Settings page. (Note: this does not override any user-specified thresholds when doing an in-place upgrade)
  • Simplified the DomainTools Settings Menu. We moved Monitoring-specific settings under a new Monitoring menu
  • Replaced HTML dashboards with single-page apps to align with Splunk’s current recommendations for Splunk Cloud

We are always on the lookout for ways to improve your experience and capabilities when working within key security tools such as Splunk. We hope that if you are a Splunk user who has never tried our App, perhaps you’ll give it a look. Or, if you use Splunk, but not Iris Detect or Farsight DNSDB, you might consider those tools as well.