
DomainTools App for Splunk and Splunk Enterprise Security

For your convenience, we’ve included the video transcription below

Confidence In The Data

Welcome. In this video we’re going to be taking a look at the DomainTools App for Splunk and Splunk Enterprise Security. The DomainTools App for Splunk leverages our Iris dataset which is Comprehensive, Accurate and Timely. We’re tracking over 330 million active domains and we’re picking up hundreds of thousands of newly registered or discovered domains every day. Our rich historical repository of DNS and registration data allows us to connect the dots on malicious registration activity and powers our Domain Risk Score methods.

For example, when we look at a domain like owa-office3365[.]com, you’ll observe that we really have four risk scores for this domain. The first we’ll look at is our Proximity score. Proximity lets us know how close a domain is to existing known bad domains within our dataset. So we can explore things like the hosting infrastructure behind the domain or registration details around the domain. Both of these let us know this domain is in close proximity to existing bad domains within Iris.

Our machine learning classifiers are more predictive in nature. They’re looking at the features like the domain name string, the age, the infrastructure and the registration details behind the domain. For example, today we have a high level of confidence this domain was registered for the purposes of phishing as noted by the 98.

Enrich And Hunt With The Iris Dataset

The Iris Enrich API was purpose-built for large-scale event decoration, meaning we can enrich proxy logs, DNS query logs, or email domain logs within your SIEM. What are we hunting for? Things like young/newly registered domains or newly observed domains, domains with high Risk Scores, specific adversary infrastructure details, things like hosting providers or registrars, name servers, mail servers, SSL certificates and more. Domains that have been tagged via our Iris investigation UI, or targeted phishing domains that are attacking a keyword or brand that you’re keeping an eye on.

Where To Find The DomainTools App For Splunk And Splunk ES

We can get started in Splunkbase, where you can find the DomainTools App for Splunk and Splunk Enterprise Security. Once it is installed on your search head or your search head cluster, you can drop your API key in, configure your base search, and we’re off and running with enrichment. We’ll start by looking at our DomainTools threat hunting dashboard. This dashboard is meant to give us a quick look at the details of the domains that we’ve spotted in your logs over the last 24 hours. We can help flag out things like those young domains, so if a domain was registered 5 days ago and is emailing your finance department, we’re going to find that here. Newly observed domains, so domains we haven’t spotted before in your logs. Domains that score highly for a machine learning score for either malware, phishing or spam.

How DomainTools Defines Dangerous Domains

When it comes to looking at the risky domains, we can look for specific registrar activity, specific SSL certificate details. We can also flag out dangerous domains. Dangerous domains are a blended score for us here at DomainTools. What we’re looking at when it comes to dangerous domains are both the Risk Score threshold for our machine learning classifiers for malware or for phishing and our Proximity threshold. So we’re looking at both of those together, so you have to be close to known badness and look like a phishing or a malware domain here. So our starting point domain, owa-office3365[.]com, would certainly qualify here.
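As an added example (not code from the video or from the DomainTools app), the dashboard flags described above (young, newly observed, high classifier score) and the blended "dangerous domain" rule, applied to constructed enrichment records. The field names, the numeric thresholds, the suppress tag and the "already seen" set standing in for the 30-day KV store are all assumptions.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed records; field names, scores and dates are assumptions, not the app's KV store schema.
@dataclass
class Enrichment:
    domain: str
    create_date: date
    phishing: int
    malware: int
    spam: int
    proximity: int
    tags: list = field(default_factory=list)

YOUNG_DAYS = 7               # assumed: a domain "registered 5 days ago" is caught
ML_THRESHOLD = 70            # assumed classifier score that counts as "scores highly"
PROXIMITY_THRESHOLD = 70     # assumed proximity cut-off for "close to known badness"
SUPPRESS_TAG = "known-good"  # assumed Iris tag used to suppress rather than alert

def is_young(rec, today):
    return (today - rec.create_date).days <= YOUNG_DAYS
def is_newly_observed(rec, seen_domains):
    return rec.domain not in seen_domains  # seen_domains stands in for the 30-day KV store
def is_dangerous(rec):
    # Blended rule: close to known badness AND looks like phishing or malware (spam not counted).
    return rec.proximity >= PROXIMITY_THRESHOLD and max(rec.phishing, rec.malware) >= ML_THRESHOLD

def hunt(records, seen_domains, today):
    """Map each flagged domain to its reasons; domains carrying the suppress tag are skipped."""
    findings = {}
    for rec in records:
        if SUPPRESS_TAG in rec.tags:
            continue
        checks = [("young", is_young(rec, today)),
                  ("newly-observed", is_newly_observed(rec, seen_domains)),
                  ("high-ml-score", max(rec.phishing, rec.malware, rec.spam) >= ML_THRESHOLD),
                  ("dangerous", is_dangerous(rec))]
        reasons = [name for name, hit in checks if hit]
        if reasons:
            findings[rec.domain] = reasons
    return findings

SAMPLE = [  # constructed sample input
    Enrichment("owa-office3365[.]com", date(2020, 5, 28), 98, 40, 10, 85),
    Enrichment("example-partner.net", date(2012, 1, 4), 5, 3, 2, 10),
    Enrichment("new-vendor-portal.com", date(2020, 5, 20), 60, 75, 20, 30),
    Enrichment("brand-lookalike.com", date(2019, 6, 1), 90, 20, 5, 90, ["known-good"]),
]
SEEN = {"example-partner.net", "brand-lookalike.com"}  # constructed: domains already in the store
TODAY = date(2020, 6, 1)
```

Calling `hunt(SAMPLE, SEEN, TODAY)` returns the two domains worth a look with their reasons; the tagged lookalike is suppressed even though it would otherwise qualify as dangerous.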

Capabilities Within the DomainTools App for Splunk and Splunk ES

Live Lookups And Hunting For Correlated Domains

We can perform live lookups inside of our app, meaning we can go perform a live lookup against the API and pull that data directly into Splunk without having to leave. So we can pull this data in and look at the most recent registration details, hosting infrastructure details, any registrant details we might have gotten, and also the most updated Risk Scores as well. We can quickly craft a query here that allows us to look at the rest of the KV store that we’re populating with data to hunt for correlated domains. So we can look for things like the hosting ISP providers, so maybe, hey, there’s a couple of specific hosting providers we want to keep an eye on. Or we can look at things like name servers, registrars, TLD spaces, certs, anything really that can potentially be useful when it comes to an investigation, but we populate this data for 30 days by default in the KV store.

Automate Phishing With PhishEye For Splunk

We can automate our phishing detection, so if we’re tracking specific keywords or brands with our PhishEye tool and hunting for lookalike domains on a daily basis, we can pull those directly into Splunk. So we can identify these spoofed domains as they are registered or discovered, we can generate this list and ingest it automatically daily into Splunk, and then we can monitor logs for specific phishing domain activity.

Bring Actionable Threat Intelligence Into Splunk

We can bring actionable threat intel into Splunk by using the Iris Investigate UI. In that UI, we can highlight and then tag domains. These tags are local to our account, but they will flow out on API calls. So if we tag a domain in the Iris UI and then we catch that domain in a log 6 months, 8 months, 10 months later, that tag is going to flow through, so we can either trigger notable events with our tags or suppress them. Speaking of which, our Enterprise Security tab allows us to manage and customize any of the “out-of-the-box” correlation searches that DomainTools provides. And our integration within the notable event framework allows us to pop directly out to our Iris investigation platform or go directly to that live lookup page if we want to stay inside of Splunk, but either way we can get a deeper dive on a specific domain.

The DomainTools App for Splunk allows us to convert our enrichment into threat intelligence, allows us to understand the risk factors of domain names that we’re finding in our logs, allows us to precisely target our threat hunting on domain ownership and hosting providers within our logs, and allows us to surface meaningful alerts and filter out noise. And it allows us to classify domain names based on their likely malicious use.