DomainTools App for Splunk Enterprise, Cloud, and Enterprise Security - DomainTools Technical Documentation

DomainTools App for Splunk Enterprise, Cloud, and Enterprise Security

Overview

The DomainTools App for Splunk provides direct access to DomainTools' industry-leading threat data, predictive risk scoring, and critical tactical attributes to gain situational awareness of malicious domains inside Splunk.

For help with the Splunk app and features, visit Splunk technical documentation. The DomainTools App for Splunk is on Splunkbase at https://splunkbase.splunk.com/app/5226. Note the separate DomainTools App for Splunk SOAR.

Key features

  • Real-time threat intelligence enrichment - Automatically enrich domain observations with DomainTools threat data
  • Iris Enrich, Investigate, and Detect integration - Access the full Iris platform capabilities within Splunk
  • Farsight DNSDB passive DNS lookups - Query historical DNS data for investigation
  • Automated alerting and monitoring - Create notable events and alerts based on risk thresholds
  • Custom dashboards and visualizations - Pre-built dashboards for threat intelligence and domain monitoring
  • Threat Feeds - Import real-time feeds including NOD, NAD, NOH, Domain Discovery, and more

Prerequisites overview

Before installing the DomainTools App, ensure you have:

  • Splunk Enterprise Security (ES) or Splunk (non-ES)
  • DomainTools API key with access to Iris Enrich API and Iris Investigate API
  • Firewall access - Splunk must be able to reach api.domaintools.com
  • Splunk credentials - Administrator access to install and configure the app
  • Prior versions uninstalled - Remove any 3.x or 4.x versions before installing

For detailed prerequisites, see the Installation Guide.

Quick start

  1. Install the app - Follow the installation guide for your Splunk deployment type (Cloud, on-premise, or distributed)
  2. Configure base settings - Set up your base search, saved searches, and enrichment settings
  3. Explore dashboards - View threat intelligence and monitor suspicious domains

Release notes

Version 5.6

DomainTools App for Splunk 5.6 is a minor release focused on quality-of-life enhancements.

Updated in version 5.6:

  • Updated Python Wrapper for feed streaming

Fixed in version 5.6:

  • Fixed Splunk Cloud Platform compatibility issue

Version 5.5

DomainTools App for Splunk 5.5 includes new threat feed support and bug fixes.

New in version 5.5:

Fixed in version 5.5:

  • Fixed Iris Detect domains showing inconsistent results with escalated domains

Version 5.4.1

Updated in version 5.4.1:

  • The tldextract library now includes private domains as TLDs
  • Support for socks5/socks5h proxies, including remote DNS resolution
  • The Recent Events table is now its own dashboard
  • Logging on domainextract is now turned off by default

Version 5.4

New in version 5.4:

Updated in version 5.4:

  • 206 response handling: instead of timing out on large data sets, the Splunk app now retrieves the entire data set across multiple API calls. Consult the Feeds documentation for details on 206 (partial content) responses.
  • Python updated to 3.9 for the Splunk SDK

Fixed in version 5.4:

  • Setup logger (splunk.setupSplunkLogger) only runs when enabled

Prior version 5.x release notes

Support

For help with the DomainTools App for Splunk: