Advanced features configuration
After you configure the base settings, enable advanced features including threat feeds, alerting, Iris Detect integration, and domain monitoring.
Configure notable events (Splunk ES) or alerts (non-ES)
Splunk Enterprise Security (ES) provides notifications with Notable Events. For Splunk (non-ES), the DomainTools App generates alerts with the dt_alerts index.
Configure notable events for Splunk Enterprise Security
This section applies only to Splunk Enterprise Security (ES) Notable Events, which are events generated by DomainTools detection rules.
Key enrichment fields from DomainTools are already available in Splunk Enterprise Security.
Configure the following fields and labels during the initial setup within your Enterprise Security module:
- dt_num_of_times_enriched: Enrichment Count
- dt_looyn_date: Last Seen
- log_source: Log Source
- dt_age: Domain Age
- en_threat_profile_type: DomainTools Threat Profile
- dt_is_active: Domain Status
- en_risk_score: Risk Score
- domain: Domain
Once created, the notable events automatically display these fields. There is no programmatic way to provision these fields during app deployment. For detailed steps, see how to add a field to notable event details.
Detailed instructions to create notable events with Splunk Enterprise Security
- Select the Create Notable Event checkbox under the Alert Settings section.
- Select or deselect relevant alert criteria in the Monitor Domains, Monitor Young Domain, Monitor Risk Score Increase, and Iris Detect panels. When multiple criteria are selected, they combine with a logical AND: each additional criterion narrows the set of events that generate an alert.
- Only Monitor Domains in the DomainTools Monitoring list (default): an alert will only fire against domains that have been added to the monitoring list.
- Exceeds Domains Risk Score Threshold: Only alert if the domain exceeds the risk threshold defined above.
- Exceeds Domain Threat Profile Score Threshold: Only alert if the domain exceeds the threat profile threshold defined above.
- Ignore Iris Detect Domains in DomainTools Monitoring list: ignores anything in the monitoring list where the Source equals "Iris Detect".
- Monitor DomainTools Iris Tags in Tag Monitoring List: The app will monitor any domains that are tagged in DomainTools Iris investigation platform. Selecting this option will alert you when new domains are observed in your environment that match any Iris tags that have been specified on the Monitoring Tags page.
- Select the Urgency Tag to associate with the Notable Event: applies the specified urgency level within Splunk Enterprise Security's Incident Review panel.
- Monitor young domains: creates a notable event whenever a young domain (younger than the young domain threshold) is observed. Optionally restricted to new domains on the monitoring list. This is useful in conjunction with Iris Investigate monitors that can keep track of newly registered domains. Similarly, selecting the separate Urgency Tag to associate with the "young domains" Notable Event applies the specified urgency level within Splunk Enterprise Security's Incident Review panel.
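To make the AND narrowing of these criteria concrete, here is an added Python model of the decision (example code written for this page, not part of the DomainTools App or its saved searches). It uses the Risk Score Threshold default of 75 and the Young Domain Age default of 7 days that this page gives in its thresholds section. The threat profile threshold value, the sample observations, and every field name except domain, dt_age and en_risk_score (which the page lists as enrichment fields) are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Defaults stated on this page under "Modify default DomainTools thresholds".
RISK_SCORE_THRESHOLD = 75
YOUNG_DOMAIN_AGE_DAYS = 7
# ASSUMPTION: the page gives no default for the threat profile threshold.
THREAT_PROFILE_THRESHOLD = 70


@dataclass
class ObservedDomain:
    """One enriched domain observation.

    domain, dt_age and en_risk_score are enrichment field names from the page;
    threat_profile_score and monitoring_list_source are constructed for this example.
    """
    domain: str
    en_risk_score: int
    dt_age: int                                   # domain age in days
    threat_profile_score: int                     # ASSUMPTION: constructed name
    monitoring_list_source: Optional[str] = None  # None = not on the monitoring list;
                                                  # otherwise e.g. "Manual" or "Iris Detect"


@dataclass
class AlertCriteria:
    """The checkboxes from the Alert Settings panels, as booleans."""
    only_monitoring_list: bool = True        # page default
    exceeds_risk_threshold: bool = False
    exceeds_threat_profile_threshold: bool = False
    ignore_iris_detect_domains: bool = False


def should_create_notable(obs: ObservedDomain, criteria: AlertCriteria) -> bool:
    """Every selected criterion must hold (logical AND); unselected ones impose nothing."""
    checks = []
    if criteria.only_monitoring_list:
        checks.append(obs.monitoring_list_source is not None)
    if criteria.exceeds_risk_threshold:
        checks.append(obs.en_risk_score > RISK_SCORE_THRESHOLD)
    if criteria.exceeds_threat_profile_threshold:
        checks.append(obs.threat_profile_score > THREAT_PROFILE_THRESHOLD)
    if criteria.ignore_iris_detect_domains:
        checks.append(obs.monitoring_list_source != "Iris Detect")
    return all(checks)


def is_young_domain(obs: ObservedDomain, restrict_to_monitoring_list: bool = False) -> bool:
    """The separate 'Monitor young domains' rule: age below the young domain threshold."""
    if restrict_to_monitoring_list and obs.monitoring_list_source is None:
        return False
    return obs.dt_age < YOUNG_DOMAIN_AGE_DAYS


def evaluate(observations, criteria: AlertCriteria):
    """Return the domains that would produce a notable event under the given criteria."""
    return [o.domain for o in observations if should_create_notable(o, criteria)]


# Constructed sample observations (not real data).
SAMPLE = [
    ObservedDomain("paypa1-login.example", 92, 2, 80, "Manual"),
    ObservedDomain("example-bank.example", 92, 40, 80, None),
    ObservedDomain("look-alike.example", 60, 3, 20, "Iris Detect"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, AlertCriteria()))
    print(evaluate(SAMPLE, AlertCriteria(exceeds_risk_threshold=True)))
    print([o.domain for o in SAMPLE if is_young_domain(o)])
```

Each extra checkbox only ever removes domains from the result: with the default "only Monitor Domains in the monitoring list" selected, the unlisted high-risk domain never alerts, and adding the risk threshold criterion then drops the listed low-risk domain as well.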
Configure alerts with dt_alerts for Splunk (non-Enterprise)
Users of Splunk (without ES) can generate notifications with dt_alerts and dt_enrich_history. These indexes must be created in Splunk. To create a Splunk index, see how to create event indexes.
Enable threat feeds
Create the following indexes for threat feeds:
- Domain Discovery Feed: dt_feed_domain_discovery
- Domain Hotlist: dt_feed_domainhotlist
- Newly Active Domains (NAD) Feed: dt_feed_nad
- Newly Observed Domains (NOD) Feed: dt_feed_nod
- Newly Observed Hostnames (NOH) Feed: dt_feed_noh
- Parsed Domain RDAP Feed: dt_feed_parsed_rdap
For instructions on creating indexes, see how to create event indexes. For operating and use instructions, see the threat feeds usage section. For complete details, see the Real-time Threat Feeds documentation.
Configure threat feeds: Set up and query a DomainTools threat feed in Splunk ES
These steps will guide you through adding the new threat intelligence source to Splunk ES.
1. Navigate to threat intelligence management
In Splunk ES, navigate from the top menu bar: Configure > Threat Intelligence Management.
2. Create a new threat source
On the Threat Intelligence Sources page, click the New button, then select Line Oriented.
3. Configure general settings
Fill out the fields with the details of your threat feed.
- Name: A unique name for this feed. This name becomes the value in the threat_key field, which is critical for searching. Example: nod_domains_feed
- Description: A clear description of the feed's purpose. Example: Newly Observed Domains from DomainTools API.
- Type: domain (the indicator type this feed provides).
- URL: The full URL of the threat feed API endpoint. Example: https://api.domaintools.com/v1/feed/nod/?api_key=<APIKEY>&api_username=<APIUSER>&after=-60
- Weight: A number that helps in calculating risk scores for assets that match this intelligence. Example: 60
- Interval: How often Splunk should fetch the feed, in seconds. Example: 60 (for 60 seconds).
- Max Age: (Optional) How long indicators from this feed should be retained. Use s, m, h, or d for time units. Example: -30d (to keep indicators for 30 days).
- Max Size: (Optional) The maximum download size in bytes. Example: 104857600 (for 100 MB).
4. Configure parsing settings
This section tells Splunk how to extract the domain and timestamp from each line of the feed.
- File Parser: auto
- Delimiting regular expression: Leave empty since each line is a self-contained event (a single JSON object).
- Extracting regular expression: A regular expression to capture the necessary values. Use the following: {"timestamp":"([^"]+)","domain":"([^"]+)"}
- Ignoring regular expression: Leave empty.
- Fields: This maps the captured groups from your regex to Splunk fields. Example: timestamp:$1, domain:$2
- Skip header lines: 0 (NOD has no header).
5. Save and enable
- Click Save.
- Find your new feed in the list and ensure it is Enabled. Splunk begins downloading and processing the feed on the schedule you set.
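The parsing settings above (the extracting regular expression, the timestamp:$1, domain:$2 field mapping, and the -30d Max Age) can be checked offline before the feed is enabled. The following Python is an added example written for this page, not code from DomainTools or Splunk; it applies the same regex to a handful of constructed feed lines (not real feed output) and mimics the retention cutoff. The ISO 8601 form of the timestamp value is an assumption, since the page only says the regex captures whatever is between the quotes.

```python
import re
from datetime import datetime, timedelta, timezone

# The extracting regular expression from the parsing settings. The braces are
# escaped here for Python's re module; Splunk takes the form shown on the page.
EXTRACTING_RE = re.compile(r'\{"timestamp":"([^"]+)","domain":"([^"]+)"\}')

# Fields setting: timestamp:$1, domain:$2 (capture group numbers).
FIELDS = {"timestamp": 1, "domain": 2}

# Constructed sample of line-oriented feed output; NOT real feed data.
SAMPLE_FEED = """{"timestamp":"2025-08-21T10:03:45Z","domain":"login-secure-example.com"}
{"timestamp":"2025-08-21T10:03:47Z","domain":"brand-update.example"}
this line is not a JSON object and should be skipped
{"domain":"missing-timestamp.example"}
{"timestamp":"2025-06-01T00:00:00Z","domain":"old-indicator.example"}
"""


def parse_feed(text: str, skip_header_lines: int = 0):
    """Apply the extracting regex line by line and map capture groups to field names."""
    records = []
    for line in text.splitlines()[skip_header_lines:]:
        m = EXTRACTING_RE.search(line)
        if not m:
            continue  # a line the regex does not match yields no indicator
        records.append({name: m.group(idx) for name, idx in FIELDS.items()})
    return records


def parse_max_age(spec: str) -> timedelta:
    """Parse a Max Age value such as -30d (units s, m, h, d as on the page)."""
    m = re.fullmatch(r"-?(\d+)([smhd])", spec.strip())
    if not m:
        raise ValueError(f"unsupported max age: {spec!r}")
    count, unit = int(m.group(1)), m.group(2)
    unit_name = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}[unit]
    return timedelta(**{unit_name: count})


def filter_max_age(records, max_age: timedelta, now: datetime):
    """Keep only indicators whose timestamp is within max_age of now.

    ASSUMPTION: timestamps are ISO 8601 UTC strings like 2025-08-21T10:03:45Z.
    """
    cutoff = now - max_age
    kept = []
    for rec in records:
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if ts >= cutoff:
            kept.append(rec)
    return kept


if __name__ == "__main__":
    now = datetime(2025, 8, 21, 12, 0, tzinfo=timezone.utc)
    recs = parse_feed(SAMPLE_FEED)
    print(len(recs), "indicators parsed")
    print(filter_max_age(recs, parse_max_age("-30d"), now))
```

Note that the regex requires the timestamp key to come before the domain key on each line; a line with the keys in another order, or with a key missing, produces no indicator, which is why checking a real sample of the feed against the regex before enabling the source is worthwhile.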
Verify and test query threat feeds
1. Run diagnostic queries to find the "ground truth"
The Splunk UI sometimes uses different field names than what is stored in the raw data. The following queries bypass all abstractions and show you the real data. Run these queries with the time range picker set to "All time".
- Inspect the Raw Data Collection. This query looks directly inside the KV Store collection for IP/domain intelligence.
2. Analyze the output
The results of this query will show you the true field names. You will likely see:
- domain: The domain indicator.
- time: A long number (like 1755770625). This is the Unix Epoch timestamp.
- threat_key: The name you gave the feed in the setup (e.g., nod_domains_feed).
This is the most important step. It confirms that you must search using threat_key.
3. Run your test SPL queries
Now that you know the correct field names, you can build reliable queries.
Query 1: See the 100 most recent domains from your feed
This is the primary query for viewing your latest indicators.
| inputlookup ip_intel
| search threat_key="nod_domains_feed"
| sort - time
| head 100
| eval _time=time
| table _time, domain, threat_key
Query 2: Check if a specific domain is on your threat list
Use this to see if a known-bad domain has been imported.
| inputlookup ip_intel
| search threat_key="nod_domains_feed" AND domain="some-malicious-domain.com"
Query 3: Find domains containing a specific keyword
This is useful for hunting threats related to a specific brand or term.
Enable the Parsed Domain RDAP API
The Parsed Domain RDAP API is a lookup service and is separate from the Parsed Domain RDAP Feed described previously.
Return Parsed Domain RDAP API results with the dtparseddomainrdap search command. This command supports only the domain parameter.
Modify default DomainTools thresholds
This section defines thresholds used in creating dashboard KPIs and alerts (if enabled) throughout the app.
Consult the Domain Risk Score User Guide to interpret risk scores.
- Risk Score Threshold (default value of 75): DomainTools Risk Score used when defining a "suspicious" domain in dashboard KPIs and creating alerts (if enabled) throughout the app.
- Young Domain Age (default value of 7 days): Newly registered domains are often an indicator of interest. Specify the age threshold in days for a domain to be included in dashboards and optionally alerting.
- Guided Pivot Threshold (default value of 500): When a small set of domains share an attribute (for example, registrar), that attribute can often be pivoted on to find other similar domains of interest. DomainTools tracks how many domains share each attribute and can highlight it for further investigation when the number of domains is beneath the set threshold.
- High Risk Threshold (default value of 90): Used by the Risky Observed Domains graph on the Intelligence Dashboard. This sets the minimum DomainTools Risk Score for flagging a domain as High Risk in this graph. Higher risk scores indicate riskier domains.
- Medium Risk Threshold (default value of 70): Used by the Risky Observed Domains graph on the Threat Intelligence Dashboard. This sets the minimum DomainTools Risk Score for flagging a domain as Medium Risk in this graph. Higher risk scores indicate riskier domains.
Configure domain monitoring with Iris tags
If you use the Iris investigation platform for domain investigations, you can monitor for domains that are associated with tags your team has applied within Iris, optionally alerting when a tagged domain is observed in Splunk.
To monitor for Iris-tagged domains in Splunk, visit Monitoring → Manage Monitored Tags and add the tags to be placed on the proactive monitoring list. Once tags are added, domains that share the same tag in Iris are monitored in Splunk.
Configure Iris Detect
Ensure your API key is provisioned for Iris Detect. Visit DT Settings → API Keys and select Test Connection; the result lists the Iris Detect APIs the key can access.
The DomainTools App requires the following APIs for base product capability:
- iris-enrich
- iris-investigate
- iris-detect-monitors: required for read-only access to the configured monitored Iris Detect terms within Splunk.
- iris-detect-new-domains: required for read-only access to the new domains matching monitored terms within Splunk.
- iris-detect-watched-domains: read-only access required to access the list of domains marked as "watched" in Iris Detect and pull updates to that list. Optionally, synchronize those domains with the Splunk Monitoring List.
Optionally enable:
- iris-detect-manage-watchlist-domains: useful for triaging domains, adding them to the Iris Detect Watchlist to track changes to domain infrastructure over time.
- iris-detect-escalate-domains: used to enable additions to the blocklist and submissions to Google Safe Browsing.
Iris Detect capability works without the optional permissions, but a user receives an error if they attempt to watch, block, escalate, or ignore a domain within the Iris Detect Results panel.
To configure Iris Detect monitors on the Iris Detect page (Monitoring → Iris Detect), first make sure that the DomainTools - Import Iris Detect Monitors and DomainTools - Import Iris Detect Results saved searches are enabled (DT Settings → Configure Saved Searches).
An Iris Detect Monitored Term (also referred to as "terms") refers to the series of characters being searched against new domain observations. A term is the basis for an Iris Detect Monitor. It is frequently used as a company or brand name. Adding and editing monitors can currently only be done within the Iris Detect UI.
Import new Iris Detect monitored terms
Refresh the list of monitored terms in one of two ways:
- Select the Refresh Now button on the Iris Detect Monitored Terms page to import any new terms.
- Under DT Settings → Configured Saved Searches, assign an update frequency to the DomainTools - Import Iris Detect Monitors saved search to sync daily or weekly.
Read the Iris Detect monitored terms table
In the Monitoring → Iris Detect Monitored Terms pane:
- Term: The term itself as it appears in Iris Detect. Adding and editing monitored terms can currently only be done within the Iris Detect UI.
- Monitor Last Updated In Splunk: The date when the monitor was refreshed, either manually or via the Daily or Weekly detections. Click "Refresh Now" to force a manual refresh.
- Import Daily Detections in Splunk: Select the term(s) to import Iris Detect-monitored domains into Splunk so they show up on the Monitoring → Iris Detect Dashboard page.
Import new Iris Detect results
The Iris Detect Dashboard contains the list of new or changed domains matching the enabled monitored terms. The Iris Detect API allows up to hourly synchronization.
Synchronize Iris Detect results in one of two ways:
- Select the Refresh Iris Detect Results button on the Iris Detect Dashboard to manually import new domains.
- Under DT Settings → Configured Saved Searches, assign an update frequency to the DomainTools - Import Iris Detect Results saved search. The default schedule is every 2 hours. Note that the DomainTools Iris Detect API is limited to an hourly refresh frequency.
Add domains to the allowlist
Add your list of trusted domains, within your security operations workflow, to help reduce noise and false positives when creating alerts based on domain monitoring.
To add or remove domains in the Allowlist, visit DT Settings → Manage Allowlist and select the allowlist behavior:
- Exclude from alerts and dashboards (default): Domains in the allowlist won't be counted towards dashboard visuals or alerts, if configured.
- Exclude from alerts: Domains won't be alerted on (applies to users of Splunk Enterprise Security only), but will still appear in dashboard visuals.
- Exclude from dashboards: Domains won't appear in dashboard visuals but will still appear in alerts (applies to users of Splunk Enterprise Security only).
- Exclude from all enrichment: Fully ignores the domain in all enrichment, alerts, and visuals.
- Do Nothing: Allowlist is informational only. Domains remain enriched, alerted upon, and appear in dashboard visuals. This setting can be helpful for temporary use when debugging.
Successfully added domains will show in the Allowlist along with Domain Name, Last Updated Date Time, Last Updated By, Added Date Time, Added By, and Action.
Next steps
After you configure advanced features, explore:
- Dashboards - View threat intelligence and monitor suspicious domains
- Investigation Tools - Use Domain Profile, Iris Investigate, and Farsight DNSDB