Installation guide
Getting started
Install the DomainTools App on a search head or within a search head cluster. A search head is a Splunk component that handles search requests and presents results to users. This app has been tested with the recommended Splunk deployment model for apps in a clustered environment, including distributed configuration.
Review the Splunk docs on app installation and configuration in a clustered environment. See how to propagate search head cluster configuration changes.
After configuration, wait 10-15 minutes for the enrichment process to start populating the dashboards. Enrichment adds threat intelligence data to your domain observations. The app enriches new events every 5 minutes by default.
Prerequisites
- Splunk Enterprise Security (ES) or Splunk (non-ES).
- A DomainTools API key with access to the Iris Enrich API and Iris Investigate API.
  - App capabilities are still available without these, but management of Iris Investigate monitors, importing Iris Investigate and Detect terms, and ingesting Iris Investigate and Detect discoveries into Splunk won't be available.
- Firewall and networking
  - Splunk must be able to reach api.domaintools.com.
- Splunk credentials and permissions
  - You need a Splunk account with admin access to install and configure the app. After installation, most user functions should be available with less privileged accounts.
  - The user account operating the app needs the list_storage_passwords capability. You may need the admin role to access Splunk's password storage.
  - You need write privileges to update internal stores; for the list of KV stores and their descriptions, consult the KV store names table below.
- Prior versions uninstalled
  - We recommend you uninstall any prior 3.x or 4.x versions of the DomainTools App and perform a fresh installation.
  - For best results, use the Splunk web UI to uninstall previous versions, and then remove any remaining DomainTools folders (for example, in /opt/splunk/etc/apps/, run rm -rf DomainTools-App-for-Splunk/).
Install the DomainTools App
Consult the Splunk Documentation for information about the Splunk platform.
The latest app is available on Splunkbase.
- For Splunk Cloud deployments, install apps on your Splunk Cloud Platform deployment using the self-service app installation process directly from Splunkbase.
- For on-prem distributed environments, deploy the DomainTools App to both indexer and search head cluster members using the standard process for deploying apps and add-ons to clusters.
Detailed installation steps
- Obtain the latest version of the DomainTools App from Splunkbase.
- Identify the server with the deployer role.
- Obtain admin and console access to the server, then SSH into the deployer.
- If performing a fresh install, skip this step: remove the existing app bundle from the deployer.
- scp the tar file to the deployer's /tmp directory.
- Extract the app to the directory.
- Restart the app.
- If performing a fresh install, skip this step: on the deployer, remove the app from /opt/splunk/etc/shcluster/apps.
- Ensure correct permissions are used.
- Copy the new app directory into /opt/splunk/etc/shcluster/apps.
- Run the deploy command as the splunk user.
- Push the app out to the search head cluster.
  - The target is the private IP (management URI) of any one of the search heads in the cluster.
  - Use admin credentials if prompted.
  - The admin password is the default (SPLUNK-<instance-id>), where instance-id is the instance ID of the deployer.
- Verify the app is deployed by SSHing into one of the search heads and running a status check. Example output:

    [splunk@ip-172-16-01-xxx ~]$ /opt/splunk/bin/splunk show shcluster-status
    Captain:
        dynamic_captain : 1
        elected_captain : Wed Nov 20 15:56:03 2023
        id : D6327B1F-6898-477D-928E-xxx
        initialized_flag : 1
        label : ip-172-16-01-xxx
        mgmt_uri : https://hostname:8089
        min_peers_joined_flag : 1
        rolling_restart_flag : 0
        service_ready_flag : 1
    Members:
        ip-172-16-01-xxx
            label : ip-172-16-01-xxx
            mgmt_uri : https://hostname:8089
            mgmt_uri_alias : https://172.16.1.xxx:8089
            status : Up

- Log in to your Splunk instance and verify you can see the DomainTools app installed.
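The staging, push and verification steps above, collected into one shell script as an added example (this is not DomainTools' or Splunk's own code). It assumes SPLUNK_HOME is /opt/splunk, that the Splunkbase tarball unpacks to a DomainTools-App-for-Splunk/ directory, and that Splunk runs as the splunk user; the function names check_bundle, stage_bundle, push_bundle and members_all_up are illustrative. Before anything is extracted into shcluster/apps, the archive is listed and rejected if any member lives outside the expected app directory or carries absolute or ".." path components, so a mislabeled or tampered bundle cannot write elsewhere on the deployer. The Splunk CLI calls used are `splunk apply shcluster-bundle` (the deploy command) and `splunk show shcluster-status` (the status check).

```shell
#!/usr/bin/env bash
# Added example: stage a DomainTools app bundle on a search head cluster deployer,
# push it to the cluster, and verify member status. Not DomainTools' or Splunk's code.
# Assumptions: SPLUNK_HOME=/opt/splunk, the tarball unpacks to DomainTools-App-for-Splunk/,
# and Splunk runs as the "splunk" user. Set DRY_RUN=1 to print commands instead of running them.
set -eu

SPLUNK_HOME="${SPLUNK_HOME:-/opt/splunk}"
SHC_APPS="$SPLUNK_HOME/etc/shcluster/apps"
APP_NAME="DomainTools-App-for-Splunk"
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# List the tarball before extracting it: every member must sit under APP_NAME/ with
# no absolute paths and no ".." components. An unreadable archive (no members) also fails.
check_bundle() {
  local tarball="$1"
  tar -tzf "$tarball" | awk -v app="$APP_NAME" '
    { sub(/^\.\//, ""); n++ }
    /^\// || /(^|\/)\.\.(\/|$)/ { bad = 1 }
    index($0, app "/") != 1 { bad = 1 }
    END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Replace any prior copy of the app under shcluster/apps with the new bundle and fix ownership.
stage_bundle() {
  local tarball="$1"
  check_bundle "$tarball" || { echo "refusing: unexpected paths in $tarball" >&2; return 1; }
  if [ -d "$SHC_APPS/$APP_NAME" ]; then
    run rm -rf "$SHC_APPS/$APP_NAME"   # nothing to remove on a fresh install
  fi
  run tar -xzf "$tarball" -C "$SHC_APPS"
  run chown -R splunk:splunk "$SHC_APPS/$APP_NAME"
}

# Push the bundle. TARGET is the management URI of any one search head member,
# e.g. https://172.16.1.10:8089. The CLI prompts for admin credentials, which keeps
# the password out of shell history and process listings.
push_bundle() {
  local target="$1"
  run "$SPLUNK_HOME/bin/splunk" apply shcluster-bundle -target "$target"
}

# Read `splunk show shcluster-status` output on stdin; succeed only if at least one
# member is listed under "Members:" and every member reports "status : Up".
members_all_up() {
  awk '
    /^Members:/ { in_members = 1; next }
    in_members && /^[ \t]*status[ \t]*:/ { n++; if ($NF != "Up") bad = 1 }
    END { exit (n > 0 && !bad) ? 0 : 1 }'
}

# Typical use on the deployer, as the splunk user:
#   stage_bundle /tmp/DomainTools-App-for-Splunk.tgz
#   push_bundle https://172.16.1.10:8089
# Then on a search head:
#   /opt/splunk/bin/splunk show shcluster-status | members_all_up && echo "all members Up"
```

Run with DRY_RUN=1 first to see exactly which rm, tar and chown commands would execute against shcluster/apps; the status parser is deliberately strict, so a cluster with zero listed members or any member not reporting Up is treated as not yet deployed.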

Splunk Cloud
The DomainTools app is vetted and available for Splunk Cloud. Please follow the instructions to Install apps on your Splunk Cloud Platform deployment to add or update it on your Splunk Cloud installation.
On-premise installation
For on-premise installation, first follow the distributed installation instructions for Indexer Clusters.
Add a DomainTools API key and optional Farsight API key
Enter your DomainTools API credentials in DT Settings → API Keys. DomainTools API credentials are available from your organization's API administrator. Your Account Manager or DomainTools Enterprise Support enterprisesupport@domaintools.com can ensure your API key is appropriately provisioned.
Use this section to also configure proxies and SSL.
When you save new API credentials, the system prompts you to enable default saved searches.
Next steps
After installation, configure the app:
- Base Configuration - Configure your base search and saved searches
- Advanced Features - Enable threat feeds, alerts, and Iris Detect