Skip to content

Custom search commands

The DomainTools App provides custom search commands that extend Splunk's capabilities with DomainTools threat intelligence and investigation features.

Extend DomainTools commands

This reference lists all the commands available with the DomainTools application. The frequently used commands are defined below, followed by parameter definitions.

dtdomainextract

Extracts a domain from a URL field using tldextract. Ensures DomainTools APIs receive proper domain input.

  • Syntax: \| dtdomainextract field_in=string field_out=string include_subdomains=bool feature=string
  • Parameters:
  • field_in (required)
  • field_out (required)
  • include_subdomains (optional)
  • feature (optional)
  • Example: \| dtdomainextract field_in=url field_out=domain

dtirisenrich

Queries Iris Enrich for up to 100 comma-separated domains. Use inline_results to keep event data inline.

  • Syntax: \| dtirisenrich domain=string inline_results=string feature=string
  • Parameters:
  • domain (required)
  • inline_results (optional)
  • feature (optional)
  • Example: \| makeresults \| eval domain="domaintools.com" \| dtirisenrich domain=domain inline_results=true

dtirisinvestigate

Queries Iris Investigate for up to 100 domains, or pivots on domain attributes for further investigation.

  • Syntax: \| dtirisinvestigate domain=string pivot_type=string pivot_value=string feature=string no_cache=bool
  • Parameters:
  • domain (optional)
  • pivot_type (required)
  • pivot_value (required)
  • feature (optional)
  • no_cache (optional)
  • Example: \| dtirisinvestigate pivot_type="ip" pivot_value="x.x.x.x"

dtformatinvestigate

Formats JSON returned by Iris Investigate into a row with component names.

  • Syntax: \| dtformatinvestigate output=string feature=string
  • Parameters:
  • output (required)
  • feature (optional)
  • Example: \| dtirisinvestigate domain="domaintools.com" \| dtformatinvestigate output=risk

dtdnsdb

Queries DNSDB for Passive DNS information on IP, Domain, Hostname, or Subnet.

  • Syntax: \| dtdnsdb target=ip/hostname type=rdata/rrset/raw rrtype=a/aaa/cname/etc time_first_before=time time_first_after=time time_last_before=time time_last_after=time target_type=auto/ip/name bailiwick=bailiwick
  • Parameters:
  • target (required)
  • type (required)
  • rrtype (required)
  • bailiwick (optional)
  • time_first_before (optional)
  • time_first_after (optional)
  • time_last_before (optional)
  • time_last_after (optional)
  • target_type (optional)
  • Example: \| dtdnsdb target=domaintools.com target_type=domain type=rdata rrtype=CNAME

dtdnsdbflex

Performs a DNSDB Passive DNS Flexible Search.

  • Syntax: \| dtdnsdbflex query_type=<rdata\|rrnames> match_type=<glob\|regex> query=<pattern> rrtype=A/mx/cname/etc bailiwick=bailiwick time_first_before=time time_first_after=time time_last_before=time time_last_after=time
  • Parameters:
  • query_type (required)
  • match_type (required)
  • query (required)
  • rrtype (required)
  • bailiwick (optional)
  • time_first_before (optional)
  • time_first_after (optional)
  • time_last_before (optional)
  • time_last_after (optional)
  • Example: \| dtdnsdbflex query_type=rdata match_type=regex query="[0-9]{5,6}-ledger\.com\.$"

dtdnsdblimit

Returns the DNSDB API query limit, queries remaining, and reset time.

  • Syntax: \| dtdnsdblimit
  • Parameters: (none)
  • Example: \| dtdnsdblimit

dtdnsdbenrich

Enriches Splunk events from a query with Passive DNS information from Farsight DNSDB.

  • Syntax: \| dtdnsdbenrich field_in=string field_type=domain/ip/raw lookup_type=rrset/rrdata max_count=int time_first_before=time time_first_after=time time_last_before=time time_last_after=time rrtype=any/A/ns/... bailiwick=string include_subdomains=bool
  • Parameters:
  • field_in (required)
  • field_type (required)
  • lookup_type (required)
  • max_count (optional)
  • rrtype (optional)
  • bailiwick (optional)
  • time_first_before (optional)
  • time_first_after (optional)
  • time_last_before (optional)
  • time_last_after (optional)
  • include_subdomains (optional)
  • feature (optional)
  • Example: \| dtdnsdbenrich field_in=domain field_type=domain lookup_type=rrset rrtype=A include_subdomains=true time_first_after=1593070040

dtwhoishistory

Performs a WHOIS history search on a given domain.

  • Syntax: \| dtwhoishistory domain=string mode=string
  • Parameters:
  • domain (required)
  • mode (required)
  • sort (optional)
  • feature (optional)

Example searches

Set up a recurring search in Splunk using an Iris Investigate search hash

| dtirisinvestigate pivot_type=search_hash pivot_value=U2FsdGVkX196b8iZhQooljda3uKOGzja/B4HY8cyDzz0EOGg5/8CQutnvoxO3KXfkrAjiCVk//8P5JW3aot3V48dDF65m6tMLls9oKnq0kdjmTA6wb1j1yYFUESK6K3/WbVpftsVtr15qmrcXM0xWrIYlpl01b6SBCheVhm+g5MrXLqQ/0bTkihLTtO9OMO5tuzHS8ik/8wkN7THUN/PEN9Sj9E5cFpRb8qojjGAktWj7DLuSbPTfD+hv/qoZTS3 no_cache=true
| eval json = replace(_raw, "^[^\{]+", "")
| spath input=json path=first_seen.value
| rename first_seen.value as first_seen
| table first_seen domain
| collect index=summary_index_icloud
  • This example search is using the Iris Investigate command to look up domains containing the substring "icloud" that have been first seen within the last 7 days.
  • The output is parsed and put into a table before being collected in a summary index as well. The search could then be saved as a report within Splunk and set up for weekly recurring updates.
  • For further documentation on scheduling a report, please see the Reporting Manual in Splunk documentation.
| eval thirty_days_ago=relative_time(now(), "-30d@d")
| eval thirty_days_ago_unix=thirty_days_ago
| dtdnsdbflex query_type=rrnames match_type=regex query="-icloud\.(net|com)\.$" rrtype=A time_last_after=thirty_days_ago_unix
  • This example search is using the DNSDB Flexible Search command to look up domains that match a specific pattern.
  • For this example, whenever the search executes it looks for domains matching the regular expression pattern last observed in DomainTools' DNS sensor network over the past 30 days.
  • Note: Creating a relative Unix timestamp and storing it in a variable establishes a relative time fence. This ensures the time window shifts appropriately with the schedule, such as in a report.
  • For further documentation on scheduling a report, please see the Reporting Manual in Splunk documentation.
  • For further documentation on how to use regular expressions with the DNSDB flexible search command visit the regular expression user guide.