DomainTools App (v5.4) for Splunk Cloud, Enterprise, and Enterprise Security

Overview

The DomainTools App for Splunk provides direct access to DomainTools’ industry-leading threat intelligence data, predictive risk scoring, and critical tactical attributes to gain situational awareness of malicious domains inside Splunk.

For help with the Splunk app and features, visit Splunk technical documentation. The DomainTools App for Splunk is on Splunkbase at https://splunkbase.splunk.com/app/5226. Note the separate DomainTools App for Splunk SOAR.

Release Notes for 5.4

DomainTools App for Splunk 5.4 is the General Availability (GA) release of our app for Splunk, Splunk Enterprise, and Splunk Cloud.

Prior 5.x release notes

New in 5.4

Updated in 5.4

  • 206 response handling: instead of timing out on large data sets, the app now retrieves the entire data set using multiple API calls. Consult the Feeds documentation for information about 206 (Partial Content) responses.
  • Python updated to 3.9 for Splunk SDK

Fixed in 5.4

  • Setup logger (splunk.setupSplunkLogger) only runs when enabled

Getting Started

The DomainTools App is designed to be installed on a search head or within a search head cluster. It has been tested with the recommended Splunk deployment model for apps in a clustered environment, including distributed configuration.

Review the Splunk docs on app installation and configuration in a clustered environment, including the page on Distributed Search.

Allow 10-15 minutes after configuration for the enrichment process to start populating the dashboards. New events will be enriched every 5 minutes by default.

Prerequisites

  • Splunk Enterprise Security (ES) or Splunk (non-ES).
  • DomainTools API key access to the Iris Enrich API and Iris Investigate API.
    • App functionality is still available without these, but management of Iris Investigate monitors, importing Iris Investigate and Detect terms, and ingesting Iris Investigate and Detect discoveries into Splunk will be unavailable
  • Firewall and networking
    • api.domaintools.com must be reachable by Splunk.
  • Splunk credentials and permissions
    • A Splunk account with admin access is required to install and configure the app
    • After installation, most user functions should be available with less privileged accounts
    • The list_storage_passwords privilege is required for the user account operating the app
    • The admin role may be required to access Splunk's password storage
    • Write privileges are required to update internal stores; for the list of KV stores and descriptions, consult the kv store names table below
  • Prior Versions Uninstalled
    • We recommend uninstalling any prior 3.x or 4.x versions of the DomainTools App and performing a fresh installation
    • For best results, use the Splunk web UI to uninstall previous versions, and then remove any remaining DomainTools folders (e.g., /opt/splunk/etc/apps/ $ rm -rf DomainTools-App-for-Splunk/)

Install the DomainTools App

Consult the Splunk Documentation for information about the Splunk platform.

The latest app is available on Splunkbase.

Detailed installation steps
  1. Obtain the latest version of the DomainTools App from Splunkbase.
  2. Identify the server with the deployer role.
  3. Obtain admin and console access to the server, then ssh into the deployer server.
  4. If performing a fresh install, skip this step: remove the existing app bundle from the deployer.
# from deployer
/opt/splunk/etc/apps/ $ rm -rf DomainTools-App-for-Splunk/
  5. scp the tar file to the deployer's /tmp directory.
# from local
scp -i ~/.ssh/**.pem ./domaintools-App-for-splunk_xxx.tgz user@hostname:/tmp
  6. Extract the app into the apps directory and give the splunk user ownership of it.
/tmp $ sudo tar -xvf domaintools-App-for-splunk_xxx.tgz -C /opt/splunk/etc/apps/
$ sudo chown -R splunk:splunk /opt/splunk/etc/apps/DomainTools-App-for-Splunk/
  7. Restart Splunk on the deployer.
$ sudo /opt/splunk/bin/splunk restart
  8. If performing a fresh install, skip this step: on the deployer, remove the old app from /opt/splunk/etc/shcluster/apps.
/opt/splunk/etc/shcluster/apps/ $ sudo rm -rf DomainTools-App-for-Splunk/
  9. Copy the new app from /opt/splunk/etc/apps/ into the cluster bundle directory.
/opt/splunk/etc/shcluster/apps/ $ sudo cp -r /opt/splunk/etc/apps/DomainTools-App-for-Splunk/ ./
  10. Ensure the copied bundle has the correct ownership.
$ sudo chown -R splunk:splunk /opt/splunk/etc/shcluster/apps/DomainTools-App-for-Splunk/
  11. Switch to the splunk user; the deploy command must be run as that user.
sudo su - splunk
  12. Push the bundle out to the search head cluster.
    1. The target is the management URI (private IP, port 8089) of any one of the search heads in the cluster.
    2. Use admin credentials if prompted. The default admin password is SPLUNK-<instanceid>, where instanceid is the instance ID of the deployer.
    3. Passing -auth on the command line leaves the password in shell history and visible in the process list; if you omit -auth, the splunk CLI prompts for the username and password instead.
/opt/splunk/bin/splunk apply shcluster-bundle -target https://172.16.1.xxx:8089 -auth <user>:<password>
  13. Verify the app is deployed by SSHing into one of the search heads and running a cluster status check. Example output:
[splunk@ip-172-16-01-xxx ~]$ /opt/splunk/bin/splunk show shcluster-status
Captain:
    dynamic_captain : 1
    elected_captain : Wed Nov 20 15:56:03 2023
    id : D6327B1F-6898-477D-928E-xxx
    initialized_flag : 1
    label : ip-172-16-01-xxx
    mgmt_uri : https://hostname:8089
    min_peers_joined_flag : 1
    rolling_restart_flag : 0
    service_ready_flag : 1

Members:
 ip-172-16-01-xxx
    label : ip-172-16-01-xxx
    mgmt_uri : https://hostname:8089
    mgmt_uri_alias : https://172.16.1.xxx:8089
    status : Up
  1. Log in to your splunk instance and verify you can see the DomainTools app installed:

DomainTools App shown on a successful installation

Splunk Cloud Deployment

The DomainTools app is vetted and available for Splunk Cloud. Please follow the instructions to Install apps on your Splunk Cloud Platform deployment to add or update it on your Splunk Cloud installation.

On-Premise Installation

For on-premise installation, first follow the instructions outlined here for Indexer Clusters.

Add a DomainTools and Optional Farsight API Key

Enter your DomainTools API credentials in DT Settings → API Keys. DomainTools API credentials are available from your organization’s API administrator. Your Account Manager or DomainTools Enterprise Support (enterprisesupport@domaintools.com) can ensure your API key is appropriately provisioned.

Use this section to also configure proxies and SSL.

Saving new API credentials will prompt you to enable default saved searches.

Configuration

The following sections go into additional detail to help configure the application to provide the most value in your environment.

The base search is an SPL (Splunk's Search Processing Language) Query that defines which log sources are monitored by the DomainTools App. It outputs the required fields the DomainTools App uses to populate dashboards and enrich events. The app includes a pre-configured, performance-optimized base query. This query will work well in environments where data sources are Common Information Model (CIM) compliant.

To configure the base search, go to DT Settings → Configure Log Source. The base search outputs the fields url, src, dest, log_source, domain, and _time; domain and _time are required, and the others are optional but recommended because they add context to enriched events.

Expanding the base search

First, identify relevant CIM-compliant data sources for ingestion. It may be data sources already configured to use web proxy events, for example. If your base search involves working with relevant data sources that are not CIM-compliant, please go to the Configuring Base Search Using the Custom SPL section.

To use the pre-configured query:

  1. Go to DT Settings → Configure Log Source page.
  2. Confirm the details of the pre-configured Splunk search query.

The app natively supports logs with multivalue URLs contained in a single event entry, commonly seen in Proofpoint logs. Users who previously may have used mvexpand url to workaround this issue can remove that command to have the urls more accurately reported as a single event.

A regex-based dtdomainextract2 macro is available for high-throughput environments and can significantly increase the performance of the url-to-domain conversion, with a slight trade-off in accuracy. Notably, hostnames under wildcard and exception TLD rules of the Public Suffix List (e.g. *.np, !city.kawasaki.jp) can have a public suffix misidentified as the domain. Note that mvexpand url is still needed with dtdomainextract2 in environments processing multivalue URLs. The updated base search would look like this:

tstats summariesonly=true count FROM datamodel=Web BY Web.url Web.src Web.dest source _time | rename Web.url AS url | rename Web.src AS src | rename Web.dest AS dest | rename source AS log_source | mvexpand url | `dtdomainextract2` | eval domain=lower(domain) | fields url src dest log_source domain _time
  3. If needed, customize the pre-configured base search to ensure the required fields are available.
  4. Select the Save button.
  5. Select the Timeframe for the Base Search.

Base search requirements and recommendations:

  • domain and _time are required output fields to operate the app.
  • We recommend adding the optional fields Source, Destination, and Log Source in your base search. They provide additional contextual information on the events. The app will also not error out in the absence of these fields.

Performance considerations:

  • The Web data model must have acceleration turned on.
  • If acceleration is not turned on, yet data has been mapped to the CIM, you can modify the base search to use summariesonly=false with some potential degradation in performance.

If the domain is already extracted in your CIM data, you can remove the dtdomainextract macro from your base search, which further improves performance.

Configuring the base search with custom SPL

Configuring Base Search using your own custom Search Processing Language query (SPL) may be necessary if data is not yet CIM compliant, or input data sources are from ingested data from several different sources.

First, identify relevant data sources for ingestion. It may contain URLs or hostnames, in addition to domain names. IP addresses are not supported for processing with this app.

The DomainTools solution provides data on domain names, not IPs, subdomains, or full URLs. IPs sent to the Iris APIs will not return useful data and consume rate-limited resources. Querying a URL will result in inconsistent results. The default base search converts URLs to apex domains for the enrichment.
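The URL-to-apex-domain conversion described above, and the accuracy trade-off noted earlier for the regex-based dtdomainextract2 macro on wildcard and exception TLDs such as *.np and !city.kawasaki.jp, as an added Python example. This is not code from the DomainTools app or its macros: the Public Suffix List excerpt, the URLs, and the function names are constructed for the demonstration, and the rule matching follows the Public Suffix List algorithm (exception rules win, otherwise the longest matching rule, wildcard matching one label).

```python
# Added example, not part of the DomainTools app or its macros: URL -> apex
# (registrable) domain extraction that honours Public Suffix List (PSL)
# wildcard and exception rules, beside the "last two labels" shortcut that a
# fast regex macro takes. The PSL excerpt below is a constructed subset.
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed PSL excerpt: "*.np" is a wildcard rule (any single label under
# np is a public suffix); "!city.kawasaki.jp" is an exception to "*.kawasaki.jp".
PSL_RULES = ["com", "net", "org", "jp", "uk", "co.uk",
             "*.np", "*.kawasaki.jp", "!city.kawasaki.jp"]

PLAIN = {r for r in PSL_RULES if not r.startswith(("!", "*."))}
WILDCARD = {r[2:] for r in PSL_RULES if r.startswith("*.")}
EXCEPTION = {r[1:] for r in PSL_RULES if r.startswith("!")}


def hostname_of(url):
    """Lowercased hostname from a URL or bare host; None for IP literals."""
    url = url.strip()
    if "://" not in url:
        url = "//" + url           # lets urlsplit see a netloc without a scheme
    host = urlsplit(url).hostname  # strips userinfo and port, lowercases
    if not host:
        return None
    host = host.rstrip(".")
    try:
        ipaddress.ip_address(host)
        return None                # IPs give the Iris APIs nothing useful
    except ValueError:
        return host


def apex_domain(url):
    """Registrable domain per the PSL rules, or None if the host is only a suffix."""
    host = hostname_of(url)
    if host is None:
        return None
    labels = host.split(".")
    suffix_len = 1                 # implicit "*" rule: the TLD alone is a suffix
    for n in range(1, len(labels) + 1):
        tail = labels[-n:]
        candidate = ".".join(tail)
        if candidate in EXCEPTION:
            return candidate       # exception rules win: the name itself is registrable
        if candidate in PLAIN:
            suffix_len = max(suffix_len, n)
        elif n >= 2 and ".".join(tail[1:]) in WILDCARD:
            suffix_len = max(suffix_len, n)
    if len(labels) <= suffix_len:
        return None                # e.g. "com.np" is a public suffix, not a domain
    return ".".join(labels[-(suffix_len + 1):])


def naive_domain(url):
    """What a last-two-labels regex returns; wrong under wildcard/exception rules."""
    host = hostname_of(url)
    if host is None:
        return None
    m = re.search(r"([^.]+\.[^.]+)$", host)
    return m.group(1) if m else None


def extract_domains(urls):
    """Unique apex domains from a multivalue url field, in first-seen order."""
    seen = []
    for u in urls:
        d = apex_domain(u)
        if d and d not in seen:
            seen.append(d)
    return seen


if __name__ == "__main__":
    # Constructed sample values of the kind a proxy log's url field carries.
    for u in ["https://WWW.Example.COM:8443/login", "www.city.kawasaki.jp",
              "foo.bar.kawasaki.jp", "mail.example.com.np", "http://10.0.0.1/"]:
        print(f"{u:40} psl={apex_domain(u)!s:22} naive={naive_domain(u)}")
```

Running it shows where the fast path goes wrong: for mail.example.com.np the regex returns com.np and for www.city.kawasaki.jp it returns kawasaki.jp, both public suffixes that would cost rate-limited Iris queries and return nothing useful, while the PSL-aware version returns example.com.np and city.kawasaki.jp, and None for IP literals so they never reach the queue.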

To configure using custom SPL:

  1. Craft the Splunk search query that efficiently finds events from your preferred data source(s).
  2. Do not write regular expressions or other parsing rules to extract domains from logs full of hostnames or URLs, and do not de-duplicate events; it is neither necessary nor effective, because the DomainTools queue builder search jobs handle both.
  3. We recommend using tstats, as the pre-configured base search does for optimization.
    1. If the default tstats base search is not used, there is a known issue in clustered search head environments on both Splunk 7.x and Splunk 8.x; consult the Workaround and Known Issue section and the Splunk documentation.
  4. Go to DT Settings → Configure Log Source, add the query in the Base Search input field, and select Save.

Your custom SPL must meet these criteria:

  • If your custom search does not begin with tstats, it must begin with the search command so that it functions correctly once merged into the DomainTools scheduled searches.
  • It must not start with a pipe | character.
  • The result must contain a field named domain; use rename if the field has another name in your data.
  • The search must efficiently return results from the last 10 minutes of events, ideally in a few seconds and no longer than two or three minutes.

Example:

search index=mycustomindex | rename url AS domain

The query should be performant in your environment. At a minimum, the query should return ten minutes of events in no more than two minutes of search execution time, with minimal impact on your search head or search head cluster.

Tradeoffs: Pre-Configured and Custom SPL for Base Search

Select the correct base search method for your environment before proceeding with the installation. The tradeoffs between the two methods:

Pre-Configured
  • Pros: No post-install customization or configuration required beyond the API username and key entered during initial app setup. Finds domain names in every CIM-compliant data source in the Web data model. Fast for most environments.
  • Cons: Requires CIM-compliant data sources that use the Web data model with hostnames in the Web.url field. The DomainTools Threat Hunting Dashboard will be empty if the base search cannot find domains. Acceleration must be turned on for the Web data model.

Custom SPL
  • Pros: Does not require your data source to be CIM compliant. Can be optimized to your environment and data sources.
  • Cons: May cause performance problems if the search is not manually optimized. May require additional tuning after installation, making this option unsuitable for rigorous change management cycles. Must return the hostname or domain name in a field explicitly named domain.

Configure and Add Saved Searches

Saved Searches (Table: Saved Searches) automate some operational tasks within Splunk.

Manage saved searches in DT Settings → Configure Saved Searches.

Upon clicking Test Connection after entering your API key above, if the "Queue Builder for Iris Enrich KV Store" saved search is disabled, you will be prompted to enable the default set of saved searches. Selecting enable will turn on the set of seven minimum required saved searches for the Core App functionality noted in the saved searches table.

To enable Iris Investigate and Detect capabilities or alerting in Splunk Enterprise Security, you will need to enable additional saved searches outlined in the table.

To enable a Saved Search, select Edit, and select Edit Schedule.

Configure Notable Events (Splunk ES) or Alerts (non-ES)

Splunk Enterprise Security (ES) delivers notifications as Notable Events. For Splunk without ES, the DomainTools App writes alerts to the dt_alerts index.

Configure Notable Events for Splunk Enterprise Security

This section applies only to Splunk Enterprise Security (ES) Notable Events, which are events generated by DomainTools detection rules.

The following key enrichment fields are available from DomainTools in Splunk Enterprise Security. Configure these fields and labels during the initial setup within your Enterprise Security module:

Enrichment field name and label:
  • dt_num_of_times_enriched: Enrichment Count
  • dt_looyn_date: Last Seen
  • log_source: Log Source
  • dt_age: Domain Age
  • en_threat_profile_type: DomainTools Threat Profile
  • dt_is_active: Domain Status
  • en_risk_score: Risk Score
  • domain: Domain

Once created, the notable events will automatically display these fields. There is no programmatic way to provision these fields during app deployment. For detailed steps to add custom fields, please refer to this Splunk documentation.

Detailed instructions to create notable events with Splunk Enterprise Security
  1. Select the Create Notable Event checkbox under the Alert Settings section.
  2. Select or deselect the relevant alert criteria in the Monitor Domains, Monitor Young Domain, Monitor Risk Score Increase, and Iris Detect panels. When multiple criteria are selected they narrow the alert generation rule: they combine as a logical AND. The criteria are:
    • Only Monitor Domains in the DomainTools Monitoring list (default): an alert fires only for domains that have been added to the monitoring list.
    • Exceeds Domain Risk Score Threshold: alert only if the domain exceeds the risk threshold defined above.
    • Exceeds Domain Threat Profile Score Threshold: alert only if the domain exceeds the threat profile threshold defined above.
    • Ignore Iris Detect Domains in DomainTools Monitoring list: ignores any entry in the monitoring list whose Source equals "Iris Detect".
    • Monitor DomainTools Iris Tags in Tag Monitoring List: monitors domains that carry tags applied in the DomainTools Iris investigation platform. Selecting this option alerts you when new domains observed in your environment match any Iris tag specified on the Monitoring Tags page.
    • Monitor young domains: creates a notable event whenever a young domain (younger than the young domain threshold) is observed, optionally restricted to new domains on the monitoring list. This is useful together with Iris Investigate monitors, which keep track of newly registered domains.
  3. Select the Urgency Tag to associate with the Notable Event: this applies the specified urgency level within Splunk Enterprise Security's Incident Review panel. The separate Urgency Tag selected for the young domains Notable Event applies its own urgency level in the same way.

Configure Alerts with dt_alerts for Splunk (Non-Enterprise)

Users of Splunk without ES receive notifications through the dt_alerts index. Both dt_alerts and dt_enrich_history are Splunk indexes and must be created before use. To create a Splunk index, consult the Splunk documentation on Creating Event Indexes.

Enable Threat Intelligence Feeds

In Settings → Indexes → New Index, create the index for each feed you use:

  • Newly Active Domains (NAD) Feed: dt_feed_nad
  • Newly Observed Domains (NOD) Feed: dt_feed_nod
  • Domain Discovery Feed: dt_feed_domain_discovery
  • Parsed Domain RDAP Feed: dt_feed_parsed_rdap

Note the Splunk documentation on Creating Event Indexes, the operating/use instructions below, and the full Real-time Threat Intelligence Feeds documentation.

Enable Parsed Domain RDAP API

The Parsed Domain RDAP API is a lookup service, and is separate from the Parsed Domain RDAP Feed, which is above.

Return Parsed Domain RDAP API results with the dtparseddomainrdap search command. This command supports only the domain parameter.

Enable Mass Enrichment

We recommend leaving the current settings at their defaults. Visit DT Settings → Configure Enrichment and Alerting to change them.

The Queue Wait Time is how often the app enriches domain information, and defaults to 5 minutes. Increasing the wait time (enriching less often) helps reduce API usage, and is needed if an enrichment run takes longer than 5 minutes on a higher-volume Splunk cluster.

The Cache Settings control the cache DomainTools maintains to reduce API query usage. Disable the cache or reduce its retention period when monitoring volatile domains:

  • Enable Cache: Enabled by default to optimize API consumption. Disable the cache to monitor for changes less than 1 day old. (CAUTION: this can result in high API consumption.)
  • Cache Retention Period: Sets how long a domain's enrichment lives in the cache before it is re-queried. 30 days is the default.

Enable Enrichment History

The DomainTools App supports enrichment history with the custom dt_enrich_history index. This index stores all Enrich values for all domains. When a domain is re-enriched, this index records the new values. The index can be used to compare changes in values across whois info, IPs, SSL fields, risk scores, and other indicators. Indexes including dt_enrich_history can be created and configured in Configure DT Indexes.

Modify Default DomainTools Thresholds

This section defines thresholds used in creating dashboard KPIs and alerts (if enabled) throughout the app.

Consult the Domain Risk Score User Guide to interpret risk scores.

  • Risk Score Threshold (default value of 75): the DomainTools Risk Score used to define a "suspicious" domain in dashboard KPIs and in alerts (if enabled) throughout the app.
  • Young Domain Age (default value of 7 days): newly registered domains are often an indicator of interest. Specify the age threshold in days for a domain to be included in dashboards and, optionally, alerting.
  • Guided Pivot Threshold (default value of 500): when a small set of domains share an attribute (e.g. registrar), that attribute can often be pivoted on to find other similar domains of interest. DomainTools tracks how many domains share each attribute and highlights it for further investigation when the number of domains is beneath this threshold.
  • High Risk Threshold (default value of 90): used by the Risky Observed Domains graph on the Threat Intelligence Dashboard. Sets the minimum DomainTools Risk Score for flagging a domain as High Risk in this graph. Higher risk scores indicate riskier domains.
  • Medium Risk Threshold (default value of 70): used by the Risky Observed Domains graph on the Threat Intelligence Dashboard. Sets the minimum DomainTools Risk Score for flagging a domain as Medium Risk in this graph.

Configure Domain Monitoring with Iris Tags

If you use the Iris investigation platform for domain investigations, you can monitor for domains that are associated with tags your team has applied within Iris, optionally alerting when a tagged domain is observed in Splunk.

The Manage Monitored Tags page with examples of Tags being monitored

To monitor for Iris-tagged domains in Splunk, visit Monitoring → Manage Monitored Tags and add the tags to the proactive monitoring list. Once tags are added, domains that carry the same tag in Iris are monitored in Splunk.

Configure Iris Detect

Ensure your API key is provisioned for Iris Detect. Visit DT Settings → API Keys, select Test Connection, and it will list Iris Detect APIs.

The DomainTools App requires the following APIs for base product functionality:

  • iris-enrich
  • iris-investigate
  • iris-detect-monitors: required for read-only access to the configured monitored Iris Detect terms within Splunk.
  • iris-detect-new-domains: required for read-only access to the new domains matching monitored terms within Splunk.
  • iris-detect-watched-domains: read-only access required to access the list of domains marked as “watched” in Iris Detect and pull updates to that list. Optionally, synchronize those domains with the Splunk Monitoring List.

Optionally enable:

  • iris-detect-manage-watchlist-domains: useful for triaging domains, adding to the Iris Detect Watchlist to track changes to domain infrastructure over time.
  • iris-detect-escalate-domains: used to enable additions to the blocklist and submissions to Google Safe Browsing.

Iris Detect functionality will work without the optional permissions but a user will receive an error if they attempt to watch, block, escalate or ignore a domain within the Iris Detect Results panel.

To configure Iris Detect monitors on the Iris Detect page (Monitoring → Iris Detect), first make sure that the DomainTools - Import Iris Detect Monitors and DomainTools - Import Iris Detect Results saved searches are enabled (DT Settings → Configure Saved Searches).

An Iris Detect Monitored Term (also referred to as “terms”) refers to the series of characters being searched against new domain observations. A term is the basis for an Iris Detect Monitor. It is frequently used as a company or brand name. Adding and editing monitors can currently only be done within the Iris Detect UI.

Import new Iris Detect Monitored Terms

Refresh the list of monitored terms in one of two ways:

  1. Select the Refresh Now button on the Iris Detect Monitored Terms page to import any new terms.
  2. Under DT Settings → Configure Saved Searches, assign an update frequency to the DomainTools - Import Iris Detect Monitors saved search to sync daily or weekly.

Reading the Iris Detect Monitored Terms Table

In the Monitoring → Iris Detect Monitored Terms pane:

  • Term: The term itself as it appears in Iris Detect. Adding and editing monitored terms can currently only be done within the Iris Detect UI.
  • Monitor Last Updated In Splunk: The date as to when the monitor was refreshed, either manually or via the Daily or Weekly detections. Click “Refresh Now” to force a manual refresh.
  • Ingest Daily Detections in Splunk: Select the term(s) to ingest Iris Detect-monitored domains into Splunk so they show up on the Monitoring → Iris Detect Dashboard page.

Import new Iris Detect Results

The Iris Detect Dashboard contains the list of new or changed domains matching the enabled monitored terms. The Iris Detect API allows up to hourly synchronization.

Synchronize Iris Detect results in one of two ways:

  1. Select the Refresh Iris Detect Results button on the Iris Detect Dashboard to manually import new domains.
  2. Under DT Settings → Configure Saved Searches, assign an update frequency to the DomainTools - Import Iris Detect Results saved search. The default schedule is every 2 hours. Note that the DomainTools Iris Detect API is limited to an hourly refresh frequency.

Adding Domains to the Allowlist

Add the domains your security operations workflow trusts to the Allowlist to reduce noise and false positives in alerts based on domain monitoring.

To add or remove domains in the Allowlist, visit DT Settings → Manage Allowlist and select the allowlist behavior:

  1. Exclude from alerts and dashboards (default): Domains in the allowlist won’t be counted towards dashboard visuals, or alerts, if configured
  2. Exclude from alerts: Domains won’t be alerted on (applies to users of Splunk Enterprise Security only), but will still appear in dashboard visuals
  3. Exclude from dashboards: Domains won’t appear in dashboard visuals but will still appear in alerts (applies to users of Splunk Enterprise Security only).
  4. Exclude from all enrichment: Fully ignores the domain in all enrichment, alerts, and visuals
  5. Do Nothing: Allowlist is informational-only. Domains remain enriched, alerted upon, and appear in dashboard visuals. This setting can be helpful for temporary use when debugging.

Successfully added domains will show in the Allowlist along with Domain Name, Last Updated Date Time, Last Updated By, Added Date Time, Added By, and Action.

Iris Enrich

Threat Intelligence Dashboard

The Threat Intelligence Dashboard is designed to help organizations gain quick situational awareness of the risk presented by domain names on their network. The dashboard also helps guide teams to effectively leverage DomainTools data in their SOC workflows, with drill-downs that expose the underlying events.

Keep the dashboard current with the latest information by leaving it open on an always-on tab or dedicated display with Auto Refresh turned on. Panels refresh individually at 5-minute intervals.

Interacting With and Reading the Dashboard Panels

The indicator panels at the top of the Threat Intelligence Dashboard show each metric with a trend against the previous period (consult Reading the Splunk Timecharts below for how to interpret them).

  • Unique Domains Observed: Number of unique domains observed in your network currently being monitored within the DomainTools cache for the selected time period, compared to the previous time period.
  • Dangerous Domains: Uses a combination of the suspicious Risk Score threshold being exceeded, threat profile threshold being exceeded, and domain age being younger than the set threshold to determine a domain’s likelihood to be dangerous. Thresholds can be configured on the Enrichment & Alerting settings page. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Suspicious Domains: Number of Domains with a DomainTools risk score higher than the configured Suspicious Risk Score threshold on the Enrichment & Alerting settings page. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Young Domains: Number of Domains observed which were recently created, based on the number of days set on the Enrichment & Alerting settings page. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Events Enriched: Displays the total number of Events associated with Domains enriched by DomainTools during the selected time period.

The following panels provide additional information either as a graph or paginated results:

  • Risky Observed Domains
    • Consult the Domain Risk Score User Guide for more information on Risk Score.
    • Risk Scores are classified by default as 100 (Known Malicious), 90-99 (High), 70-89 (Medium), or 69 and below (Low).
    • Risk score thresholds may be configured under DT Settings → Configure Enrichment & Alerting, Risky Observed Domains Threshold Settings.
    • Click on a data point to view the underlying events.
    • Filtering by Risk level "All" shows the default view used in earlier versions of the application.
  • Newly Observed Domains
    • The paginated results show newly observed domains, their risk score, the date and time each was first and last observed, and the number of events associated with each domain during the selected time period.
  • Threat Map
    • Maps the number of suspicious domains observed during the selected time period, based on the geolocation of their hosting IPs or their registrant country (use the pull-down to select). The Risk Score threshold for a suspicious event is configurable on the Enrichment & Alerting settings page.
  • Threat Portfolio
    • Plots the number of events associated with domains, broken out by Threat Profile category, over the selected time range. Click on a category in the legend to display the associated events from the filtered time period. Consult the Domain Risk Score User Guide for more information.
  • Top 10 Tags from Cache
    • Lists the top Iris Investigate Tags in use and the number of associated domains observed with each tag in the selected time period.

Interacting with the Dashboards

To drill down on the metric, click on each panel. This will show the total instances of all domain detections within the time filter applied to the dashboard. Results can also be filtered over a specified period of time. Hover over each panel to Open in Search, Export, go Fullscreen, or Refresh.

Interacting with the Threat Map

Hover over each country to find the unique domain count with a geo-located IP associated with that country. It is possible to reset to the original position and zoom.

Reading the Splunk Timecharts

The indicators on the top of the Threat Intelligence Dashboard and Monitoring Dashboard utilize Splunk’s "Single Value Visualization" feature to provide a trending context to some of the dashboard metrics. The value displayed matches the filter time (e.g. "Last 15 Minutes") selected, compared to the previous filter time (e.g. previous 15 minutes). These are "bins" in Splunk nomenclature. Regardless of whether the trend is up or down, a green indicator represents a relatively desirable trend (fewer Suspicious Domains, for instance), while a red indicator represents a relatively undesirable trend.

Domain Monitoring Dashboard

The Domain Monitoring dashboard, available from the Monitoring menu, enables the monitoring of suspicious domains within Splunk. The dashboard highlights monitoring KPIs for comprehensive reporting.

Interacting With and Reading the Dashboard Panels

Hover for the tooltips about the panel sections and select the data points to interact. Use these results for further investigations in DomainTools, or to triage and analyze the results in ES Incident Review by selecting the Alerts Generated panel.

To keep the dashboard current with the latest information, open it on an always-on tab or dedicated display and turn on Auto Refresh. Panels refresh individually at 5-minute intervals.

Details on the individual panels are below:

  • Detected Domains: Shows the number of domains detected within your network that are in the Monitored Domains List (configurable under Monitoring → Manage Monitored Domains). This includes any domains in the Allowlist. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Tagged Suspicious Domains: Suspicious Domains with an Iris Investigate Tag that are being monitored in the DomainTools Tags List, excluding any in the Allowlist. The Risk Score threshold is configurable under DT Settings → Configure Enrichment & Alerting. The Monitored Tags and Allowlists are configurable under the Monitoring menu. Tags can be added to domains within the DomainTools Iris Investigate UI. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Iris Detect Domains Observed: Domains Discovered by DomainTools Iris Detect and observed in your network events. This includes any domains in the Allowlist. Add and configure Monitors in Iris Detect, then select how Splunk uses them using the Monitoring → Iris Detect page. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Iris Investigate Domains Observed: Domains discovered by DomainTools Iris Investigate and observed in your network events. This includes any domains in the Allowlist. The displayed value indicates the number of domains observed in the selected time period compared to the previous time period.
  • Total Alerts Generated: Shows the number of alerts that were triggered within the selected time period, compared to the previous. Alerts are created based on rules set on the DT Settings → Configure Enrichment & Alerting page and can be triaged within Splunk Enterprise Security Incident Review or by clicking on the number displayed.
  • Total Events Monitored: Shows the number of events associated with the domains detected within your network that are in the DomainTools Monitoring List (configurable under Monitoring → Manage Monitored Domains). This includes any domains in the Allowlist. The displayed value indicates the number of events observed in the selected time period compared to the previous time period.
  • Currently Monitoring: Total number of Domains currently being monitored. This panel is not impacted by the dashboard time filter. Add domain monitors via Monitoring → Manage Monitored Domains.
  • Suspicious Domains over Time: Shows a timeline of the suspicious domains observed over the filtered time period. Suspicious domains have a Risk Score at or above the suspicious Risk Threshold defined in the Enrichment & Alerting settings page.
  • Suspicious Domains Attribute Table: Lists the domains observed with a Risk Score at or above the Risk Threshold defined in the DT Settings → Configure Enrichment & Alerting page.
  • Threat Map: Plots the number of unique domains based on their GeoLocation, Hosting IPs and Registrant Country associated with Detected Domains in your cache.
  • DomainTools Alerts over Time: Shows a timeline of the unique alerts observed over the filtered time period. Alerts are created based on rules set on the DT Settings → Configure Enrichment & Alerting page.
  • DomainTools Top Notable Events: Displays the activity and status of DomainTools alerting rules within your environment. These can be configured on the DT Settings → Configure Enrichment & Alerting page.

Iris Investigate

Domain Profile

The Domain Profile page provides a search function for ad hoc lookups of a single domain. The results provide a single pane of glass view of the domain, a contextual panel, tags, connected infrastructure information, contact details, and related events. Hover over the panel sections for tooltips and click on the data points to interact with them. Use these results for further investigations in DomainTools.

Tip: Users can import lists of domains of interest into Splunk. All domains are imported along with their DomainTools Risk Profile for convenient triaging and subsequent monitoring. See the Importing Domains from an Iris Investigation section for more information.

To access and interact with the Domain Profile, visit Investigate → Domain Profile and add the domain in SLD.TLD format.

Tags

The tags associated with the domain. Consult the Set Up Monitoring for Domains with Iris Tags section for more information.

Connected Infrastructure

Connected Infrastructure information (such as Mail Servers, IP addresses, SPF information, Name Servers, SSL information, Registrar/Registry) is obtained from DomainTools datasets.

Guided Pivoting and Discovery

Ad hoc investigations with guided pivots will surface potential investigation points.

Hover over the gray gear icon to show the number of connected domains. If the gray icon is clickable, a blue Pivot button appears. Select this button to import the list of domains associated with this data point.

Where the number of connected domains exceeds the configured Guided Pivot threshold, the gray gear icon is not turned into a guided pivot and is not clickable. The Guided Pivot threshold is configurable under DT Settings → Configure Enrichment & Alerting.

Contact Information

The contact information (Admin, Technical, Billing and Registrant) is gleaned from the DomainTools Whois dataset and surfaced in the Splunk app.

Recent Events

While investigating a domain, users can see any related and recent events from their configured log sources across different timeframes.

Domain intelligence from such investigations is automatically added to the cache for future reference.

Importing Domains from an Iris Investigation

Import the list of domains from Iris into Splunk using the Export and Import functions.

  1. In the Iris Investigation platform, go to the Navigation Menu (3 lines) → under Search → select Import/Export.
  2. The subsequent dialog contains the Search Hash to export.
  3. From the DomainTools Splunk App, go to Investigate → Import from Iris Investigate, and paste the copied Search Hash in the input field.
  4. After submitting, if the Search Hash has no results in the Iris Pivot Engine, there are no domains to import and Splunk will show the message "No results found". The imported domains will be shown as below:

Investigate Domains Within Recent Events

Investigate any domain or URL listed in an Incident Review event with a couple of clicks. (Note that URLs are shortened to a domain lookup.) Expand the arrow on the incident review event, and next to a domain or URL, expand the arrow under Action.

Farsight DNSDB

Investigate current and historical domain infrastructure with Passive DNS (pDNS) using Farsight’s DNSDB Standard or Flexible search (API Key Required). Please contact enterprisesupport@domaintools.com for provisioning.

DNSDB is a database that stores and indexes both the passive DNS data available via the DomainTools Security Information Exchange (SIE) and the authoritative DNS data that various zone operators make available.

Enter your Farsight DNSDB API key on the API Keys page.

Farsight pDNS Standard Search (found under the Investigate menu) is a powerful search tool used to uncover related infrastructure against a specific Domain or IP.

Input parameters are as follows:

  • Time Range: the time range that should be queried for DNS observations.
  • Resource Record Type (RRType): Optionally specify which Resource Record Type (RRType) to search for. RRtype declares the type of mapping that a Resource Record Set establishes. ANY will match all RRTypes except DNSSEC RRTypes and is the default. ANY-DNSSEC will match only the DNSSEC RRTypes. Or enter a custom RRtype in the following text field.
  • IP or Domain Name: Specify an IP (IPv4/IPv6), CIDR netblock, hostname (FQDN), or domain to search for. Left- or right-side wildcards are supported. Internationalized Domain Names (IDNs) will be automatically converted to Punycode.

Farsight pDNS Flexible Search (found under the Investigate menu) extends the Farsight DNSDB API with additional search capabilities. It provides more powerful searching capabilities (e.g. wildcards, regular expressions) than Standard Search, but the results will not be as complete as those from Standard Search.

Input parameters:

  • Time Range: the time range that should be queried for DNS observations.
  • Query: Flexible Searches support strings and patterns. This field will use the selected Syntax under "Match type". For an expanded explanation please visit the user guide.
  • Query Type: Specifies which field of the DNS resource record to search. RDATA is the record data value or the "right hand side" of a DNS resource record set. Its content can be IP address(es), domain names, or other content (such as text), depending on the RRtype. An RRname is the owner name of the RRset, or the "left hand side" of a DNS resource record set. It will always be a domain name.
  • Match Type: Which Flexible Search syntax to use. Regex is more common and represents the egrep-like Farsight Compatible Regular Expression ("FCRE") syntax, and Globbing is simpler wildcard pattern matching.
  • Resource Record Type (RRType): Optionally specify which Resource Record Type (RRType) to search for. RRtype declares the type of mapping that a Resource Record Set establishes. ANY will match all RRTypes except DNSSEC RRTypes and is the default. ANY-DNSSEC will match only the DNSSEC RRTypes.

Iris Detect

The Iris Detect Splunk integration allows you to triage new domains matching Iris Detect Monitors within Splunk, and synchronize the Iris Detect Watch List with the Splunk Monitoring list to watch for new domain activity within your environment.

Interpreting Iris Detect Results

The Monitored Term filter at the top of the page displays the results for all monitors or a selected monitor. The Time Range Filter filters for updates within a specified time period. The Type filter tab at the top of the results page allows you to select between New domains matching the enabled search terms, Watched domains (domains that have been added to your account’s Iris Detect Watch List) matching the selected terms, or the list of Ignored domains, in case a domain was erroneously triaged to the wrong queue.

When new domains are discovered for the enabled Monitor terms, they are added to the results table with these fields. Click on a field heading to sort:

  • Domain: The full domain name including TLD.
  • TLD: The top-level domain for the selected domain.
  • Country Code: The country code where the domain is registered.
  • ISP: the Internet Service Provider associated with the IP address used by the domain.
  • Registrar Name: The name of the registrar.
  • Risk Score: The DomainTools Risk Score.
  • Risk Score Status: The risk score status indicates whether the scoring is provisional or full. Newly discovered domains will have only initial proximity or phishing scores and the score is designated as provisional. After 24-36 hours, a full risk score is calculated and adds malware and spam scoring values. At that point, the score becomes “full”.
  • First Seen/Lifecycle First Seen: the date and time that DomainTools learned that a domain is likely active (or reactivated after going inactive).
  • Last Updated: The date Iris Detect last observed any changes to the DNS or Whois attributes associated with the domain.
  • IP Address: The numerical address that the domain name resolves to.
  • Name Server: The server that translates a domain name into its numerical IP address.
  • Mail Server: The server that handles emails sent to the domain.

The Act Column in Iris Detect Results helps triage discovered domains with the following actions:

  • Add to the Iris Detect Watchlist: Adds the listed domain to the Iris Detect Watchlist, which provides alerts on changes to these domains if hosting infrastructure or webpage changes are seen. This gives you the ability to track evolving threat campaigns, classify, and identify which domains are most likely to do harm. Such domains are candidates for escalation. The Iris Detect Watchlist can optionally be synchronized with the Splunk Monitoring list.
  • Add to the Detect Blocklist API: Marks the domain for blocking. Useful for internal network defense infrastructure. The blocking designation is transmitted through the Iris Detect APIs.
  • Escalate to Google Phishing Protection: Domains can be sent to Google’s Phishing Protection team. If Google agrees the domain is malicious, it will be blocked in Chrome browsers globally. This list is also picked up by Safari and Firefox.
  • Add to the Splunk Monitoring List: Adds the listed domain to the Monitored Domains List within the DomainTools Splunk App. This can enable detection and alerting if the domain is seen within your monitored log sources.
  • Ignore This Domain: If a domain is obviously a false positive, Ignoring the domain removes it from the “new” list on the next refresh. Watched Domains can be ignored if they are no longer of interest for change tracking.
  • View Domain Profile: Load the Domain Profile page within Splunk, pulling up the Iris Investigate results for the listed domain.
  • Farsight pDNS Search: Run a Farsight pDNS Standard Search (if provisioned) in DNSDB for RRNames containing the listed domain. This is useful for finding any active subdomains as well as seeing the dates when a domain has been active based on DNS traffic observed on Farsight’s Security Information Exchange (SIE).

See the Iris Detect User Guide for more information.

Alerting on Iris Detect Monitors

The DomainTools App for Splunk supports additional monitoring and alerting against domains in the Monitoring List. See Set Up Monitoring for Domains for more information. Synchronize the Iris Detect Watch List with the Monitored Domains List under Monitoring → Manage Monitored Domains.

Selecting the option for Automatic Sync will add and remove watched domains on an automatic schedule based on the Sync Iris Detect Watchlist saved search. The default schedule is every day. Sync Splunk Monitoring List and Iris Detect Watch List will perform the sync on a one-time basis.

This option is also available under the Monitoring → Manage Monitored Domains page, where Sync with Iris Detect Monitoring List means that Automatic Sync will be enabled (both pages mirror the same setting).

Consult the Set up Monitoring section for more details and to set up alerting against monitored domains.

Enrichment Explorer and Enrichment Dashboard

The Enrichment Explorer section available from the main menu provides a user-facing front of the DomainTools enrichment dataset or cache. This allows the user to browse and search from the enrichment cache based on filters.

Select the Monitor field to add or remove a domain from your monitoring list. Click the "Allowlist" button to add or remove a domain from your allow list.

If the information for a domain observable appears to be dated (i.e., enrichment date from the past, or a set of domains from an Iris Investigate Search Hash import), the user can explicitly refresh their KV store with the latest Domain Intelligence, or reduce the Cache Retention Period under DT Settings → Configure Enrichment & Alerting.

Enrichment Dashboard

The Enrichment Dashboard visualizes and lists information in a set of panels for frequently encountered domain attributes. Use each panel to search, set the time period of the search, and click through to Splunk search for more information.

  • Top Registrars
  • Top Nameservers
  • Top ISPs
  • Top IP Addresses
  • Top ASNs
  • Top Expired SSL Certificate

WHOIS History

Access WHOIS History in the Whois History menu.

Return WHOIS History search results with dtwhoishistory (note the table of saved searches).

The search supports list (lists results), check_existence (returns a boolean has_history_entries), and count (lists entry count) modes. Sort by date_asc or date_desc.

Domain RDAP (API)

Access the Parsed Domain RDAP API from the Domain RDAP menu.

Return Parsed Domain RDAP Feed results with the dtparseddomainrdap search command. dtparseddomainrdap only supports the domain parameter.

Feeds

The DomainTools App for Splunk supports the following DomainTools Threat Intelligence Feeds, listed with their index name for searching:

  • Domain Discovery Feed: dtfeeddomaindiscovery
  • Newly Active Domains (NAD) Feed: dtfeednad
  • Newly Observed Domains (NOD) Feed: dtfeednod
  • Domain RDAP Feed: dtfeeddomainrdap

Use these feeds in the Search section. The pre-defined saved searches are documented in the Saved Searches Table, below (configuration instructions are above).

Feed Parameters

The following parameters are available, and their behavior is documented in Real-time Threat Intelligence Feeds.

  • after (integer): Negative integer, range 60-432,000. The start of the query window in seconds, relative to the current time, inclusive. Example: after=-60. Required if sessionID is not provided.
  • after (string): ISO 8601 datetime string in UTC form. The start of the query window, inclusive. Example: after=2024-10-16T10:20:00Z. Required if sessionID is not provided.
  • sessionID (string): 1-64 alphanumeric characters ([a-zA-Z0-9-]+). A string that serves as a unique identifier for the session, used for resuming data retrieval from the last point. Example: sessionID=mySIEM. Required if after is not provided.
  • domain (string): Domain character set restricted by the DNS specification (letters, digits, hyphens). International characters should be specified in punycode. A trailing dot is acceptable. Multiple domain filters are accepted in a request. Filter for an exact domain or a substring contained within a domain by prefixing or suffixing your substring with * (at the start and/or end of the value). Multiple parameters are supported. The URL-encoded version of * (%2A) may be required. Example: domain=*apple*&domain=*microsoft*. Not required.
  • top (integer): Positive integer, 1-1,000,000,000. Limits the number of results in the response payload. Primarily for testing. Example: top=10. Not required.
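The parameter rules above, applied in a small Python validator added here as an illustration (not the app's or the feed API's own code): it checks after, sessionID, domain and top as the table describes and produces the URL-encoded query string, with * becoming %2A. The feed endpoint itself is not modelled.

```python
"""Validate and encode the feed query parameters from the table above.

Added illustration, not the DomainTools app's own code. It applies the
documented rules for after / sessionID / domain / top and returns the
URL-encoded query string; the feed endpoint itself is not modelled.
"""
import re
from datetime import datetime
from urllib.parse import urlencode

SESSION_ID_RE = re.compile(r"[a-zA-Z0-9-]{1,64}")
# DNS character set (letters, digits, hyphens, dots), optional trailing dot,
# and '*' permitted only as a leading and/or trailing substring wildcard.
DOMAIN_RE = re.compile(r"\*?[A-Za-z0-9.-]+\.?\*?")


def _check_after(after):
    """Return 'after' as a string once validated (relative seconds or ISO 8601 UTC)."""
    if isinstance(after, bool):
        raise ValueError("after must be an integer or an ISO 8601 string")
    if isinstance(after, int):
        # Negative integer, 60-432,000 seconds before the current time.
        if not -432_000 <= after <= -60:
            raise ValueError("after must lie between -432000 and -60")
        return str(after)
    if isinstance(after, str):
        # ISO 8601 datetime in UTC form, e.g. 2024-10-16T10:20:00Z
        try:
            datetime.strptime(after, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            raise ValueError("after must be an ISO 8601 UTC datetime ending in Z") from None
        return after
    raise ValueError("after must be an integer or an ISO 8601 string")


def _check_domain(pattern):
    """Validate one domain filter; IDNs must already be in punycode."""
    if not pattern.isascii() or not DOMAIN_RE.fullmatch(pattern):
        raise ValueError(f"invalid domain filter: {pattern!r}")
    return pattern


def build_feed_query(after=None, session_id=None, domains=(), top=None):
    """Return the query string for a feed request, or raise ValueError.

    One of after/sessionID is required, any number of domain filters may be
    given, and top must be a positive integer up to 1,000,000,000.
    """
    if after is None and session_id is None:
        raise ValueError("either after or sessionID is required")
    params = []
    if after is not None:
        params.append(("after", _check_after(after)))
    if session_id is not None:
        if not SESSION_ID_RE.fullmatch(session_id):
            raise ValueError("sessionID must be 1-64 characters of [a-zA-Z0-9-]")
        params.append(("sessionID", session_id))
    for pattern in domains:
        params.append(("domain", _check_domain(pattern)))
    if top is not None:
        if isinstance(top, bool) or not isinstance(top, int) or not 1 <= top <= 1_000_000_000:
            raise ValueError("top must be a positive integer, 1-1,000,000,000")
        params.append(("top", str(top)))
    # urlencode percent-encodes '*' as %2A, the form the table says may be required.
    return urlencode(params)


def is_valid_feed_query(**kwargs):
    """True when build_feed_query accepts the arguments, False otherwise."""
    try:
        build_feed_query(**kwargs)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample request matching the table's own examples.
    print(build_feed_query(after=-60, domains=["*apple*", "*microsoft*"], top=10))
```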

Schedule Feed Results

Create scheduled NAD or NOD activities in DT Settings → Configure Saved Searches.

Saved Searches

Extending DomainTools Commands

The Appendix lists all the commands available with the DomainTools application. The more frequently-used commands are defined below, followed by a table of parameter definitions.

  • dtdomainextract: Extracts a domain out of a URL field using tldextract. Ensures DomainTools APIs receive proper domain input.
    Syntax: | dtdomainextract field_in=string field_out=string include_subdomains=bool feature=string
    Parameters: field_in (req.), field_out (req.), include_subdomains (opt.), feature (opt.)
    Example: | dtdomainextract field_in=url field_out=domain
  • dtirisenrich: Queries Iris Enrich for up to 100 comma-separated domains. Use inline_results to keep event data inline.
    Syntax: | dtirisenrich domain=string inline_results=string feature=string
    Parameters: domain (req.), inline_results (opt.), feature (opt.)
    Example: | makeresults | eval domain="domaintools.com" | dtirisenrich domain=domain inline_results=true
  • dtirisinvestigate: Queries Iris Investigate for up to 100 domains, or pivots on domain attributes for further investigation.
    Syntax: | dtirisinvestigate domain=string pivot_type=string pivot_value=string feature=string no_cache=bool
    Parameters: domain (opt.), pivot_type (req.), pivot_value (req.), feature (opt.), no_cache (opt.)
    Example: | dtirisinvestigate pivot_type="ip" pivot_value="x.x.x.x"
  • dtformatinvestigate: Formats JSON returned by Iris Investigate into a row with component names.
    Syntax: | dtformatinvestigate output=string feature=string
    Parameters: output (req.), feature (opt.)
    Example: | dtirisinvestigate domain="domaintools.com" | dtformatinvestigate output=risk
  • dtdnsdb: Queries DNSDB for Passive DNS info on IP, Domain, Hostname, or Subnet.
    Syntax: | dtdnsdb target=ip/hostname type=rdata/rrset/raw rrtype=a/aaa/cname/etc time_first_before=time time_first_after=time time_last_before=time time_last_after=time target_type=auto/ip/name bailiwick=bailiwick
    Parameters: target (req.), type (req.), rrtype (req.), bailiwick (opt.), time_first_before (opt.), time_first_after (opt.), time_last_before (opt.), time_last_after (opt.), target_type (opt.)
    Example: | dtdnsdb target=domaintools.com target_type=domain type=rdata rrtype=CNAME
  • dtdnsdbflex: Performs a DNSDB Passive DNS Flexible Search.
    Syntax: | dtdnsdbflex query_type=<rdata|rrnames> match_type=<glob|regex> query=<pattern> rrtype=A/mx/cname/etc bailiwick=bailiwick time_first_before=time time_first_after=time time_last_before=time time_last_after=time
    Parameters: query_type (req.), match_type (req.), query (req.), rrtype (req.), bailiwick (opt.), time_first_before (opt.), time_first_after (opt.), time_last_before (opt.), time_last_after (opt.)
    Example: | dtdnsdbflex query_type=rdata match_type=regex query="[0-9]{5,6}-ledger\.com\.$"
  • dtdnsdblimit: Returns the DNSDB API query limit, queries remaining, and reset time.
    Syntax: | dtdnsdblimit
    Parameters: (none)
    Example: | dtdnsdblimit
  • dtdnsdbenrich: Enriches Splunk events from a query with Passive DNS info from Farsight DNSDB.
    Syntax: | dtdnsdbenrich field_in=string field_type=domain/ip/raw lookup_type=rrset/rrdata max_count=int time_first_before=time time_first_after=time time_last_before=time time_last_after=time rrtype=any/A/ns/... bailiwick=string include_subdomains=bool
    Parameters: field_in (req.), field_type (req.), lookup_type (req.), max_count (opt.), rrtype (opt.), bailiwick (opt.), time_first_before (opt.), time_first_after (opt.), time_last_before (opt.), time_last_after (opt.), include_subdomains (opt.), feature (opt.)
    Example: | dtdnsdbenrich field_in=domain field_type=domain lookup_type=rrset rrtype=A include_subdomains=true time_first_after=1593070040
  • dtwhoishistory: Performs a WHOIS history search on a given domain.
    Syntax: | dtwhoishistory domain=string mode=string
    Parameters: domain (req.), mode (req.), sort (opt.), feature (opt.)
    Example: | dtwhoishistory domain=domain mode="check_existence"
Parameter definitions:

  • bailiwick: Closest enclosing zone delegated to a nameserver. Optional.
  • domain: Domain name and TLD, apex-level only. Required for dtirisenrich, optional for dtirisinvestigate.
  • feature: Feature in the app where the command is called (default: adhoc). Optional.
  • field_in: Field to extract domains/targets from. Required for dtdomainextract, dtdnsdbenrich.
  • field_out: Field to output the extracted domain. Required for dtdomainextract.
  • field_type: Target type (domain, IP, raw). Required for dtdnsdbenrich.
  • include_subdomains: Boolean flag to include subdomains (default: false). Optional.
  • inline_results: Boolean to keep event data inline (default: false). Optional.
  • lookup_type: Specify either rrdata or rrset. Required for dtdnsdbenrich.
  • match_type: Type of flexible search (glob or regex). Required for dtdnsdbflex.
  • max_count: Maximum DNSDB results to return per row. Optional for dtdnsdbenrich.
  • mode: How to express results (list, check_existence, count). Required for dtwhoishistory.
  • no_cache: Boolean to ensure a new Investigate API query (default: false). Optional.
  • output: Section of response to format (e.g., summary, risk). Required for dtformatinvestigate.
  • pivot_type: Data type of pivot value (e.g., "ip", "email"). Required for dtirisinvestigate.
  • pivot_value: Non-domain data point to resolve to a domain(s). Required for dtirisinvestigate.
  • query: Pattern for search (glob or regex). Required for dtdnsdbflex.
  • query_type: Type of flexible DNSDB search (rdata or rrnames). Required for dtdnsdbflex.
  • rrtype: Filter on specific resource record type (A, AAAA, CNAME, etc). Required for dtdnsdb, dtdnsdbflex, dtdnsdbenrich.
  • sort: Sort results (date_desc, date_asc). Optional for dtwho
  • target: Data point to search for historical DNS observations (IP, Hostname, etc). Required for dtdnsdb.
  • target_type: Type of the target (auto, ip, name). Optional for dtdnsdb.
  • time_first_after: Unix timestamp; return results after first seen. Optional.
  • time_first_before: Unix timestamp; return results before first seen. Optional.
  • time_last_after: Unix timestamp; return results after last seen. Optional.
  • time_last_before: Unix timestamp; return results before last seen. Optional.
  • type: Type of search with the target value (rdata, rrset, raw). Required for dtdnsdb.

SPL Examples

The following are a few example SPL commands that leverage DomainTools data for reference:

Enrich 300 events from the main index

index=main | dtdomainextract field_in=url field_out=domain | table url domain | dedup domain | head 300 | dtirisenrich domain=domain

The dtirisenrich command batches API requests into groups of 100. The head 300 filter limits the example search to three API queries in case it is copied and pasted directly; remove that filter to enrich as many domains as you want.

Use | makeresults | eval domain="domaintools.com" instead of pulling events if you have a set list of domains to enrich.
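The pipeline above, replayed in plain Python as an added illustration (not the app's own code) of what dtdomainextract, dedup, head and dtirisenrich's 100-domain batching do to a set of events. The public suffix list embedded here is a constructed stand-in for the one tldextract consults.

```python
"""Model the 'Enrich 300 events' pipeline: extract, dedup, head, batch.

Added illustration, not the DomainTools app's own code. extract_domain
stands in for dtdomainextract (tldextract under the hood) and
plan_enrichment stands in for dedup | head <limit> | dtirisenrich, which
sends its API requests in groups of 100 domains.
"""
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the public suffix list.
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co.uk", "org.uk", "com.au"}
BATCH_SIZE = 100  # dtirisenrich batches API requests into groups of 100


def extract_domain(url, include_subdomains=False):
    """Return the registrable domain (SLD.TLD) from a URL, or None.

    With include_subdomains=True the full hostname is returned instead,
    mirroring the include_subdomains flag of dtdomainextract.
    """
    if "://" not in url:
        url = "http://" + url            # bare hostnames carry no scheme
    host = urlsplit(url).hostname        # drops userinfo, port, path, query
    if not host:
        return None
    host = host.rstrip(".").lower()
    if include_subdomains:
        return host
    labels = host.split(".")
    # The first hit walking from the full host downwards is the longest
    # matching public suffix; keep exactly one label in front of it.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None              # the host *is* a public suffix
            return ".".join(labels[i - 1:])
    return None                          # unknown suffix (e.g. a bare IP)


def plan_enrichment(urls, limit=300, include_subdomains=False):
    """Return (ordered unique domains, API batches) for a list of event URLs.

    Equivalent to: dtdomainextract | dedup domain | head <limit> |
    dtirisenrich, so len(batches) is the number of Iris Enrich API calls.
    """
    seen = set()
    domains = []
    for url in urls:
        domain = extract_domain(url, include_subdomains)
        if domain and domain not in seen:       # dedup keeps first occurrence
            seen.add(domain)
            domains.append(domain)
        if len(domains) >= limit:               # head <limit>
            break
    batches = [domains[i:i + BATCH_SIZE] for i in range(0, len(domains), BATCH_SIZE)]
    return domains, batches


if __name__ == "__main__":
    # Constructed sample events: 350 distinct domains plus repeats.
    sample = [f"http://host{i}.example{i}.com/path" for i in range(350)] * 2
    found, calls = plan_enrichment(sample)
    print(f"{len(found)} unique domains -> {len(calls)} Iris Enrich API calls")
```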

Use Iris Investigate for a domain

| dtirisinvestigate domain=domaintools.com

Use pivot_type with an ip address

| dtirisinvestigate pivot_type="ip" pivot_value="199.30.228.112"

Look through the DomainTools cache to see when a URL was first and last observed on your network

| lookup dt_stats _key AS domain OUTPUT dt_fooyn_timestamp AS first_observed, dt_looyn_timestamp AS last_observed

Or to provide full context against a datasource and format the date strings

| tstats summariesonly=true count FROM datamodel=Web BY _time Web.url Web.src Web.dest source
| rename Web.url AS url | rename Web.src AS src | rename Web.dest AS dest | rename source AS log_source
| dtdomainextract field_in=url field_out=domain
| eval domain=lower(domain)
| fields url src dest log_source domain _time
| table _time domain url
| lookup dt_stats _key AS domain OUTPUT dt_fooyn_timestamp AS first_observed, dt_looyn_timestamp AS last_observed
| eval first_observed=strftime(first_observed, "%Y-%m-%d %H:%M:%S"), last_observed=strftime(last_observed, "%Y-%m-%d %H:%M:%S")

View the latest Domains, URLs and risk scores from the DomainTools cache:

| lookup dt_iris_enrich_data en_domain_name AS domain OUTPUT en_risk_score AS "risk score"

Again, with more context against a data source:

| tstats summariesonly=true count FROM datamodel=Web BY _time Web.url Web.src Web.dest source
| rename Web.url AS url | rename Web.src AS src | rename Web.dest AS dest | rename source AS log_source
| dtdomainextract field_in=url field_out=domain | eval domain=lower(domain) | fields url src dest log_source domain _time | table _time domain url
| lookup dt_iris_enrich_data en_domain_name AS domain OUTPUT en_risk_score AS "risk score"

Show domains associated with an IP using DNSDB

… | dtdnsdbenrich field_in=dest_ip field_type=ip max_count=5

Find recent subdomains under a domain using DNSDB and format the returned unix date fields to be human-readable

... | dtdnsdbenrich field_in=domain field_type=domain lookup_type=rrset rrtype=A include_subdomains=true time_first_after=1593070040

| eval dnsdb_time_first=strftime(dnsdb_time_first, "%Y-%m-%d %H:%M:%S"), dnsdb_time_last=strftime(dnsdb_time_last, "%Y-%m-%d %H:%M:%S")

Enrich 30 events from the main index with Iris Enrich and DNSDB Passive DNS information

index=main
| dtdomainextract field_in=url field_out=domain
| table url domain
| dedup domain
| head 30
| dtirisenrich domain=domain
| dtdnsdbenrich field_in=en_domain_name field_type=domain max_count=5

Set up a recurring search in Splunk using an Iris Investigate search hash

| dtirisinvestigate pivot_type=search_hash pivot_value=U2FsdGVkX196b8iZhQooljda3uKOGzja/B4HY8cyDzz0EOGg5/8CQutnvoxO3KXfkrAjiCVk//8P5JW3aot3V48dDF65m6tMLls9oKnq0kdjmTA6wb1j1yYFUESK6K3/WbVpftsVtr15qmrcXM0xWrIYlpl01b6SBCheVhm+g5MrXLqQ/0bTkihLTtO9OMO5tuzHS8ik/8wkN7THUN/PEN9Sj9E5cFpRb8qojjGAktWj7DLuSbPTfD+hv/qoZTS3 no_cache=true
| eval json = replace(_raw, "^[^\{]+", "")
| spath input=json path=first_seen.value
| rename first_seen.value as first_seen
| table first_seen domain
| collect index=summary_index_icloud

  • This example search uses the Iris Investigate command to look up domains containing the substring “icloud” that have been first seen within the last 7 days.
  • The output is parsed and put into a table before being collected in a summary index as well. The search could then be saved as a report within Splunk and set up for weekly recurring updates.
  • For further documentation on scheduling a report, please see the Reporting Manual in Splunk documentation.

| eval thirty_days_ago=relative_time(now(), "-30d@d")
| eval thirty_days_ago_unix=thirty_days_ago
| dtdnsdbflex query_type=rrnames match_type=regex query="-icloud\.(net|com)\.$" rrtype=A time_last_after=thirty_days_ago_unix

  • This example search uses the DNSDB Flexible Search command to look up domains that match a specific pattern.
  • Whenever the search executes, it looks for domains matching the regex pattern that were last observed in DomainTools’ DNS sensor network over the past 30 days.
  • Note: Creating a relative Unix timestamp and storing it in a variable establishes a relative time fence. This ensures the time window will shift appropriately with the schedule, such as in a report.
  • For further documentation on scheduling a report, please see the Reporting Manual in Splunk documentation.
  • For further documentation on how to use regular expressions with our DNSDB flexible search command visit the regular expression user guide.

Troubleshooting

Enabling Logging

Logging is disabled by default. To enable logging to help with diagnostics, go to DT Settings → Diagnostic Panel and select Enable Diagnostic Panel. Allow a few minutes for logs to populate, then refresh the page.

Splunk Cloud Configuration during Install

The self-service app installation might run into issues installing components required on indexers. The installation proceeds normally, but attempts to run dtdomainextract return an error. This may be due to Splunk self-service only installing apps on search heads.

Checking the Status of Saved Searches

Having one or more required saved searches disabled is a common customer issue that could manifest itself as incomplete app functionality.

To check on the status of saved searches:

  1. Select the DT Settings menu within the app.
  2. Select Configure Saved Searches to load the list of saved searches used by the DomainTools app.

Compare the scheduled time on the resulting set of reports against the table of Saved Search Names and Descriptions in Appendix A to ensure that the required core app saved searches, as well as the additional ones required for Iris Investigate or Alerting in Splunk Enterprise Security, are enabled.

Non-Prod Environments

Validating the App in Non-Production Environments: If you use a staging environment or development environment to test new Splunk apps, ensure the same data sources you plan to use in production are also available to the Splunk search heads in the test environment.

Appendices

Table: Main Configuration Files, Stanzas, and Fields

These configuration files are relevant to utilizing the app and DomainTools datasets.

Note: The configuration files are relevant for this version only. The configuration files, stanzas and fields will be different in other versions.

Each entry below lists the stanza tag, the fields it carries, and a description.

app.conf
  • package (id): Add details for the Splunk App.
  • install (is_configured)
  • ui (is_visible, label)
  • launcher (author, description, version)

commands.conf
  These are helper commands for the app. The most commonly used ones outside the app are described in greater detail in Extending DomainTools Commands Outside the App, as well as in the in-app documentation. chunked indicates that the search command supports Splunk’s “chunked” custom protocol and is used by all of these stanzas; filename indicates the location of the Python .py file for each command.
  • dtaccountinfo (chunked, filename)
  • dtimportirisdetectmonitors (chunked, filename)
  • dtimportirisdetectresults (chunked, filename)
  • dtirisdetectescalate (chunked, filename)
  • dtirisdetectchangestate (chunked, filename)
  • dtsyncirisdetectwatchlist (chunked, filename)
  • dtirisinvestigate (chunked, filename)
  • dtirisenrich (chunked, filename)
  • dtformatenrich (chunked, filename)
  • dtformatinvestigate (chunked, filename)
  • dtexpirecache (chunked, filename)
  • dtdomainextract (type, filename, streaming, local, passauth, chunked): The template to modify the DomainTools domainextract function to use Splunk SDK SCP1, should the latest SDK face throughput issues.
  • dtdnsdb (filename, retainevents, supports_multivalues, streaming, overrides_timeorder, passauth): Queries DNSDB for Passive DNS information against a given IP, Domain, Hostname, or Subnet.
  • dtdnsdbflex (filename, retainevents, supports_multivalues, streaming, overrides_timeorder, passauth): Performs a DNSDB Passive DNS Flexible Search.
  • dtdnsdbenrich (chunked, filename): Enriches the Splunk events returned by a given SPL_QUERY with Passive DNS information reported by Farsight DNSDB, part of DomainTools.
  • validateip (filename, retainevents, supports_multivalues, streaming, overrides_timeorder)
  • dtdnsdblimit (filename, retainevents, supports_multivalues, streaming, overrides_timeorder, passauth): Returns the DNSDB API query limit, the number of queries remaining, and the time at which the remaining queries reset.
  • flushcache (filename, retainevents, supports_multivalues, streaming, overrides_timeorder, passauth)

searchbnf.conf
  The syntax (shorter name), description, and whether the usage is public.
  • dtaccountinfo-command (syntax, shortdesc, usage, comment1, example1)
  • dtirisinvestigate-command (syntax, shortdesc, usage, comment1, example1, comment2, example2, related)
  • dtirisdetectmonitors-command (syntax, shortdesc, usage, comment1, example1)
  • dtsyncirisdetectwatchlist-command (syntax, shortdesc, usage, comment1, example1)
  • dtirisenrich-command (syntax, shortdesc, usage, comment1, example1, comment2, example2, related)
  • dtformatinvestigate-command (syntax, shortdesc, usage, comment1, example1, related)
  • dtformatenrich-command (syntax, shortdesc, usage)
  • dtdomainextract-command (syntax, shortdesc, usage, comment1, example1, comment2, example2)
  • dtexpirecache-command (syntax, shortdesc, usage, comment1, example1)
  • dtdnsdb-command (syntax, description, shortdesc, example1, example2, example3, usage)
  • dtdnsdbflex-command (syntax, shortdesc, example1, example2, example3, usage)
  • dtdnsdbenrich-command (syntax, description, shortdesc, example1, example2, example3, usage)
  • dtdnsdblimit-command (syntax, description, shortdesc, example1, usage)

server.conf
  • shclustering (conf_replication_include.domaintools): Default value is set to true.

transforms.conf
  These are KV store fields. See the table KV Store/Collection Name with Descriptions and Fields in this section for the array of fields_list for each stanza.
  • dt_iris_enrich_queue (external_type, collection, fields_list, case_sensitive_match)
  • dt_iris_enrich_data (external_type, collection, fields_list, case_sensitive_match)
  • dt_stats (external_type, collection, fields_list, case_sensitive_match)
  • dt_allowlist (external_type, collection, fields_list)
  • dt_monitoring_list (external_type, collection, fields_list)
  • dt_tags_list (external_type, collection, fields_list)
  • dt_iris_detect_monitors (external_type, collection, fields_list)
  • dt_iris_detect_results (external_type, collection, fields_list)
  • dt_iris_investigate (external_type, collection, fields_list)
  • dt_public_suffix_list (filename, match_type, max_matches): Needed for the dtdomainextract2 macro.

domaintools.conf (stanza: domaintools)
  • proxy_enabled: Use a proxy when connecting to the DomainTools API. To enable, set to 1.
  • proxy_server: The proxy server address to use.
  • proxy_port: The proxy server port to use.
  • ssl_enabled: Use SSL when connecting to the DomainTools API. To enable, set to 1.
  • custom_certificate_enabled: Use a custom SSL certificate for the SSL connection. To enable, set to 1.
  • custom_certificate_path: The path to the custom SSL certificate.
  • guided_pivot_threshold: The Guided Pivot Threshold on the Domain Profile page. Set a lower value to narrow investigations. 500 is the default and recommended value.
  • bulk_enrichment_batch_size: Number of domains batched in an API call. Set the value from 1 to 100.
  • optimize_enrichment_searches: Enables quicker correlation of cached data for known domains from the Enrichment table. Requires additional disk space. Disabling reduces disk space consumption but slows down searches. Set to 1 to enable.
  • populate_scores: Whether to use the Risk Score over lower-tiered scores. Turned off (set to 0) by default.
  • logging_on: Toggles whether or not to write logs to file.

macros.conf: See the table Key Macros for Enrichment in this section.

savedsearches.conf: See the table Saved Search Names and Descriptions in this section.

collections.conf: See the table KV Store/Collection Name with Descriptions and Fields in this section.

distsearch.conf (stanza: replicationWhitelist)
  • domainextract: Path to the domainextract custom search command to be copied to indexers.
  • lib: Path to the Python libs to be copied to indexers.

workflow_actions.conf
  • dt_iris_lookup: Lookup domain using Iris Investigate.
  • dt_domain_profile: Lookup domain using Domain Profile.
  • dt_dnsdb: Lookup passive DNS using Farsight pDNS Standard Search.

Table: KV Store/Collection Names and Fields

Each entry lists the KV store/collection name followed by its fields.

  • dt_iris_enrich_queue: _key, domain, queued, observed
  • dt_iris_enrich_data: _key, _raw, dt_queued, dt_retrieved, dt_observed, en_domain_name, en_is_active, en_adsense_code, en_google_analytics_code, en_alexa_ranking, en_domain_create_date, en_domain_updated_timestamp, en_domain_expiration_date, en_tld, en_website_response_code, en_redirect_url, en_registrant_name, en_registrant_org, en_registrar, en_spf_info, en_additional_whois_email, en_additional_soa_email, en_additional_ssl_raw, en_ssl_info_1_hash, en_ssl_info_1_organization, en_ssl_email, en_ssl_info_1_subject, en_risk_score, en_proximity_score, en_threat_profile_type, en_threat_profile_malware, en_threat_profile_phishing, en_threat_profile_spam, en_threat_profile_evidence, en_additional_name_servers_raw, en_name_server_1_domain, en_name_server_1_host, en_name_server_1_ip, en_name_server_2_domain, en_name_server_2_host, en_name_server_2_ip, en_additional_mx_raw, en_mx_1_domain, en_mx_1_host, en_mx_1_priority, en_mx_1_ip, en_additional_ips_raw, en_ip_1_address, en_ip_1_country_code, en_ip_1_isp, en_ip_1_asn, en_ip_2_address, en_ip_2_country_code, en_ip_2_isp, en_ip_2_asn, en_admin_contact_city, en_admin_contact_country, en_admin_contact_fax, en_admin_contact_name, en_admin_contact_org, en_admin_contact_phone, en_admin_contact_postal, en_admin_contact_state, en_admin_contact_street, en_admin_contact_email, en_billing_contact_city, en_billing_contact_country, en_billing_contact_fax, en_billing_contact_name, en_billing_contact_org, en_billing_contact_phone, en_billing_contact_postal, en_billing_contact_state, en_billing_contact_street, en_billing_contact_email, en_technical_contact_city, en_technical_contact_country, en_technical_contact_fax, en_technical_contact_name, en_technical_contact_org, en_technical_contact_phone, en_technical_contact_postal, en_technical_contact_state, en_technical_contact_street, en_technical_contact_email, en_registrant_contact_city, en_registrant_contact_country, en_registrant_contact_fax, en_registrant_contact_name, en_registrant_contact_org, en_registrant_contact_phone, en_registrant_contact_postal, en_registrant_contact_state, en_registrant_contact_street, en_registrant_contact_email, en_tag, en_tag_raw
  • dt_stats: _key, dt_last_enriched_datetime, dt_num_of_times_enriched, dt_num_of_AdhocLookups, dt_fooyn_timestamp, dt_looyn_timestamp, en_attribute_name, en_attribute_type, en_risk_score
  • dt_allowlist: _key, en_attribute_type, _dt_updated, _dt_updated_by, _dt_created, _dt_created_by
  • dt_monitoring_list: _key, en_attribute_type, _dt_updated, _dt_updated_by, _dt_created, _dt_created_by, _dt_source
  • dt_tags_list: _key, en_attribute_type, _dt_updated, _dt_updated_by, _dt_created, _dt_created_by
  • dt_iris_detect_monitors: _key, monitor_id, term, state, match_substring_variations, nameserver_exclusions, text_exclusions, created_date, updated_date, status, created_by, discover_new_domains, dt_updated
  • dt_iris_detect_results: _key, dt_domain, dt_state, dt_status, dt_discovered_date, dt_escalations, dt_risk_score, dt_risk_status, dt_mx_exists, dt_tld, dt_domains_id, dt_monitor_ids, dt_create_date, dt_ip_address_1, dt_ip_address_2, dt_ip_raw, dt_nameServer_1, dt_nameServer_2, dt_nameServer_raw, dt_mailServer_1, dt_mailServer_2, dt_mailServer_raw, dt_registrar, dt_registrant_contact_email, dt_proximity_score, dt_threat_profile_malware, dt_threat_profile_phishing, dt_threat_profile_spam, dt_threat_profile_evidence, dt_monitor_flag, dt_imported
  • dt_iris_investigate: _key, dt_pivot_type, dt_pivot_value, dt_investigate_raw, _dt_created
  • dt_rrset_kvstore
  • dt_rdata_kvstore

Table: Key Macros for Enrichment

Each entry lists the macro name, its default value where one is set, and a description.

  • dt_basesearch: The value that is defined is the base search. Data is pulled directly from the datamodel. We use this search to search for and queue up domains for the app and certain features such as the dashboards.
  • enable_cache (default 1, enabled): Enrichment setting to determine caching of enriched data. DomainTools will always enrich every domain in the queue. When turned off (set to 0) an API call will be made for every domain.
  • dt_cache_retention_period (default 30, in days): Enrichment setting. Set the value to how many days back to keep before removing older data from the enrichment KV store. There is also a saved search that will remove records that are over 30 days old.
  • dt_proximity_score_threshold (default 65): Enrichment setting. Sets the threshold used throughout the app when filtering based on the Proximity score.
  • dt_threat_profile_score_threshold (default 85): Enrichment setting. Sets the threshold used throughout the app when filtering based on the Threat Profile score.
  • dt_high_risk_threshold (default 90): Enrichment setting. Sets the threshold used throughout the app.
  • dt_medium_risk_threshold (default 70): Enrichment setting. Sets the threshold used throughout the app.
  • dt_refresh_interval (default 15, in minutes): The refresh interval.
  • dtdomainextract2 (default: see the note below this table): Alternative to dtdomainextract that does regex-based matching for TLDs. It is higher performance for high-throughput environments, with a small accuracy trade-off. Notably, some multi-level TLDs (e.g. edu.np) can be mis-identified as a domain.
  • dt_risk_score_threshold (default 75): Enrichment setting. Sets the threshold used throughout the app when filtering based on the Risk Score.
  • dt_young_domain_age (default 7, in days): Enrichment setting. The number of days for which the app considers a domain to be young.
  • dt_include_allowlisted_domains (default 0, false): Allowlist setting. Set to 1 (enabled) to exclude showing domains in the allowlist in our dashboards.
  • dt_include_monitoring_list_domains (default 0, false): Setting to include monitoring list domains.
  • dt_enrich_to_stats_lookup: A partial search that is used by the saved searches that update the enriched data KV Store.
  • dt_include_allowlisted_domains_in_notable_events (default 0, false): Enrichment alert setting for notable events.
  • dt_only_monitored_domains_in_notable_events (default 1, enabled): Enrichment alert setting for notable events.
  • dt_use_risk_threshold_in_notable_events (default 0, false): Enrichment alert setting for notable events.
  • dt_use_threatprofile_threshold_in_notable_events (default 0, false): Enrichment alert setting for notable events.
  • dt_ignore_iris_detect_in_notable_events (default 0, false): Enrichment alert setting for notable events.
  • dt_monitor_tags_in_notable_events (default 0, false): Enrichment alert setting for notable events.
  • dt_notable_events: Search for notable events provided by the DomainTools App for Splunk ES.
  • dt_rename_base_fields: Renames the base search fields. For example, renames src to Source, dest to Destination, log_source to Log Source and domain to Domain Name.
  • dt_rename_iris_fields
  • unknown_domain_retry (default 1, enabled): Retry enrichment of domains that are unknown to DomainTools.
  • unknown_domain_retry_time (default 60, in minutes): Number of minutes to wait before trying to re-enrich a domain.
  • toEpoch(1) (default: if(isnull(round(relative_time(time(), "$reltime$"))), "$reltime$", round(relative_time(time(), "$reltime$")))): Changes a timestamp to epoch.

dtdomainextract2 default value:

rex field=url "(.*:\/\/)?(?P<temp_domain>[^:#\/?]+)" \
| lookup dt_public_suffix_list wildcard_tld AS temp_domain OUTPUT tld AS tld \
| where match(temp_domain, "(.*[.|@])?([\p{L}\w-]+[.]".tld."$)") \
| eval domain = replace(temp_domain, "(.*[.|@])?([\p{L}\w-]+[.]".tld."$)", "\2")
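The following Python model of the dtdomainextract2 macro is an added example, not code from the DomainTools app. It reproduces the macro's three steps (host extraction with the same rex pattern, a public-suffix lookup, then the same match/replace shape) against a small constructed subset of the public suffix list, and shows the multi-level TLD caveat noted in the table: if the suffix lookup returns the shorter suffix np instead of edu.np, the extracted "domain" is edu.np. The assumption that the mis-identification comes from matching the shorter suffix is ours; Python's re module has no \p{L}, so the Unicode-aware \w is used in its place.

```python
import re
from typing import Iterable, Optional, Sequence

# Constructed subset of a public suffix list standing in for the
# dt_public_suffix_list lookup (assumption: the real list is far larger).
SAMPLE_SUFFIXES: Sequence[str] = ["com", "org", "uk", "co.uk", "np", "edu.np"]

# Same host-extraction pattern as the macro's rex command: an optional scheme,
# then everything up to the first ':', '#', '/' or '?'.
HOST_RE = re.compile(r"(.*://)?(?P<temp_domain>[^:#/?]+)")


def extract_host(url: str) -> Optional[str]:
    """Return the temp_domain the macro's rex would produce, or None."""
    match = HOST_RE.match(url)
    return match.group("temp_domain") if match else None


def matching_suffix(host: str, suffixes: Iterable[str], longest: bool = True) -> Optional[str]:
    """Return the public suffix that host ends with.

    longest=True picks the most specific suffix (edu.np over np), which avoids
    the mis-identification described for multi-level TLDs. longest=False models
    a lookup that returns the shorter suffix first.
    """
    candidates = [s for s in suffixes if host == s or host.endswith("." + s)]
    if not candidates:
        return None
    return max(candidates, key=len) if longest else min(candidates, key=len)


def extract_domain(url: str, suffixes: Sequence[str] = SAMPLE_SUFFIXES,
                   longest: bool = True) -> Optional[str]:
    """Registered domain for url, following the macro's match/replace shape."""
    host = extract_host(url)
    if host is None:
        return None
    host = host.lower()
    tld = matching_suffix(host, suffixes, longest)
    if tld is None:
        return None
    # Mirrors the macro's "(.*[.|@])?([\p{L}\w-]+[.]<tld>$)" with group 2 kept.
    pattern = re.compile(r"(.*[.|@])?([\w-]+[.]" + re.escape(tld) + r"$)")
    match = pattern.match(host)
    return match.group(2) if match else None


if __name__ == "__main__":
    for sample in ["https://www.example.com/a?b=1", "user@example.com",
                   "https://www.example.edu.np/"]:
        print(sample, "->", extract_domain(sample), "| shortest suffix ->",
              extract_domain(sample, longest=False))
```

Running it shows the trade-off directly: with the longest suffix, www.example.edu.np yields example.edu.np; with the shorter suffix it yields edu.np, which is the kind of mis-identification the table warns about for high-throughput use of dtdomainextract2.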

Table: Saved Search Names and Descriptions

Access saved searches in DT Settings → Configure Saved Searches.

Each entry lists the saved search name, its type and app function in parentheses, a description, and whether it is required.

  • DomainTools - DNSDB Cache Cleanup (Reports; DNSDB): Clears all cached responses that are over a day old. Required for DNSDB.
  • DomainTools - Expire Old Iris Detect Data (Reports; Iris Detect): Removes domains imported more than 14 days ago. Default cron_schedule = 0 0 * * *. Required for Iris Detect.
  • DomainTools - Expire Old Iris Enrich Data (Reports; Core App): Removes Iris Enrich enrichment data from the dt_iris_enrich_data collection based on the cache retention settings configured in the app. Default cron_schedule = 0 0 * * *. Required for Iris enrichment.
  • DomainTools - Expire Old Pivot Data (Reports; Core App): Removes Iris Investigate pivot results older than 24 hours. Required to use the pivot feature through the Domain Profile dashboard.
  • DomainTools - Expire Old Queue Data (Reports; Core App): Removes Iris Enrich domains from the dt_iris_enrich_queue collection that are over a day old. Default cron_schedule = 0 0 * * *. Required for Iris enrichment.
  • DomainTools - Feed - Domain Discovery (Reports; Domain Discovery feed): Retrieves results from the real-time Domain Discovery feed. Optional: required for the Domain Discovery feed.
  • DomainTools - Feed - NAD (Reports; Newly Active Domains feed): Retrieves results from the real-time Newly Active Domains feed. Optional: required for the Newly Active Domains feed.
  • DomainTools - Feed - NOD (Reports; Newly Observed Domains feed): Retrieves results from the real-time Newly Observed Domains feed. Optional: required for the Newly Observed Domains feed.
  • DomainTools - Feed - RDAP (Reports; Parsed Domain RDAP feed): Retrieves results from the real-time Parsed Domain RDAP feed. Optional: required for the Parsed Domain RDAP feed.
  • DomainTools - Import Iris Detect Monitors (Reports; Iris Detect): Imports newly discovered and watched domains from Iris Detect monitors in the app. Default cron_schedule = 0 0 * * *. Optional: required for Iris Detect.
  • DomainTools - Import Iris Detect Results (Reports; Iris Detect): Imports newly discovered domains from Iris Detect for monitors enabled in the app. Default cron_schedule = 45 */2 * * *. Optional: required for Iris Detect.
  • DomainTools - Iris Enrich History (Reports; Iris Detect): Saves historical Iris Enrich results. Optional: required for Iris Detect.
  • DomainTools - Iris Enrich Monitored Domains (Reports; Core App): Refreshes enrichment data for monitored domains based on the frequency configured in the app. Default cron_schedule = 0 0 * * *. Required to enrich monitored domains on a cron schedule.
  • DomainTools - Iris Enrich Monitored Domains Live (Reports; Core App): Refreshes enrichment data for Iris Enrich monitored domains whenever they are seen on your network. Default cron_schedule = 5 * * * *. Required to enrich monitored domains as they are seen in the Splunk environment (base search).
  • DomainTools - Iris Enrichment (Reports; Core App): Enriches domains found in dt_iris_enrich_queue and stores results in the dt_iris_enrich_data collection. By default, the search is scheduled to run every 5 minutes and pulls data over the past 30 minutes. Customize this frequency in the app. Default cron_schedule = */5 * * * *. Required for Iris enrichment*.
  • DomainTools - Queue Builder for Iris Enrich KV Store (Reports; Core App): Extracts domains from raw events based on your configured base search and stores them in the dt_iris_enrich_queue KV store for enrichment. Default cron_schedule = */2 * * * *. Required for Iris enrichment*.
  • DomainTools - Summary - Timechart count by domain with latest time (Reports; Core App): Summarizes events from the base search when the selected time window is greater than 2 hours in any DomainTools dashboard. Default cron_schedule = */5 * * * *. Required for dashboard views of 4h or more.
  • DomainTools - Sync Iris Detect Watchlist (Reports; Iris Detect): Syncs the Iris Detect Watchlist with the DomainTools Monitoring List inside of Splunk. Default cron_schedule = 0 0 * * *. Required for Iris Detect.

* The app will function with "DomainTools - Queue Builder for Iris Enrich KV Store" and "DomainTools - Iris Enrichment" disabled, but won’t automatically enrich events. Some customers choose to disable these when building their own enrichment pipelines, using the DomainTools app for ad hoc search or monitoring only.
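As an added example (not part of the DomainTools app), here is one way to turn the "Checking the Status of Saved Searches" procedure and the table above into a repeatable check: parse a savedsearches.conf exported from the search head and report any required search that is missing or disabled for the app functions you use. The REQUIRED_SEARCHES lists are copied from the table; the conf text is a constructed sample, and the treatment of a stanza without a disabled key as enabled is an assumption about Splunk's default.

```python
import configparser
from typing import Dict, Iterable, List

# Saved searches the table above marks as required, grouped by app function.
REQUIRED_SEARCHES: Dict[str, List[str]] = {
    "Core App": [
        "DomainTools - Expire Old Iris Enrich Data",
        "DomainTools - Expire Old Pivot Data",
        "DomainTools - Expire Old Queue Data",
        "DomainTools - Iris Enrich Monitored Domains",
        "DomainTools - Iris Enrich Monitored Domains Live",
        "DomainTools - Iris Enrichment",
        "DomainTools - Queue Builder for Iris Enrich KV Store",
        "DomainTools - Summary - Timechart count by domain with latest time",
    ],
    "Iris Detect": [
        "DomainTools - Expire Old Iris Detect Data",
        "DomainTools - Import Iris Detect Monitors",
        "DomainTools - Import Iris Detect Results",
        "DomainTools - Iris Enrich History",
        "DomainTools - Sync Iris Detect Watchlist",
    ],
    "DNSDB": ["DomainTools - DNSDB Cache Cleanup"],
}

# Per the footnote, these two may be disabled on purpose by customers running
# their own enrichment pipeline, so they are reported as warnings, not errors.
OPTIONAL_IF_SELF_ENRICHING = {
    "DomainTools - Iris Enrichment",
    "DomainTools - Queue Builder for Iris Enrich KV Store",
}

# Constructed sample of a savedsearches.conf, reduced to the keys this check reads.
SAMPLE_CONF = """\
[DomainTools - Iris Enrichment]
cron_schedule = */5 * * * *
disabled = 0

[DomainTools - Queue Builder for Iris Enrich KV Store]
cron_schedule = */2 * * * *
disabled = 1

[DomainTools - Expire Old Iris Enrich Data]
cron_schedule = 0 0 * * *

[DomainTools - Expire Old Pivot Data]
disabled = false

[DomainTools - Iris Enrich Monitored Domains]
cron_schedule = 0 0 * * *
disabled = 0

[DomainTools - Iris Enrich Monitored Domains Live]
cron_schedule = 5 * * * *
disabled = 0

[DomainTools - Summary - Timechart count by domain with latest time]
cron_schedule = */5 * * * *
disabled = true

[DomainTools - DNSDB Cache Cleanup]
disabled = 1
"""


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse Splunk .conf text (INI-style stanzas) into {stanza: {key: value}}."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # Splunk keys are case-sensitive; keep them as written
    parser.read_string(text)
    return {stanza: dict(parser[stanza]) for stanza in parser.sections()}


def is_disabled(stanza: Dict[str, str]) -> bool:
    # Assumption: no disabled key means the search is enabled (Splunk's default).
    return stanza.get("disabled", "0").strip().lower() in ("1", "true")


def audit_saved_searches(stanzas: Dict[str, Dict[str, str]],
                         functions: Iterable[str]) -> Dict[str, List[str]]:
    """Report required searches that are missing or disabled for the given
    app functions, as {"error": [...], "warning": [...]}."""
    findings: Dict[str, List[str]] = {"error": [], "warning": []}
    for function in functions:
        for name in REQUIRED_SEARCHES[function]:
            stanza = stanzas.get(name)
            if stanza is None:
                state = "missing"
            elif is_disabled(stanza):
                state = "disabled"
            else:
                continue
            level = "warning" if name in OPTIONAL_IF_SELF_ENRICHING else "error"
            findings[level].append(f"{name} ({function}): {state}")
    return findings


if __name__ == "__main__":
    report = audit_saved_searches(parse_conf(SAMPLE_CONF), ["Core App", "DNSDB"])
    for level, items in report.items():
        for item in items:
            print(level.upper(), item)
```

Run against the sample, the check flags the missing Expire Old Queue Data search, the disabled Summary and DNSDB Cache Cleanup searches as errors, and the disabled Queue Builder only as a warning. Pass in "Iris Detect" as well if that feature is licensed, since every one of its required searches is absent from the sample.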

Table: Alerts

Enable these alerts to create Notable Events from the criteria specified in DT Settings → Configure Enrichment & Alerting.

Each entry lists the alert name, a description, and whether it is required.

  • DomainTools - DomainTools Domain Monitoring - Rule (Alert): Creates events based on the enrichment and alerting configuration. Customers wanting to create Notable Events within Enterprise Security must either enable this saved search or enable the correlation search inside Splunk ES. Default cron_schedule = */30 * * * *. Required for alerting at configured thresholds without the Splunk ES correlation search.
  • DomainTools - DomainTools Iris Detect - Rule (Alert): Creates Iris Detect alerts. Required for alerting at configured thresholds without the Splunk ES correlation search.
  • DomainTools - DomainTools Risk Score Increase - Rule (Alert): Creates alerts for Risk Score increases. Required for alerting at configured thresholds without the Splunk ES correlation search.
  • DomainTools - DomainTools Young Domains - Rule (Alert): Creates events based on the enrichment and alerting configuration. Default cron_schedule = */30 * * * *. Required for alerting at configured thresholds without the Splunk ES correlation search.

System Architecture Overview

High-level topology of both Splunk and DomainTools resources

The Saved Searches configuration file (savedsearches.conf) defines the enrichment process and the Queue Builder for the Iris Enrich KV store. In the Queue Builder process, raw logs in the Splunk indexes are queried from the Web data model as defined by the DomainTools base search configuration (dt_basesearch).

For each domain found, the process checks whether the domain already exists in the Iris Enrich data, which indicates that it has already been enriched. If it does not, the new domain is queued for enrichment. Each domain is stored together with its enriched data in the KV store.
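The following Python model of the queue-and-enrich cycle is an added example written for this page; it is not the app's own code. It puts the documented settings (enable_cache, dt_cache_retention_period, bulk_enrichment_batch_size, unknown_domain_retry and unknown_domain_retry_time) into one small simulation so you can see which observed domains get queued, how the queue is cut into API calls, and what the Expire Old Iris Enrich Data search removes. The EnrichRecord and EnrichSettings types, the treatment of "unknown" domains as a flag on the record, and the sample cache contents are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Sequence


@dataclass
class EnrichRecord:
    """A dt_iris_enrich_data row reduced to what the queue logic needs
    (assumption: the real collection carries the en_* fields listed above)."""
    domain: str
    retrieved: datetime       # when DomainTools last answered for this domain
    unknown: bool = False     # True when DomainTools had no data for the domain


@dataclass
class EnrichSettings:
    """Documented settings with their documented defaults."""
    enable_cache: bool = True                # enable_cache macro, default 1
    cache_retention_days: int = 30           # dt_cache_retention_period, default 30
    batch_size: int = 100                    # bulk_enrichment_batch_size, 1 to 100
    unknown_domain_retry: bool = True        # unknown_domain_retry, default 1
    unknown_domain_retry_minutes: int = 60   # unknown_domain_retry_time, default 60


def build_queue(observed: Sequence[str], cache: Dict[str, EnrichRecord],
                settings: EnrichSettings, now: datetime) -> List[str]:
    """Queue Builder model: queue each distinct domain from the base search
    unless the cache already holds a fresh answer for it."""
    queued: List[str] = []
    seen = set()
    for raw in observed:
        domain = raw.strip().lower()
        if not domain or domain in seen:
            continue
        seen.add(domain)
        record = cache.get(domain)
        if settings.enable_cache and record is not None:
            age = now - record.retrieved
            if record.unknown:
                # Unknown domains are retried only once the retry interval has passed.
                retry_after = timedelta(minutes=settings.unknown_domain_retry_minutes)
                if not settings.unknown_domain_retry or age < retry_after:
                    continue
            elif age < timedelta(days=settings.cache_retention_days):
                continue
        queued.append(domain)
    return queued


def batch_queue(queued: Sequence[str], settings: EnrichSettings) -> List[List[str]]:
    """Cut the queue into API calls of at most bulk_enrichment_batch_size domains."""
    if not 1 <= settings.batch_size <= 100:
        raise ValueError("bulk_enrichment_batch_size must be between 1 and 100")
    return [list(queued[i:i + settings.batch_size])
            for i in range(0, len(queued), settings.batch_size)]


def expire_cache(cache: Dict[str, EnrichRecord], settings: EnrichSettings,
                 now: datetime) -> Dict[str, EnrichRecord]:
    """Model of the Expire Old Iris Enrich Data search: drop records older
    than the retention period."""
    cutoff = now - timedelta(days=settings.cache_retention_days)
    return {d: r for d, r in cache.items() if r.retrieved >= cutoff}


# Constructed sample: cache state before one Queue Builder run.
NOW = datetime(2025, 5, 21, 12, 0)
SAMPLE_CACHE = {
    "fresh.example": EnrichRecord("fresh.example", NOW - timedelta(days=1)),
    "stale.example": EnrichRecord("stale.example", NOW - timedelta(days=40)),
    "old-unknown.example": EnrichRecord("old-unknown.example", NOW - timedelta(hours=2), unknown=True),
    "new-unknown.example": EnrichRecord("new-unknown.example", NOW - timedelta(minutes=10), unknown=True),
}
SAMPLE_OBSERVED = ["fresh.example", "Fresh.Example", "stale.example",
                   "new.example", "old-unknown.example", "new-unknown.example"]

if __name__ == "__main__":
    queue = build_queue(SAMPLE_OBSERVED, SAMPLE_CACHE, EnrichSettings(), NOW)
    print("queued:", queue)
    print("api calls:", batch_queue(queue, EnrichSettings(batch_size=2)))
    print("after expiry:", sorted(expire_cache(SAMPLE_CACHE, EnrichSettings(), NOW)))
```

With the defaults, the fresh domain and the recently failed unknown domain are skipped, while the stale, new and retry-eligible domains are queued; setting enable_cache to False queues every distinct domain, which is the extra API usage the macro table warns about.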

Domain Enrichment Process between DomainTools and Splunk Indexes

Prior 5.X Release Notes

5.3 Release Notes

New in 5.3

  • Support for Newly Active Domains (NAD) and Newly Observed Domains (NOD) Threat Intelligence Feeds

Fixed in 5.3

  • Public suffix list in Enrichment Summary
  • Guided pivots failing for email addresses
  • Newly observed domains race condition

5.2 Release Notes

New in 5.2

  • Enrichment Explorer visualization and filters
  • Enrichment dashboard panels: Top ASN; Top Registrars; Top SSL Expired Certificates; Top Nameservers; Top ISPs; Top IP

Updated in 5.2

  • Additional fields in Enrichment Explorer summary view
  • Error handling for Iris Investigate
  • Allow multi-value inputs to dtirisenrich command

Fixed in 5.2

  • dtwhoishistory documentation
  • DNSDB error message specificity

5.1 Release Notes

Updated in 5.1

  • Improved API usage reporting
  • Improved information and responses around required API products

New in 5.1

  • Support for new Iris fields

5.0 Release Notes

New in 5.0

  • Send alerts to any SOAR platform with the new dt_alerts index
  • New configurable Risk Score Increase alert from Iris Detect results.
  • Log all domain enrichment values, and compare enrich values over time, using the new dt_enrich_history index.
  • Track changes to Whois data with the dtwhoishistory custom search script
  • Iris Investigate and Enrich API responses now include website_title, first_seen and server_type, as well as the SSL fields ssl.alt_names, ssl.duration, ssl.common_name, ssl.issuer_common_name, ssl.not_after, and ssl.not_before. These are available in the domain profile, enrichment explorer, and in Enrich and Investigate custom search commands.
Last modified: May 21, 2025