SecurityTrails Blog · Feb 06 · by Esteban Borges

SecurityTrails Add-On for Splunk

Reading time: 5 minutes

A few days ago we wrote a post showing how quickly you can use our API to retrieve domain, IP address and WHOIS information. Today we have some exciting news: the release of an open source SecurityTrails Splunk Add-On.

In case you don't know Splunk, it is a widely used platform for indexing, searching and monitoring the machine data generated by applications, systems and infrastructure.

Written by our friend Mickey Perre, this Splunk Add-On plugs into Splunk Adaptive Response so you can launch fast, automated DNS lookups for your domains or IP addresses through the SecurityTrails API.

Supported API calls

These are the supported API calls that you can use with SecurityTrails Splunk Add-On:

  • Get Domain Information
  • List Subdomains
  • List Tags
  • Current WHOIS information
  • Historical DNS
  • Historical WHOIS
  • Domain Searcher (Searching Domains)
  • IP Range Checker
[Screenshot: supported API calls]

We also provide a simple interface for configuring everything you need to interact with our API:

[Screenshot: add-on interface]

The results of each API call are displayed as formatted JSON and are also available as raw text:

[Screenshot: API call result]

How to use the SecurityTrails Splunk Add-On

1. Open a free Splunk account at https://www.splunk.com.

Verify your email and you are ready to go.

2. Log in to your splunk.com account.

3. Download the Splunk build for your operating system.

In our case, we downloaded Splunk Enterprise for Linux from

www.splunk.com/en_us/download/splunk-enterprise.html

Download the .tgz version (326.9 MB at the time of writing).

4. Once done, extract the tar.gz file.

Move to the splunk/bin directory.

Start Splunk: ./splunk start

This will ask you to set an admin username and password.

It then starts the Splunk server on localhost, port 8000 by default.

If the installation finished OK, it should display something like:

Waiting for web server at http://127.0.0.1:8000 to be available........ Done

The Splunk web interface is at http://127.0.0.1:8000

5. Download the required files.

The latest SecurityTrails Splunk Add-On package from github.com/secops4thewin/TA-securitytrails (at the time of writing, the latest stable version is 1.4.0):

github.com/secops4thewin/TA-securitytrails/raw/master/TA-securitytrails_1_4_0_export.tgz

The Splunk Common Information Model App from splunkbase.splunk.com/app/1621/

6. Open http://localhost:8000 or http://127.0.0.1:8000

Enter your admin username and password.

Locate the gear icon in the top left corner, as shown below:

[Screenshot: Splunk gear icon]

Then, in the top right, locate the 'Install app from file' option:

[Screenshot: Install app from file]
  • Click 'Install app from file' and upload the packages you downloaded previously (the SecurityTrails Splunk Add-On and the Splunk Common Information Model App).
  • Restart the Splunk server after each upload.
  • Log back in to your Splunk admin panel.
[Screenshot: Splunk restart required]

7. Configure the SecurityTrails Add-On. In the top left corner you will see an 'Apps' menu.

  • Click on the SecurityTrails add-on.
  • Go to 'Add-on Settings'.
  • Set your API key. It authenticates every request the add-on makes to SecurityTrails, so treat it like any other credential and restrict who can open this settings page.
  • Set an index name, for example stindex.
[Screenshot: Add-on settings]

That's it. At this point the add-on should be configured and ready to use.
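Steps 4 through 6 above can be scripted. The script below is an added example, not code from the original post or from the TA-securitytrails project. It assumes the Splunk Enterprise tarball and both app packages are already in the current directory (the tarball and CIM file names are placeholders; set SPLUNK_TGZ and CIM_TGZ to the real ones), a Splunk release whose CLI supports --seed-passwd and "install app" (7.1 or later), and that the admin password to seed is passed in the SPLUNK_PASSWORD environment variable rather than typed into the script. Before installing each package it checks that the archive looks like a Splunk app package (exactly one top-level directory containing default/app.conf) and contains no path-escaping entries, because an app package is extracted under $SPLUNK_HOME/etc/apps with the privileges of the Splunk process. Step 7 (API key and index) stays a UI step, since the post does not document the add-on's configuration file.

```shell
#!/bin/sh
# Added example: unattended version of steps 4-6. Not from the original post
# or the TA-securitytrails project. Assumes Splunk 7.1+ (for --seed-passwd and
# "install app"), that the three packages are in the current directory, and
# that SPLUNK_PASSWORD holds the admin password to seed.
set -e

SPLUNK_TGZ=${SPLUNK_TGZ:-splunk-enterprise-linux-x86_64.tgz}   # file name assumed
ADDON_TGZ=${ADDON_TGZ:-TA-securitytrails_1_4_0_export.tgz}
CIM_TGZ=${CIM_TGZ:-splunk-common-information-model.tgz}        # file name assumed
SPLUNK_HOME=${SPLUNK_HOME:-$PWD/splunk}

# Refuse an app package unless it looks like a Splunk app: one top-level
# directory, a default/app.conf inside it, and no entry that would escape
# $SPLUNK_HOME/etc/apps on extraction (absolute path or ".." component).
# Prints the app directory name on success, returns 1 otherwise.
check_app_package() {
    pkg=$1
    [ -f "$pkg" ] || { echo "missing package: $pkg" >&2; return 1; }
    entries=$(tar -tzf "$pkg") || return 1
    if printf '%s\n' "$entries" | grep -Eq '^/|^\.\.(/|$)|/\.\.(/|$)'; then
        echo "refusing $pkg: archive contains path-escaping entries" >&2
        return 1
    fi
    top=$(printf '%s\n' "$entries" | cut -d/ -f1 | sort -u)
    if [ "$(printf '%s\n' "$top" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "refusing $pkg: expected exactly one top-level app directory" >&2
        return 1
    fi
    if ! printf '%s\n' "$entries" | grep -qxF "$top/default/app.conf"; then
        echo "refusing $pkg: no $top/default/app.conf, not a Splunk app" >&2
        return 1
    fi
    printf '%s\n' "$top"
}

# Install one app package through the CLI (the equivalent of "Install app
# from file" in the UI), but only after the check above passes.
install_app() {
    app=$(check_app_package "$1")
    "$SPLUNK_HOME/bin/splunk" install app "$1" -auth "admin:$SPLUNK_PASSWORD"
    echo "installed $app"
}

main() {
    : "${SPLUNK_PASSWORD:?set SPLUNK_PASSWORD to the admin password to seed}"
    # Step 4: unpack and start. --seed-passwd replaces the interactive
    # admin-password prompt; --accept-license/--no-prompt the other prompts.
    tar -xzf "$SPLUNK_TGZ" -C "$(dirname "$SPLUNK_HOME")"
    "$SPLUNK_HOME/bin/splunk" start --accept-license --answer-yes --no-prompt \
        --seed-passwd "$SPLUNK_PASSWORD"
    # Step 6: install both packages, then restart. The UI asks for a restart
    # after each upload; installing both and restarting once ends the same way.
    install_app "$ADDON_TGZ"
    install_app "$CIM_TGZ"
    "$SPLUNK_HOME/bin/splunk" restart
    echo "Splunk web: http://127.0.0.1:8000 - finish step 7 (API key, index) in the UI"
}

# Only perform the install when run as "sh install-st-addon.sh install";
# sourcing the file merely defines the check functions.
if [ "${1:-}" = install ]; then
    main
fi
```

Run it as `SPLUNK_PASSWORD='...' sh install-st-addon.sh install`. The package check is the part worth keeping even if you install through the UI: it rejects an archive that is not a Splunk app, or that carries entries which would be written outside the apps directory.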

How can I perform manual queries against the SecurityTrails API?

Inside the SecurityTrails App interface, click on 'SecurityTrails Hunt':

  • Select the API action you want to perform.
  • Enter a Search Description; it will be stored in the Splunk index.
  • Hit the Submit button.
[Screenshot: Splunk SecurityTrails Hunt]

For example, in the following screenshot we select the Get WHOIS API action, enter a description and the name of the domain we want to investigate, and hit Submit.

[Screenshot: SecurityTrails Hunt, Get WHOIS]

The results are displayed in the second 'Search' panel after about 30 seconds. To see them immediately, scroll down a little and hit the refresh icon, as shown below:

[Screenshot: Splunk search results]


Are you ready to get started with the SecurityTrails Splunk Add-On? Check out the installation guide and full documentation on GitHub. Any feedback is greatly appreciated!

SecurityTrails is one of the largest cyber intelligence datasets available, and with our API integrated into an analysis platform like Splunk you can pull DNS, WHOIS and domain data straight into your investigations and use it to protect your company's web infrastructure, domains and DNS.

And if you are not using Splunk, remember that you can still use our API directly to integrate your own application with our intelligence database. Contact us to request access today.

Esteban Borges

Esteban is a seasoned cybersecurity specialist, and marketing manager with nearly 20 years of experience. Since joining SecurityTrails in 2017 he’s been our go-to for technical server security and source intelligence info.
