api tools osint

SecurityTrails Blog · Feb 06 2018 · SecurityTrails team

SecurityTrails Add-On for Splunk

Reading time: 4 minutes

Days ago we wrote a post where we showed how fast and easy it is to interact with our cool API to retrieve domains, IP addresses, and Whois information. Today, we have some exciting news: The release of an open source SecurityTrails Splunk Add-On.

In case you don't know Splunk, it is the definitive solution for companies and entrepreneurs who need to analyze & monitor machine big data generated by applications, systems, and infrastructure.

Written by our great friend, the skilled Mickey Perre, this Splunk Add-On allows you to work with Splunk Adaptive Response to launch fast & automated DNS lookups for your domains or IP addresses interacting with SecurityTrails API.

Supported API calls

These are the supported API calls that you can use with SecurityTrails Splunk Add-On:

  • Get Domain Information
  • List Subdomains
  • List Tags
  • Current WHOIS information
  • Historical DNS
  • Historical WHOIS
  • Domain Searcher (Searching Domains)
  • IP Range Checker

API calls

We also offer an easy interface to configure all the details you need while interacting with our API:

Interface

And the results of the API call in a JSON like format, which is also available as raw text:

Result

How to use the SecurityTrails Splunk Addon

1. Open a free Splunk account at https://www.splunk.com.

Verify your email and you are ready to go.

2. Login to your splunk.com account.

3. Download the Splunk version depending on your operating system.

In our case, we downloaded Splunk Enterprise for Linux from

www.splunk.com/en_us/download/splunk-enterprise.html

Download the .tgz 326.9 MB version.

4. Once done, extract the tar.gz file.

Move to the splunk/bin directory.

Start splunk: ./splunk start

This will ask you to set an admin username and password.

And then it will start the Splunk server at your localhost:8001 (or 8000, I don't remember).

If the installation finished OK, it should display something like:

Waiting for web server at http://127.0.0.1:8000 to be available........ Done

The Splunk web interface is at http://127.0.0.1:8000

5. Download the required files.

Latest SecurityTrails Splunk Addon file from github.com/secops4thewin/TA-securitytrails or (at the time of writing this guide the latest stable version) version 1.4.0:

github.com/secops4thewin/TA-securitytrails/raw/master/TA-securitytrails_1_4_0_export.tgz

Splunk Common Information Model App from: splunkbase.splunk.com/app/1621/

6. Open http://localhost:8000 or http://127.0.0.1:8000

Enter your admin username and password.

Locate the Gear icon at your top left corner, as you see below:

Splunk gear icon

Then, at your right top area, locate an option called 'Install app from file':

Install app from file

  • Click Install App from File, and then upload the files you downloaded previously (ST Splunk Addon and Splunk Common Information Model App).
  • Restart the Splunk server after each upload.
  • Login back to your Splunk admin panel.

Splunk restart required

7. Configure the SecurityTrails Addon. Move to the left top corner, you will see an 'Apps' menu.

  • Click on the ST addon.
  • Move to 'Addon Settings'
  • Set your API Key
  • Set any index name, something like stindex for example.

Add-on settings

That's it. At this point, the APP should be configured and ready to work.

How can I perform manual queries against the SecurityTrails API?

Inside the SecurityTrails App interface, click on 'SecurityTrails Hunt':

  • Select the API actions you want to perform.
  • Enter a Search Description that will be stored in the Splunk index.
  • Hit Submit button.

Splunk SecurityTrails hunt

For example, in the following screenshot you will see we will be fetching the Get Whois API endpoint, then we can enter any description, enter the name of the domain we want to investigate, and finally hit Submit button.

Splunk SecurityTrails hunt Get WHOIS

The results will be displayed in the second 'Search' window after 30 seconds.

Scroll down a little bit, then hit Refresh icon, as you see below:

Splunk Search results

The results will be displayed immediately.


Are you ready to get started with SecurityTrails Splunk Add-On? Check out our installation guide and full documentation on Github. Also remember that any feedback is greatly appreciated!

SecurityTrails is the biggest effort in cyber intelligence data, and now, with our awesome API integrated with a great analysis software that Splunk is, you can get instant valuable information that will help you to prevent future attacks on your company web infrastructure, domains and DNS.

And if you are not using Splunk, remember that you can still use our awesome API to integrate your application with our big intelligent database. Contact us to request access today.