
Release packages and SHA256 checksums

Checksums as listed on Splunkbase, one package per line in sha256sum -c format (digest, two spaces, file name):

b35f1b72bc423e4327bdabf8ed81d65b08dfc28f1b1460c7e0aa03db0f81da3f  domaintools-app-for-splunk-and-splunk-es_550.tgz
8e3afc8ef0c465e5c40782960b56475320ed20bb5916c0b41959855a010ee78e  domaintools-app-for-splunk-and-splunk-es_541.tgz
333745c1bfcd7545c1c21f639bd10c0dad3f1c2fa61a3bd4928b3469314f2866  domaintools-app-for-splunk-and-splunk-es_540.tgz
05cfa3189cac17f245f0398c4d6990d490c741d1ccd033e3f488835b354213dd  domaintools-app-for-splunk-and-splunk-es_532.tgz
dc00af9e9d4a04bcc5a32f52c65690bcfdbcab034f6a305d495879dd9f0d07a9  domaintools-app-for-splunk-and-splunk-es_531.tgz
54ffe2e5b503b4eb1b69bd458e5b5c26e1acf8f98fcbdbf47eb9478f25c94e7c  domaintools-app-for-splunk-and-splunk-es_530.tgz
607a6e964f766e05d5e2171054370b3133d9d53ff1235c6a15713bd2c4617200  domaintools-app-for-splunk-and-splunk-es_520.tgz
f352ddf5f053a08ec9cfdd78d169ff087a38a638d4c419fb9c4e4fc3e980448b  domaintools-app-for-splunk-and-splunk-es_510.tgz
c614f26c185ccb11091f8db6ab58b7f905a157e314e733e0a65c008be23d9064  domaintools-app-for-splunk-and-splunk-es_500.tgz
471d4fc7483f34d5675b964331b3ceed259fd4f56213b1ffed9b877a000e315f  domaintools-app-for-splunk-and-splunk-es_450.tgz
04b0a5463d1362bc46063d259575cab4ecbcad51d1dcd760beaee7d7ab3fa65b  domaintools-app-for-splunk-and-splunk-es_444.tgz
db7989652f5ee50c32a6420b3fa8959eb9d279b28591a48153d1ccf9f453f46e  domaintools-app-for-splunk-and-splunk-es_443.tgz
519d7cdca5ce0f86f6750f7b999da9c986da8ca55e821ea6a9c290ebda32c418  domaintools-app-for-splunk-and-splunk-es_442.tgz
4010d4dbfbe184b753351601b9d30b31fdd4684967227ab8462fb70c84c5edf5  domaintools-app-for-splunk-and-splunk-es_441.tgz
14f9caff7fdaeb10ccc81e4cee291995928c3ec371e43e14ba935ef8edcc1a99  domaintools-app-for-splunk-and-splunk-es_440.tgz
afcbd14a301c3c77cfa112211b1c984ce0f77bf1bb0ae70dbddb7766954fcb02  domaintools-app-for-splunk-and-splunk-es_431.tgz
02eae0a1a886d060c2bb6749bc3a2fccd8ff7b4ba9f51e9ae286b6722e267e05  domaintools-app-for-splunk-and-splunk-es_430.tgz
793fa1fc63498038980450b7f83f5b4da31ed56c0d77579072245c1cab6e320f  domaintools-app-for-splunk-and-splunk-es_421.tgz
dfd18060fe05a4dd2d194ba1f2ce045ef54075f7ffc22dfba907d5381032b814  domaintools-app-for-splunk-and-splunk-es_420.tgz
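Checking a downloaded package against the published checksums, as an added example written for this page (it is not Splunkbase or DomainTools code). It parses both the run-together "SHA256 checksum (file) hex" form Splunkbase prints and sha256sum-style "hex  file" lines, fails closed when the file is not listed or cannot be read, and streams the archive so a large .tgz is never held in memory. PAGE_CHECKSUMS embeds two entries copied from the list above; the function names are the example's own.

```python
"""Verify a Splunkbase package against the SHA256 values published on the app
page. Added example; not part of the DomainTools app or of Splunkbase."""
import hashlib
import hmac
import re
from pathlib import Path

# Two entries copied from the checksum list on this page, in the run-together
# form the page prints them ("SHA256 checksum (<file>) <hex>").
PAGE_CHECKSUMS = (
    "SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_550.tgz) "
    "b35f1b72bc423e4327bdabf8ed81d65b08dfc28f1b1460c7e0aa03db0f81da3f "
    "SHA256 checksum (domaintools-app-for-splunk-and-splunk-es_541.tgz) "
    "8e3afc8ef0c465e5c40782960b56475320ed20bb5916c0b41959855a010ee78e"
)

# Page form: "SHA256 checksum (file.tgz) <64 hex chars>"
_PAGE_RE = re.compile(r"SHA256 checksum \(([^)]+)\)\s+([0-9a-fA-F]{64})")
# sha256sum form: "<64 hex chars>  file.tgz" (an optional '*' marks binary mode)
_SUMS_RE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)\s*$", re.MULTILINE)


def parse_checksum_list(text: str) -> dict[str, str]:
    """Map file name -> lowercase hex digest, accepting either list format."""
    entries = {name: digest.lower() for name, digest in _PAGE_RE.findall(text)}
    entries.update({name: digest.lower() for digest, name in _SUMS_RE.findall(text)})
    return entries


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory blob (used for small inputs and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so a large .tgz is never fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, checksum_text: str) -> bool:
    """True only when the file's basename is listed AND its digest matches.
    Fails closed: an unlisted, missing or unreadable file is not 'verified'."""
    expected = parse_checksum_list(checksum_text).get(Path(path).name)
    if expected is None:
        return False
    try:
        actual = sha256_file(path)
    except OSError:
        return False
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import sys

    target = sys.argv[1]
    ok = verify_download(target, PAGE_CHECKSUMS)
    print(("OK      " if ok else "FAILED  ") + target)
    sys.exit(0 if ok else 1)
```

A matching digest proves the file is the one the page lists; it does not authenticate the page itself, so fetch the listing over TLS and keep a copy of the values you verified against alongside the package you deploy.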


DomainTools App For Splunk and Splunk ES

Gain fast insights and situational awareness around risky infrastructure

DomainTools enables Security Operations Centers (SOCs) and security analysts to take domain observables from their network and connect them with other active domains on the Internet. Those connections inform risk assessments, help profile attackers, guide online fraud investigations, and map cyber activity to attacker infrastructure.

As event rates rise, organizations need to run high-volume queries with fast response times. The DomainTools App for Splunk delivers enrichment at scale, with drill-down details that add context. Using the DomainTools Iris and Farsight DNSDB datasets, users have immediate access to dozens of attributes for every domain event in Splunk.

Domain Monitoring

SOCs and security analysts can use DomainTools Iris Detect from within Splunk to discover and watch newly registered domains that match terms the organization monitors (such as a brand or company name). From the Domain Investigation workflow they can add domains to monitoring or to the allowlist (the list of trusted domains).

Predictive Risk Scoring

DomainTools Risk Score gives teams with emerging threat-hunting skills an instant advantage by helping them identify, and optionally alert on, Splunk events containing suspicious domains they would otherwise have missed. Individual component scores give experienced hunters the means to refine their alerts and target their resources precisely. DomainTools Risk Score, including the Proximity and Threat Profile classifiers, is available both in KV store collections and in Splunk indexes.

Proven Capability for Enterprise Organizations

DomainTools’ proven solution for Splunk includes a cloud-certified Splunk Application that deploys on Splunk search heads in both standalone and clustered configurations, with and without Splunk Enterprise Security. Event sources can be customized to match the unique requirements of each environment.

DomainTools Capabilities in Splunk

Reduce MTTD
• Bulk enrichment of domains with meaningful context
• At-a-glance alerting and reporting of malicious network traffic
• Domain monitoring using DomainTools Iris Detect

Reduce MTTR
• Discover newly registered domains and further enable monitoring
• Create a Splunk ES notable event in case a high-risk domain is observed
• Investigate connected infrastructure using Iris and Farsight Passive DNS

The DomainTools App works in parallel with Splunk Enterprise Security (ES) but does not depend on it. Customers who have not yet deployed ES can still realize significant value from the DomainTools solution.

What's New?

Version 5.0.0 of the DomainTools App for Splunk brings additional enrichment capabilities, completely reworked dashboards, a variety of enhancements that make the app easier to use, and a more streamlined installation process. While our dashboards continue to highlight data of interest, we understand that many users prefer to work with the data in their own dashboards and custom Splunk searches. Learn more about these new features and try out some of our examples.

DomainTools App for Splunk 5.0.0:

DomainTools App for Splunk 5.0.0 is the General Availability (GA) release of our app for Splunk, Splunk Enterprise, and Splunk Cloud, with an all new frontend compatible with Splunk's latest guidelines. Please review the release notes to understand the key features and changes in this release.

Prerequisites:

  • Access to the Iris Enrich and Iris Investigate APIs is required
  • Access to the Farsight DNSDB and Iris Detect APIs is optional but recommended for full app functionality

Release Notes

Version 5.5.0
Aug. 18, 2025

New Release

  • Added support for the Newly Observed Host (NOH) feed
  • Added support for the Real Time Risk feed
  • Added support for the Real Time Domain Hotlist
  • Added support for proxy testing

Bug Fixes

  • Iris Detect domains showed inconsistent results for escalated domains

Version 5.4.1
May 19, 2025

  • Added include_psl_private_domains
  • Updated the domainextract and domainextract2 suffix lists
  • Added support for socks5 and socks5h proxies (socks5h resolves DNS through the proxy)
  • Added an optional parameter to turn on logging for the domainextract custom search command, to prevent unwanted logs
  • Separated the "recent events" panel from the Domain Profile dashboard into its own dashboard with a full time picker, so the Domain Profile dashboard no longer waits on it to load

Version 5.4.0
April 2, 2025

  • Implemented the Parsed Domain RDAP feed
  • Implemented the Domain Discovery feed
  • Added support for the Parsed Domain RDAP API: an RDAP search command and an RDAP dashboard
  • Updated handling of 206 responses for large datasets
  • Updated the Splunk Python SDK to the latest version

Version 5.3.2
Feb. 13, 2025

Updated to support Splunk SDK for Python (1.7.0). Upgrade to 2.0.2 or later.

Version 5.3.1
Jan. 6, 2025

WHOIS Sort parameter bug fix

PhishEye Tooltip updated

Version 5.3.0
Nov. 21, 2024

Support for Newly Active Domains
Support for New Observed Domains

Version 5.2.0
Oct. 16, 2024

New

  • Enrichment dashboard
  • Top ASN dashboard
  • Top Registrars dashboard
  • Top SSL Expired Certificates dashboard
  • Top Nameservers dashboard
  • Top ISPs dashboard
  • Top IP dashboard
  • Visualizations and filters in Enrichment Explorer

Updated

  • Additional fields in the Enrichment Explorer summary view
  • Error handling for Iris Investigate
  • Multi-value inputs allowed for the dtirisenrich command

Version 5.1.0
Aug. 26, 2024
  1. Fixed issues:
    • Text overlap observed on the Domain Profile dashboard
    • Charts and tables at the bottom of some dashboards did not show X-axis labels at 100% page zoom
    • DT Settings, Configure Enrichment: selection box text did not match the pop-up info
    • Incorrect behaviour of the panel mouse-hover "Fullscreen" option
  2. Added time picker for "API Usage" dashboard
  3. Filter selection under Threat Intelligence and Monitoring Dashboard will reset to default value after page reload
  4. Added DNSDB Usage to API Usage dashboard
  5. Enabled limited app functionality based on account provisioning
  6. Added support to new fields
    • ga4
    • gtm_codes
    • fb_codes
    • hotjar_codes
    • baidu_codes
    • yandex_codes
    • matomo_codes
    • statcounter_project_codes
    • statcounter_security_codes
  7. Enhanced the functionality of the "Test Connection/View Account"

Version 5.0.0
July 3, 2024

  • Enrich history is populated during the normal enrichment process
  • Enrich history is populated during the monitored enrichment process
  • New alert for an increased risk score
  • New alert for an increased risk score that is also above the threshold
  • New alert for Iris Detect domains
  • Alerts can be generated for ES only, for non-ES only, or for both
  • Alerts for both ES and non-ES are shown correctly in dashboards
  • New Iris fields are populated during enrichment, shown in the Domain Profile, and pivotable

Version 4.5.0
June 3, 2024

● Punycode domain enrichment error fixed
● Iris Detect Dashboard "Refresh Successful" despite rate limit error corrected
● Domain Profile pivot highlighting on some fields updated
● Extra "0"s on domain profile page removed
● Name Server IP Guided Pivot updated
● React dashboards: sorting by risk score updated
● Recent events panel now shows domains with non-ascii characters
● Updated Enrich script to handle domains with an underscore character
● Provide a function for unescaping URLs

Version 4.4.4
April 1, 2024
  • Fix Splunk Cloud compatibility for deprecated APIs
Version 4.4.3
Dec. 5, 2023

Changes and Fixes:

  • Fixes read only file system error when updating suffix list.
Version 4.4.2
Sept. 27, 2023

Changes and Fixes:

  • Resolves an installation issue on distributed Splunk 9 clusters using Splunk’s new folder structures
  • Resolved an issue with the Iris Detect Monitors page causing repeated queries on page load
  • Fixes consistency between panel reporting and result sets on the Threat Intelligence and Monitoring Pages
  • Adds a “no_cache” option to dtirisinvestigate to bypass the local KV store lookup, forcing an API call
  • Removed hard-coded ports from most functions (DNSDB functions are a notable exception); the management port configured under Server Settings -> General Settings is used instead.
  • Fixes some Iris Detect logs not showing on the diagnostic panel.
Version 4.4.1
May 8, 2023

What's New?

The latest updates, v4.4 and v4.4.1 bring additional enrichment capabilities, completely reworked dashboards, a variety of enhancements to make the app easier to use, and a more streamlined installation process. While our dashboards continue to help highlight data of interest, we understand that many users prefer to interact with data on their own dashboards and custom Splunk searches. Learn more about these new features and try some of our examples.

Changes and Fixes:

  • Removes the need to separately install the app on indexers
  • Resolves an issue enriching domains containing non-ASCII and uppercase characters.
  • Fixes an issue on the Threat Intel page where the threat map would not update based on the applied filter.
  • Fixes the on-click link for the threat map on the Monitoring Dashboard.
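The 4.5.0 fixes above (punycode enrichment, underscores, non-ASCII characters, a function for unescaping URLs) and the 4.4.1 fix for non-ASCII and uppercase domains all come down to normalizing an observable before it is sent to an enrichment API. Below is an added example of that normalization, written for this page and not taken from the DomainTools app; the function names are the example's own and the sample inputs in the usage are constructed. It lowercases, converts IDN labels to punycode with Python's standard idna codec, tolerates underscores (as in _dmarc.example.com), decodes percent-encoded URLs (including double-encoded ones), and separates unusable values so they can be logged and skipped rather than failing the whole batch.

```python
"""Normalize domain observables before enrichment.

Added example for this page, not code from the DomainTools app. Covers the
cases the 4.4.1 and 4.5.0 release notes call out: uppercase and non-ASCII
(IDN) names, underscores in labels, and percent-encoded URLs.
"""
import re
from urllib.parse import unquote, urlsplit

# After IDNA encoding each label must be ASCII letters, digits, hyphen or
# underscore, 1-63 chars, not starting or ending with a hyphen. Underscore is
# allowed because logs carry names such as _dmarc.example.com.
_LABEL_RE = re.compile(r"^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$")


def extract_host(observable: str) -> str:
    """Return the hostname from a bare domain, a URL, or a percent-encoded
    URL (decoded repeatedly, since some mail-gateway logs double-encode)."""
    value = observable.strip()
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    try:
        # Without a scheme, a leading '//' makes urlsplit treat the value as
        # an authority, so ports, paths and userinfo are dropped.
        parts = urlsplit(value if "://" in value else "//" + value)
        host = parts.hostname or ""
    except ValueError:  # e.g. malformed IPv6 brackets
        return ""
    return host.rstrip(".")


def normalize_domain(observable: str):
    """Lowercase punycode (IDNA) form of the domain, or None if unusable."""
    host = extract_host(observable).lower()
    if not host:
        return None
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:  # empty or overlong label, or nameprep failure
        return None
    labels = ascii_host.split(".")
    if len(labels) < 2 or labels[-1].isdigit():  # single label or IPv4 literal
        return None
    if not all(_LABEL_RE.match(label) for label in labels):
        return None
    return ascii_host


def normalize_batch(observables):
    """Split raw values into (enrichable, skipped) so one bad value is logged
    and skipped instead of aborting the whole enrichment run."""
    ok, skipped = [], []
    for raw in observables:
        norm = normalize_domain(raw)
        if norm is None:
            skipped.append(raw)
        else:
            ok.append(norm)
    return ok, skipped


if __name__ == "__main__":
    # Constructed sample observables, not real log data.
    sample = [
        "BÜCHER.Example",
        "https%3A%2F%2Fwww.Example.com%2Flogin",
        "_dmarc.example.com",
        "bad..example",
        "10.0.0.1",
    ]
    good, bad = normalize_batch(sample)
    print("enrich:", good)
    print("skip:  ", bad)
```

Inside Splunk the app performs its own extraction (the domainextract command and the regex-based dtdomainextract2 macro mentioned in these notes); the example shows the equivalent checks for anyone pre-processing observables outside Splunk, and the IPv4 exclusion is a deliberate choice because the enrichment APIs named here are domain-oriented.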
Version 4.4.0
March 21, 2023

New:
-Added an inline Passive DNS lookup command, dtdnsdbenrich
-All pages have been rebuilt using SimpleXML and React, resolving HTML dashboard warnings and removing dependencies on older versions of jQuery

Deprecated:
-Removed PhishEye (replaced by Iris Detect)
-Stopped replicating KV stores to indexers (if you miss it, please let us know!)

Changes and Fixes:
-The Iris Detect page has been separated into two pages: an Iris Detect Dashboard and Iris Detect Monitored Term setup page
-Added an inline_results option to dtirisenrich to preserve previous fields
-Resolved an issue that would cause Iris Detect domains to be imported into Splunk, regardless of whether or not a monitored term was enabled
-Resolved an issue on Splunk 9 when Iris Detect domains would not be imported at all
-Domains with parsing issues are logged (if Diagnostic Panel is enabled) and skipped, resolving a queue builder error in some environments
-Improved in-app documentation and syntax highlighting on custom search commands

Version 4.3.1
Sept. 13, 2022

New:
- Manage previously-ignored Iris Detect Monitor alerts within Splunk (API Functionality Required)
- Improved checks for invalid domains, skipping and logging them (if enabled) during enrichment

Changes and Fixes:
- Fixes support for proxy usage broken in 4.3
- Fixes a parsing error on the DNSDB Flexible Search page when using regexes
- Fixes a display issue for the Risk Score panel on the Domain Profile page
- Updated DomainTools branding

Version 4.3.0
May 26, 2022

New:
• Triage new domains matching Iris Detect Monitors within Splunk (API Functionality Required)
• Synchronize the Iris Detect Watch List with the Splunk Monitoring list to watch for new domain activity within your environment
• Investigate domain infrastructure with Passive DNS (pDNS) using Farsight’s DNSDB Standard or Flexible search (API Key Required)

Changes and Fixes:
• Removed Python 2 support due to updated dependent libraries
• Added a distributed search configuration to address occasional issues when updating in Splunk Cloud
• Slightly lowered the default risk score thresholds used in the Enrichment Settings page. This does not override any user-specified thresholds when doing an in-place upgrade
• Simplified the DT Settings Menu. Moved Monitoring-specific settings under a new Monitoring menu
• Replaced HTML dashboards with single page apps to maintain Splunk Cloud compatibility
• Updated to jQuery v3.6
• Minor fixes and UI polishing

Version 4.2.1
Dec. 3, 2021

Fix:
• Adds a trigger stanza in app.conf to avoid unnecessary "restart required" messages.

Version 4.2.0
Sept. 28, 2021

New
• Power an always-on SOC display with auto-refreshing Threat Profile and Monitoring dashboard panels
• Simplify your triage process, investigating domains flagged in Enterprise Security Incident Review within the DomainTools app Domain Profile page
• Improve app performance using a new regex-based dtdomainextract2 macro
• Expedite your workflow, adding domains to monitoring or allow-lists directly from DomainTools Enrichment Explorer
• Natively enrich logs containing multivalue URLs (most commonly encountered with Proofpoint)

Changes and Fixes
• To improve performance, logging has been disabled by default. It can be re-enabled in the Diagnostic Panel
• Allows for “Informational”-level urgency tags when creating Notable Events in Enterprise Security
• Expanded configuration levels for allow-list actions
• Improved in-app documentation and user guide
• See the user guide for additional changes

