
An Update to the DomainTools App for Splunk

As you know only all too well if the subject line of this blog got your attention, every second brings a massive influx of events into Splunk and similar tools. Can you relate? We’re pretty sure we know the answer to that! But stepping back a bit: in case you’re not already familiar with it, the DomainTools App for Splunk allows you to rapidly enrich domains with tagging, Domain Risk Score, domain age, Whois, IPs, active DNS, website and SSL certificate data to surface evidence of malicious activity. And now, with our latest release, we have made improvements we think you’re going to like if you already use the app, or which may pique your interest if you’ve not yet tried it out.

The DomainTools Splunk App 4.2 Dashboard

Splunk is very powerful, of course; that’s why in many organizations there are one or more employees entirely dedicated to its care and feeding. Recognizing that you’ve got enough on your hands just getting the most out of your investment in Splunk, we’ve worked hard over the years to make the DomainTools app as easy to install, configure, maintain, and use as possible. Version 4.2 has several enhancements that can help with that. None of these changes is, by itself, revolutionary. But the little things add up: these enhancements can streamline your experience in the app and save your team valuable time. Here’s a thorough but far from comprehensive list of some of the things we’ve added and changed in the 4.2 release:

New:

  • You can power an always-on SOC display with auto-refreshing Threat Profile and Monitoring dashboard panels.
  • Time is of the essence, so this release can simplify your triage process: investigate domains flagged in Enterprise Security Incident Review within the DomainTools app Domain Profile page.
  • Along the same lines, to expedite your workflow, you can now add domains to monitoring or allow-lists directly from DomainTools Enrichment Explorer.
  • We’ve added a new regex-based dtdomainextract2 macro to improve performance.
  • You can now natively enrich logs containing multivalue URLs (this might be especially valuable to you Proofpoint users).

Changed or Fixed:

  • To improve performance, logging has been disabled by default. It can be re-enabled in the Diagnostic Panel.
  • The app now allows for “Informational”-level urgency tags when creating Notable Events in Enterprise Security.
  • We’ve expanded configuration levels for allow-list actions.
  • The “Active Domains” panel on the Threat Intelligence Dashboard has been replaced by “Risky Observed Domains” to focus on the threat indicators of importance.
  • Threat Portfolio and Domain Alerts Over Time timelines show the number of events instead of domains. (You can click on a legend entry to show all matching events of a given type during the filtered time period.)
  • Threat profile panels preserve the search time frame in the Splunk query for a more consistent experience.
  • You can now search Enrichment Explorer and Domain Profile, or add to the Allowlist or Monitoring List, using “defanged” domains (e.g. example[.]com—no need to delete those brackets now!).
  • We removed the sparklines on dashboard panels—feedback from our users was that they were more confusing than helpful!
  • And, last but most definitely not least, we’ve improved our in-app documentation and user guide.
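The defanged-domain and multivalue-URL items above are the kind of normalization an enrichment pipeline has to perform before any lookup. The following Python is an added example, not DomainTools code, and does not reproduce the dtdomainextract2 macro; it assumes a constructed log line with a pipe-separated `urls` field, refangs indicators such as example[.]com and hxxp://, and splits the resulting hosts into domains and IP addresses so each goes to the right enrichment.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample event (not real Proofpoint or Splunk output): one message whose
# multivalue "urls" field carries three URLs, partly defanged the way analysts paste them.
SAMPLE_EVENT = (
    'Nov  2 10:15:01 mx1 mailfilter: action=quarantine '
    'urls="hxxp://docs[.]example-cdn[.]com/invoice|https://login.example.net/reset|'
    'hxxp[:]//198[.]51[.]100[.]7/x"'
)


def refang(value: str) -> str:
    """Turn a defanged indicator ('hxxp://example[.]com', 'evil[dot]test') back into a searchable form."""
    s = value.strip()
    s = re.sub(r"\[(?:\.|dot)\]|\((?:\.|dot)\)|\{\.\}", ".", s, flags=re.I)  # [.] (.) {.} [dot] (dot)
    s = s.replace("[:]", ":").replace("[://]", "://")                           # hxxp[:]// style
    s = re.sub(r"hxxps?(?=://)", lambda m: m.group(0).lower().replace("hxxp", "http"), s, flags=re.I)
    return s


def hosts_from_multivalue(field_value: str, sep: str = "|") -> tuple[list[str], list[str]]:
    """Return (domains, ips) from a separator-joined multivalue URL field, deduplicated in order.
    The separator is an assumption about the log format, not a DomainTools or Splunk convention."""
    domains, ips = [], []
    for raw in field_value.split(sep):
        raw = refang(raw)
        if not raw:
            continue
        if "://" not in raw:            # bare "example.com/path" needs a scheme for urlsplit
            raw = "http://" + raw
        try:
            host = urlsplit(raw).hostname  # hostname is already lower-cased by urlsplit
        except ValueError:              # a stray "[" makes urlsplit treat the netloc as broken IPv6
            continue
        if not host:
            continue
        try:
            ipaddress.ip_address(host)
            bucket = ips
        except ValueError:
            bucket = domains
        if host not in bucket:
            bucket.append(host)
    return domains, ips


def hosts_from_event(line: str, field: str = "urls", sep: str = "|") -> tuple[list[str], list[str]]:
    """Pull a quoted key="..." field out of a log line and return its unique hosts."""
    m = re.search(rf'\b{re.escape(field)}="([^"]*)"', line)
    return hosts_from_multivalue(m.group(1), sep) if m else ([], [])
```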

If you’re curious about seeing it in action, be on the lookout for a webinar coming up on November 2 that will introduce the app in general, and also highlight some of these enhancements.

Finally, we’d like to thank our users for giving us valuable feedback on the app. Most of these changes originated directly from conversations with our customers. There’s no substitute for the expertise of the practitioners who use these tools every day to help make the Internet a safer place. Thank you!