Days ago we wrote a post where we showed how fast and easy it is to interact with our cool API to retrieve domains, IP addresses, and Whois information. Today, we have some exciting news: The release of an open source SecurityTrails Splunk Add-On.

In case you don't know Splunk, it is the definitive solution for companies and entrepreneurs who need to analyze & monitor machine big data generated by applications, systems, and infrastructure.

Written by our great friend, the skilled Mickey Perre, this Splunk Add-On allows you to work with Splunk Adaptive Response to launch fast & automated DNS lookups for your domains or IP addresses interacting with SecurityTrails API.

Supported API calls

These are the supported API calls that you can use with SecurityTrails Splunk Add-On:

Get Domain Information

List Subdomains

List Tags

Current WHOIS information

Historical DNS

Historical WHOIS

Domain Searcher (Searching Domains)

IP Range Checker

We also offer an easy interface to configure all the details you need while interacting with our API:

And the results of the API call in a JSON like format, which is also available as raw text:

How to use the SecurityTrails Splunk Addon

1. Open a free Splunk account at https://www.splunk.com.

Verify your email and you are ready to go.

2. Login to your splunk.com account.

3. Download the Splunk version depending on your operating system.

In our case, we downloaded Splunk Enterprise for Linux from

www.splunk.com/en_us/download/splunk-enterprise.html

Download the .tgz 326.9 MB version.

4. Once done, extract the tar.gz file.

Move to the splunk/bin directory.

Start splunk: ./splunk start

This will ask you to set an admin username and password.

And then it will start the Splunk server at your localhost:8001 (or 8000, I don't remember).

If the installation finished OK, it should display something like:

Waiting for web server at http://127.0.0.1:8000 to be available........ Done

The Splunk web interface is at http://127.0.0.1:8000

5. Download the required files.

Latest SecurityTrails Splunk Addon file from github.com/secops4thewin/TA-securitytrails or (at the time of writing this guide the latest stable version) version 1.4.0:

github.com/secops4thewin/TA-securitytrails/raw/master/TA-securitytrails_1_4_0_export.tgz

Splunk Common Information Model App from: splunkbase.splunk.com/app/1621/

Enter your admin username and password.

Locate the Gear icon at your top left corner, as you see below:

Then, at your right top area, locate an option called 'Install app from file':

Click Install App from File, and then upload the files you downloaded previously (ST Splunk Addon and Splunk Common Information Model App).

Restart the Splunk server after each upload.

Login back to your Splunk admin panel.

7. Configure the SecurityTrails Addon. Move to the left top corner, you will see an 'Apps' menu.

Click on the ST addon.

Move to 'Addon Settings'

Set your API Key

Set any index name, something like stindex for example.

That's it. At this point, the APP should be configured and ready to work.

How can I perform manual queries against the SecurityTrails API?

Inside the SecurityTrails App interface, click on 'SecurityTrails Hunt':

Select the API actions you want to perform.

Enter a Search Description that will be stored in the Splunk index.

Hit Submit button.

For example, in the following screenshot you will see we will be fetching the Get Whois API endpoint, then we can enter any description, enter the name of the domain we want to investigate, and finally hit Submit button.

The results will be displayed in the second 'Search' window after 30 seconds.

Scroll down a little bit, then hit Refresh icon, as you see below:

The results will be displayed immediately.

Are you ready to get started with SecurityTrails Splunk Add-On? Check out our installation guide and full documentation on Github. Also remember that any feedback is greatly appreciated!

SecurityTrails is the biggest effort in cyber intelligence data, and now, with our awesome API integrated with a great analysis software that Splunk is, you can get instant valuable information that will help you to prevent future attacks on your company web infrastructure, domains and DNS.

And if you are not using Splunk, remember that you can still use our awesome API to integrate your application with our big intelligent database. Contact us to request access today.