App Version: 1.1.0 Date: April 13, 2018
The Farsight DNSDB for Splunk App℠ gives organizations of all sizes broad analysis and investigation capabilities. The primary purpose of the Farsight DNSDB for Splunk application is to add contextual information and situational awareness from DNSDB to the organization’s internal event data as managed in Splunk.
DNSDB is the most comprehensive database of passive DNS data about how IPs, domains, and Internet infrastructures interconnect and evolve. By augmenting an organization’s internal log data with real-time Internet DNS information, security teams will be better able to analyze threats and adversary infrastructure and capabilities. This will enable them to identify, detect, correlate and take action on the intelligence.
All it takes is a simple click in Splunk. With that single click, users can learn the history and infrastructure associated with a suspicious domain name or suspicious IP address, and by doing so, gain critical insights into their event data. Users can also add this capability to their existing workflow to automatically pre-populate contextual information for all IPs and domain names visited by any of their hosts.
With its global array of sensors, Farsight Security receives more than 200,000 observations per second, observations which illuminate most material changes to the global DNS. Farsight DNSDB App for Splunk users get those real-time changes the same minute they are first observed. With more than 13 billion domains and hostnames collected since 2010 – all indexed for easy searches – DNSDB enables threat intelligence teams, security analysts and incident responders to search for specific hosts or subdomains within a domain and gain immediate insight into subordinate names under base domains.
Farsight DNSDB for Splunk allows a Splunk® Enterprise user to run DNSDB queries from an included dashboard, as well as through search commands.
Version 1.1.0 of Farsight DNSDB for Splunk is compatible with: Splunk Enterprise versions: 7.0, 6.6, 6.5, 6.4, 6.3, 6.2
Version 1.1.0 is the current release of Farsight DNSDB for Splunk. It includes the following features:
Version 1.1.0 of Farsight DNSDB for Splunk incorporates the following third-party software or libraries.
Each DNSDB lookup done takes time to complete. Every event that is passed to it will generate a query to DNSDB. A search for over a few thousand events may take a moment to complete.
Farsight DNSDB API access is capped at a contracted number of queries per day. Every event passed to the DNSDB lookup will count as a query towards the user’s daily quota. Please be mindful of this when using the lookup functionality so as to not accidentally exhaust your daily query limit. (Should this happen on a regular basis, the query limits can be changed to meet the needs of your threat intelligence team).
Before installing Farsight DNSDB App for Splunk, please ensure:\
Farsight DNSDB for Splunk can run on Windows, OS X, or Linux.
Farsight DNSDB for Splunk app has no specific additional hardware requirements.
Because this add-on runs on Splunk Enterprise, all of the Splunk Enterprise system requirements apply.
Install the application within Splunk by browsing to Apps > Manage Apps > Find more apps online,
and searching for Farsight DNSDB.
Or, download the package from Splunkbase at: https://splunkbase.splunk.com/app/3050 and then upload it to your Search Head.
Follow the on-screen installation steps and then restart Splunk.
To install and configure this app on your supported platform, follow these steps:
SPLUNK INSTALL APP /PATH/TO/APP.TAR.GZ
Here are detailed, stepwise instructions to initially set up the Farsight DNSDB for Splunk app.
Login to your Splunk Enterprise instance as the administrator user.
From the entry screen, select the gear icon next to Apps.
Click the [Install app from file] button.
Click the [Choose File] button and select the SPL file provided by Farsight. Click [Upload]
Installation of the Farsight DNSDB App will require a restart of Splunk. If you wish to restart now, click [Restart Splunk].
Once the restart is complete, login as the Administrator user again.
Click [Set up now] to configure the Farsight DNSDB App.
Enter your Farsight API key. Leave the API URI as: https://api.dnsdb.info - If you do not have a Farsight API key, please go to: https://www.farsightsecurity.com/trialrequest/?request=splunk - If you have licensed DNSDB-Export, please change the API URI to the URI used on your export server.
Click on the Splunk> logo to return to the main screen. To access the App, click on [Farsight DNSDB for Splunk].
You are now ready to use the Farsight DNSDB for Splunk app.
To provide context for ALL domains and IP addresses within your Splunk instance, you can enable automatic lookups to ensure the information you may need will be immediately ready.
Please note that this will cause a high number of DNSDB queries to occur.
Instructions to enable automatic lookups:
Login to your Splunk Enterprise instance as the administrator user.
Select Settings from the Top Menu-bar and in the Knowledge section select “Lookups”
Find “Automatic lookups”, click “Add new”
Set the following fields (see attached screenshot for detailed view):
It should look something like this:
Return to the main page and open search.
Search for “.”
Once configured, the easiest way to use this app is through the built-in DNSDB dashboard. Choose a time range, type an IP address or hostname into the target field and press enter.
Farsight DNSDB for Splunk also comes with two commands and a lookup so that you can incorporate DNSDB queries into your own searches and dashboards. Below is usage documentation for all three of them.
Runs a DNSDB query on the given target. If target is an IP address, query is RDATA. Otherwise, query is RRSET. “before” and “after” fields can be supplied optionally to limit the time range of the query.
dnsdb target=**ip/hostname** type=**rdata/rrset** [rrtype=**A/MX/CNAME/etc] [earliest=**time**] [latest=**latest**]
dnsdb target=203.0.113.0/24 type="rdata" dnsdb target="example.com" latest=1446000216
Returns the DNSDB API query limit per day, the number of queries remaining today, as well as the time when the query limit will next reset.
Runs dnsdb command on a set of targets.
lookup dnsdb [fields]
lookup dnsdb dnsdb_ip AS srcip OUTPUT dnsdb_host
*Problem: App returns error “Authorization failed. Check API key”.
Cause: API Key is missing or incorrect.
Resolution Check that your API key is entered correctly.
*Problem: App returns error “Query limit reached”.
Cause: You have reached your query limit.
Resolution Wait until your limit resets (likely at midnight daily) until making more queries.
Technical support is available via email to firstname.lastname@example.org. Support requests will be responded to within 24 hours Monday through Friday.
Farsight Security, Inc. is the world’s largest provider of historical and real-time DNS intelligence solutions. We enable security teams to qualify, enrich and correlate all sources of threat data and ultimately save time when it is most critical - during an attack or investigation. Our solutions provide enterprise, government and security industry personnel and platforms with unmatched global visibility, context and response. Farsight Security is headquartered in San Mateo, California, USA. Learn more about how we can empower your threat platform and security team with Farsight Security passive DNS solutions at www.farsightsecurity.com or follow us on Twitter: @FarsightSecInc.