
DNSDB Splunk Integration Technical Overview

Overview

Splunk® and Farsight Security® Inc. (now a part of DomainTools) have partnered to allow access to Farsight's Passive DNS data from within the Splunk platform. Splunk is a popular SIEM platform for organizing, searching, monitoring, analyzing, and visualizing machine-gathered data in a web interface. Farsight has co-developed two Apps for the Splunk platform: the Farsight DNSDB℠ App for Splunk and the Farsight Sentry Manager App for Splunk. These Apps give Splunk Enterprise customers the ability to use Farsight's DNSDB and Security Information Exchange (SIE) as additional resources within their current Splunk workflows and analytics.

Technical Description

With the Farsight DNSDB App, users can learn the history and associated infrastructure of a suspicious domain name or IP address to gain critical contextual information for their existing event data. Users can add this capability to an existing workflow to generate queries automatically and populate contextual information for all domains and addresses that were the target of DNS requests made by hosts in their infrastructure.

With the Farsight Sentry Manager App, users can create Splunk events for patterns matched within Farsight's SIE channels. When added to Splunk, this allows users to map out and investigate new threats to their network in real time.

Both the Farsight DNSDB App and the Farsight Sentry Manager App for Splunk allow for better visibility in the detection, identification, and analysis of new and existing threats to the user's network.

Hardware and Software Requirements

The Farsight Splunk Apps are web-based applications that can be accessed via any browser supported by Splunk Enterprise.

The Farsight Splunk Apps have no specific hardware or software requirements of their own, as they run within a Splunk Enterprise environment. All of the Splunk Enterprise system requirements apply.

Farsight DNSDB for Splunk

Use of the Farsight DNSDB for Splunk App requires access to Splunk Enterprise and a Farsight DNSDB API key. A 30-day trial for the DNSDB API is available upon request. To request a trial or learn more about the Farsight subscription services, please contact Farsight Security.

Farsight Sentry Manager for Splunk

Use of the Farsight Sentry Manager for Splunk App requires access to Splunk Enterprise and a Farsight Brand Sentry or Farsight Domain Sentry API key. To request a trial for Farsight Brand Sentry or Farsight Domain Sentry, or to learn more about the Farsight subscription services, please contact Farsight Security.

Additional Information