# CentralOps Technology Add-On for Splunk
Enrich search events in-line with normalised whois information from CentralOps' free "Domain Dossier" service (50 queries per day limit) using the `centralopswhois` streaming command.
- Features
- Release notes
- Open Source Components
- Disclaimer
- Support and resources
- Requirements
- Installation
- Upgrade
- Configuration
- Dashboard
- In-line search
## Features
- Caching of looked-up whois information both within a given search (if the same domain appears in multiple events, the lookup occurs only once) and across searches (a KV Store collection caches historical lookups)
- DoS protection: by default only the first 5 uncached domains are looked up in a search, which also protects the 50-queries-per-day quota
- Proxy support (configurable via the app setup page)
- Whois dashboard and pre-built panel
- Workflow actions providing a pivot from domain fields to the Whois dashboard
- Automatic summary indexing of new whois records
- Summary-indexed events mapped to ES' Domain Analysis Data Model
## Release notes
Version 1.1.x of TA-centralops is compatible with:
| Splunk Enterprise versions | 6.4+ |
|---|---|
| Platforms | Platform independent |
| Vendor Products | CentralOps Domain Dossier |
| Lookup file changes | None |
Version 1.1.0 of TA-centralops fixes the following issues:
- None
Version 1.0.3 of TA-centralops fixes the following issues:
- None
## Open Source Components
This app contains Open Source libraries (Apache License, Version 2.0) from the Splunk Software Development Kit for Python (https://github.com/splunk/splunk-sdk-python).
## Disclaimer
The author in no way endorses the provider's service, has no affiliation whatsoever with the provider, and makes no guarantees about the quality or accuracy of the information provided.
## Support and resources
Please post questions at https://answers.splunk.com; however, this app is provided as is with no warranty, implied or otherwise. Please see the LICENSE document for more information. Feedback about possible improvements and good news stories of how this app has helped your organisation are most welcome.
## Requirements
To function properly, TA-centralops requires the following software:
- Splunk Enterprise 6.4+
## Installation
Install this app on your search head(s) as you would any other app, then restart Splunk.
## Upgrade
If upgrading from v1.0.x to v1.1.x, please be aware that the Whois dashboard's token has changed from 'domain' to 'query' to better reflect the variable's contents, which can now be either a domain or an IP address. For this reason, if you have previously created a local/workflow_actions.conf stanza to override the default 'link.uri' value, it will need to be changed to use the new GET variable. N.B. Changes to workflow actions require a Splunk restart before they are applied.
## Configuration
Under the app menu, click 'Manage Apps'. Find the TA-centralops app and click 'Set up'.
If not using Enterprise Security, either create a 'whois' index or change the summary index to an existing index of your choice (e.g. summary) before using the 'centralopswhois' command. If use of a proxy is required, please fill in the details, e.g. https://proxy.example.com:3128
You may prefer the workflow action to open the 'Whois' dashboard in the Enterprise Security app rather than the default 'Search' app. To do so, create the file TA-centralops/local/workflow_actions.conf with the following contents:
```ini
[centralopswhois]
link.uri = /app/SplunkEnterpriseSecuritySuite/centralopswhois_view?form.query=$@field_value$
```
N.B. Splunk must be restarted and the Incident Review dashboard reopened for this change to take effect.
To add the 'Whois' dashboard to the Enterprise Security menu, click 'Configure' -> 'General' -> 'Navigation', then drag 'Whois' from the 'Unused Reports' list on the left-hand side to the location desired in the menu.
## Dashboard
The 'Whois' dashboard can be accessed from any app using the 'Dashboards' menu. Enter a domain in the text field and hit enter.
## In-line search
```
... | centralopswhois [output=<fields|json>] [limit=#] <domain_field_name>
```
In searches designed to produce alerts (such as correlation searches), the centralopswhois command can be used to enrich events (if using ES, that enrichment is then included in the notables produced). For example:
```
| tstats `summariesonly` values(DNS.src) as src_ip from datamodel=Network_Resolution.DNS where NOT DNS.query="*.in-addr.arpa" by DNS.query
| `drop_dm_object_name("DNS")`
| eval domain=lower(query)
| ...
| lookup local=t centralopswhois_cache _key AS domain
| centralopswhois output=json limit=2 domain
| rename domain_whois as whois
| eval now=now()
| eval updated=if(isnull(updated),now,updated)
| outputlookup append=t centralopswhois_cache
| spath input=whois
| rename *{} AS *
| convert timeformat="%Y-%m-%dT%H:%M:%S%z" mktime(creation_date)
| where (now-creation_date)<1209600
```
The final `where` keeps only domains less than two weeks (1209600 seconds) old; the comment that originally followed it has been moved here because SPL in the supported Splunk versions has no `\\` inline comment syntax and the search would not parse.
Be sure to use the centralopswhois_cache lookup before the centralopswhois command: the command does not perform an external lookup for an event already populated from the cache (which it detects by the presence of a populated 'updated' field). Equally, writing back to the centralopswhois_cache lookup after the centralopswhois command is important so subsequent searches can use the cached information.
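The two behaviours the Features list and the paragraph above rely on (skipping events already populated from the cache, de-duplicating lookups within one search, and capping the number of uncached domains sent to the external service) are easy to get wrong when reasoning about quota use. The following Python model is an added example written for this page; it is not the TA's own command code and it does not talk to CentralOps. The `lookup` callable, the `SAMPLE_EVENTS` records and the `demo()` driver are constructed for illustration; the whois record shape is assumed, and only the `updated`, `domain` and `domain_whois` field names and the 1209600-second age test come from the search above.

```python
"""Model of the caching and rate-limit semantics described for the
centralopswhois command (constructed example, not the add-on's code)."""
import json
from datetime import datetime

MAX_AGE_SECONDS = 1209600  # two weeks, as in the README's where clause


def enrich_events(events, lookup, limit=5, field="domain"):
    """Return copies of `events` with 'domain_whois' filled in as a JSON string.

    - An event with a populated 'updated' field is a cache hit from the
      preceding KV Store lookup and is never sent to `lookup`.
    - A given uncached domain is looked up at most once per search.
    - At most `limit` distinct uncached domains are looked up; later ones are
      passed through unchanged, which is what bounds daily quota consumption.
    """
    seen = {}      # domain -> JSON whois string, de-duplication within this search
    external = 0   # external lookups performed so far in this search
    out = []
    for ev in events:
        ev = dict(ev)
        domain = ev.get(field)
        if not domain or ev.get("updated"):
            out.append(ev)           # no domain, or already served from cache
            continue
        if domain in seen:
            ev["domain_whois"] = seen[domain]
        elif external < limit:
            record = lookup(domain)  # the only place an external call happens
            external += 1
            seen[domain] = json.dumps(record)
            ev["domain_whois"] = seen[domain]
        out.append(ev)
    return out


def is_recent(creation_date, now, max_age=MAX_AGE_SECONDS):
    """Mirror of `convert mktime(creation_date) | where (now-creation_date)<1209600`.

    `creation_date` uses the %Y-%m-%dT%H:%M:%S%z layout the search converts;
    `now` is a Unix epoch in seconds.
    """
    created = datetime.strptime(creation_date, "%Y-%m-%dT%H:%M:%S%z").timestamp()
    return (now - created) < max_age


# Constructed sample events: one cache hit, one domain repeated across two
# events, and more distinct uncached domains than the limit used in demo().
SAMPLE_EVENTS = [
    {"domain": "cached.example", "updated": "1700000000"},
    {"domain": "new-a.example"},
    {"domain": "new-a.example"},
    {"domain": "new-b.example"},
    {"domain": "new-c.example"},
]


def demo(limit=2):
    """Run the model with a fake lookup and return (enriched events, domains queried)."""
    calls = []

    def fake_lookup(domain):
        # Stand-in for the Domain Dossier query; records which domains were sent.
        calls.append(domain)
        return {"query": domain, "creation_date": "2024-01-01T00:00:00+0000"}

    return enrich_events(SAMPLE_EVENTS, fake_lookup, limit=limit), calls


if __name__ == "__main__":
    enriched, queried = demo()
    print("external lookups:", queried)
    for ev in enriched:
        print(ev.get("domain"), "->", ev.get("domain_whois", "<not enriched>"))
```

Running `demo()` with `limit=2` sends only `new-a.example` and `new-b.example` to the fake service: the cached event is skipped, the repeated domain is served from the in-search map, and `new-c.example` is left unenriched exactly as the `limit` argument to `centralopswhois` would leave it.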