Skip to content

Bre77/hibp

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

145 Commits

.devcontainer

.devcontainer

 
 

.vscode

.vscode

 
 

bin

bin

 
 

src/main

src/main

 
 

.babelrc.js

.babelrc.js

 
 

.build.sh

.build.sh

 
 

.eslintrc.js

.eslintrc.js

 
 

.gitignore

.gitignore

 
 

.npmignore

.npmignore

 
 

README.md

README.md

 
 

babel.config.js

babel.config.js

 
 

make.sh

make.sh

 
 

package.json

package.json

 
 

stylelint.config.js

stylelint.config.js

 
 

webpack.config.js

webpack.config.js

 
 

yarn.lock

yarn.lock

 
 

Repository files navigation

Have I Been Pwned Domain Search app for Splunk

Leverage the Have I Been Pwned Domain Search API to efficiently monitor for breaches on all your domains directly in Splunk. This app supports multiple API Keys and works on all Splunk deployment types, including Splunk Cloud.

https://splunkbase.splunk.com/app/6996 https://github.com/Bre77/hibp

Description

This app will create an event each time an email address is found in a breach on Have I Been Pwned, and maintains an automatic lookup to enrich these events with the full breach details without wasting ingest license usage. The app also includes multiple dashboards to help you understand the data out of the box. Supports multiple HIBP API keys, and monitoring multiple domains.

Works on all Splunk deployment types, including Splunk Cloud. See installation instructions for more details.

This app was created by Brett Adams, and is not supported by Have I Been Pwned or Troy Hunt.

Install

It is strongly recommended you create a new index with very long retention for this data. The data generated by this app is very small in size.

Only configure your HIBP API key in one place, where you want the data to actually be collected. This could be:

  • Splunk Cloud Victoria Search Head (or Search Head Cluster)
  • Splunk Cloud Classic Input Data Manager
  • Splunk Enterprise Heavy Forwarder

You must also install and configure this app without the HIBP API key on any Search Head that will use the app or search the data, otherwise the breaches lookup wont get populated. This includes Enterprise Security and Classic experience search heads. A restart appears to be required only in some instances, specifically Search Head Clusters.

This app requires the KV Store for both search time lookups and input time checkpoints.

Troubleshooting

You will need to restart Splunk Cloud Search Head Clusters to configure this app.

The modular input's logs can be found at index=_internal component=ExecProcessor hibp_domainsearch

This app requires the KV Store for both search time lookups and checkpoints.

If your architecture restricts internet access on Search Heads, you could sync the hibp-breaches lookup from a Heavy Forwarder using TA-SyncKVStore.

Credits

This app was created and is supported by Brett Adams (@Bre77).

Special Thanks to James Hodgkinson (@yaleman) for providing access to his domain for development and testing.

Special Thanks to Troy Hunt (@troyhunt) for creating Have I Been Pwned, the Domain Search API, and collaborating with me on the new API endpoints and rating limiting. You can read more about this at www.troyhunt.com/all-new-have-i-been-pwned-domain-search-apis-and-splunk-integration

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

15 stars

Watchers

1 watching

Forks

1 fork
Report repository

Releases 10

v1.1.1 Latest
Oct 14, 2023
+ 9 releases

Packages

No packages published

Contributors 2

  •  
  •  

Languages