Skip to content
This app leverages the Adaptive Response framework to perform API calls to Security Trails
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README
appserver
bin
default
local
metadata
static
LICENSE
README.md
README.txt
TA-securitytrails-1.0.0.spl
TA-securitytrails-1.1.0.spl
TA-securitytrails-1.2.0.spl
TA-securitytrails.aob_meta
TA-securitytrails_1_3_0_export.tgz
TA-securitytrails_1_4_0_export.tgz
app.manifest

README.md

SecurityTrails Add-On for Splunk

SecurityTrails Mission

SecurityTrails strives to make the biggest treasure-trove of cyber intelligence data readily available in an instant. We work relentlessly to empower experts so they can thwart future attacks with up-to-date data, proprietary tools, and custom solutions.

Overview

This Add-On provides a method to use Splunk Adaptive Response to automate lookup of a Domain or IP against SecurityTrails API located here. Currently we support the following API calls.

  • Get Domain Information
  • List Subdomains
  • List Tags
  • WHOIS
  • Historical DNS
  • Historical WHOIS
  • Domain Searcher (Searching Domains)
  • IP Range Checker

SecurityTrails Add-On For Splunk Requirements

This Add-On requires access to the SecurityTrails API located here and the Splunk Common Information Model App located here

Installation

  1. Either git clone this directory 'git clone https://github.com/secops4thewin/TA-securitytrails.git' or download the spl file located here.
  2. Install the add-on to the indexer and search head in your Splunk environment
  3. On the Search Head open the add on by going to http://yoursplunkserver:8000/en-GB/app/TA-securitytrails/configuration
  4. Enable a proxy if it is required
  5. Click Add-on Settings and enter the API Key and the Index.
  6. Click Save
  7. If you have proxy rules please allow https://api.securitytrails.com from your Search Head
  8. Create a search that produces a result such as a domain name and pass the results using the Splunk tokens such as $result.dest$

Release Notes

1.0.0 Initial release with API functionality

You can’t perform that action at this time.