Splunk Enterprise Security

Enterprise Security - New Domain Analysis Dashbaord - Help with the WHOIS functionality

Path Finder

Hey Splunkers,

Working on configuring Enterprise Security and need a hand with New Domain Analysis Dashboard. Here's whats up:

  • Under "Domain Type" when I select "Newly Seen" -- I see plenty of results and all but the bottom panel populate correctly.
  • Under "Domain Type" when I select "Newly Registered" -- none of the panels populate.

My hunch is that whatever mechanism that calls the "whois" doesn't work correctly. I went into "SA-NetworkProtection\bin" and chmoded all the python files to execute. Permissions look right.

The problem (I think) is that my ES search head has no internet access. Pretty sure I need to open up the mechanism that makes the whois work. Any advice on this? Documentation? Instructions?

As always, thanks in advance!

0 Karma

Path Finder

Search for "whois" at http://docs.splunk.com/Documentation/ES/3.2/Install/AdvancedThreatdashboards
You need to sign up for another service at domaintools at a minimum it looks like.

Explorer

Any luck with a fix?

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!