Splunk Enterprise Security

domaintools (whois) alternatives for Enterprise Security


Hi all,

Are there any alternatives to domaintools whois API for Enterprise Security integration? A lot of customers I'm deploying ES for do not like their paid "Enterprise" model. If someone does have one, have you reverse engineered the built in configurations? Macros, Lookups, Saved Searches, etc.



Hi ctripod - Mark here from DomainTools.

I know paying for high-volume parsed Whois can be difficult to justify when all it gives you is a create date and a basic dashboard based on that one field. Finding young domains on your network is awesome, and you should certainly do that, but it's not the only thing you can do with Whois data.

That's why we built our own TA that populates the whois_index with a bunch of parsed Whois fields like registrant, registrar, create date, name server, etc. And we also bring in our domain reputation score and use it to surface Notable events. All of that helps you create really interesting searches, and you can also go hunting retroactively for domains with Whois information that matches certain criteria. For example, if you noticed a pattern of malicious domains that were all registered at some sketchy registrar overseas, you could do a search to find other domains that have also been active on your network which were also registered there.

Our TA also provides ES Adaptive Response actions that let you create a watchlist so you get a Notable Event when another domain shows up that was also registered to that same dodgy registrar. Same thing works with registrant email, name server, and registrant name.

Anyway, the point is our data can do a lot more than what that one ES dashboard gives you, and we'd welcome a chance to prove its value.

Free trials are still available, just not directly on our retail site. Email us and we'll gladly help you with that. And ctripod, if you're doing this for your customers on a regular basis, we can streamline that evaluation process as we've done with other system integrators.

Lastly, if you do decide to roll your own, either with direct port 43 queries or another provider, be sure you can keep up with the volume. Our standard offering is contracted at a couple hundred queries per minute and we can go higher if needed.
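The two things the reply above leans on, pivoting on parsed Whois fields (young domains, other domains sharing a registrar or name server) and pacing your own port 43 lookups to a per-minute budget, as an added example written for this page; it is not code from DomainTools' TA, Splunk ES, or the thread. The Whois responses are constructed samples with made-up registrars and `.test` domains, the label aliases and date formats are assumptions about registrar output variation, and `whois.iana.org` is only a default for the live lookup helper, which the sample run never calls.

```python
import re
import socket
from datetime import datetime, timezone

# Constructed sample raw Whois responses (not real registrar output); the
# label and date-format variations mimic how registrars differ.
SAMPLE_WHOIS = {
    "fresh-login-portal.test": (
        "Domain Name: FRESH-LOGIN-PORTAL.TEST\n"
        "Registrar: Budget Registrar S.A.\n"
        "Creation Date: 2024-06-01T09:15:00Z\n"
        "Registrant Name: REDACTED FOR PRIVACY\n"
        "Registrant Email: abuse-contact@privacy.test\n"
        "Name Server: NS1.CHEAP-DNS.TEST\n"
        "Name Server: NS2.CHEAP-DNS.TEST\n"),
    "corp-vendor.test": (
        "Domain Name: CORP-VENDOR.TEST\n"
        "Registrar: Acme Registrar Ltd\n"
        "Created On: 2015-03-20\n"
        "Registrant Name: Corp Vendor Inc\n"
        "Name Server: NS1.ACME-DNS.TEST\n"),
    "invoice-update.test": (
        "Domain Name: INVOICE-UPDATE.TEST\n"
        "Registrar: Budget Registrar S.A.\n"
        "Registration Date: 02-Jun-2024\n"
        "Registrant Name: REDACTED FOR PRIVACY\n"
        "Name Server: NS1.CHEAP-DNS.TEST\n"),
}

# Assumed label aliases: registrars name the same field differently.
FIELD_ALIASES = {
    "registrar": ("registrar", "sponsoring registrar"),
    "created": ("creation date", "created on", "registration date", "created"),
    "registrant_name": ("registrant name", "registrant"),
    "registrant_email": ("registrant email",),
    "name_server": ("name server", "nserver"),
}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")
NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def parse_date(value):
    """Try each known format; return a UTC datetime or None if nothing matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def parse_whois(raw):
    """Turn raw 'Label: value' Whois text into a dict of normalised fields."""
    record = {"registrar": None, "created": None, "registrant_name": None,
              "registrant_email": None, "name_servers": []}
    for line in raw.splitlines():
        m = re.match(r"^\s*([A-Za-z ]+?)\s*:\s*(.+?)\s*$", line)
        if not m:
            continue
        label, value = m.group(1).lower(), m.group(2)
        for field, aliases in FIELD_ALIASES.items():
            if label not in aliases:
                continue
            if field == "name_server":
                record["name_servers"].append(value.lower())
            elif field == "created":
                record["created"] = record["created"] or parse_date(value)
            elif record[field] is None:
                record[field] = value
    return record


def domain_age_days(record, now):
    return None if record["created"] is None else (now - record["created"]).days


def young_domains(records, now, max_age_days=30):
    """The 'young domain' check: domains created within max_age_days of now."""
    return sorted(d for d, r in records.items()
                  if domain_age_days(r, now) is not None and domain_age_days(r, now) <= max_age_days)


def pivot(records, field, value):
    """Other domains sharing one Whois attribute (registrar, registrant email, name server)."""
    return sorted(d for d, r in records.items()
                  if value in (r["name_servers"] if field == "name_servers" else [r[field]]))


class RateLimiter:
    """Paces port 43 queries to a per-minute budget; the clock is passed in, so no sleeping here."""
    def __init__(self, per_minute):
        self.interval = 60.0 / per_minute
        self.next_allowed = 0.0

    def delay_for(self, now):
        wait = max(0.0, self.next_allowed - now)
        self.next_allowed = max(now, self.next_allowed) + self.interval
        return wait


def whois_query(domain, server="whois.iana.org", timeout=10):
    """Live port 43 lookup (needs network; call RateLimiter.delay_for first and sleep that long)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def analyse_samples():
    return {d: parse_whois(raw) for d, raw in SAMPLE_WHOIS.items()}


if __name__ == "__main__":
    recs = analyse_samples()
    print("young:", young_domains(recs, NOW))
    print("same registrar:", pivot(recs, "registrar", "Budget Registrar S.A."))
```

Feeding the parsed records into a lookup or summary index is the Splunk side of this; the point of the parser is that once registrar, registrant and name server are separate fields, the "find everything else registered at that registrar" hunt is a simple pivot rather than a string search over raw Whois text, and the limiter is what keeps a roll-your-own collector from tripping registrar rate limits once query volume climbs.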
