Splunk Enterprise Security

domaintools (whois) alternatives for Enterprise Security


Hi all,

Are there any alternatives to domaintools whois API for Enterprise Security integration? A lot of customers I'm deploying ES for do not like their paid "Enterprise" model. If someone does have one, have you reverse engineered the built in configurations? Macros, Lookups, Saved Searches, etc.


Path Finder

Hi ctripod - Mark here from DomainTools.

I know paying for high-volume parsed Whois can be difficult to justify when all it gives you is a create date and a basic dashboard based on that one field. Finding young domains on your network is awesome, and you should certainly do that, but it's not the only thing you can do with Whois data.

That's why we built our own TA that populates the whois_index with a bunch of parsed Whois fields like registrant, registrar, create date, name server, etc. And we also bring in our domain reputation score and use it to surface Notable events. All of that helps you create really interesting searches, and you can also go hunting retroactively for domains with Whois information that matches certain criteria. For example, if you noticed a pattern of malicious domains that were all registered at some sketchy registrar overseas, you could do a search to find other domains that have also been active on your network which were also registered there.

Our TA also provides ES Adaptive Response actions that let you create a watchlist so you get a Notable Event when another domain shows up that was also registered to that same dodgy registrar. Same thing works with registrant email, name server, and registrant name.

Anyway, the point is our data can do a lot more than what that one ES dashboard gives you, and we'd welcome a chance to prove its value.

Free trials are still available, just not directly on our retail site. Email us and we'll gladly help you with that. And ctripod, if you're doing this for your customers on a regular basis, we can streamline that evaluation process as we've done with other system integrators.

Lastly, if you do decide to roll your own, either with direct port 43 queries or another provider, be sure you can keep up with the volume. Our standard offering is contracted at a couple hundred queries per minute and we can go higher if needed.
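For readers weighing the "roll your own" route mentioned in the reply above, here is an added example (not from the thread, DomainTools, or Splunk) of the pieces such a lookup needs: a parser for raw port 43 responses into the fields discussed (registrar, registrant, create date, name servers), a domain-age check for spotting young domains, and a cache plus rate limiter so a busy ES search stays within whatever query volume the registry or provider tolerates. The field aliases, the CSV column names, the default whois server, the WHOIS record itself and the `DEMO_NOW` timestamp are all constructed assumptions; the network transport is injectable and the demo never goes online.

```python
"""Minimal roll-your-own WHOIS enrichment for a Splunk lookup (added example, not project code)."""
import csv
import io
import socket
import time
from collections import OrderedDict
from datetime import datetime, timezone

# Registries label the same field differently; these aliases are an assumption, extend as needed.
FIELD_ALIASES = {
    "registrar": ("registrar",),
    "creation_date": ("creation date", "created", "created on", "registered on"),
    "registrant_name": ("registrant name", "registrant"),
    "registrant_email": ("registrant email",),
    "name_server": ("name server", "nserver"),
}
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d", "%d-%b-%Y")
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" so the demo is reproducible

# Constructed sample response; not a real record.
SAMPLE_WHOIS = """% Constructed sample response, not a real record.
Domain Name: EXAMPLE-NEWDOMAIN.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-20T10:15:00Z
Registrant Name: Redacted for Privacy
Registrant Email: registrant@example-newdomain.test
Name Server: NS1.EXAMPLE-NEWDOMAIN.TEST
Name Server: NS2.EXAMPLE-NEWDOMAIN.TEST
>>> Last update of WHOIS database: 2024-06-01T00:00:00Z <<<
"""


def parse_whois(raw: str) -> dict:
    """Turn 'Key: value' lines into a flat dict; name servers are collected into a list."""
    out = {"name_server": []}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue  # comments, banners and free text carry no field
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        for field, aliases in FIELD_ALIASES.items():
            if key in aliases:
                if field == "name_server":
                    out["name_server"].append(value.lower())
                elif field not in out:  # first occurrence wins
                    out[field] = value
                break
    return out


def parse_creation_date(value: str):
    """Try the common registry date layouts; None if nothing matches."""
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    return None


def domain_age_days(record: dict, now=None):
    """Whole days since creation, or None when the record has no parseable create date."""
    created = parse_creation_date(record.get("creation_date", ""))
    return None if created is None else ((now or datetime.now(timezone.utc)) - created).days


class WhoisClient:
    """Looks domains up through an injectable transport with an LRU cache and a fixed query rate."""

    def __init__(self, fetch=None, max_per_minute=100, cache_size=10_000):
        self.fetch = fetch or self._fetch_port43
        self.interval = 60.0 / max_per_minute  # minimum spacing between live queries
        self.cache, self.cache_size, self._last = OrderedDict(), cache_size, 0.0

    @staticmethod
    def _fetch_port43(domain, server="whois.iana.org", timeout=10):
        """Real transport: one TCP query to port 43 (server is an assumption; referrals not followed)."""
        with socket.create_connection((server, 43), timeout=timeout) as s:
            s.sendall(domain.encode("idna") + b"\r\n")
            chunks = []
            while data := s.recv(4096):
                chunks.append(data)
        return b"".join(chunks).decode("utf-8", errors="replace")

    def lookup(self, domain: str) -> dict:
        domain = domain.lower().rstrip(".")
        if domain in self.cache:  # repeat hits from a scheduled search never touch the network
            self.cache.move_to_end(domain)
            return self.cache[domain]
        wait = self._last + self.interval - time.monotonic()
        if wait > 0:
            time.sleep(wait)  # throttle instead of bursting at the registry
        self._last = time.monotonic()
        record = parse_whois(self.fetch(domain))
        record["domain"] = domain
        self.cache[domain] = record
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)
        return record


def to_lookup_rows(records, young_days=30, now=None):
    """Rows shaped like a Splunk CSV lookup; the column names are an assumption, not ES's schema."""
    rows = []
    for r in records:
        age = domain_age_days(r, now)
        rows.append({
            "domain": r["domain"], "registrar": r.get("registrar", ""),
            "registrant_email": r.get("registrant_email", ""), "creation_date": r.get("creation_date", ""),
            "name_servers": ";".join(r.get("name_server", [])),
            "age_days": "" if age is None else age,
            "is_young": "1" if age is not None and age < young_days else "0",
        })
    return rows


def lookup_csv(rows) -> str:
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    client = WhoisClient(fetch=lambda d: SAMPLE_WHOIS)  # offline demo transport
    print(lookup_csv(to_lookup_rows([client.lookup("example-newdomain.test")], now=DEMO_NOW)))
```

Swap `fetch` for the real `_fetch_port43` (or a paid provider's API call) and feed the CSV into a lookup; the cache and the `max_per_minute` spacing are what keep a scheduled search from exceeding the volume the reply warns about.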
