Thursday, April 14, 2016

Forensic Investigator Splunk App - Version 1.1.3

By Tony Lee


It has been a little while since we released new features in the Forensic Investigator Splunk App, so we are excited about the latest update.  We have received excellent feedback on the app and have also been brainstorming ideas for new tools to include.  Here is what we have in store for you in version 1.1.3, which is now available for free via the Splunk App store.

High Level

New Features
 - Added a chat program for collaboration!  It is a first stab, but give it a try (Help -> Chat Program)
 - Added an additional whois lookup vendor - - ex:
 - Added a link extractor to rip links out of a page (URL/IP -> Link Extractor)
 - Added permalink information to VT lookup page
 - Added disk usage monitor (Help -> Disk Monitor)  (Uses REST API)
 - Added license analysis page (Help -> License Usage)  (*Requires _internal logs on the indexer and role-based access)

Bug Fixes
 - Fixed the VT lookup script incorrectly detecting MD5 hashes inside URLs; the check is now anchored to the start of the input: if (re.findall(r"(^[a-fA-F\d]{32})", sys.argv[1]))
 - Fixed the VT lookup script to remove leading whitespace from the input with lstrip()
 - Fixed a bug in the BulkWhois lookup so it now returns state/province information
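As an added example (this is not the app's own lookup script), here is how a VT-style lookup can decide whether its argument is a hash or a URL without the misdetection fixed above. It strips whitespace first, which is the problem the lstrip() fix addresses, and uses fullmatch() so the entire input must be a digest of exactly the right length. Two small helpers show why that matters: an unanchored search fires on a URL whose path contains an MD5, and a check anchored only at the start (the shape of the 1.1.3 regex) no longer fires on URLs but still reports a SHA-1 or SHA-256 as MD5, since those digests also begin with 32 hex characters. The sample indicators are constructed (the well-known digests of the empty string and URLs under example.com), and the URL pattern is a deliberately simple assumption, not an RFC 3986 parser.

```python
import re

# Exact-length digest patterns.  fullmatch() below requires the *entire* input
# to be hex of exactly this length, so a URL that merely contains a 32-character
# hex run in its path can never be mistaken for an MD5.
HASH_PATTERNS = {
    "md5": re.compile(r"[a-fA-F\d]{32}"),
    "sha1": re.compile(r"[a-fA-F\d]{40}"),
    "sha256": re.compile(r"[a-fA-F\d]{64}"),
}

# Deliberately simple URL shape (an assumption for this example, not a full parser).
URL_PATTERN = re.compile(r"(?:https?|ftp)://\S+", re.IGNORECASE)


def classify_indicator(raw):
    """Return (kind, normalised_value) for a user-supplied lookup argument.

    kind is one of 'md5', 'sha1', 'sha256', 'url' or 'unknown'.  Leading and
    trailing whitespace, the usual copy/paste artifact, is stripped first.
    """
    value = raw.strip()
    for kind, pattern in HASH_PATTERNS.items():
        if pattern.fullmatch(value):
            return kind, value.lower()  # digests are case-insensitive; normalise
    if URL_PATTERN.fullmatch(value):
        return "url", value
    return "unknown", value


def unanchored_looks_like_md5(raw):
    """How an unanchored search misfires: findall() finds 32 hex characters
    anywhere, so a URL whose path contains an MD5 is reported as an MD5."""
    return bool(re.findall(r"[a-fA-F\d]{32}", raw))


def prefix_anchored_looks_like_md5(raw):
    """A check anchored only at the start (the shape of the 1.1.3 regex).

    It no longer fires on a URL, and it needs the whitespace strip to work at
    all, but a SHA-1 or SHA-256 also begins with 32 hex characters, so those
    would still be reported as MD5.  fullmatch() in classify_indicator avoids that.
    """
    return bool(re.findall(r"(^[a-fA-F\d]{32})", raw))


# Constructed sample inputs: the digests of the empty string and an example.com
# URL whose path happens to contain an MD5.
SAMPLE_INPUTS = [
    "  d41d8cd98f00b204e9800998ecf8427e",
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "http://example.com/d41d8cd98f00b204e9800998ecf8427e/payload.exe",
    "not-an-indicator",
]

if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        kind, value = classify_indicator(raw)
        print(f"{kind:8} {value}   (unanchored md5? {unanchored_looks_like_md5(raw)})")
```

Running the block prints one classified line per sample; the fourth sample is the case the bug fix is about, reported as a URL by classify_indicator but as an MD5 by the unanchored search.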

Chat Program

This is a first stab at a collaboration mechanism within Splunk.  It works for quick and dirty use.  The only annoyance is the refresh every 5 seconds.  I am sure it can be made fancier with some JavaScript, so if you do a little development and want to contribute, we would appreciate it.

Additional WHOIS vendor

For a while it appeared that BulkWhois had an ISP issue, so we added a second provider as another option.  Big thanks to

Link Extractor

This is useful if you don't want to visit a potentially malicious site in your browser but still want to know which links it contains.  This tool pulls all of the links out of the page safely and quickly, without rendering it.
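As an added example that is not the app's own code, the following shows the parsing half of such a link extractor. HTML retrieved elsewhere (ideally from a non-attributable host, since fetching the page still contacts the suspicious server) is tokenised as text only: nothing is rendered, no script runs and no referenced resource is requested, and every URL-bearing attribute is resolved against the page's base, honouring a <base href> if present. The sample HTML and the .example hostnames are constructed, the set of URL-bearing attributes is an assumption, and the defang() rendering (hxxp, [.]) is a common analyst convention added here rather than something the page describes.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkExtractor(HTMLParser):
    """Collect link targets from HTML by tokenising it as text.

    Nothing is rendered, no script runs and no referenced resource is fetched;
    the parser only looks at attributes that carry URLs.
    """

    # tag -> attributes that hold a URL (assumption: the set an analyst usually wants)
    URL_ATTRS = {
        "a": ("href",),
        "area": ("href",),
        "link": ("href",),
        "img": ("src",),
        "script": ("src",),
        "iframe": ("src",),
        "form": ("action",),
    }

    def __init__(self, page_url):
        super().__init__(convert_charrefs=True)
        self.base_url = page_url  # attribute values arrive already unescaped (&amp; -> &)
        self.links = []           # (tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and attrs.get("href"):
            # <base href> changes how every later relative URL resolves.
            self.base_url = urljoin(self.base_url, attrs["href"].strip())
            return
        for name in self.URL_ATTRS.get(tag, ()):
            value = (attrs.get(name) or "").strip()
            if not value or value.startswith("#"):
                continue  # empty or same-page fragment: not a link off the page
            self.links.append((tag, urljoin(self.base_url, value)))


def extract_links(html_text, page_url):
    """Return the unique (tag, absolute_url) pairs found in html_text, in order."""
    parser = LinkExtractor(page_url)
    parser.feed(html_text)
    parser.close()
    seen, unique = set(), []
    for tag, url in parser.links:
        if url not in seen:
            seen.add(url)
            unique.append((tag, url))
    return unique


def defang(url):
    """Render an http(s) URL so it cannot be clicked by accident (hxxp, [.])."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return url  # javascript:, mailto:, data: etc. stay visible as written
    scheme = parts.scheme.replace("http", "hxxp")
    host = parts.netloc.replace(".", "[.]")
    tail = parts.path
    if parts.query:
        tail += "?" + parts.query
    if parts.fragment:
        tail += "#" + parts.fragment
    return f"{scheme}://{host}{tail}"


# Constructed sample page, as it might be retrieved from a suspicious host.
SAMPLE_HTML = """<html><head>
<base href="http://malicious.example/dir/">
<link rel="stylesheet" href="style.css">
</head><body>
<a href="../login.php?next=1&amp;lang=en">Login</a>
<a href="https://cdn.example.net/payload.exe">Download</a>
<a href="#top">Back to top</a>
<img src="//img.example.org/pixel.gif">
<script src="/js/track.js"></script>
<iframe src="http://evil.example:8080/frame.html"></iframe>
<a href="javascript:alert(1)">click</a>
<a href="https://cdn.example.net/payload.exe">Mirror</a>
</body></html>"""

if __name__ == "__main__":
    for tag, url in extract_links(SAMPLE_HTML, "http://malicious.example/index.html"):
        print(f"{tag:7} {defang(url)}")
```

The output lists seven defanged links: relative paths are resolved against the <base href>, the scheme-relative image URL inherits http, the duplicate download link is reported once, the same-page fragment is dropped, and the javascript: URI is kept visible so the analyst sees it rather than having it silently discarded.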

Disk Usage

This last tool is useful for those who need to monitor how much storage is left on their indexers.  It is customizable to your server name and the volume that holds your indexed data.  By default it points at my development box, which is a simple Kali VM.


Hopefully you will enjoy the new features of the app.  As always, we appreciate the great feedback we are receiving.  Please send more ideas from within the app using Help -> Send Feedback.