icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

We are working on something new...

A Fresh New Splunkbase
We are designing a New Splunkbase to improve search and discoverability of apps. Check out our new and improved features like Categories and Collections. New Splunkbase is currently in preview mode, as it is under active development. We welcome you to navigate New Splunkbase and give us feedback.
Cancel Visit New Splunkbase Visit
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us
My Account
Login Signup
Support & Services
Search Splunk Documentation Splunk Answers Education & Training User Groups Splunk App Developers Support Portal Contact Us

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

End User License Agreement for Third-Party Content

Splunk Websites Terms and Conditions of Use

Thank You

Downloading Certificate Transparency Log add-on for Splunk
SHA256 checksum (certificate-transparency-log-add-on-for-splunk_131.tgz) fd444301ed7679c80e5f66efb7b40e75b114527c23d2c062ad6fad986db8378a SHA256 checksum (certificate-transparency-log-add-on-for-splunk_130.tgz) f985d3908b93ebfad85c3912d72d02bb28aecf99bc4d2e18b5db536ee6c36f3d SHA256 checksum (certificate-transparency-log-add-on-for-splunk_121.tgz) 897cc43cb5c3740280a26e60a6aaf13522b8f46e72f529c217ae1ca56c851fdf SHA256 checksum (certificate-transparency-log-add-on-for-splunk_120.tgz) 7f85a2594be3dca1aae4d30276b3832c08483256302793f4e84992cf74d85b9c
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate
splunk

Certificate Transparency Log add-on for Splunk
This app has been archived. Learn more about app archiving.
This app is NOT supported by Splunk. Please read about what that means for you here.
Overview
Details
This add-on for Splunk can be used to monitor certificate transparency logs.
For example to watch certificates issued for your domains or malicious look-a-likes.

It outputs the certificate logs as CIM compliant events in Splunk. This allows you to create an alert in Splunk or Splunk Enterprise Security that fires when a certificate gets issued for your-domain-suspicious-fishing-domain dot tld.

Certificate Transparency Log Monitor for Splunk

This add-on for Splunk can be used to monitor certificate transparency logs.
For example to watch certificates issued for your domains or malicious look-a-likes.

It outputs the certificate logs as CIM compliant events in Splunk. This allows you to create an alert in Splunk or Splunk Enterprise Security that fires when a certificate gets issued for your-domain-suspicious-fishing-domain dot tld.

Supported Splunk versions and platforms

Splunk version Linux Windows
6.3 Yes Yes
6.4 Yes Yes
6.5 Yes Yes
6.6 Yes Yes
7.0 Yes Yes
7.1 Yes Yes

Additional requirements:

  • Splunk heavy forwarder instance: Splunk Universal Forwarder is not supported due to Python dependencies
  • KVstore: used to keep track of the most recently seen ct log entry

Install the TA-ct-log add-on for Splunk

Single instance Splunk deployments

  1. In Splunk, click on "Manage Apps"
  2. Click "Browse more apps", search for "TA-ct-log" and install the add-on

Distributed Splunk deployments

Instance type Supported Required Description
Heavy Forwarder Yes Yes Install this add-on on a heavy forwarder to get Certificate Transparency Logs into Splunk
Search head Yes Yes Install this add-on on your search head(s) where CIM compliance of CT Logs is required
Indexer Yes No There is no need to install this add-on on an indexer. This add-on should be installed on a heavy forwarder that does the index time parsing.
Universal Forwarder No No This add-on is not supported on a Universal Forwarder because it requires Python

The following table lists support for distributed deployment roles in a Splunk deployment:

Deployment role Supported Description
Search head deployer Yes Install this add-on on your search head deployer to enable CIM compliance of CT Logs in a Search Head Cluster
Cluster Master No There is no need to install this add-on on a Cluster Master. This add-on should be installed on a heavy forwarder that performs parsing at index time.
Deployment Server Depends This add-on can be (1) deployed unconfigured to a client or (2) deployed preconfigured.

Configure TA-ct-log add-on for Splunk

  1. Go to the Input tab of the Certificate Transparency add-on for Splunk
  2. Click "Create new Input"
  3. Configure:
    • Name: e.g. argon2018
    • Interval: how often to poll the certificate log for new entries
    • Index: what Splunk index to send the certificate log events to
    • Certificate Log URL: the base url of the log e.g. "ct.googleapis.com/logs/argon2018/", without https:// and without the API endpoint) for more urls see https://www.gstatic.com/ct/log_list/all_logs_list.json

Events in Splunk

The add-on extracts these certificate fields and maps them to the corresponding fields in the CIM Certificate datamodel.

  • Subject (DN)
  • Issuer (DN)
  • Public key bit size
  • Public key type
  • Certificate serial
  • Certificate validity
  • Certificate signature algorithm
  • Certificate version
  • Log metadata: LogEntryType (0=x509, 1=precert) and Timestamp

In Splunk this looks like:

Input overview

Current RFC6962 compliance

Chapter 5.3 of the RFC specifies a number of steps that a monitor should implement.
Currently only steps 5 and 7 are partially implemented, and the current status can be summarized as: "It gets logs. Period."

Step Implemented? Description
1 n Fetch the current STH
2 n Verify the STH signature
3 n Fetch all the entries in the tree corresponding to the STH
4 n Confirm that the tree made from the fetched entries produces the same hash as that in the STH
5 Y Fetch the current STH (Section 4.3). Repeat until the STH changes
6 n Verify the STH signature
7 Y Fetch all the new entries in the tree corresponding to the STH (Section 4.6). If they remain unavailable for an extended period, then this should be viewed as misbehavior on the part of the log.

Because the current implementation lacks signature verification, it cannot be used to monitor the append-only character of the certificate transparency log Feel free to submit a Pull Request, or wait for future releases to implement these verification features.

Supported data structures

Data structure Implemented? Log endpoint Description
MerkleTreeLeaf Y /ct/v1/get-entries The structure containing TimestampedEntries
TimestampedEntry Y /ct/v1/get-entries The structure containing x509_entry or precert_entry
x509_entry Y /ct/v1/get-entries Certificates entries
precert_entry n /ct/v1/get-entries Pre-certificate entries
TreeHeadSignature n /ct/v1/get-sth

Support

This is an open source project without warranty of any kind. No support is provided. However, a public repository and issue tracker are available at https://github.com/jorritfolmer/TA-ct-log

Third party software credits

The following software components are used in this add-on:

  1. Splunk Add-on Builder version 2.2.0 by Splunk and the third-party software it uses
  2. asn1crypto version 0.24.0 by Will Bond

CHANGELOG

1.2.1

  • Fixed exception when parsing Windows-1252 encoded certificate fields
  • Fixed exception when parsing asn1 of huge paypal phishing subjectaltnam

1.2.0

  • Added x509 extension subjectAltName decoding
  • Added tags for CIM Certificate datamodel

1.1.0

  • Added CIM compliant fields
  • Added Log status dashboard
  • Improved performance by not checkpointing every entry index in KVstore

1.0.1

  • Fixed timestamp issue in props.conf
  • Added leaf index field to facilitate gap detection
  • Added more documentation

1.0.0

Initial release with support for x509_entries

Release Notes

Version 1.3.1
Nov. 26, 2020
  • Added support for Splunk 8.1 by cowardly using Py2 mode and aborting quest to get cryptography dependency working on Py3
Version 1.3.0
Dec. 28, 2019

Added support for Splunk 8.x and Python 3.x
Version 1.2.1
May 24, 2018
  • Fixed exception when parsing Windows-1252 encoded certificate fields
  • Fixed exception when parsing asn1 of huge paypal phishing subjectaltname
Version 1.2.0
May 11, 2018
  • Added x509 extension subjectAltName decoding
  • Added tags for CIM Certificate datamodel
  • Added CIM compliant fields
  • Added Log status dashboard
  • Improved performance by not checkpointing every entry index in KVstore
  • Fixed timestamp issue in props.conf
  • Added leaf index field to facilitate gap detection
  • Added more documentation
1,527
Downloads
Share Subscribe LOGIN TO DOWNLOAD
Version
Built by
Jorrit Folmer
Support
Not Supported
Questions on Splunk Answers Flag as inappropriate App Contents: Inputs App Contents: Inputs App Contents: Inputs App Contents: Inputs
Compatibility
Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise Products: Splunk Enterprise
Splunk Versions: 9.3, 9.2, 9.1, 9.0, 8.2, 8.1, 8.0, 7.3, 7.2, 7.1 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 8.0, 7.3, 7.2, 7.1 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0 Platform: Platform Independent CIM Versions: 4.x Splunk Versions: 7.1, 7.0 Platform: Platform Independent CIM Versions: 4.x
Licensing
End User License Agreement for Third-Party Content
Category & Contents
Categories: Security, Fraud & Compliance
App Type: Add-on
Subscribe Share

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps from Splunk, our partners and our community. Find an app for most any data source and user need, or simply create your own with help from our developer portal.

Submit New Splunk App Dev Resources
PLATFORM
Data-to-Everything Platform
Splunk Cloud
Splunk Enterprise
Splunk Machine Learning Toolkit
Splunk Data Stream Processor
Pricing
Free Trials & Downloads
SECURITY PRODUCTS
Splunk Enterprise Security
Splunk Phantom
Splunk Mission Control
Splunk User Behavior Analytics
IT OPERATIONS & OBSERVABILITY PRODUCTS
Splunk Infrastructure Monitoring
Splunk IT Service Intelligence
Splunk Application Performance Monitoring
Splunk On-Call
SOLUTIONS BY INITIATIVE
Cloud Transformation
SOLUTIONS BY FUNCTION
Security
IT
Devops
SOLUTIONS BY INDUSTRY
Aerospace & Defense
Communications
Energy & Utilities
Financial Services
Healthcare
Higher Education
Manufacturing
Nonprofits
Online Services
Public Sector
Retail
WHY SPLUNK?
Why Splunk?
Customer Stories
Partners
Data-to-Everything
Diversity & Inclusion
SUPPORT
Support Portal
Support Programs
Splunk Answers
Contact Us
Product Security Updates
RESOURCES
Events
Webinars
Blogs
Customer Success
Expert Services
Data Insider
View All Resources
FOR DEVELOPERS
Documentation
Best Practices
Get Started with Splunk
Training & Certification
User Groups
Community
Splunkbase
Splunk dev
COMPANY
About Splunk
Careers
Leadership
Splunk for Good
Splunk Ventures
Splunk Protects
Newsroom
COVID-19 Response
SPLUNK SITES
.conf
Splunk Live!
T-Shirt Store
Investor Relations
Follow Us:
© 2005-2024 Splunk LLC All rights reserved.
Sitemap | Privacy | Website Terms of Use | Splunk Licensing Terms | Export Control | Modern Slavery Statement | Splunk Patents | Report a Problem
Splunk, Splunk>,Turn Data Into Doing, Data-to-Everything, and D2E are trademarks or registered trademarks of Splunk LLC in the United States and other countries. All other brand names,product names,or trademarks belong to their respective owners.