Kaspersky CyberTrace App reads its parameters from the configuration files. These configuration files define input settings, output settings, and the event format used by Kaspersky CyberTrace App.
Restart Splunk and Feed Service after you have made changes to the Kaspersky CyberTrace App configuration files.
Edit only those Kaspersky CyberTrace App configuration files that are described in this section. Editing other Kaspersky CyberTrace App configuration files may result in unpredictable behavior.
About the configuration files
The following configuration files can be used to configure Kaspersky CyberTrace App ($SPLUNK_HOME is the Splunk installation directory):
$SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/commands.conf
This configuration file specifies the command for the lookup script.
$SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/inputs.conf
This configuration file specifies the Kaspersky CyberTrace App input settings. This includes ports and addresses for data from event sources and for incoming detection events from Feed Service.
$SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/outputs.conf
This configuration file specifies the parameters for forwarding events to Feed Service.
$SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/props.conf
This configuration file specifies the parameters for processing input data.
$SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/savedsearches.conf
This configuration file specifies the parameters for alert templates.
In addition, the lookup script uses its own configuration file:
$SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/bin/config.json
For more information about editing this file, see the section about configuring the lookup script.
Default commands.conf file
This file specifies the lookup script that Kaspersky CyberTrace App will use when the user runs the klsearch command.
Below, you can view the default contents of the commands.conf configuration file.
[klsearch]
filename = kl_search.py
Default inputs.conf file
This file specifies input settings for Kaspersky CyberTrace App.
By default, Kaspersky CyberTrace App does the following:
- Receives detection events from Feed Service at port :9998 of any available address.
- Receives events from an event source at port :3000 and then forwards them to address 127.0.0.1:9999, which is specified in outputs.conf.
Below, you can view the default contents of the inputs.conf configuration file.
[tcp://:9998]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = main
sourcetype = kl_cybertrace_events
source = tcp:9998
disabled = false

[tcp://:3000]
_TCP_ROUTING = service9999
Default outputs.conf file
This file specifies the output settings for Kaspersky CyberTrace App.
By default, Kaspersky CyberTrace App forwards data from the address :3000 to the Feed Service at the address 127.0.0.1:9999. The input port (:3000) is specified in inputs.conf.
Below, you can view the default contents of the outputs.conf configuration file.
[tcpout]
defaultGroup = noforward
disabled = false

[indexAndForward]
index=true

[tcpout:service9999]
disabled=false
server = 127.0.0.1:9999
sendCookedData = false
Default props.conf file
This file specifies how Splunk processes incoming data.
By default, Kaspersky CyberTrace App does the following:
- Looks for the event timestamp at the beginning of each event (TIME_PREFIX = ^), within the first 17 characters (MAX_TIMESTAMP_LOOKAHEAD = 17), in the format %b %d %H:%M:%S (TIME_FORMAT).
- Splits incoming data into events at one or more \n symbols (LINE_BREAKER = ([\n]+)) and does not merge lines into multi-line events (SHOULD_LINEMERGE = false).
For example, if the incoming data has the sequence "%data_1%\n\n%data_2%" and the line breaker is one or more \n symbols, Splunk splits this sequence into two events (%data_1% and %data_2%).
Below, you can view the default contents of the props.conf configuration file.
[source::tcp:3000]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false

[source::tcp:9998]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
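The following script is an added example for this documentation, not code from Kaspersky or Splunk. It models only the four props.conf settings shown above (LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD, TIME_FORMAT) so that you can see how a raw TCP stream becomes separate, timestamped events, including the point that the text captured by the LINE_BREAKER group is discarded rather than becoming an empty event. The sample input is constructed; the year passed to the parser is an assumption, because the format has no year field.

```python
"""Emulate how the default props.conf settings split and timestamp events.

Added example for the Kaspersky CyberTrace App documentation; not Kaspersky or
Splunk code. Only LINE_BREAKER, TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and
TIME_FORMAT are modelled. SAMPLE_INPUT is constructed.
"""
import re
from datetime import datetime

# Values copied from the default [source::tcp:3000] / [source::tcp:9998] stanzas.
LINE_BREAKER = r"([\n]+)"
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = "%b %d %H:%M:%S"

# Constructed input: two syslog-style events separated by a blank line, plus a trailing newline.
SAMPLE_INPUT = "Mar 05 10:15:00 host1 event one\n\nMar 05 10:15:01 host1 event two\n"


def split_events(raw, line_breaker=LINE_BREAKER):
    """Split raw data the way Splunk applies LINE_BREAKER.

    Splunk treats the text matched by the first capturing group as the event
    boundary and discards it, so "%data_1%\\n\\n%data_2%" yields exactly two
    events rather than an empty event between the two newlines.
    """
    pattern = re.compile(line_breaker)
    events, pos = [], 0
    for match in pattern.finditer(raw):
        events.append(raw[pos:match.start(1)])
        pos = match.end(1)
    events.append(raw[pos:])
    return [event for event in events if event]  # drop empty leading/trailing pieces


def extract_timestamp(event, year):
    """Parse the event timestamp as TIME_PREFIX = ^ and MAX_TIMESTAMP_LOOKAHEAD = 17 allow.

    Only the first 17 characters of the event are examined. TIME_FORMAT has no
    year field, so the caller supplies one (an assumption; Splunk falls back to
    the current year). Returns None when no timestamp in that format is found.
    """
    window = event[:MAX_TIMESTAMP_LOOKAHEAD]
    match = re.match(r"[A-Za-z]{3} +\d{1,2} \d{2}:\d{2}:\d{2}", window)
    if match is None:
        return None
    return datetime.strptime(f"{year} {match.group(0)}", f"%Y {TIME_FORMAT}")


def parse_stream(raw, year=2024):
    """Return (timestamp, event) pairs for every event found in raw data."""
    return [(extract_timestamp(event, year), event) for event in split_events(raw)]


if __name__ == "__main__":
    for stamp, event in parse_stream(SAMPLE_INPUT):
        print(stamp, "|", event)
```

An event whose first 17 characters do not contain a timestamp in the %b %d %H:%M:%S form yields None here; in Splunk such an event is indexed with a fallback time, which is worth checking when a new event source sends a different timestamp layout.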
Managing event sources
You can change the port Kaspersky CyberTrace App listens on for incoming events from a source, or add new event sources.
To change the port Kaspersky CyberTrace App listens on for incoming events from a source:
1. In the inputs.conf file, change the port 3000 to the port number that you want. For example, if you want to change 3000 to 3010, the record in inputs.conf looks like the following:
[tcp://:3010]
_TCP_ROUTING = service9999
2. In the props.conf file, change the port 3000 to the same port number. For example, if you want to change 3000 to 3010, the record in props.conf looks like the following:
[source::tcp:3010]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
To add a new event source:
1. In the inputs.conf file, add a new TCP input with the service9999 TCP routing rule. All data from this input will be forwarded to Feed Service.
2. In the props.conf file, add a [source::tcp:<port>] record for the new input so that its data is processed in the same way as the other input data.
Make sure that data from the new event source matches the Feed Service regular expressions defined in the Feed Service configuration file. For example, you can do this by using Kaspersky CyberTrace Web.
Below is an example of adding the address :3001 as the event source; it specifies that data from :3001 must be processed as are other input data in the default integration scheme (in this scheme, the forwarder, indexer, and search head are installed on a single computer).
# to inputs.conf
[tcp://:3001]
_TCP_ROUTING = service9999

# to props.conf
[source::tcp:3001]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
Changing the address and port for data from Feed Service
By default, Kaspersky CyberTrace App is configured to receive data from Feed Service at port :9998 at any available address. This is specified in the inputs.conf configuration file of Kaspersky CyberTrace App. If you want to receive data from Feed Service only at a specific address and port (for example, if Splunk has access to several network interfaces), edit the inputs.conf file accordingly.
Use the following rules to specify the address and port where data from Feed Service must be received by Kaspersky CyberTrace App:
- [tcp://127.0.0.1:<port>]: Kaspersky CyberTrace App receives data only at the loopback address of the local computer (use this format when Feed Service and Splunk are located on the same computer).
- [tcp://<address>:<port>]: Kaspersky CyberTrace App receives data only at the specified address and port.
- [tcp://:<port>]: Kaspersky CyberTrace App receives data at the specified port of every available network interface. Note that this format can affect security, because Kaspersky CyberTrace App will receive information at the specified port of every available network interface.
In the format examples above, <address> and <port> are the IP address and port that Kaspersky CyberTrace App will listen on for incoming data from Feed Service.
You may also have to change the addresses and ports specified in the Feed Service configuration file and the lookup script configuration file.
Below are examples of specifying the address and port where data from Feed Service is to be received.
In the following example, Feed Service and Splunk are located on the same computer. Kaspersky CyberTrace App receives detection events at port :9998 of that same computer.
[tcp://127.0.0.1:9998]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = main
sourcetype = kl_cybertrace_events
source = tcp:9998
disabled = false
In the following example, Feed Service and Splunk are located on different computers. Kaspersky CyberTrace App receives detection events from Feed Service at address 192.0.2.42:9997.
[tcp://192.0.2.42:9997]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = main
sourcetype = kl_cybertrace_events
source = tcp:9997
disabled = false
In the following example, Kaspersky CyberTrace App receives detection events from Feed Service at port 3000 of any available address.
[tcp://:3000]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = main
sourcetype = kl_cybertrace_events
source = tcp:3000
disabled = false
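The script below is an added example for this documentation and is not part of the Kaspersky CyberTrace App or of Splunk. It reads inputs.conf, outputs.conf and props.conf text with Python's configparser (the Splunk .conf format is INI-like; interpolation must be disabled because TIME_FORMAT values contain %) and reports the three things the two preceding sections ask you to keep consistent: a TCP input whose _TCP_ROUTING group has no [tcpout:<group>] stanza, a TCP input without a matching [source::tcp:<port>] stanza in props.conf, and an input bound with the [tcp://:<port>] form, which listens on every interface. The configuration texts are constructed from the defaults in this section; the extra [tcp://:3001] input is deliberately left without a props.conf stanza so that the check has something to find.

```python
"""Check CyberTrace App .conf files for inconsistent or over-exposed TCP inputs.

Added example for this documentation; not Kaspersky or Splunk code. The three
configuration texts are constructed from the defaults shown in this section,
plus one extra input ([tcp://:3001]) with no matching props.conf stanza.
"""
import configparser
import re

INPUTS_CONF = r"""
[tcp://:9998]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = main
sourcetype = kl_cybertrace_events
source = tcp:9998
disabled = false

[tcp://:3000]
_TCP_ROUTING = service9999

[tcp://:3001]
_TCP_ROUTING = service9999
"""

OUTPUTS_CONF = r"""
[tcpout]
defaultGroup = noforward
disabled = false

[tcpout:service9999]
disabled=false
server = 127.0.0.1:9999
sendCookedData = false
"""

PROPS_CONF = r"""
[source::tcp:3000]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false

[source::tcp:9998]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
"""

# Matches [tcp://<host>:<port>]; an empty host means "every interface".
TCP_STANZA = re.compile(r"^tcp://(?P<host>[^:]*):(?P<port>\d+)$")


def load_conf(text):
    """Parse Splunk .conf text; keep key case so _TCP_ROUTING is not lowercased."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.optionxform = str
    parser.read_string(text)
    return parser


def audit(inputs_text, outputs_text, props_text):
    """Return one finding string per problem found in the enabled TCP inputs."""
    inputs, outputs, props = (load_conf(t) for t in (inputs_text, outputs_text, props_text))
    findings = []
    for stanza in inputs.sections():
        match = TCP_STANZA.match(stanza)
        if match is None or inputs[stanza].get("disabled", "false").lower() == "true":
            continue
        host, port = match.group("host"), match.group("port")
        if host == "":
            findings.append(f"[{stanza}]: listens on every network interface; "
                            "bind to a specific address unless that is intended")
        group = inputs[stanza].get("_TCP_ROUTING")
        if group is not None and f"tcpout:{group}" not in outputs:
            findings.append(f"[{stanza}]: _TCP_ROUTING = {group} but outputs.conf has no "
                            f"[tcpout:{group}] stanza; data will not reach Feed Service")
        if f"source::tcp:{port}" not in props:
            findings.append(f"[{stanza}]: props.conf has no [source::tcp:{port}] stanza; "
                            "events will not be split and timestamped as intended")
    return findings


if __name__ == "__main__":
    for finding in audit(INPUTS_CONF, OUTPUTS_CONF, PROPS_CONF):
        print(finding)
```

Run against the constructed defaults, the script reports the any-interface binding for all three inputs (the default [tcp://:9998] and [tcp://:3000] included, which is the security note above) and the missing props.conf stanza for :3001; rebinding the Feed Service input to [tcp://127.0.0.1:9998] clears its finding. To check a real deployment, read the files from $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/default/ instead of the inline strings.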
Adding email addresses to alert templates
Kaspersky CyberTrace App comes with several alert templates that you can use and customize from the Alerts dashboard.
The following alert templates are available:
- This alert is triggered if there were matches with Kaspersky Threat Data Feeds in the past 24 hours.
- This alert is triggered if there were no matches with Kaspersky Threat Data Feeds in the past 24 hours.
- This alert is triggered if there were 5000 matches with Kaspersky Threat Data Feeds in the course of 1 minute.
- This alert is triggered if Feed Service is unavailable.
- This alert is triggered when Feed Service is started.
Following are the default Kaspersky CyberTrace App settings:
- All alert templates are enabled. To turn them off, use the Alerts dashboard.
- The "Send email" action is defined for all alerts. Splunk will send an email message to the email address specified for the action.
- No email address is specified for the "Send email" action. If you want to test the alert templates, add a valid email address to each alert.
You can either use the Splunk program interface to edit alerts or edit the savedsearches.conf file of Kaspersky CyberTrace App.
To add an email address to an alert template:
Specify the email address in the action.email.to parameter for the alert template. In the following example, the email address user@example.com is added to an alert template.
#...
action.email.to = user@example.com
#...