The lookup script is used to match individual URLs, IP addresses, and hashes to Kaspersky Threat Data Feeds. It can be invoked from the Search dashboard of Kaspersky CyberTrace App.
The lookup script uses configuration parameters from a configuration file located in $SPLUNK_HOME/etc/apps/Kaspersky-CyberTrace-App-for-Splunk/bin/config.json ($SPLUNK_HOME is the Splunk installation directory). Edit this file only if you want to change the integration scheme. By default, the lookup script is configured to send data to Feed Service at 127.0.0.1:9999.
Default lookup script configuration file
The following are the contents of the default lookup script configuration file.
{
    "service_addr": "127.0.0.1",
    "service_port": 9999,
    "pattern": "ip=%IP% md5=%MD5% sha1=%SHA1% sha256=%SHA256% url=%URL%\n"
}
Lookup script configuration file parameters
The following parameters are available in this configuration file:
service_addr
IP address that Feed Service listens on for incoming events.
service_port
Port that Feed Service listens on for incoming events.
pattern
Pattern that the lookup script will use for events sent to Feed Service. Specify a pattern that allows the events to be parsed with the regular expressions from the InputSettings > RegExps element in the Feed Service configuration file.
Lookup script output with the default pattern
By default, the lookup script substitutes the following values in the pattern parameter with data passed from Splunk:
%IP%
IP address
%MD5%
MD5 hash
%SHA1%
SHA1 hash
%SHA256%
SHA256 hash
%URL%
URL
The following example demonstrates the resulting events from different lookup script searches.
# searching for a URL
| klsearch url=example.com
# sent to Feed Service
ip=- md5=- sha1=- sha256=- url=example.com

# searching for two MD5 hashes
| klsearch md5="CA9CDCDA5C36C4CC24AF91ADDBD2CEF3|44D88612FEA8A8F36DE82E1278ABB02F"
# sent to Feed Service
ip=- md5=CA9CDCDA5C36C4CC24AF91ADDBD2CEF3 sha1=- sha256=- url=-
ip=- md5=44D88612FEA8A8F36DE82E1278ABB02F sha1=- sha256=- url=-
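The substitution rules above can be checked before touching a production config.json. The following is an added Python example, not the app's own lookup script: it emulates how the pattern is expanded into Feed Service events (one event per `|`-separated value, unset placeholders replaced with `-`) and flags placeholders a custom pattern leaves out. The function names, the placeholder check and the plain TCP transport in send_events are assumptions of this example.

```python
import json
import socket

# Constructed stand-in for the default config.json shown above.
DEFAULT_CONFIG = json.loads(
    '{"service_addr": "127.0.0.1", "service_port": 9999, '
    '"pattern": "ip=%IP% md5=%MD5% sha1=%SHA1% sha256=%SHA256% url=%URL%\\n"}'
)

# Placeholder per klsearch field (names taken from the default pattern).
PLACEHOLDERS = {"ip": "%IP%", "md5": "%MD5%", "sha1": "%SHA1%",
                "sha256": "%SHA256%", "url": "%URL%"}


def missing_placeholders(pattern):
    """Hypothetical sanity check for a custom pattern: a field whose
    placeholder is absent can never reach Feed Service."""
    return [ph for ph in PLACEHOLDERS.values() if ph not in pattern]


def build_events(args, pattern=DEFAULT_CONFIG["pattern"]):
    """Emulate the expansion: args is {field: value} as given to klsearch,
    e.g. {"md5": "A|B"}. One event per '|'-separated value; every other
    placeholder becomes '-'. Unknown fields are rejected."""
    events = []
    for field, raw in args.items():
        if field not in PLACEHOLDERS:
            raise ValueError(f"unsupported field: {field}")
        for value in raw.split("|"):
            value = value.strip()
            if not value:
                continue  # skip empty entries such as a trailing '|'
            line = pattern
            for name, placeholder in PLACEHOLDERS.items():
                line = line.replace(placeholder, value if name == field else "-")
            events.append(line)
    return events


def send_events(events, addr=DEFAULT_CONFIG["service_addr"],
                port=DEFAULT_CONFIG["service_port"], timeout=5.0):
    """Deliver the events to Feed Service over plain TCP (assumed transport);
    returns the number of bytes written."""
    payload = "".join(events).encode("utf-8")
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        sock.sendall(payload)
    return len(payload)
```

Running build_events on the two searches above reproduces the events listed there, each terminated by the newline that the default pattern ends with.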