The lookup script is used to match individual URLs, IP addresses, and hashes to Kaspersky Threat Data Feeds. It can be invoked from the Search dashboard of Kaspersky CyberTrace App for Search Head.
The lookup script uses configuration parameters from a Search Head App configuration file. By default, this file is located at $SPLUNK_HOME\etc\apps\Kaspersky-CyberTrace-App-for-Splunk-Search-Head\bin\config.json ($SPLUNK_HOME is the Splunk installation directory).
Changing the address of Feed Service used by the lookup script
By default, the lookup script is configured to send data to Feed Service at the address 127.0.0.1:9999.
To change the address of Feed Service used by the lookup script:
In the config.json configuration file of Search Head App, locate the service_addr and service port parameters.
Changing the output pattern
For more information about changing the output pattern of the lookup script, see section "Configuring the lookup script (single-instance deployment)".