Searching with the lookup script

Kaspersky CyberTrace App for Splunk comes with a lookup script. This script allows you to match individual URLs, IP addresses, and hashes to Kaspersky Threat Data Feeds.

You can run the lookup script from the Search dashboard in Kaspersky CyberTrace App for Splunk.

Search dashboard

For information about configuring the lookup script, see section "Step 3 (optional). Configuring the lookup script".

Syntax

Use the following syntax to match a single URL, IP address, or hash:

| klsearch <type>=<value>

The following parameters are used:

• <type>

  Type of data passed to the lookup script.

  This parameter can be one of the following:

  • url
  • md5
  • sha1
  • sha256
  • ip
• <value>

  Value of the passed data.

You can specify several values at once. Note that you have to use quotes:

| klsearch <type>="<value1>|<value2>|<value3>"

You can also specify several data types in one search:

| klsearch <type1>=<value1> <type2>=<value2>

Syntax examples

Following are examples of using the lookup script.

Search for a URL:

| klsearch url=example.com

Search for several MD5 hashes:

| klsearch md5="CA9CDCDA5C36C4CC24AF91ADDBD2CEF3|44D88612FEA8A8F36DE82E1278ABB02F"

Search for MD5 and SHA256 hashes:

| klsearch md5=44D88612FEA8A8F36DE82E1278ABB02F sha256=275A021BBFB6489E54D471899F7DB9D1663FC695EC2FE2A2C4538AABF651FD0F

Page top