Kaspersky Threat Feed App reads its parameters from configuration files. These configuration files define inputs, outputs, and the event format used by Kaspersky Threat Feed App.
Restart Splunk when you make changes to Kaspersky Threat Feed App configuration files.
You can edit only those Kaspersky Threat Feed App configuration files that are described in this section. Editing other Kaspersky Threat Feed App configuration files may result in unpredictable behavior.
About the configuration files
The following configuration files can be used to configure Kaspersky Threat Feed App:
$SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/default/commands.conf
This configuration file specifies a command for the lookup script.
$SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/default/inputs.conf
This configuration file specifies inputs used by Kaspersky Threat Feed App, including ports and addresses for data from event sources and for incoming match events from Feed Service.
$SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/default/outputs.conf
This configuration file specifies parameters for forwarding events to Feed Service.
$SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/default/props.conf
This configuration file specifies parameters for processing data from inputs.
$SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/default/savedsearches.conf
This configuration file specifies parameters for alert templates.
In addition, the lookup script uses its own configuration file:
$SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/bin/config.json
For more information about editing this file, see Editing the lookup script configuration file.
Default commands.conf file
This file specifies a command that is used for the lookup script.
By default, Kaspersky Threat Feed App uses the klsearch command for the lookup script.
The following is the default commands.conf configuration file.
[klsearch]
filename = kl_search.py
Default inputs.conf file
This file specifies inputs for Kaspersky Threat Feed App.
By default, Kaspersky Threat Feed App receives match events from Feed Service on :9998, and receives data from event sources on :3000 (and then forwards it to 127.0.0.1:9999, which is specified in outputs.conf).
The following is the default inputs.conf configuration file.
[tcp://:9998]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = kl_detect
sourcetype = kl_detect_sourcetype
source = tcp:9998
disabled = false

[tcp://:3000]
_TCP_ROUTING = service9999
Default outputs.conf file
This file specifies outputs for Kaspersky Threat Feed App.
By default, Kaspersky Threat Feed App forwards data received on :3000 to the Feed Service on 127.0.0.1:9999. The input port (:3000) is specified in inputs.conf.
The following is the default outputs.conf configuration file.
[tcpout]
defaultGroup = noforward
disabled = false

[indexAndForward]
index=true

[tcpout:service9999]
disabled=false
server = 127.0.0.1:9999
sendCookedData = false
Default props.conf file
This file specifies how data received from inputs must be processed by Splunk.
By default, Kaspersky Threat Feed App uses \n symbols as a line breaker for incoming data. For example, if the incoming data contains the sequence %data_1%\n\n%data_2%, Splunk will break this sequence into two events (%data_1% and %data_2%).
The following is the default props.conf configuration file.
[source::tcp:3000]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false

[source::tcp:9998]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
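The line breaking and timestamp extraction that these stanzas configure can be emulated in a few lines, which makes it easy to check what a given event source will look like once indexed. The following Python script is an added example, not code from Kaspersky Threat Feed App or from Splunk, and it only approximates Splunk's behaviour: it splits a constructed sample stream on the LINE_BREAKER capture group, then looks for TIME_FORMAT directly after TIME_PREFIX within MAX_TIMESTAMP_LOOKAHEAD characters. Because the format carries no year, the example assumes the current year; an event with no leading timestamp gets None here, whereas Splunk applies its own fallback rules.

```python
import re
from datetime import datetime

# Values taken from the default props.conf stanzas above.
LINE_BREAKER = r"([\n]+)"
TIME_PREFIX = r"^"
TIME_FORMAT = "%b %d %H:%M:%S"
MAX_TIMESTAMP_LOOKAHEAD = 17

# Constructed sample stream (not real Feed Service or event-source data):
# two syslog-style records separated by a run of newlines, followed by a
# record that carries no leading timestamp.
SAMPLE_STREAM = (
    "Mar 05 10:15:01 host1 sshd[123]: Accepted publickey for alice\n\n"
    "Mar 05 10:15:07 host1 sshd[124]: Failed password for bob\n"
    "no timestamp here, just free text\n"
)


def break_events(raw):
    """Split a raw stream into events as LINE_BREAKER does: the text matched
    by the regex's capture group is the separator and is discarded."""
    parts = re.split(LINE_BREAKER, raw)
    return [p for p in parts if p and not re.fullmatch(LINE_BREAKER, p)]


def extract_timestamp(event):
    """Emulate TIME_PREFIX + MAX_TIMESTAMP_LOOKAHEAD + TIME_FORMAT: read at
    most MAX_TIMESTAMP_LOOKAHEAD characters after the prefix match and parse
    the longest leading substring that fits TIME_FORMAT."""
    prefix = re.search(TIME_PREFIX, event)
    if prefix is None:
        return None
    window = event[prefix.end():prefix.end() + MAX_TIMESTAMP_LOOKAHEAD]
    for end in range(len(window), 0, -1):
        try:
            parsed = datetime.strptime(window[:end], TIME_FORMAT)
        except ValueError:
            continue
        # TIME_FORMAT has no year; assume the current one (example assumption).
        return parsed.replace(year=datetime.now().year)
    return None


def parse_stream(raw):
    """Return (timestamp or None, event text) for every event in the stream."""
    return [(extract_timestamp(e), e) for e in break_events(raw)]


if __name__ == "__main__":
    for ts, text in parse_stream(SAMPLE_STREAM):
        print(ts, "|", text)
```

Running the script prints three events: the first two carry a parsed timestamp, the third carries None, which is the case to watch for when you add an event source whose records do not start with a timestamp in the format these stanzas expect.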
Adding new inputs (event sources)
To add new inputs (event sources), you have to edit the inputs.conf and props.conf configuration files.
To add a new input:
1. In inputs.conf, add a stanza for the new input and set its _TCP_ROUTING parameter to service9999. All data from this input will be forwarded to Feed Service.
2. In props.conf, add a [source::tcp:<port>] stanza for the new input so that its data is processed in the same way as the default inputs.
3. Make sure that data from the new input matches the Feed Service regular expressions defined in the Feed Service configuration file.
Below is an example of adding :3001 as an input; it specifies that input from :3001 must be processed as other default integration scheme inputs.
# to inputs.conf
[tcp://:3001]
_TCP_ROUTING = service9999

# to props.conf
[source::tcp:3001]
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 17
TIME_FORMAT = %b %d %H:%M:%S
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
Changing the address and port for data from Feed Service
By default, Kaspersky Threat Feed App is configured to receive data from Feed Service on port :9998 at any available address. This is specified in the inputs.conf configuration file of Kaspersky Threat Feed App. If you want to receive data from Feed Service only at a specific address and port (for example, if Splunk has access to several network interfaces), you must edit the inputs.conf file accordingly.
Use one of the following formats to specify an address and a port where data from Feed Service must be received by Kaspersky Threat Feed App:
[tcp://127.0.0.1:<port>]
Data is accepted only on the loopback interface, that is, from a Feed Service running on the same computer as Splunk.
[tcp://<address>:<port>]
Data is accepted only on the specified address.
[tcp://:<port>]
Data is accepted on the specified port of every available network interface. Note that this format can affect security, because Kaspersky Threat Feed App will receive information through the specified port of every available network interface.
In the formats above, <address> and <port> are the IP address and the port on which Kaspersky Threat Feed App must listen for incoming data from Feed Service.
You also may have to change the addresses and ports specified in the Feed Service configuration file and the lookup script configuration file. For more information about changing addresses and ports, see Changing the integration scheme.
Below are examples of specifying an address and a port where data from Feed Service is to be received.
In the following example, Feed Service is located on the same computer as Splunk. Kaspersky Threat Feed App accepts matches on port :9998 of the same computer.
[tcp://127.0.0.1:9998]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = kl_detect
sourcetype = kl_detect_sourcetype
source = tcp:9998
disabled = false
In the following example, Feed Service and Splunk are located on different computers. Kaspersky Threat Feed App accepts matches from Feed Service on 192.0.2.42:9997.
[tcp://192.0.2.42:9997]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = kl_detect
sourcetype = kl_detect_sourcetype
source = tcp:9997
disabled = false
In the following example, Kaspersky Threat Feed App accepts matches from Feed Service on port :3000 of any available address.
[tcp://:3000]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = kl_detect
sourcetype = kl_detect_sourcetype
source = tcp:3000
disabled = false
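Taken together, the three files define a chain: an input stanza in inputs.conf names a routing group, outputs.conf must define that group, and props.conf should carry a [source::tcp:<port>] stanza for the port. The following Python script is an added example, not part of Kaspersky Threat Feed App or of Splunk. It reads constructed copies of the three files with a minimal .conf reader (which ignores Splunk's configuration layering and other features) and reports three kinds of inconsistency: an input routed to a group that outputs.conf does not define, an input with no props.conf stanza (the cases the "Adding new inputs" procedure guards against), and an input written in the [tcp://:<port>] form, which listens on every interface. The sample files, the mismatches in them and the function names are constructed for this example.

```python
import ipaddress
import re

# Constructed sample files modelled on the default stanzas in this section.
# They deliberately contain two mistakes: [tcp://:3001] has no props.conf
# stanza, and [tcp://10.0.0.5:3002] routes to a group outputs.conf never defines.
INPUTS_CONF = """
[tcp://:9998]
_INDEX_AND_FORWARD_ROUTING=local
connection_host = dns
index = kl_detect
sourcetype = kl_detect_sourcetype
source = tcp:9998
disabled = false

[tcp://:3000]
_TCP_ROUTING = service9999

[tcp://:3001]
_TCP_ROUTING = service9999

[tcp://10.0.0.5:3002]
_TCP_ROUTING = service8888
"""

OUTPUTS_CONF = """
[tcpout]
defaultGroup = noforward
disabled = false

[indexAndForward]
index=true

[tcpout:service9999]
disabled=false
server = 127.0.0.1:9999
sendCookedData = false
"""

PROPS_CONF = r"""
[source::tcp:3000]
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false

[source::tcp:9998]
LINE_BREAKER = ([\n]+)
SHOULD_LINEMERGE = false
"""

STANZA_RE = re.compile(r"^\[(.+)\]$")
TCP_INPUT_RE = re.compile(r"^tcp://(.*):(\d+)$")


def parse_conf(text):
    """Minimal Splunk .conf reader: {stanza: {key: value}}. Skips comments,
    blank lines and any key that appears before the first stanza header."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        header = STANZA_RE.match(line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def bind_scope(stanza):
    """Classify a [tcp://<address>:<port>] header. Returns (host, port, scope)
    with scope "loopback", "address" or "all-interfaces", or None when the
    stanza is not a TCP input."""
    m = TCP_INPUT_RE.match(stanza)
    if not m:
        return None
    host, port = m.group(1), int(m.group(2))
    if host == "":
        return host, port, "all-interfaces"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return host, port, "loopback"
    except ValueError:
        pass  # a hostname rather than an IP literal: treat as a specific address
    return host, port, "address"


def audit(inputs_text, outputs_text, props_text):
    """Cross-check the three files; returns a list of (stanza, finding)."""
    inputs = parse_conf(inputs_text)
    outputs = parse_conf(outputs_text)
    props = parse_conf(props_text)
    findings = []
    for stanza, keys in inputs.items():
        parsed = bind_scope(stanza)
        if parsed is None:
            continue
        _, port, scope = parsed
        if scope == "all-interfaces":
            findings.append((stanza, "listens on every available interface"))
        group = keys.get("_TCP_ROUTING")
        if group and "tcpout:" + group not in outputs:
            findings.append((stanza, "routes to undefined group " + group))
        if "source::tcp:%d" % port not in props:
            findings.append((stanza, "no props.conf stanza for this port"))
    return findings


if __name__ == "__main__":
    for stanza, finding in audit(INPUTS_CONF, OUTPUTS_CONF, PROPS_CONF):
        print("[%s] %s" % (stanza, finding))
```

To run it against a real deployment, replace the three constant strings with the contents of the files under $SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk; the "listens on every available interface" finding is informational and corresponds to the note on the [tcp://:<port>] format above.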
Adding email addresses to alert templates
By default, alert templates that come with Kaspersky Threat Feed App have an empty email field. If you want to test the alert templates, you have to add a valid email address to each alert. You can either use the Splunk interface to edit alerts, or edit the savedsearches.conf file for Kaspersky Threat Feed App.
To add an email address to an alert template, specify the address in the action.email.to parameter of each alert template.
Below is an example of adding user@example.com as an email address to an alert template.
#...
action.email.to = user@example.com
#...