The lookup script is used to match individual URLs, IP addresses, and hashes to Kaspersky Lab feeds. It can be invoked from the Search dashboard of Kaspersky Threat Feed App.
The lookup script uses configuration parameters from a configuration file located in $SPLUNK_HOME/etc/apps/Kaspersky-Threat-Feed-App-for-Splunk/bin/config.json.
Edit this file only if you want to change the integration scheme.
By default, the lookup script is configured to send data to Feed Service located at 127.0.0.1:9999.
Default lookup script configuration file
The following is the default lookup script configuration file.
{
  "service_addr": "127.0.0.1",
  "service_port": 9999,
  "pattern": "ip=%IP% md5=%MD5% sha1=%SHA1% sha256=%SHA256% url=%URL%\n"
}
Lookup script configuration file parameters
The following parameters are available in this configuration file:
service_addr: IP address where Feed Service is located.
service_port: Port where Feed Service is located.
pattern: Pattern for Feed Service. The lookup script uses this pattern when it sends data to Feed Service.
This parameter must correspond to the regular expressions from the InputSettings > RegExps element in the Feed Service configuration file.
Lookup script output with the default pattern
By default, the lookup script substitutes the following values in the pattern parameter with data passed from Splunk:
%IP%—IP address
%MD5%—MD5 hash
%SHA1%—SHA1 hash
%SHA256%—SHA256 hash
%URL%—URL
The following example demonstrates the resulting events from different lookup script searches.
# searching for a URL
|klsearch url=example.com
# sent to Feed Service
ip=- md5=- sha1=- sha256=- url=example.com

# searching for two MD5 hashes
|klsearch md5="CA9CDCDA5C36C4CC24AF91ADDBD2CEF3|44D88612FEA8A8F36DE82E1278ABB02F"
# sent to Feed Service
ip=- md5=CA9CDCDA5C36C4CC24AF91ADDBD2CEF3 sha1=- sha256=- url=-
ip=- md5=44D88612FEA8A8F36DE82E1278ABB02F sha1=- sha256=- url=-
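The following Python example is added here to illustrate the substitution rules described above (the pattern parameter, the %IP%/%MD5%/%SHA1%/%SHA256%/%URL% placeholders, the "-" for absent values, and one request line per "|"-separated value); it is not the app's own lookup script. It reads the pattern from a constructed copy of the default config.json, renders the lines the examples above show, and offers a small check that rendered lines match a regular expression of the kind an administrator would copy from the Feed Service InputSettings > RegExps element. The function names, the Python regular-expression dialect used for that check, and the handling of several argument types in one search (not shown on this page; here each value gets its own line) are assumptions.

```python
# Added example, not the Kaspersky app's own code: renders the request
# lines the lookup script sends to Feed Service from a config.json pattern.
import json
import re
from typing import Dict, List

# Constructed copy of the default config.json shown on this page.
DEFAULT_CONFIG_JSON = '''{
  "service_addr": "127.0.0.1",
  "service_port": 9999,
  "pattern": "ip=%IP% md5=%MD5% sha1=%SHA1% sha256=%SHA256% url=%URL%\\n"
}'''

# Placeholder in the pattern -> argument name of the klsearch command.
PLACEHOLDERS = {
    "%IP%": "ip",
    "%MD5%": "md5",
    "%SHA1%": "sha1",
    "%SHA256%": "sha256",
    "%URL%": "url",
}


def load_pattern(config_text: str) -> str:
    """Return the 'pattern' value of a config.json document."""
    return json.loads(config_text)["pattern"]


def render_requests(pattern: str, args: Dict[str, str]) -> List[str]:
    """Render one request line per indicator value.

    `args` maps a klsearch argument (ip, md5, sha1, sha256, url) to its
    value.  A value may carry several indicators separated by '|', which
    yields one line each.  Placeholders without a value become '-'.
    Emitting a separate line per value when several argument types are
    combined is an assumption; the page only shows single-type searches.
    """
    lines = []
    for name, raw in args.items():
        for value in raw.split("|"):
            value = value.strip()
            if not value:
                continue
            line = pattern
            for placeholder, arg in PLACEHOLDERS.items():
                line = line.replace(placeholder, value if arg == name else "-")
            lines.append(line)
    return lines


def lines_match_regexp(lines: List[str], regexp: str) -> bool:
    """Check that every rendered line matches the given regular expression.

    Assumption: the Feed Service RegExps entry can be expressed in Python
    regex syntax.  A False result means the pattern parameter and the
    Feed Service configuration have drifted apart and lookups will fail.
    """
    compiled = re.compile(regexp)
    return all(compiled.match(line.rstrip("\n")) for line in lines)


if __name__ == "__main__":
    pattern = load_pattern(DEFAULT_CONFIG_JSON)
    for line in render_requests(pattern, {"url": "example.com"}):
        print(line, end="")
    two_hashes = "CA9CDCDA5C36C4CC24AF91ADDBD2CEF3|44D88612FEA8A8F36DE82E1278ABB02F"
    for line in render_requests(pattern, {"md5": two_hashes}):
        print(line, end="")
```

Keeping the substitution in one place makes it easy to verify, before changing the integration scheme, that a modified pattern still lines up with the regular expressions Feed Service expects.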