Looking up indicators

This section describes how to get information about an indicator by using Kaspersky Threat Intelligence Portal for Splunk Phantom.

To look up an indicator in Kaspersky Threat Intelligence Portal:

  1. In Splunk Phantom, click the Home split button and in the drop-down list select Indicators.
  2. Select the Events tab.
  3. In the list, click the event that contains the indicator that you want to look up in Kaspersky Threat Intelligence Portal.
  4. Select the Artifacts tab.
  5. In the ARTIFACTS list, click the row that relates to the indicator you want to look up in Kaspersky Threat Intelligence Portal.

    The row expands and the event information is displayed. The indicator itself is in the Details section.

  6. Click the indicator that you want to look up in Kaspersky Threat Intelligence Portal.

    A form related to the indicator appears.

  7. Select the Run Action tab.
  8. Expand the desired action group and select the action that you want to take:
    • To look up an IP address, select the ip reputation action.
    • To look up a URL, select the url reputation action.

      Note that a URL is normalized before being sent to Kaspersky Threat Intelligence Portal: a login, password, port, and other elements are discarded.

    • To look up a domain, select the domain reputation action.
    • To look up a hash, select the file reputation action.

    Figure: Actions on an indicator

    The Run Action form opens.

  9. Click LAUNCH.

The information about the indicator is now displayed in Splunk Phantom. The information displayed depends on the indicator type: IP address, URL, domain, or file hash (see subsections below).
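The normalization noted in step 8 matters when you correlate a result back to the artifact it came from: artifacts that differ only in credentials or port produce the same lookup. The following is an added example, not code from the app or the portal; it strips exactly the login, password and port the note names and, because the page does not enumerate the "other elements", leaves everything else untouched (an assumption of this example).

```python
from urllib.parse import urlsplit, urlunsplit


def normalize_url(url: str) -> str:
    """Return the URL with the login, password and port removed.

    Modelled on the note in step 8; scheme, host, path, query and fragment
    are kept as-is because the page does not say what else is discarded
    (assumption made for this example).
    """
    parts = urlsplit(url)
    netloc = parts.netloc.rsplit("@", 1)[-1]  # drop "login:password@"
    if netloc.startswith("["):
        # IPv6 literal such as [2001:db8::1]:8080: keep the bracketed host only
        netloc = netloc[: netloc.index("]") + 1]
    else:
        netloc = netloc.split(":", 1)[0]  # drop ":port"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def same_lookup_target(url_a: str, url_b: str) -> bool:
    """True when both artifacts would be sent to the portal as the same URL."""
    return normalize_url(url_a) == normalize_url(url_b)


if __name__ == "__main__":
    # Constructed sample artifact values, not portal output
    print(normalize_url("https://user:s3cret@example.com:8443/login?next=/home#top"))
    print(same_lookup_target("http://example.com:80/a", "http://admin:x@example.com/a"))
```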

Information about an IP address

The table below describes information about an IP address that Splunk Phantom displays.

IP address intelligence

KL TIP response field | Splunk Phantom field | Description
- | IP | Requested IP address.
- | Status | failed—If the request to Kaspersky Threat Intelligence Portal failed. success—If the request to Kaspersky Threat Intelligence Portal succeeded.
Zone | Zone | Color of the zone that the IP address belongs to (red, orange, gray, green).
ThreatScore | Threat score | Probability that the IP address will turn out to be dangerous (0 to 100).
Categories | Categories | Categories of the IP address.
HasApt | Related to APT | Indicates whether the IP address is related to an advanced persistent threat (APT) attack.
RelatedAptReports/Title | APT report name | Name of the APT report to which the IP address is related.
RelatedAptReports/Id | APT report ID | Identifier of the APT report to which the IP address is related. This value can be used for retrieving the whole APT report.

Information about a URL

The table below describes information about a URL that Splunk Phantom displays.

URL intelligence

KL TIP response field | Splunk Phantom field | Description
- | URL | Requested URL.
- | Status | failed—If the request to Kaspersky Threat Intelligence Portal failed. success—If the request to Kaspersky Threat Intelligence Portal succeeded.
Zone | Zone | Color of the zone that the URL belongs to (red, gray, green).
Categories | Categories | Categories of the URL.
HasApt | Related to APT | Indicates whether the URL is related to an APT attack.
RelatedAptReports/Title | APT report name | Name of the APT report to which the URL is related.
RelatedAptReports/Id | APT report ID | Identifier of the APT report to which the URL is related. This value can be used for retrieving the whole APT report.

Information about a domain

The table below describes information about a domain that Splunk Phantom displays.

Domain intelligence

KL TIP response field | Splunk Phantom field | Description
- | Domain | Requested domain.
- | Status | failed—If the request to Kaspersky Threat Intelligence Portal failed. success—If the request to Kaspersky Threat Intelligence Portal succeeded.
Zone | Zone | Color of the zone that the domain belongs to (red, gray, green).
Categories | Categories | Categories of the domain.
HasApt | Related to APT | Indicates whether the domain is related to an APT attack.
RelatedAptReports/Title | APT report name | Name of the APT report to which the domain is related.
RelatedAptReports/Id | APT report ID | Identifier of the APT report to which the domain is related. This value can be used for retrieving the whole APT report.

Information about a hash

The table below describes information about a hash that Splunk Phantom displays.

Hash intelligence

KL TIP response field | Splunk Phantom field | Description
Md5 | MD5 | MD5 hash of the object.
Sha1 | SHA1 | SHA1 hash of the object.
Sha256 | SHA256 | SHA256 hash of the object.
- | Status | failed—If the request to Kaspersky Threat Intelligence Portal failed. success—If the request to Kaspersky Threat Intelligence Portal succeeded.
Zone | Zone | Color of the zone that the hash belongs to (red, yellow, gray, green).
Categories | Categories | Categories of the hash. The number of displayed categories is limited by the Maximum number of records to display parameter.
HasApt | Related to APT | Indicates whether the hash is related to an APT attack.
RelatedAptReports/Title | APT report name | Name of the APT report to which the hash is related.
RelatedAptReports/Id | APT report ID | Identifier of the APT report to which the hash is related. This value can be used for retrieving the whole APT report.
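An added example, not the app's own code, of applying the four tables above in a playbook or custom function: it maps a response carrying the KL TIP field names to the Splunk Phantom fields, covering the failed Status case and the Maximum number of records to display cap on hash categories. The response layout (flat keys, a list of objects with Title and Id under RelatedAptReports) is an assumption, since the page only gives the field paths; the sample response and its values are constructed placeholders.

```python
from typing import Any, Dict, Optional

# KL TIP response field -> Splunk Phantom field, shared by all four tables above
COMMON_FIELDS = {"Zone": "Zone", "Categories": "Categories", "HasApt": "Related to APT"}
REQUESTED_LABEL = {"ip": "IP", "url": "URL", "domain": "Domain"}


def build_phantom_fields(ind_type: str, requested: str,
                         response: Optional[Dict[str, Any]],
                         max_records: int = 10) -> Dict[str, Any]:
    """Map one KL TIP response to the Phantom fields listed in the tables.

    ind_type is "ip", "url", "domain" or "hash"; response is None when the
    request to the portal failed. The response layout (flat keys, a list of
    {"Title", "Id"} objects under RelatedAptReports) is assumed for this
    example; the page only gives the field paths.
    """
    fields: Dict[str, Any] = {}
    if ind_type in REQUESTED_LABEL:
        fields[REQUESTED_LABEL[ind_type]] = requested
    if response is None:
        fields["Status"] = "failed"
        return fields
    fields["Status"] = "success"
    for src, dst in COMMON_FIELDS.items():
        if src in response:
            fields[dst] = response[src]
    if ind_type == "ip" and "ThreatScore" in response:
        fields["Threat score"] = int(response["ThreatScore"])  # 0 to 100, IP only
    if ind_type == "hash":
        for src in ("Md5", "Sha1", "Sha256"):
            if src in response:
                fields[src.upper()] = response[src]
        # Only hash categories are capped by "Maximum number of records to display"
        fields["Categories"] = list(response.get("Categories", []))[:max_records]
    reports = response.get("RelatedAptReports") or []
    fields["APT report name"] = [r.get("Title") for r in reports]
    fields["APT report ID"] = [r.get("Id") for r in reports]  # usable to fetch the whole report
    return fields


# Constructed sample response (placeholder values, not real portal output)
SAMPLE_HASH_RESPONSE = {
    "Md5": "0" * 32, "Sha1": "0" * 40, "Sha256": "0" * 64,
    "Zone": "red", "Categories": ["cat-a", "cat-b", "cat-c"], "HasApt": True,
    "RelatedAptReports": [{"Title": "APT report placeholder", "Id": "REPORT-ID-PLACEHOLDER"}],
}

if __name__ == "__main__":
    print(build_phantom_fields("hash", "0" * 32, SAMPLE_HASH_RESPONSE, max_records=2))
    print(build_phantom_fields("ip", "192.0.2.10", None))
```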
