Using Kaspersky Threat Intelligence Portal for Splunk Phantom

This section explains how to use Kaspersky Threat Intelligence Portal for Splunk Phantom.

The table below contains information about actions provided by Kaspersky Threat Intelligence Portal for Splunk Phantom.

Actions provided by Kaspersky Threat Intelligence Portal for Splunk Phantom

Action	Input	Output
ip reputation	IP address	Zone, danger level, and categories of the IP address and the related APT reports
url reputation	URL	Zone and categories of the URL and the related APT reports
domain reputation	Domain	Zone and categories of the domain and the related APT reports
file reputation	File	Zone and categories of the file hash and the related APT reports
get reports	Report ID	APT report description and tags
get detailed info	Indicator (IP address, URL, domain, or file)	Full information about the indicator in Kaspersky Threat Intelligence Portal

We advise you to follow these recommendations:

• Do not run tasks that use Kaspersky Threat Intelligence Portal for Splunk Phantom for processing all incoming events, because the daily quota can be exhausted very quickly.
• Get detailed information about an object only when necessary, because this task involves transferring a large amount of data and is slower than others.
• Use your own scripts to parse the raw response from Kaspersky Threat Intelligence Portal and get information from it.

In this section Looking up indicators Retrieving APT Intelligence reports Getting detailed information about indicators Using Kaspersky Threat Intelligence Portal for Splunk Phantom in playbooks

Page top