Configuring Kaspersky Threat Intelligence Portal for Splunk Phantom

This section describes how to configure Kaspersky Threat Intelligence Portal for Splunk Phantom.

To configure Kaspersky Threat Intelligence Portal for Splunk Phantom:

1. In Splunk Phantom, click the Home split button and in the drop-down list select Apps.
2. Select the Unconfigured Apps tab.
3. Find Kaspersky Threat Intelligence in the list of the unconfigured apps.
4. Click CONFIGURE NEW ASSET.

   

   Unconfigured apps

5. On the Asset info tab, in the Asset name text box, specify the name for the new asset as you wish.

   Other settings on this tab are optional.

   

   Asset information

6. Select the Asset Settings tab.

   

   Asset settings

7. Select both the I understand and accept the Terms and Conditions check box and the I understand and accept Privacy Policy check box.

   The Terms and Conditions as well as a link to the Privacy Policy are provided in the description of the app. If you do not accept either the Terms and Conditions or Privacy Policy, you cannot use Kaspersky Threat Intelligence Portal for Splunk Phantom.

8. In the Portal user name and Portal password text boxes, specify the user name and password for Kaspersky Threat Intelligence Portal.
9. Click the PEM certificate for Kaspersky Threat Intelligence Portal text box.

   A standard Windows dialog box appears.

10. In the dialog box, select the PEM-formatted certificate to use with Kaspersky Threat Intelligence Portal.

    If you have a PFX-formatted certificate, you can convert it to PEM format as described at https://tip.kaspersky.com/help/Doc_data/ConvertingCertToPEM.htm.

11. In the Maximum number of records to display text box, specify the maximum number of records that can be retrieved when getting detailed information about an object.

    Also, the maximum number of object categories are retrieved when you look up a hash on Kaspersky Threat Intelligence Portal. The default value is 10.

12. Click SAVE.
13. Click TEST CONNECTIVITY.

    Kaspersky Threat Intelligence Portal for Splunk Phantom will make a test request to Kaspersky Threat Intelligence Portal. The Testing Connectivity dialog box appears.

    

    Testing Connectivity dialog box

    If the specified settings are correct, Kaspersky Threat Intelligence Portal for Splunk Phantom can connect to Kaspersky Threat Intelligence Portal. If you receive an error message, see possible solutions in section "Troubleshooting".

    In the Testing Connectivity dialog box you can also see your daily request quota and the number of requests made today.

If the connection test succeeds, you can start using Kaspersky Threat Intelligence Portal for Splunk Phantom. For possible reasons for the connection test failure, see section "Troubleshooting".