Using Kaspersky Threat Intelligence Portal for Splunk Phantom
August 23, 2019
ID 184496
This section explains how to use Kaspersky Threat Intelligence Portal for Splunk Phantom.
The table below contains information about actions provided by Kaspersky Threat Intelligence Portal for Splunk Phantom.
Actions provided by Kaspersky Threat Intelligence Portal for Splunk Phantom
| Action | Input | Output |
| | IP address | Zone, danger level, and categories of the IP address and the related APT reports |
| | URL | Zone and categories of the URL and the related APT reports |
| | Domain | Zone and categories of the domain and the related APT reports |
| | File | Zone and categories of the file hash and the related APT reports |
| | Report ID | APT report description and tags |
| | Indicator (IP address, URL, domain, or file) | Full information about the indicator in Kaspersky Threat Intelligence Portal |
We advise you to follow these recommendations:
- Do not run tasks that use Kaspersky Threat Intelligence Portal for Splunk Phantom for processing all incoming events, because the daily quota can be exhausted very quickly.
- Get detailed information about an object only when necessary, because this task involves transferring a large amount of data and is slower than others.
- Use your own scripts to parse the raw response from Kaspersky Threat Intelligence Portal and get information from it.
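One way to follow the first recommendation is to gate lookups before any action runs. The sketch below is an added example, not code from Kaspersky or Splunk: `LookupGate` and its result strings are hypothetical names, and the quota value and the UTC-midnight reset are assumptions to replace with the terms of your own licence.

```python
import ipaddress
import time


class LookupGate:
    """Decides whether an indicator is worth spending one portal request on."""

    def __init__(self, daily_quota, cache_ttl=86400, clock=time.time):
        self.daily_quota = daily_quota  # placeholder: use the quota of your own licence
        self.cache_ttl = cache_ttl      # seconds before the same indicator is looked up again
        self.clock = clock
        self.seen = {}                  # (kind, value) -> time of the last lookup
        self.day, self.used = None, 0

    @staticmethod
    def _is_public_ip(value):
        try:
            return ipaddress.ip_address(value).is_global
        except ValueError:
            return False                # not an IP address at all

    def decide(self, kind, value):
        """Return 'lookup', 'skip-not-public', 'skip-cached' or 'skip-quota'."""
        now = self.clock()
        day = int(now // 86400)
        if day != self.day:             # assumed reset at UTC midnight: fresh counter
            self.day, self.used = day, 0
        value = value.strip()
        if kind in ("domain", "file"):  # case-insensitive indicator types
            value = value.lower().rstrip(".")
        if kind == "ip" and not self._is_public_ip(value):
            return "skip-not-public"    # private/reserved ranges have no global reputation
        last = self.seen.get((kind, value))
        if last is not None and now - last < self.cache_ttl:
            return "skip-cached"        # reuse the stored result instead of asking again
        if self.used >= self.daily_quota:
            return "skip-quota"         # budget spent: queue for tomorrow or for an analyst
        self.seen[(kind, value)] = now
        self.used += 1
        return "lookup"


if __name__ == "__main__":
    # Constructed sample indicators, as they might be extracted from incoming events.
    events = [("ip", "10.0.0.5"), ("ip", "8.8.8.8"), ("ip", "8.8.8.8"),
              ("domain", "Example.COM."), ("domain", "example.com"), ("ip", "1.1.1.1")]
    gate = LookupGate(daily_quota=2)
    for kind, value in events:
        print(kind, value, "->", gate.decide(kind, value))
```

Only indicators that return `lookup` should be passed to an action; the other results show why a request was withheld.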