2.0 Extension Options
There are four main configuration groups in ThreatPinch Lookup:
- Lookup types: specify the item(s) of interest on sites and determine when a tooltip will be displayed
- Request groups: advanced settings to control when a tooltip is displayed
- Request lookups: the external data sources to be called upon to gather relevant information for the activated lookup type
ThreatPinch Lookup comes with preconfigured data sources (request lookups). Some of these require additional information from each end user (usernames, API keys, etc.). This table displays any request lookups that require such information. Items with a red “Fix issue” button still need some information from you. Items marked with a blue “Review” button already have the information filled in, but it can be viewed or edited as required.
To enter the required information:
- Click “Fix Issue”.
- You will be presented with a dialog. Register if necessary, then input the required information.
- Click “Save Changes” when complete.
- The page should refresh and you will notice the button beside that entry has changed to “Review”.
Request Groups are used to control when a Request Lookup (data source) will be called. To help understand why this is important, consider the following scenario:
You want to use ThreatPinch Lookup to provide additional context when reviewing logs on your organization’s local SIEM (https://siem.example.com). There are some internal asset management systems that can provide information on certain internal IP ranges (/8, /24). For any external IP addresses observed, ThreatPinch Lookup should use external sources to gather information.
This is where request groups come into play. The following options are available:
- CIDR Allow List: a list of networks in CIDR notation. Applicable request lookups will execute when a hovered over IP is in these ranges.
- CIDR Deny List: a list of networks in CIDR notation. Applicable request lookups will not execute when a hovered over IP is in these ranges.
- FQDN Allow List: a list of hosts. Applicable request lookups will execute when a hovered over host matches an item in this list.
- FQDN Deny List: a list of hosts. Applicable request lookups will not execute when a hovered over host matches an item in this list.
- RFC 1918?: a true or false value. Applicable request lookups will only execute if a hovered over IP is in RFC1918 space.
- Website Allow List: a list of websites. Applicable request lookups will execute when the current page matches an item in this list.
- Website Deny List: a list of websites. Applicable request lookups will not execute when the current page matches an item in this list.
Keeping the above scenario in mind, the following request groups could be created to fit that requirement:
- LOCAL: {Website Allow List: [https://siem.example.com/], CIDR Allow List: [/8, /24], RFC1918: false}, everything else blank
- INTERNET: {RFC1918: false}, everything else blank
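To make the option semantics above concrete, here is an added example (not ThreatPinch Lookup's own code) that evaluates whether a request group permits a lookup for a hovered item on a given page. The CIDR values, the deny-beats-allow precedence, and the origin-based website match are assumptions for illustration; the page does not state them.

```javascript
// Added example, not part of ThreatPinch Lookup. Decides whether a request
// group applies to a hovered item, following the seven options listed above.
const RFC1918 = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"];

// Dotted-quad IPv4 string -> unsigned 32-bit integer
function ipToInt(ip) {
  return ip.split(".").reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True when ip falls inside the network given in CIDR notation
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// group: {cidrAllow, cidrDeny, fqdnAllow, fqdnDeny, rfc1918, siteAllow, siteDeny}
// item:  {type: "IPV4" | "FQDN", value}; pageUrl: URL of the current page.
// Assumptions: an empty allow list means "no restriction", a deny match always
// wins, websites are compared by origin, and rfc1918:false adds no constraint.
function groupApplies(group, item, pageUrl) {
  const origin = new URL(pageUrl).origin;
  const siteMatch = (list) => list.some((s) => new URL(s).origin === origin);
  if (group.siteDeny.length && siteMatch(group.siteDeny)) return false;
  if (group.siteAllow.length && !siteMatch(group.siteAllow)) return false;

  if (item.type === "IPV4") {
    const ip = item.value;
    if (group.rfc1918 && !RFC1918.some((c) => inCidr(ip, c))) return false;
    if (group.cidrDeny.some((c) => inCidr(ip, c))) return false;
    if (group.cidrAllow.length && !group.cidrAllow.some((c) => inCidr(ip, c))) {
      return false;
    }
  } else if (item.type === "FQDN") {
    const host = item.value.toLowerCase();
    if (group.fqdnDeny.includes(host)) return false;
    if (group.fqdnAllow.length && !group.fqdnAllow.includes(host)) return false;
  }
  return true;
}
```

Note that the INTERNET group as configured above applies to every IP, internal ones included; adding the internal ranges to its CIDR Deny List keeps private addresses from being sent to external data sources.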
Lookup types contain the patterns that ThreatPinch Lookup searches web pages for; a match determines which data is displayed in the tooltip. Default lookup types are:
- MD5
- SHA2
- CVE
- FQDN
- IPV4
Each default tooltip can have the following fields modified:
- Lookup Type Enabled: a true or false value. Turns the lookup type off or on (the tooltip won’t show if set to false).
- Tooltip Height: an integer value. Sets the tooltip height in pixels.
- Tooltip Width: an integer value. The width of the tooltip in pixels.
- Hover Delay: an integer value. The time, in milliseconds, between placing your pointer over an item and the tooltip appearing.
- Popup Length: an integer value. The delay before the tooltip disappears in milliseconds.