Enricher - Kaspersky
Note
This article describes how to configure a particular enrichment source. To see how to configure enrichers in general, see Configure enrichers.
| Specification | |
|---|---|
| Enricher name | Kaspersky Lab Threat Intelligence Portal Threat Lookup |
| Input | Domain, hashes (hash-sha1, hash-sha256, and hash-md5), ipv4, and uri. |
| Output | Enrichment WHOIS extracts and entities. |
| API endpoint | |
| Description | Kaspersky Threat Intelligence Portal (Threat Lookup) provides a web service with interactive access to 5 petabytes of cyber threat intelligence data, and enables platform users to request threat intelligence about hashes, IP addresses, domains, and URLs. |
Requirements
Authentication against Kaspersky's Threat Intelligence Portal API requires an SSL certificate (PEM file) in addition to the corresponding username and password. All three must be available to the platform before the enricher can run.
Configure the enricher parameters
1. Edit the enricher.
2. In the Observable types field, select one or more observable types you want to enrich with data retrieved through the Kaspersky enricher.
3. In the Username field, enter your username.
4. In the Password field, enter your password.
5. In the Path to SSL certificate field, enter the path to your PEM file.
6. In the URL observables (max) field, enter the maximum number of URL observables the enricher creates from a single response.
7. Select the checkbox Include data with Red/Orange/Yellow/Green/Grey zone for each color zone you want to include data from. Data from zones that are not selected is discarded.
8. For each of the Red, Orange and Yellow zones, click the Set default maliciousness for Red/Orange/Yellow/Green drop-down menu and select one of the following:
   - Low maliciousness
   - Medium maliciousness
   - High maliciousness
   The color zones Green and Grey have fixed values and cannot be changed here: Green is safe, Grey is unknown.
9. To store your changes, click Save; to discard them, click Cancel.
Additional information
Kaspersky uses color-coded zones:

| Color | Definition |
|---|---|
| Red | Investigated object can be classified as malicious. |
| Orange | Investigated object has the Suspicious status (only for IP addresses with a threat score from 50 to 74). |
| Yellow | Investigated object has the Adware and other status (Adware, Pornware, and other programs). |
| Grey | No data is available for the investigated object. |
| Green | Investigated object cannot be classified as malicious. |
General maliciousness rules:
- Data from fields is extracted only for the zones that are selected in the enricher configuration.
- If the zone is Grey, maliciousness is set to unknown.
- If the zone is Green, maliciousness is set to good.
- For the other zones, maliciousness is the default configured for that zone.
Returned data is sorted by the following keys, in this order:
1. Zone (red, yellow, grey, and green).
2. HitsCount (higher values first).
3. LastSeen (newer entries first).
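The zone filter, the maliciousness rules and the sort order above, written out as one function. This is an added example, not EclecticIQ or Kaspersky code: the record field names `Zone`, `HitsCount` and `LastSeen` follow the page, while the configuration dictionary, the `LastSeen` timestamp format, the position of Orange in the sort order (the page lists only red, yellow, grey and green) and the idea that the URL observables (max) cap is applied after sorting are assumptions made for illustration. The sample records are constructed.

```python
"""Zone filtering, maliciousness mapping and ordering of Kaspersky Threat Lookup records.

Added example (not EclecticIQ or Kaspersky code). Field names follow the page;
the config shape, timestamp format and sample data are assumptions.
"""
from datetime import datetime, timezone

# Assumed shape of the enricher configuration: which zones are included
# (the "Include data with ... zone" checkboxes) and the default
# maliciousness per configurable zone (the drop-down menus).
CONFIG = {
    "include_zones": {"Red", "Orange", "Yellow", "Green", "Grey"},
    "default_maliciousness": {"Red": "high", "Orange": "medium", "Yellow": "low"},
}

# Fixed by the page: Green is safe (good), Grey is unknown.
FIXED_MALICIOUSNESS = {"Green": "good", "Grey": "unknown"}

# Sort priority. The page lists red, yellow, grey, green; placing Orange
# between Red and Yellow is an assumption.
ZONE_ORDER = {"Red": 0, "Orange": 1, "Yellow": 2, "Grey": 3, "Green": 4}


def maliciousness_for(zone, config=CONFIG):
    """Maliciousness for a zone, or None when the zone is not included in the config."""
    if zone not in config["include_zones"]:
        return None
    if zone in FIXED_MALICIOUSNESS:
        return FIXED_MALICIOUSNESS[zone]
    return config["default_maliciousness"].get(zone)


def parse_last_seen(value):
    """Assumed timestamp format for LastSeen: ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def enrich(records, config=CONFIG, max_urls=None):
    """Drop records from unselected zones, attach maliciousness, sort, then cap."""
    kept = []
    for rec in records:
        maliciousness = maliciousness_for(rec["Zone"], config)
        if maliciousness is None:
            continue  # zone not selected: data from this record is discarded
        kept.append({**rec, "maliciousness": maliciousness})
    kept.sort(
        key=lambda r: (
            ZONE_ORDER.get(r["Zone"], len(ZONE_ORDER)),  # unknown zones last
            -r["HitsCount"],                              # bigger first
            -parse_last_seen(r["LastSeen"]).timestamp(),  # newer first
        )
    )
    # Assumption: the URL observables (max) cap applies after ordering, so the
    # most relevant records survive the cut.
    return kept if max_urls is None else kept[:max_urls]


# Constructed sample response records (not real Kaspersky data).
SAMPLE_RECORDS = [
    {"Url": "http://a.example/x", "Zone": "Green", "HitsCount": 900, "LastSeen": "2024-01-10T00:00:00Z"},
    {"Url": "http://b.example/y", "Zone": "Red", "HitsCount": 12, "LastSeen": "2024-01-05T00:00:00Z"},
    {"Url": "http://c.example/z", "Zone": "Red", "HitsCount": 40, "LastSeen": "2023-12-01T00:00:00Z"},
    {"Url": "http://d.example/w", "Zone": "Yellow", "HitsCount": 5, "LastSeen": "2024-02-01T00:00:00Z"},
    {"Url": "http://e.example/v", "Zone": "Grey", "HitsCount": 0, "LastSeen": "2024-02-02T00:00:00Z"},
    {"Url": "http://f.example/u", "Zone": "Red", "HitsCount": 40, "LastSeen": "2024-01-20T00:00:00Z"},
]

if __name__ == "__main__":
    for rec in enrich(SAMPLE_RECORDS, max_urls=4):
        print(rec["Zone"], rec["HitsCount"], rec["LastSeen"], rec["Url"], rec["maliciousness"])
```

Note that two Red records with the same HitsCount are ordered by LastSeen, so the more recently seen URL wins the tie, and that a Green record with a very high HitsCount still sorts after every Red, Yellow and Grey record because zone is the primary key.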
Mapping information
Domain enricher - covered sections:
- DomainGeneralInfo - used for creation of the Domain Indicator and hash observables.
- FilesAccessed - used for creation of Hash Indicators, Malware Variants, Malware Families and observables.
- UrlReferrals - used for creation of URI observables that belong to the Domain Indicator from the DomainGeneralInfo section.
- DomainWhoIsInfo - used for creation of WHOIS Enrichment extracts.
IP enricher - covered sections:
- IpGeneralInfo - used for creation of the IP Indicator and hash observables.
- HostedUrls - used for creation of URI observables that belong to the IP Indicator from the IpGeneralInfo section.
- FilesDownloadedFromIp - used for creation of Hash Indicators, Malware Variants, Malware Families and observables.
- IpWhoIs - used for creation of WHOIS Enrichment extracts.
URL enricher - covered sections:
- UrlGeneralInfo - used for creation of the URL Indicator and hash observables.
- FilesAccessed - used for creation of Hash Indicators, Malware Variants, Malware Families and observables.
- UrlDomainWhoIs - used for creation of WHOIS Enrichment extracts.
Hash enricher - covered sections:
- FileGeneralInfo - used for creation of the Hash Indicator and hash observables.
- FileDownloadedFromUrls - used for creation of URI observables that belong to the Hash Indicator from the FileGeneralInfo section.
- FileDownloadedBy - used for creation of Hash Indicators, Malware Variants, Malware Families and observables.