Incoming feed - Kaspersky APT Reports#
This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Create and configure incoming feeds.
Kaspersky APT Reports
Kaspersky APT JSON
Ingests APT (Advanced Persistent Threat) reports from the Kaspersky Threat Intelligence Portal API that includes: PDF reports, YARA rules, and OpenIOC XML files.
Feed packages are ingested as Report entitites with the PDF report attached, as well as associated observables and indicators.
Client certificate provided by Kaspersky.
User name and password for your Kaspersky Portal account.
Configure the incoming feed#
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Select Kaspersky APT Reports from the drop-down menu.
Select Kaspersky APT JSON from the drop-down menu.
Set this to the Kaspersky Threat Intelligence Portal API endpoint.
By default, this is set to
Set this to your Kaspersky Threat Intelligence Portal user name.
Set this to your Kaspersky Threat Intelligence Portal password.
Path to SSL certificate file*
Enter the path to the client certificate provided by Kaspersky.
You may need to generate a
pemfile from the file Kaspersky provides. See Kaspersky: Requesting reports using API for more information.
See SSL certificates for more information.
Selected by default. Select this option to enable SSL for this feed.
Create unique reports for all incoming PDF attachments
Enable this to have the platform create a unique report entity each time it encounters a new PDF attachment when the feed is run.
Start ingesting from*
Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.
Store your changes by selecting Save.
The Kaspersky Threat Intelligence Portal API requires you to use a client certificate to authenticate when connecting to their servers.
To use an SSL certificate, it must be:
Accessible on the EclecticIQ Intelligence Center host.
Placed in a location that can be accessed by the
To make sure that EclecticIQ Intelligence Center can access the SSL certificate:
Upload the SSL certificate to a location on the EclecticIQ Intelligence Center host.
On the EclecticIQ Intelligence Center host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
chown eclecticiq:eclecticiq /path/to/cert.pem
/path/to/cert.pemis the location of the SSL certificate EclecticIQ Intelligence Center needs to access.