Incoming feed - Kaspersky Lab Threat Intelligence APT Reports

This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.

Specifications

Transport types

Kaspersky APT Reports

Content type

Kaspersky APT JSON

Ingested data

Ingests APT (Advanced Persistent Threat) reports from the Kaspersky Threat Intelligence Portal API that includes: PDF reports, YARA rules, and OpenIOC XML files.

Processed data

Feed packages are ingested as Report entitites with the PDF report attached, as well as associated observables and indicators.

Requirements

  • Client certificate provided by Kaspersky.

  • User name and password for your Kaspersky Portal account.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. Under Transport and content, fill out these fields:

    Required fields are marked with an asterisk (*).

    Field

    Description

    Transport type*

    Select Kaspersky APT Reports from the drop-down menu.

    Content type*

    Select Kaspersky APT JSON from the drop-down menu.

    API URL*

    Set this to the Kaspersky Threat Intelligence Portal API endpoint.

    By default, this is set to https://tip.kaspersky.com/api/.

    Username*

    Set this to your Kaspersky Threat Intelligence Portal user name.

    Password*

    Set this to your Kaspersky Threat Intelligence Portal password.

    Path to SSL certificate file*

    Enter the path to the client certificate provided by Kaspersky.

    You may need to generate a pem file from the file Kaspersky provides. See Kaspersky: Requesting reports using API for more information.

    See SSL certificates for more information.

    SSL verification

    Selected by default. Select this option to enable SSL for this feed.

    Create unique reports for all incoming PDF attachments

    Enable this to have the platform create a unique report entity each time it encounters a new PDF attachment when the feed is run.

    Start ingesting from*

    Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.

  3. Store your changes by selecting Save.

SSL certificates

The Kaspersky Threat Intelligence Portal API requires you to use a client certificate to authenticate when connecting to their servers.

To use an SSL certificate with the platform, it must be:

  • Accessible on the EclecticIQ Platform host.

  • Placed in a location that can be accessed by the eclecticiq user.

  • Owned by eclecticiq:eclecticiq.

To make sure that the platform can access the SSL certificate:

  1. Upload the SSL certificate to a location on the platform host.

  2. On the platform host, open the terminal.

  3. Change ownership of the SSL certificate by running as root in the terminal:

    chown eclecticiq:eclecticiq /path/to/cert.pem

    Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.