This article describes how to configure incoming feeds for a particular feed source. To see how to configure incoming feeds in general, see Configure incoming feeds general options.
Kaspersky APT Reports
Kaspersky APT JSON
Ingests APT (Advanced Persistent Threat) reports from the Kaspersky Threat Intelligence Portal API that includes: PDF reports, YARA rules, and OpenIOC XML files.
Feed packages are ingested as Report entitites with the PDF report attached, as well as associated observables and indicators.
Client certificate provided by Kaspersky.
User name and password for your Kaspersky Portal account.
Configure the incoming feed
Create or edit an incoming feed.
Under Transport and content, fill out these fields:
Required fields are marked with an asterisk (*).
Select Kaspersky APT Reports from the drop-down menu.
Select Kaspersky APT JSON from the drop-down menu.
Set this to the Kaspersky Threat Intelligence Portal API endpoint.
By default, this is set to https://tip.kaspersky.com/api/.
Set this to your Kaspersky Threat Intelligence Portal user name.
Set this to your Kaspersky Threat Intelligence Portal password.
Path to SSL certificate file*
Enter the path to the client certificate provided by Kaspersky.
You may need to generate a pem file from the file Kaspersky provides. See Kaspersky: Requesting reports using API for more information.
See SSL certificates for more information.
Selected by default. Select this option to enable SSL for this feed.
Create unique reports for all incoming PDF attachments
Enable this to have the platform create a unique report entity each time it encounters a new PDF attachment when the feed is run.
Start ingesting from*
Ingest data from the feed source starting from this date and time. Use the drop-down calendar to select the date and time you want to start ingesting feed data from.
Store your changes by selecting Save.
The Kaspersky Threat Intelligence Portal API requires you to use a client certificate to authenticate when connecting to their servers.
To use an SSL certificate with the platform, it must be:
Accessible on the EclecticIQ Platform host.
Placed in a location that can be accessed by the eclecticiq user.
Owned by eclecticiq:eclecticiq.
To make sure that the platform can access the SSL certificate:
Upload the SSL certificate to a location on the platform host.
On the platform host, open the terminal.
Change ownership of the SSL certificate by running as root in the terminal:
Where /path/to/cert.pem is the location of the SSL certificate the platform needs to access.