Incoming feed - Kaspersky Threat Intelligence


This procedure describes how to configure incoming feeds for a particular feed data source, transport type, or content type.
For more information about configuring common options shared across all incoming feeds, see Configure incoming feeds general options.


Specifications

Transport type: Kaspersky Threat Intelligence Data Feeds

Content type: Kaspersky JSON

Ingested data: JSON

Processed data: Indicators, TTPs (Malware Variants, Attack Patterns) and observables, with relationships set between them where applicable.

Description

This integration enables the Threat Intelligence Analyst to leverage a wealth of Threat Intelligence data, including TTPs, indicators and observables (via the URL and IP Address feeds) within multiple categories of interest, such as ransomware, phishing, malicious URLs, IP reputation, malicious files and trojans for mobile, and botnet.

Requirements

Kaspersky Threat Intelligence Data Feeds is compatible with EclecticIQ Platform release 2.3.0 and later.
Users need a certificate issued from Kaspersky.

Limitations

The integration covers 9 Kaspersky Threat Intelligence Data Feeds, but access to each of them is determined by the certificate issued by Kaspersky.
This means that the incoming feed downloads and processes only the feeds the certificate grants access to and skips the others.

The feeds are big, so processing them can take some time.

Configure the incoming feed

  1. Create or edit an incoming feed.

  2. From the Transport type drop-down menu, select Kaspersky Threat Intelligence Data Feeds.

  3. From the Content type drop-down menu, select Kaspersky JSON.

  4. The API URL field is automatically filled in with the default domain for the endpoint.
    You can add a proxy or set up ports according to your needs.
    Default value: https://wlinfo.kaspersky.com/api/v1.0/.

  5. The SSL verification checkbox is automatically selected.

  6. In the Path to SSL certificate field, enter the path to your PEM file.

  7. To store your changes, click Save; to discard them, click Cancel.

Additional information

When the feed runs, three API calls are made in the background. The first call retrieves the list of available feeds that the integration supports.
The second call extracts the download link, which the third call uses to download the zipped JSON file.

There are 9 feeds available:

  1. Malicious Hash Data Feed (66).

  2. Mobile Malicious Hash Data Feed (67).

  3. IP Reputation Data Feed (68).

  4. Mobile Botnet Data Feed (139).

  5. P-SMS Trojan Data Feed (73).

  6. Ransomware URL Data Feed (99).

  7. Botnet C&C URL Exact Data Feed (115).

  8. Phishing URL Exact Data Feed (116).

  9. Malicious URL Exact Data Feed (117).

Processing the Exact feeds (115, 116 and 117) takes longer because they are larger: instead of a single mask that covers a whole family of IOCs, they contain the exact data.
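The three-call download flow and the "process what the certificate grants, skip the rest" behaviour described above, as an added Python example (not EclecticIQ's or Kaspersky's code). The two endpoint paths under the API URL and the sample responses are constructed assumptions, since the page gives only the base URL and the feed IDs; the live transport reflects steps 5 and 6 (SSL verification on, Kaspersky-issued PEM as client certificate).

```python
import io
import json
import zipfile

BASE = "https://wlinfo.kaspersky.com/api/v1.0/"  # default API URL from the page
# The 9 Kaspersky feed IDs this integration covers (from the page).
SUPPORTED_FEEDS = {66, 67, 68, 139, 73, 99, 115, 116, 117}
# NOTE: the "feeds" and "feeds/<id>/link" paths are ASSUMED placeholders; the page gives only BASE.

def make_getter(cert_path, verify=True):
    """Live transport: present the Kaspersky-issued PEM as client certificate and keep
    SSL verification on (steps 5 and 6). Imported lazily so the offline demo needs no network lib."""
    import requests
    session = requests.Session()
    session.cert, session.verify = cert_path, verify
    def get(url):
        resp = session.get(url, timeout=60)
        resp.raise_for_status()
        return resp.content
    return get

def plan_downloads(available_ids):
    """Call 1 lists what the certificate grants: process the supported ones, skip the rest."""
    available = set(available_ids)
    return {"process": sorted(SUPPORTED_FEEDS & available),
            "skip": sorted(SUPPORTED_FEEDS - available)}

def fetch_feed(feed_id, get):
    """Call 2 returns the download link; call 3 downloads the zipped JSON, unpacked in memory."""
    link = json.loads(get(f"{BASE}feeds/{feed_id}/link"))["url"]
    with zipfile.ZipFile(io.BytesIO(get(link))) as archive:
        return json.loads(archive.read(archive.namelist()[0]))

def run(get):
    # Full feed run: the download plan plus the parsed records of every processed feed.
    plan = plan_downloads(json.loads(get(f"{BASE}feeds"))["feeds"])
    return plan, {fid: fetch_feed(fid, get) for fid in plan["process"]}

def _zip_json(records):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("feed.json", json.dumps(records))
    return buf.getvalue()

# Constructed offline stand-in for the service: this "certificate" grants feeds 66, 68 and 116
# plus an ID the integration does not cover (999); every other supported feed is skipped.
FAKE_RESPONSES = {f"{BASE}feeds": json.dumps({"feeds": [66, 68, 116, 999]}).encode()}
for fid in (66, 68, 116):
    FAKE_RESPONSES[f"{BASE}feeds/{fid}/link"] = json.dumps({"url": f"https://example.invalid/{fid}.zip"}).encode()
    FAKE_RESPONSES[f"https://example.invalid/{fid}.zip"] = _zip_json([{"feed_id": fid, "sample": "constructed"}])
fake_get = FAKE_RESPONSES.__getitem__  # offline transport; swap in make_getter("/path/to/cert.pem") for a live run
```

Running `run(fake_get)` shows feeds 66, 68 and 116 processed and the other six supported IDs listed under "skip", matching the behaviour described in the Limitations section.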

We also cover 3 demo-feeds:

  1. Demo Botnet C&C URL Data Feed (85).

  2. Demo Malicious Hash Data Feed (86).

  3. Demo IP Reputation Data Feed (87).

Test the feed

  1. In the top navigation bar, click Data Configuration > Incoming feeds.

  2. Click the feed that you just created, using the steps above.

  3. In the Overview view, click Download now.

  4. Click Ingested entities and check that entities have been ingested into the platform.

Or:

  1. In the top navigation bar, click Intelligence > All intelligence > Browse.

  2. Click the Entities tab.

  3. In the top-left corner, click the filter icon.

  4. From the Source drop-down menu, select the incoming feed you have just created, using the steps above.

  5. You can also filter by entity type: from the Entity drop-down menu, select the entity types you want to include in the filtered results.
