How to integrate Kaspersky Threat Data Feeds with RSA NetWitness

Latest update: March 27, 2023 ID: 13855
Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with RSA NetWitness: Kaspersky CyberTrace or Kaspersky Threat Feed App for RSA NetWitness.

Kaspersky CyberTrace

The recommended integration method is Kaspersky CyberTrace. Kaspersky CyberTrace checks the URLs, file hashes, and IP addresses contained in events that arrive in RSA NetWitness against threat data feeds from Kaspersky (or other vendors) or against sources loaded into CyberTrace. During the matching process, Kaspersky CyberTrace determines the indicator category and generates an event supplemented with actionable context.

To install the SIEM connector for RSA NetWitness:

  1. Download Kaspersky CyberTrace. Find the download files for Kaspersky CyberTrace in this article.
  2. Follow the instructions in the product documentation to install the package.

Kaspersky Threat Feed App for RSA NetWitness

Alternatively, you can use Kaspersky Threat Feed App for RSA NetWitness, an application that matches observables from events received by RSA NetWitness against Kaspersky Threat Data Feeds using the SIEM's built-in capabilities (without CyberTrace).

Kaspersky Threat Data Feeds are downloaded and converted to a format that can be imported into RSA NetWitness. RSA NetWitness can then match fields of the events it receives against the indicators contained in Kaspersky Threat Data Feeds. If a match is detected, RSA NetWitness adds context from the corresponding Kaspersky Threat Data Feeds record to the matched event that contains this IoC.
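The matching and enrichment step described above, shown as an added Python example that is not Kaspersky's or RSA's code: the feed records, indicator categories, event field names and all indicator values are constructed for illustration, since the article does not show the real feed format. The example normalizes observables (hash case, URL scheme and trailing slash) before lookup so cosmetic differences do not defeat a match.

```python
from urllib.parse import urlsplit

# Constructed feed records (the real feed format is not shown in the article).
# Each record holds an indicator, its type, a category and the context to attach.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "category": "Botnet C&C",
     "context": {"threat": "Demo.Bot", "popularity": 3}},
    {"type": "hash", "value": "0123456789abcdef0123456789abcdef",
     "category": "Malicious hash", "context": {"threat": "Demo.Trojan"}},
    {"type": "url", "value": "http://example.invalid/login/verify/",
     "category": "Phishing URL", "context": {"threat": "Demo.Phish"}},
]

# Which event fields are matched against which indicator type (constructed names).
FIELD_TYPES = {"src_ip": "ip", "dst_ip": "ip", "url": "url", "file_hash": "hash"}

def normalize(kind, value):
    """Canonicalise an observable so cosmetic differences do not defeat the match."""
    value = value.strip()
    if kind == "hash":
        return value.lower()                      # hex digests are case-insensitive
    if kind == "url":
        parts = urlsplit(value if "://" in value else "http://" + value)
        return parts.netloc.lower() + parts.path.rstrip("/")  # drop scheme, trailing slash
    return value                                  # IPs are compared verbatim

def build_index(feed):
    """Map (type, normalised indicator) -> feed record for constant-time lookups."""
    return {(r["type"], normalize(r["type"], r["value"])): r for r in feed}

def enrich(event, index):
    """Return a copy of the event with a 'matches' list carrying feed context per hit."""
    matches = []
    for field, kind in FIELD_TYPES.items():
        if field not in event:
            continue
        record = index.get((kind, normalize(kind, event[field])))
        if record:
            matches.append({"field": field, "indicator": record["value"],
                            "category": record["category"], "context": record["context"]})
    return {**event, "matches": matches}

if __name__ == "__main__":
    # Constructed sample event mimicking fields a SIEM would carry.
    evt = {"src_ip": "203.0.113.45", "url": "HTTPS://Example.INVALID/login/verify",
           "file_hash": "0123456789ABCDEF0123456789ABCDEF"}
    for m in enrich(evt, build_index(FEED))["matches"]:
        print(m["field"], "->", m["category"], m["context"])
```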

To download Kaspersky Threat Feed App for RSA NetWitness:

  1. The documentation file can be downloaded here.
  2. The .tgz file for Linux can be downloaded here.