How to integrate Kaspersky Threat Data Feeds with Micro Focus ArcSight
Latest update: November 22, 2019. ID: 13852

Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with Micro Focus ArcSight: through Kaspersky CyberTrace, or through the Kaspersky Threat Feed App for ArcSight ESM.

Kaspersky CyberTrace

The recommended integration is Kaspersky CyberTrace for ArcSight (the SIEM connector). It checks the URLs, file hashes, and IP addresses contained in events arriving in Micro Focus ArcSight ESM against threat data feeds from Kaspersky, or from other vendors and sources loaded into CyberTrace. When an indicator matches, Kaspersky CyberTrace determines the indicator category and generates a detection event enriched with actionable context.

To install the SIEM connector for Micro Focus ArcSight ESM:

  1. Download Kaspersky CyberTrace for ArcSight. 
  2. Follow the documentation to install the package. 

Download Kaspersky CyberTrace for ArcSight:

  • The .msi file for Windows can be downloaded here
  • The .zip file for Windows can be downloaded here
  • The .rpm file for Linux can be downloaded here
  • The .deb file for Linux can be downloaded here
  • The .tgz file for Linux can be downloaded here

Please note that the SIEM connector for ArcSight has been tested with ArcSight ESM 6.5 and later. 

Kaspersky Threat Feed App for ArcSight ESM

Kaspersky Threat Feed App for ArcSight ESM is an application that lets you match observables from events received by ArcSight ESM against Kaspersky Threat Data Feeds using the SIEM's built-in capabilities, without CyberTrace.

Kaspersky Threat Data Feeds are imported with Kaspersky Feed Utility and the kl_feed_for_arcsight.py script. The feeds are downloaded and converted into a format that ArcSight ESM can import: the kl_feed_for_arcsight.py script generates events in CEF format and sends them to an ArcSight SmartConnector, which forwards them to ArcSight ESM. ArcSight ESM receives the events from the SmartConnector and populates its lists with indicators from Kaspersky Threat Data Feeds according to the rules contained in the Kaspersky_Threat_Data_Feeds.arb package.

Once the feeds have been imported, the fields of events arriving in ArcSight ESM are matched against the feed indicators according to the rules in Kaspersky_Threat_Data_Feeds.arb. If a field matches a feed record, ArcSight ESM adds a detection event to the Active List.
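The pipeline described above, reduced to one process as an added illustration (this is not Kaspersky's kl_feed_for_arcsight.py, the SmartConnector, or the .arb rules): indicator records are serialized as CEF events with the escaping CEF requires, parsed back the way a receiver would, loaded into per-type lists, and then event fields are matched against those lists. The sample records, the vendor/product strings in the CEF header, and the choice of extension keys (`request`, `fileHash`, `dst`, `cs1`) are assumptions; the real feed schema is not shown on this page.

```python
# Added example (not Kaspersky's kl_feed_for_arcsight.py or the .arb rules): indicator
# records -> CEF lines -> per-type lists -> matching of event fields, all in one process.
import re
from typing import Dict, List, Tuple

# Constructed sample records; the real feed schema is not shown on the page.
SAMPLE_FEED = [
    {"type": "url", "value": "http://bad.example/a?x=1|2", "feed": "Malicious_URL_Data_Feed", "sev": 8},
    {"type": "hash", "value": "44d88612fea8a8f36de82e1278abb02f", "feed": "Malicious_Hash_Data_Feed", "sev": 9},
    {"type": "ip", "value": "203.0.113.7", "feed": "IP_Reputation_Data_Feed", "sev": 6},
]
EXT_KEY = {"url": "request", "hash": "fileHash", "ip": "dst"}   # standard CEF extension keys (assumed mapping)
EVENT_FIELDS = {"request": "url", "fileHash": "hash", "src": "ip", "dst": "ip"}  # event fields to check

def _esc_header(s: str) -> str:  # CEF header fields: escape backslash and pipe
    return s.replace("\\", "\\\\").replace("|", "\\|")
def _esc_ext(s: str) -> str:     # CEF extension values: escape backslash, '=' and newlines
    return s.replace("\\", "\\\\").replace("=", "\\=").replace("\r", "\\r").replace("\n", "\\n")
def _unesc(s: str) -> str:       # reverse both escapings when reading a CEF line back
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), s)

def record_to_cef(rec: Dict) -> str:
    """Serialize one indicator record as a CEF:0 line (vendor/product strings are assumed)."""
    hdr = [_esc_header(x) for x in ("Kaspersky", "Threat Data Feeds", "1.0", "KL_IOC",
                                    "Indicator from " + rec["feed"], str(rec["sev"]))]
    ext = [(EXT_KEY[rec["type"]], rec["value"]), ("cs1Label", "feed"), ("cs1", rec["feed"])]
    return "CEF:0|" + "|".join(hdr) + "|" + " ".join(f"{k}={_esc_ext(v)}" for k, v in ext)

_FIELD = r"((?:\\.|[^\\|])*)"                                   # one header field, honouring \| and \\
_HDR_RE = re.compile(r"^CEF:0\|" + r"\|".join([_FIELD] * 6) + r"\|(.*)$")
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s\w+=|$)")    # key=value; values may contain spaces

def parse_cef(line: str) -> Dict[str, str]:
    """Parse a CEF line into {'name', 'severity', <extension keys>} with values unescaped."""
    m = _HDR_RE.match(line)
    if not m:
        raise ValueError("not a CEF:0 line")
    out = {"name": _unesc(m.group(5)), "severity": m.group(6)}
    out.update((k, _unesc(v)) for k, v in _EXT_RE.findall(m.group(7)))
    return out

def build_lists(cef_lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Fill one list per indicator type (indicator -> feed name), as the ESM rules fill Active Lists."""
    lists: Dict[str, Dict[str, str]] = {t: {} for t in EXT_KEY}
    for ev in map(parse_cef, cef_lines):
        for typ, key in EXT_KEY.items():
            if key in ev:
                lists[typ][ev[key]] = ev.get("cs1", "")
    return lists

def match_event(event: Dict[str, str], lists: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (field, indicator, feed) for each event field that is present in the matching list."""
    return [(f, event[f], lists[t][event[f]]) for f, t in EVENT_FIELDS.items() if event.get(f) in lists[t]]
```

The URL sample deliberately contains `=` and `|` so the round trip exercises the escaping rules; a list built from unescaped values would silently miss such indicators.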

You can download Kaspersky Threat Feed App for ArcSight ESM:

  • The documentation file can be downloaded here
  • The .tgz file for Linux can be downloaded here