Step 9 (optional). Installing Kaspersky Threat Feed App

This section describes how to install Kaspersky Threat Feed App.

Only a user account that has the System Administrator role can manage Kaspersky Threat Feed App.

Getting Kaspersky Threat Feed App

You can get the Kaspersky Threat Feed App installation package from IBM Security App Exchange.

Installing Kaspersky Threat Feed App

To install Kaspersky Threat Feed App:

  1. In QRadar, select Admin and then Extensions Management.
  2. In the Extensions Management form, click the Add button.

    QRadar25

    Extensions Management form

  3. Select the application file archive.
  4. Select the Install immediately check box.
  5. Click Add.
  6. Click Install.

    A list of changes to be made is displayed. In particular, the custom event properties that will be added are displayed.

    QRadar18

    Custom event properties to be added

    The following custom event properties are added when the app is installed:

    • urls
    • feed
    • geo
    • hash
    • files
    • first_seen
    • last_seen
    • mask
    • popularity
    • threat
    • whois
    • URL
    • SHA1 Hash
    • SHA256 Hash
    • MD5 Hash
    • ip
    • records_count

    You will use these properties to enable the indexes of the added custom event properties and to specify the log source type.

    If you use Kaspersky Threat Feed App, you can remove the fields added to QRadar when retrieving custom event properties. These fields duplicate the fields used in Kaspersky Threat Feed App. If instead you remove the fields added during the Kaspersky Threat Feed App installation, the application may not work correctly.

  7. Click Install again.

    Kaspersky Threat Feed App appears in the Extensions Management form after it is installed.

  8. Refresh the browser window before you use the app.

    After Kaspersky Threat Feed Service App is installed, its name will appear as a tab—Kaspersky Data Feeds—in QRadar Console.

    QRadar17

    Kaspersky Data Feeds tab

  9. In QRadar Console, select Kaspersky Data Feeds tab.

    The Configuration required form will appear.

    Configuration required form

  10. In the Configuration required form:
    1. In the QRadar authentication token field, specify an authentication token to access QRadar REST API.

      You can specify an existing token or create a new token.

      If the specified token expires, the Configuration required form will appear again the next time you select Kaspersky Data Feeds. In this case, you must specify a new token.

    2. In the Feed Service connection string field, specify the IP address and port that Feed Service listens on for incoming events.

      You cannot specify the 127.0.0.1 IP address, even if Kaspersky Threat Feed App is installed on the QRadar computer. Instead, specify the external IP address of the QRadar computer.

    3. In the Feed Service log source name field, specify the log source name of Feed Service as it is registered in QRadar.

      This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console. For example, KL_Threat_Feed_Service_v2.

      For more information about specifying log sources, see the section about configuring Kaspersky Threat Feed App.

Page top