This section describes how to install Kaspersky Threat Feed App.
Only a user account that has the System Administrator role can manage Kaspersky Threat Feed App.
Getting Kaspersky Threat Feed App
You can get the Kaspersky Threat Feed App installation package from IBM Security App Exchange.
Installing Kaspersky Threat Feed App
To install Kaspersky Threat Feed App:
Extensions Management form
A list of changes to be made is displayed. In particular, the custom event properties that will be added are displayed.
Custom event properties to be added
The following custom event properties are added when the app is installed:
urls
feed
geo
hash
files
first_seen
last_seen
mask
popularity
threat
whois
URL
SHA1 Hash
SHA256 Hash
MD5 Hash
ip
records_count
You will use these properties to enable the indexes of the added custom event properties and to specify the log source type.
If you use Kaspersky Threat Feed App, you can remove the fields added to QRadar when retrieving custom event properties. These fields duplicate the fields used in Kaspersky Threat Feed App. If instead you remove the fields added during the Kaspersky Threat Feed App installation, the application may not work correctly.
Kaspersky Threat Feed App appears in the Extensions Management form after it is installed.
After Kaspersky Threat Feed Service App is installed, its name will appear as a tab—Kaspersky Data Feeds—in QRadar Console.
Kaspersky Data Feeds tab
The Configuration required form will appear.
Configuration required form
You can specify an existing token or create a new token.
If the specified token expires, the Configuration required form will appear again the next time you select Kaspersky Data Feeds. In this case, you must specify a new token.
You cannot specify the 127.0.0.1
IP address, even if Kaspersky Threat Feed App is installed on the QRadar computer. Instead, specify the external IP address of the QRadar computer.
This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console. For example, KL_Threat_Feed_Service_v2
.
For more information about specifying log sources, see the section about configuring Kaspersky Threat Feed App.