You can configure Kaspersky Threat Feed App by selecting the Settings link in QRadar Console.
Settings link
You specify the settings in a form that appears after you select the Settings link.
Settings form
The following settings fields are available:
The authentication token to access QRadar RestApi.
You can specify an existing token or create a new token.
The IP address and port that Feed Service listens on for incoming events.
If you have installed Kaspersky CyberTrace on the same computer on which QRadar is installed, Kaspersky Threat Feed App will not be able to connect to QRadar because the iptables rules forbid the communication of a Docker container, in which Kaspersky Threat Feed App is running, and the QRadar computer.
To make Kaspersky Threat Feed App work on the QRadar computer, connect to the QRadar computer using the SSH protocol and run the following command:
iptables -I INPUT -i <D_interface> -p tcp --destination-port <FS_port> -j ACCEPT
This command includes:
<D_interface>—I
nterface of the Docker container that contains Kaspersky Threat Feed App for QRadar. To find the <D_interface>
name, perform the following:
psql -U qradar -c "select id, name from installed_application;"
A table appears. Find the value for the identifier of Kaspersky Threat Feed App (hereinafter <app_id>
) from the id
column.
docker ps
In the output result, find the image with the .../qapp/<app_id>:x.x.x
name, where x.x.x
is the installed version of Kaspersky Threat Feed App, and find its CONTAINER ID
value (hereinafter <container_id>
).
docker inspect <container_id> | grep NetworkMode
The output result appears, in the format "NetworkMode": "<D_interface>"
. Substitute this result for <D_interface>
in the command above.
<FS_port>
—Port that Feed Service listens on for incoming events.If you run the above command, the added rule will be present in iptables only until iptables is restarted, or the QRadar computer is restarted. To add this rule permanently, add it to the /etc/sysconfig/iptables
file (the path to the iptables file depends on the environment configuration).
Also note that you cannot specify the 127.0.0.1
IP address even if Kaspersky Threat Feed App is installed on the QRadar computer. Specify the external IP address of the QRadar computer instead.
The log source name of Feed Service as it is registered in QRadar. This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console.
If the Feed Service log source was added automatically when you sent the initial set of Feed Service events to QRadar, the log source name is Kaspersky Threat Feed Service @ [id]
, where [id]
is the identifier of Feed Service events. (By default, [id]
is KL_Threat_Feed_Service_v2
). If you had to add Feed Service to QRadar as a log source manually because you did not have the latest QRadar updates, the log source name is [id];
that is, KL_Threat_Feed_Service_v2
by default.
It takes some time to visualize the requested data after you have changed the log source name or the installed Kaspersky Threat Feed App. While the data is being loaded, a progress bar is displayed. The time required for getting all the data depends on the selected period over which the data is visualized.
After you configure Kaspersky Threat Feed App, you can run the verification test by clicking the Run self-test button.
Self-test results
A test result of Failed
for any feed means that a tested object is assigned to an incorrect category. The error can originate, for example, in an incorrect configuration file.