Adding a custom or third-party feed

This section explains how to add a custom or third-party feed and change its settings. Make sure that the General tenant is selected from the drop-down list that has all available tenants, which is located in the upper-left area of the window.

You can add feeds through only one field of the URL or DOMAIN type. That is, if you mark one field in a feed as URL or DOMAIN, do not mark another field in the feed as URL or DOMAIN. The URL and DOMAIN types are counted as the same field type.

When you add a feed, it is automatically added and enabled in all settings tenants.

Adding a custom feed

To add a feed:

1. In the Filtering rules for feeds section, click Add custom feed.

   The Custom feed window opens:

   

   Adding a custom or third-party feed

2. For any custom or third-party feed, specify the following information:
   • Feed name

     In the feed name, you can use Latin letters, numbers, underscores, and hyphens. The name must differ from other feed names that are already used.

     Do not use FalsePositive or InternalTI as the feed name, since they are reserved for the built-in supplier names of Kaspersky CyberTrace.

     Do not use the @ character in the feed name if basic authentication is used, and the user name or password contains @.

   • Vendor name

     From the drop-down list, select the name of the feed vendor or add a new one.

   • Path to the feed

     You can specify the path in one of the following forms:

     • Full path on the computer where Kaspersky CyberTrace is installed
     • Network path

       The specified network path is available for the active user account, while Feed Service and Feed Utility run under the LocalService account. Therefore, if you need to download custom and third-party feeds from a network directory, give the LocalService user account access to this network directory.

       The network directory must be mapped.

       You can only specify the network path in Windows.

     • HTTP(S) address

       Starting from Kaspersky CyberTrace version 4.0, you can download Kaspersky Threat Data Feeds and diff feeds, which were not added at the moment of the product release, from https://wlinfo.kaspersky.com. For information about diff feeds, see subsection "Downloading diff feeds" from section "Working with feeds".

       You can use an IPv4 or an IPv6 address. An IPv6 address must be enclosed in square brackets. For more information, see RFC 2732.

     • FTP address
   • Certificate

     Path to the certificate that gives access to the feed. The full path must be specified.

     You can only specify the certificate path if the feed will be downloaded over an HTTPS connection.

     If you download Kaspersky Threat Data Feeds from https://wlinfo.kaspersky.com, the field contains the preset value Kaspersky Lab certificate. You cannot change this value.

   • Feed type

     This type can be one of the following:

     • json

       If a feed in the JSON format contains a field with a subnet mask value, Kaspersky CyberTrace discloses data only if it is a first-level field. If this field is nested, Kaspersky CyberTrace cannot disclose data.

       If you download Kaspersky Threat Data Feeds from https://wlinfo.kaspersky.com, the JSON format is used. You cannot change this value.

     • stix

       If a feed is in the STIX format, you also need to choose the STIX version:

       • For STIX 1.0 or 1.1, select 1
       • For STIX 2.0, select 2
       • For STIX 2.1, select 2.1
     • csv
     • xml
     • misp
   • Confidence

     The level of confidence of the feed. This field cannot be empty. The range of possible values is from 1 to 100.

     The preset values are 100 for feeds from Kaspersky, 50 for OSINT feeds, and 50 for third-party feeds. You can change these values.

     Level of confidence is provided in the Feeds > Feed > confidence attribute of the Feed Service configuration file.

   • Authentication type

     The authentication type can be Basic or None.

     The basic authentication scheme is available if the path to the feed is an HTTP(S) or FTP address. For this type of authentication, enter the following settings:

     • User name

       This field cannot be empty.

     • Password

     Authentication type is provided in the Settings > Feeds > Feed parameter of the Feed Utility configuration file.

3. For a STIX feed, also specify the following information:
   • Get from a TAXII server

     If this check box is selected, the STIX feed must be downloaded from the TAXII server.

     For a STIX 2.0 feed, specify a TAXII 2.0 server. For a STIX 2.1 feed, specify a TAXII 2.1 server.

     When a STIX feed is downloaded from the TAXII server, Kaspersky CyberTrace parses this feed and counts the number of indicators.

   • Collection name

     The name of the collection that must be downloaded from the TAXII server. Note that you can specify only one collection name at a time.

     Kaspersky CyberTrace does not support TAXII feeds that have information about the reputation of one object. IBM feeds like xfe.ipr and xfe.url are not supported.

4. For CSV and XML feeds, specify the following information:
   • For a CSV feed, specify a delimiter. After that, the rule will be applied immediately and the columns will be split. By default, a semicolon (;) is used as a delimiter.
   • For an XML feed, specify the root element. This allows you to use the names of feed elements relative to the root element. Which element to specify as the root depends on the level of nesting in a given feed.

     In the following example, the root element is root:

   <root> <url>http</url> <ip>1</ip> <url>https</url> <ip>2</ip> </root>

   In the following example, the root element is root/element*:

   <root> <element1> <url>http</url> <ip>1</ip> </element1> <element2> <url>https</url> <ip>2</ip> </element2> </root>

   You cannot use wildcard characters (the asterisk (*) or question mark (?)) to specify the path, only the root element.

After you specify a custom or third-party feed and the settings for it, the feed is fully loaded and part of it is displayed so that you can choose the fields of the feed to be used in the matching process (see subsection "Configuring feed fields to be used for matching (CSV, JSON, XML feeds)" below).

Selecting feed fields for matching

This is relevant for feeds in the following formats: CSV, JSON, XML. After a STIX or MISP feed is added, Kaspersky CyberTrace fully loads it for use.

In some cases, such as when a STIX feed is too large and/or the TAXII server used for downloading the feed is too slow, it may take Kaspersky CyberTrace up to an hour to load a STIX feed.

Configuring feed fields to be used for matching (CSV, JSON, XML feeds)

When choosing fields for matching from diff feeds, ignore all fields inside the metadata element.

To choose feed fields to be used for matching, specify the following information for each field:

• Field type

  One of the following values can be used as the field type:

  • URL
  • MD5
  • SHA1
  • SHA256
  • IP
  • DOMAIN
  • CONTEXT

    Note that there must be at least one field with a type other than CONTEXT. Such fields are used for matching. When such a field is involved in the detection process, a detection event is generated with the %FEEDNAME%_%FIELDTYPE% category, where %FEEDNAME% is the feed name and %FIELDTYPE% is the field type.

    A feed can have one field of the CONTEXT type, at most one field of the URL or DOMAIN type, and several fields of other types. The URL and DOMAIN types are considered the same field type.

• Field name

  This name will be referred to in the matching process.

  In the field name, you can use Latin letters, numbers, underscores, and hyphens. The name must contain at least one Latin letter.

• Reference to the data in the feed:
  • For a CSV feed, specify the column number.
  • For a JSON feed, specify the property name.

    For JSON feeds, the name of the property is case-sensitive. Specify property names in the same case as they are in a JSON feed.

    To specify a nested field, use a slash (/): for example, mainField/subField.

  • For an XML feed, specify the element.

    Specify the full path to the element relative to the root element. You cannot use wildcard characters (the asterisk (*) or question mark (?)) to specify the path, only the root element. The path is case sensitive.

    In the following example, if you specified root/element* as the root element, then the full path to the elements relative to the root element is url and ip, not root/element1/url or root/element2/ip:

  <root> <element1> <url>http</url> <ip>1</ip> </element1> <element2> <url>https</url> <ip>2</ip> </element2> </root>

When adding a custom or third-party feed, feeds updating can be performed. In this case, you will be notified about it and a new feed will not be added. We recommend that you wait awhile and then try again to add a feed.

Page top