Feed

Describes a feed or supplier.

Path

Feeds > Feed

Attributes

This element has the following attributes:

Feed element attributes

Attribute

Description

enabled

Specifies if the feed or supplier is enabled globally (across all tenants).

filename

The name of the supplier or the file name of the feed in the directory specified in the ServiceSettings > Bases element.

This attribute is mandatory.

confidence

The level of confidence of the feed or supplier. You can use values in the range of 1 to 100. The preset values are 100 for feeds from Kaspersky, 50 for OSINT feeds, and 50 for third-party feeds or suppliers.

This attribute is mandatory.

outdated_alert_period

The period (in hours) following the last feed update, after which a notification about the outdated feed (KL_ALERT_OutdatedFeed) is sent to the event target.

To turn off notifications for this feed, set this parameter to 0. If the attribute is omitted, the value of the ServiceSettings > OutdatedBasesAlertPeriod element is used.

We recommend that you set this parameter to 120 for commercial Kaspersky Data Feeds and to 720 for Kaspersky advanced persistent threat (APT) feeds. Also, we recommend that for OSINT feeds you set this parameter to 0 or another value that is convenient for you.

For third-party suppliers, this parameter is set to 0 by default.

This attribute is optional.

indicator_lifetime

The period (in hours) after which indicators of compromise from the feed or supplier are removed from the database. If an indicator has been detected in an incoming event, it is not removed from the database, but the feed that contains this indicator or the supplier that provided it can no longer be used in the matching process.

To set no time limit on invalidation for the feed or supplier, set this attribute to 0. By default, the value of this attribute is 120.

This attribute is mandatory (except for Kaspersky Threat Data Feeds).

vendor

Name of the feed or supplier vendor.

This attribute is optional.

use_for_retroscan

Specifies if the indicators from the feed or supplier must be used for retrospective scan.

If the indicators must be used for retrospective scan, the value of this attribute is true.

If the indicators must not be used for retrospective scan, the value of this attribute is false.

is_restapi

Indicates that the supplier was added with the REST API.

If the supplier was added with the REST API, the value of this attribute is true.

This attribute is optional.

Nested elements

This element is a container for the following nested elements:

Example

The following is an example of this element.

<Feed filename="Demo_Botnet_CnC_URL_Data_Feed.json" enabled="true" confidence="100">
    <ActionableFields>
        ...
    </ActionableFields>
</Feed>
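The attribute rules in the table above can be checked mechanically before a configuration is deployed. The following Python script is an added example, not part of the product or of this documentation; the audit_feeds function, its kaspersky_feeds parameter (file names to treat as Kaspersky Threat Data Feeds, which are exempt from the indicator_lifetime requirement) and the sample XML are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the Feeds wrapper follows the "Feeds > Feed" path.
SAMPLE = """<Feeds>
  <Feed filename="Demo_Botnet_CnC_URL_Data_Feed.json" enabled="true" confidence="100"/>
  <Feed filename="example_osint.csv" enabled="true" confidence="150"
        indicator_lifetime="0" outdated_alert_period="0"/>
  <Feed enabled="true" confidence="50" use_for_retroscan="yes"/>
</Feeds>"""

def _nonneg_int(value):
    """Parse a non-negative integer; return None if missing or invalid."""
    try:
        number = int(value)
    except (TypeError, ValueError):
        return None
    return number if number >= 0 else None

def audit_feeds(xml_text, kaspersky_feeds=()):
    """Return (filename, message) findings for every Feed element."""
    findings = []
    for feed in ET.fromstring(xml_text).iter("Feed"):
        name = feed.get("filename")
        label = name or "<no filename>"
        if not name:
            findings.append((label, "filename is mandatory"))
        conf = _nonneg_int(feed.get("confidence"))
        if conf is None or not 1 <= conf <= 100:
            findings.append((label, "confidence is mandatory, range 1 to 100"))
        life = feed.get("indicator_lifetime")
        if life is None:
            # Assumption: the caller lists which files are Kaspersky feeds.
            if name not in kaspersky_feeds:
                findings.append((label, "indicator_lifetime is mandatory"))
        elif _nonneg_int(life) is None:
            findings.append((label, "indicator_lifetime must be hours >= 0"))
        elif _nonneg_int(life) == 0:
            findings.append((label, "note: no limit on indicator lifetime"))
        alert = feed.get("outdated_alert_period")
        if alert is not None and _nonneg_int(alert) is None:
            findings.append((label, "outdated_alert_period must be hours >= 0"))
        elif alert is not None and _nonneg_int(alert) == 0:
            findings.append((label, "note: outdated-feed notifications off"))
        retro = feed.get("use_for_retroscan")
        if retro not in (None, "true", "false"):
            findings.append((label, "use_for_retroscan must be true or false"))
    return findings
```

Entries prefixed with "note:" are valid settings that reduce monitoring or retention hygiene (no KL_ALERT_OutdatedFeed notification, indicators that are never invalidated) and are worth a deliberate review rather than a fix.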
