Kaspersky CyberTrace

Feeds

Defines how events must be checked against feeds.

Path

Feeds

Attributes

This element has the following attributes:

Feeds element attributes

Attribute

Description

per_scan_detect_limit

This attribute specifies the maximum number of detections that a single field extracted from an event can produce when it is checked against the feeds.

For example, one URL can match many feed records, and without a limit each matching record produces its own detection event. The per_scan_detect_limit attribute caps the number of events generated for that field.

This attribute is optional. If it is omitted, the number of generated events is not limited, so a single event that contains a widely listed indicator can produce a burst of detections.

update_frequency

This attribute specifies the update period (in minutes) for the feeds.

You can use one of the following values: 0, 30, 60, 120, 240, 480, 960, or 1440.

The value 0 means that Kaspersky CyberTrace does not update feeds automatically.

This attribute is optional. If it is omitted, the value 30 is used by default.

Nested elements

This element is a container for the following nested element:

  • Feed

    Every Feed element describes a feed.

    A configuration file must contain at least one Feed element.

Example

The following is an example of this element.

<Feeds per_scan_detect_limit="10000" update_frequency="30">
    <Feed filename="Demo_Botnet_CnC_URL_Data_Feed.json" enabled="true" confidence="100">
        ...
    </Feed>
    <Feed filename="Demo_Malicious_Hash_Data_Feed.json" enabled="true" confidence="100">
        ...
    </Feed>
    <Feed filename="Demo_IP_Reputation_Data_Feed.json" enabled="true" confidence="100">
        ...
    </Feed>
</Feeds>

Feed

Describes a feed or supplier.

Path

Feeds > Feed

Attributes

This element has the following attributes:

Feed element attributes

Attribute

Description

enabled

Specifies if the feed or supplier is enabled globally (across all tenants).

filename

The name of the supplier or the file name of the feed in the directory specified in the ServiceSettings > Bases element.

This attribute is mandatory.

confidence

The level of confidence of the feed or supplier. You can use values in the range of 1 to 100. The preset values are 100 for feeds from Kaspersky, 50 for OSINT feeds, and 50 for third-party feeds or suppliers.

This attribute is mandatory.

outdated_alert_period

The period (in hours) following the last feed update, after which a notification about the outdated feed (KL_ALERT_OutdatedFeed) is sent to the event target.

To turn off notifications for this feed, set this parameter to 0. If the attribute is omitted, the value of the ServiceSettings > OutdatedBasesAlertPeriod element is used.

We recommend that you set this parameter to 120 for commercial Kaspersky Data Feeds and to 720 for Kaspersky advanced persistent threat (APT) feeds. Also, we recommend that for OSINT feeds you set this parameter to 0 or another value that is convenient for you.

For third-party suppliers, this parameter is set to 0 by default.

This attribute is optional.

indicator_lifetime

The period (in hours) after which indicators of compromise from the feed or supplier are removed from the database. An indicator that has already been detected in an incoming event is not removed from the database, but the feed that contains it or the supplier that provided it can no longer be used in the matching process.

To keep indicators from the feed or supplier indefinitely (no expiry), set this attribute to 0. By default, the value of this attribute is 120.

This attribute is mandatory (except for Kaspersky Threat Data Feeds).

vendor

Name of the feed or supplier vendor.

This attribute is optional.

use_for_retroscan

Specifies whether the indicators from the feed or supplier are used for retrospective scan.

Set the value to true if the indicators must be used for retrospective scan, and to false if they must not.

is_restapi

Indicates that the supplier was added with the REST API.

If the supplier was added with the REST API, the value of this attribute is true.

This attribute is optional.

Nested elements

This element is a container for the following nested elements:

  • Field

    This element is obsolete starting from Kaspersky CyberTrace version 4.0.

    A Field element specifies the rules for checking an event against the records of the feed.

    For more information about this element, see section "About feed matching rules".

  • ActionableFields

    Defines actionable fields.

Example

The following is an example of this element.

<Feed filename="Demo_Botnet_CnC_URL_Data_Feed.json" enabled="true" confidence="100">
    <ActionableFields>
        ...
    </ActionableFields>
</Feed>
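The attribute rules above (allowed update_frequency values, the 1..100 confidence range, mandatory filename and confidence, indicator_lifetime required for non-Kaspersky feeds, at least one Feed element, and the obsolete Field element) are easy to get wrong by hand. The following linter is an added example, not CyberTrace's own tooling: it parses a Feeds fragment with the standard library and reports each documented violation before the file is deployed. The sample XML is constructed, and one assumption is not stated on the page: a feed is treated as a Kaspersky Threat Data Feed (for which indicator_lifetime is optional) only when its vendor attribute is "Kaspersky".

```python
"""Lint a CyberTrace Feeds fragment against the constraints documented on this page.

Added example, not part of CyberTrace. Assumption: a feed counts as a Kaspersky
Threat Data Feed (indicator_lifetime optional) only when vendor="Kaspersky".
The sample XML below is constructed for the example.
"""
import xml.etree.ElementTree as ET

ALLOWED_UPDATE_FREQUENCY = {0, 30, 60, 120, 240, 480, 960, 1440}
BOOLEAN_ATTRS = ("enabled", "use_for_retroscan", "is_restapi")
HOUR_ATTRS = ("outdated_alert_period", "indicator_lifetime")


def lint_feeds(xml_text):
    """Return (errors, warnings). Errors break the documented contract; warnings are legal but risky."""
    errors, warnings = [], []
    root = ET.fromstring(xml_text)
    if root.tag != "Feeds":
        return [f"root element is <{root.tag}>, expected <Feeds>"], warnings

    freq = root.get("update_frequency")
    if freq is not None and (not freq.isdigit() or int(freq) not in ALLOWED_UPDATE_FREQUENCY):
        errors.append(f"update_frequency={freq!r}: allowed values are {sorted(ALLOWED_UPDATE_FREQUENCY)}")
    elif freq == "0":
        warnings.append("update_frequency=0: feeds are never updated automatically")

    limit = root.get("per_scan_detect_limit")
    if limit is None:
        warnings.append("per_scan_detect_limit omitted: one event field can generate unlimited detections")
    elif not limit.isdigit():
        errors.append(f"per_scan_detect_limit={limit!r} is not a non-negative integer")

    feeds = root.findall("Feed")
    if not feeds:
        errors.append("no Feed element: at least one is required")

    for idx, feed in enumerate(feeds, 1):
        label = feed.get("filename") or f"Feed #{idx}"
        if feed.get("filename") is None:
            errors.append(f"{label}: filename is mandatory")
        conf = feed.get("confidence")
        if conf is None:
            errors.append(f"{label}: confidence is mandatory")
        elif not conf.isdigit() or not 1 <= int(conf) <= 100:
            errors.append(f"{label}: confidence={conf!r} must be an integer in 1..100")
        for attr in BOOLEAN_ATTRS:
            val = feed.get(attr)
            if val is not None and val not in ("true", "false"):
                errors.append(f"{label}: {attr}={val!r} must be 'true' or 'false'")
        for attr in HOUR_ATTRS:
            val = feed.get(attr)
            if val is not None and not val.isdigit():
                errors.append(f"{label}: {attr}={val!r} must be a non-negative number of hours")
        is_kaspersky = (feed.get("vendor") or "").lower() == "kaspersky"  # assumption, see docstring
        if feed.get("indicator_lifetime") is None and not is_kaspersky:
            errors.append(f"{label}: indicator_lifetime is mandatory for non-Kaspersky feeds and suppliers")
        if feed.find("Field") is not None:
            warnings.append(f"{label}: Field element is obsolete since CyberTrace 4.0")
    return errors, warnings


# Constructed samples: one fragment that follows the documented rules, one that breaks several.
GOOD = """<Feeds per_scan_detect_limit="10000" update_frequency="30">
  <Feed filename="Demo_Botnet_CnC_URL_Data_Feed.json" enabled="true" confidence="100"
        vendor="Kaspersky" outdated_alert_period="120" use_for_retroscan="true"/>
  <Feed filename="osint_blocklist.json" enabled="true" confidence="50"
        vendor="ExampleOSINT" outdated_alert_period="0" indicator_lifetime="120"/>
</Feeds>"""

BAD = """<Feeds update_frequency="45">
  <Feed filename="third_party.json" enabled="yes" confidence="150"/>
  <Feed enabled="true" confidence="50" indicator_lifetime="24"><Field name="ip"/></Feed>
</Feeds>"""

if __name__ == "__main__":
    for name, fragment in (("GOOD", GOOD), ("BAD", BAD)):
        errs, warns = lint_feeds(fragment)
        print(name, "errors:", *errs, sep="\n  ")
        print(name, "warnings:", *warns, sep="\n  ")
```

Run it against the real config before restarting Feed Service; anything in the errors list is a setting the page documents as invalid or missing, while the warnings flag the unbounded-detection and never-updated cases that are legal but usually unintended.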

Feed > ActionableFields

Defines the feed fields that are inserted into outgoing events in addition to the context fields. An outgoing event consists of context fields and actionable fields.

Path

Feeds > Feed > ActionableFields

Attributes

This element has no attributes.

Nested elements

This element is a container for the following nested element:

ActionableFields > ActionableField

Defines a single actionable field.

This element has the following attributes:

ActionableField element attributes

Attribute

Description

name

The name of the field as it is used in the feed.

output_name

Contains the name of the field as it will be inserted into outgoing events.

If the output_name attribute is omitted or contains an empty value, the field name in the outgoing event will be the same as the field name specified in the feed.

Example

The following is an example of this element.

<ActionableFields>
    <ActionableField name="information" output_name="cs4"/>
    <ActionableField name="threat" output_name="cs3"/>
</ActionableFields>

About feed matching rules

Starting from Kaspersky CyberTrace version 4.0, the Feeds > Feed > Field element is obsolete. Information in this section applies only to Kaspersky CyberTrace 3.1.0 and below.

Feed Service checks incoming events against the feeds specified in the Feeds > Feed elements. For each specified feed, matching rules are set with one or more Field elements. Each Field element describes how a particular field in the feed must match the data from incoming events.

The following is an example of a Field element:

<Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />

The Field element must have the following attributes:

  • name

    The name of the field in the feed must be specified in the name attribute. Note that field names are case-sensitive. For example, fields "md5" and "MD5" are different fields.

    To specify nested fields, use the '/' delimiter. For example, name="detail/info" specifies the info field in a feed that has the following content: [ { "hash":"234D123...", "detail": [ { "info" : "some value" } ] } ].

  • matching_type

    The type of matching must be specified in the matching_type attribute.

    The following values are possible:

    • "Url"

      The event field will be checked for conformance to the URL masks stored in the feed. For more information about the masks stored in feeds, contact your technical account manager (TAM).

    • "Exact"

      The event field and the field stored in the feed are compared as strings and must be equal.

    • "Hash"

      The event field will be checked to determine whether it is equal to the one stored in the feed. This matching type is used only for hashes.

  • input_regexp_to_match

    Name of a regular expression that is used for matching. The value of this attribute must be one of the regular expression names from the InputSettings > RegExps element.

  • category

    The category that will be used in the outgoing event.

All the attributes of the Field element are required.

The following is an example of the feed matching rules for a specific feed:

<Feed filename="Botnet_CnC_URL_Data_Feed.json">
    <Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />
    <Field name="files/MD5" matching_type="Hash" input_regexp_to_match="RE_MD5" category="KL_BotnetCnC_Hash_MD5" />
    <Field name="files/SHA1" matching_type="Hash" input_regexp_to_match="RE_SHA1" category="KL_BotnetCnC_Hash_SHA1" />
    <Field name="files/SHA256" matching_type="Hash" input_regexp_to_match="RE_SHA256" category="KL_BotnetCnC_Hash_SHA256" />
</Feed>

The following is an example of the feed matching rules for a specific feed for ArcSight:

<Feed filename="Botnet_CnC_URL_Data_Feed.json">
    <Field name="mask" matching_type="Url" input_regexp_to_match="RE_URL" category="KL_BotnetCnC_URL" />
    <Field name="files/MD5" matching_type="Hash" input_regexp_to_match="RE_HASH" category="KL_BotnetCnC_Hash_MD5" />
    <Field name="files/SHA1" matching_type="Hash" input_regexp_to_match="RE_HASH" category="KL_BotnetCnC_Hash_SHA1" />
    <Field name="files/SHA256" matching_type="Hash" input_regexp_to_match="RE_HASH" category="KL_BotnetCnC_Hash_SHA256" />
</Feed>

If your events contain the event source IP address, we recommend that you check it against IP Reputation Data Feed as well, because the event source may be a bot or another malicious device taking part in a DoS attack on your resources. To check such events against IP Reputation Data Feed, add an SRC_IP regular expression that extracts the event source IP address, and add a rule for IP Reputation Data Feed that uses the SRC_IP regular expression, so that the configuration file contains the following records:

<Feed filename="IP_Reputation_Data_Feed.json">
    <Field name="ip" matching_type="Exact" input_regexp_to_match="RE_IP" category="KL_IP_Reputation" />
    <Field name="ip" matching_type="Exact" input_regexp_to_match="SRC_IP" category="KL_IP_Reputation" />
</Feed>

Also, add a reference to the value found by the SRC_IP regular expression (%SRC_IP%) to the OutputSettings > EventFormat element, so that the matched source address is included in the outgoing event.
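The matching-rule semantics above (a named regexp extracts values from the event, a '/'-delimited name addresses a possibly nested feed field, a matching_type compares them, and a category labels the hit), together with the per_scan_detect_limit cap and the ActionableFields renaming described earlier on this page, can be seen end to end in the following reference matcher. It is an added example, not CyberTrace's own code or its actual matching engine. The regexp names, feed records and event line are constructed; two behaviours are this example's assumptions rather than documented facts: Hash values compare case-insensitively, and a Url mask is treated as an fnmatch-style wildcard over the URL without its scheme, standing in for the real mask format that this page does not define.

```python
"""Reference matcher for the legacy Field rules (CyberTrace 3.1.0 and earlier) on this page.

Added example, not CyberTrace's own code. Regexp names, feed records and the event line
are constructed. Assumptions not stated on the page: Hash comparison is case-insensitive,
and a Url mask is an fnmatch-style wildcard over the URL with its scheme removed.
"""
import re
from fnmatch import fnmatchcase

# Stand-in for InputSettings > RegExps (constructed). When a pattern has a group, the group is the value.
REGEXPS = {
    "RE_URL": re.compile(r"https?://[^\s\"']+"),
    "RE_MD5": re.compile(r"\b[0-9a-fA-F]{32}\b"),
    "RE_IP": re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})"),
    "SRC_IP": re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})"),
}

# Constructed feeds: each record is one JSON object; "files" is a nested list as in the page's example.
FEEDS = {
    "Botnet_CnC_URL_Data_Feed.json": {
        "records": [
            {"mask": "evil-cnc.test/gate/*", "threat": "Backdoor.Win32.Example",
             "files": [{"MD5": "D41D8CD98F00B204E9800998ECF8427E"}]},
            {"mask": "*.evil-cnc.test/*", "threat": "Trojan.Example",
             "files": [{"MD5": "D41D8CD98F00B204E9800998ECF8427E"}]},
        ],
        # (name, matching_type, input_regexp_to_match, category) as in a <Field .../> element
        "fields": [("mask", "Url", "RE_URL", "KL_BotnetCnC_URL"),
                   ("files/MD5", "Hash", "RE_MD5", "KL_BotnetCnC_Hash_MD5")],
        "actionable": {"threat": "cs3", "mask": ""},  # empty output_name keeps the feed field name
    },
    "IP_Reputation_Data_Feed.json": {
        "records": [{"ip": "198.51.100.7", "threat_score": 95}],
        "fields": [("ip", "Exact", "RE_IP", "KL_IP_Reputation"),
                   ("ip", "Exact", "SRC_IP", "KL_IP_Reputation")],
        "actionable": {"threat_score": "cn1"},
    },
}

# Constructed incoming event: source IP, destination IP, requested URL and a file hash.
EVENT = ("CEF:0|Example|Proxy|1.0|100|Web request|3|src=198.51.100.7 dst=203.0.113.9 "
         "request=http://evil-cnc.test/gate/panel.php fileHash=d41d8cd98f00b204e9800998ecf8427e")


def resolve(record, path):
    """Return every leaf value at a '/'-delimited path; lists along the way are walked element-wise."""
    parts = path.split("/")

    def walk(node, depth):
        if isinstance(node, list):
            for item in node:
                yield from walk(item, depth)
        elif depth == len(parts):
            yield node
        elif isinstance(node, dict) and parts[depth] in node:
            yield from walk(node[parts[depth]], depth + 1)

    return list(walk(record, 0))


def matches(matching_type, event_value, feed_value):
    """Apply one matching_type (Hash case-folding and wildcard Url masks are this example's assumptions)."""
    feed_value = str(feed_value)
    if matching_type == "Exact":
        return event_value == feed_value
    if matching_type == "Hash":
        return event_value.lower() == feed_value.lower()
    if matching_type == "Url":
        return fnmatchcase(event_value.split("://", 1)[-1], feed_value)
    raise ValueError(f"unknown matching_type {matching_type!r}")


def scan_event(event, feeds=FEEDS, regexps=REGEXPS, per_scan_detect_limit=None):
    """Check one event against all feeds; return one detection dict per matching feed record."""
    detections, hits = [], {}  # hits: detections so far per extracted event value
    for filename, feed in feeds.items():
        for name, matching_type, regexp_name, category in feed["fields"]:
            for value in regexps[regexp_name].findall(event):
                for record in feed["records"]:
                    if per_scan_detect_limit is not None and hits.get(value, 0) >= per_scan_detect_limit:
                        break  # this event field has already produced its allowed number of detections
                    if any(matches(matching_type, value, fv) for fv in resolve(record, name)):
                        hits[value] = hits.get(value, 0) + 1
                        detection = {"category": category, "matched": value, "feed": filename}
                        for fname, out in feed["actionable"].items():  # ActionableFields renaming
                            if fname in record:
                                detection[out or fname] = record[fname]
                        detections.append(detection)
    return detections


if __name__ == "__main__":
    for d in scan_event(EVENT, per_scan_detect_limit=1):
        print(d)
```

Without a limit the sample event yields four detections, because the same MD5 is listed in two botnet records; with per_scan_detect_limit="1" the second hash hit is dropped, which is the flooding case the attribute exists to cap. The second URL mask does not match, since "*.evil-cnc.test/*" requires a subdomain prefix, while the SRC_IP rule is what catches the source address that the RE_IP (destination) rule alone would miss.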
