Step 9 (optional). Installing Kaspersky Threat Feed App

This section describes how to install Kaspersky Threat Feed App.

Only a user account that has the System Administrator role can manage Kaspersky Threat Feed App.

Getting Kaspersky Threat Feed App

You can get the Kaspersky Threat Feed App installation package from IBM Security App Exchange.

Installing Kaspersky Threat Feed App

To install Kaspersky Threat Feed App:

  1. In QRadar, select Admin and then Extensions Management.
  2. In the Extensions Management form, click the Add button.

    Figure: Extensions Management form

  3. Select the application file archive.
  4. Select the Install immediately check box.
  5. Click Add.
  6. Click Install.

    A list of changes to be made is displayed. In particular, the custom event properties that will be added are displayed.

    Figure: Custom event properties to be added

    The following custom event properties are added when the app is installed:

    • urls
    • feed
    • geo
    • hash
    • files
    • first_seen
    • last_seen
    • mask
    • popularity
    • threat
    • whois
    • URL
    • SHA1 Hash
    • SHA256 Hash
    • MD5 Hash
    • ip
    • records_count

    You will work with these properties as described in sections "Step 8 (optional). Enabling the indexes of the added custom event properties" and "Specifying the log source type".

  7. Click Install again.

    Kaspersky Threat Feed App appears in the Extensions Management form after it is installed.

  8. Refresh the browser window before you use the app.

    After Kaspersky Threat Feed App is installed, a Kaspersky Data Feeds tab appears in QRadar Console.

    Figure: Kaspersky Data Feeds tab

  9. In QRadar Console, select the Kaspersky Data Feeds tab.

    The Configuration required form will appear.

    Configuration required form

  10. In the Configuration required form:
    1. In the QRadar authentication token field, specify an authentication token that grants access to the QRadar REST API.

      You can specify an existing token or create a new one. For more information about creating a new token, see section "Authorized services".

      If the specified token expires, the Configuration required form will appear again the next time you select Kaspersky Data Feeds. In this case, you must specify a new token.

    2. In the Feed Service connection string field, specify the IP address and port that Feed Service listens on for incoming events.

      You cannot specify the 127.0.0.1 IP address, even if Kaspersky Threat Feed App is installed on the QRadar computer: the app runs in its own container, so the loopback address refers to the container rather than to the host that Feed Service listens on. Instead, specify the external IP address of the QRadar computer.

      For more information about specifying Feed Service connection string, see section "Configuring Kaspersky Threat Feed App".

    3. In the Feed Service log source name field, specify the log source name of Feed Service as it is registered in QRadar.

      This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console.

      For more information about specifying log sources, see section "Configuring Kaspersky Threat Feed App".
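The two values that most often go wrong in the Configuration required form are the connection string (loopback entered by habit) and the log source name (a near match that is not the exact Name shown under Admin > Log Sources). The script below is an added example, not part of Kaspersky Threat Feed App or QRadar: it validates the connection string under the rule stated above and looks the log source name up through the QRadar REST API using the same authentication token. The endpoint path `/api/config/event_sources/log_source_management/log_sources`, the `SEC` token header and the `fields` query parameter are assumed to match your Console's API version; the host `192.0.2.10`, port `9999`, Console name `qradar.example.com` and the log source list are constructed for the example.

```python
"""Pre-flight checks for the Configuration required form (added example).

Not part of Kaspersky Threat Feed App or QRadar. Checks the Feed Service
connection string the way the form requires it (an IP:port, never loopback)
and looks the Feed Service log source name up through the QRadar REST API so
a typo is caught before the app silently matches nothing.
"""
import ipaddress
import json
import urllib.parse
import urllib.request
from typing import Optional

# Assumed QRadar REST API endpoint; check it against the API docs of your
# Console version before relying on it.
LOG_SOURCES_PATH = "/api/config/event_sources/log_source_management/log_sources"


def parse_connection_string(conn: str) -> tuple[str, int]:
    """Validate '<ip>:<port>' as the form expects it and return (ip, port).

    Loopback is rejected: the app runs in its own container, so 127.0.0.1
    there is the container, not the QRadar host that Feed Service listens on.
    """
    host, sep, port_text = conn.strip().rpartition(":")
    if not sep or not host or not port_text.isdigit():
        raise ValueError(f"expected <ip>:<port>, got {conn!r}")
    port = int(port_text)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is out of range")
    # Accept '[2001:db8::5]:9999' as well as plain IPv4; hostnames are not
    # what the form asks for, and ip_address() raises ValueError on them.
    addr = ipaddress.ip_address(host.strip("[]"))
    if addr.is_loopback or addr.is_unspecified:
        raise ValueError(
            f"{addr} is not reachable from the app container; "
            "use the external IP address of the QRadar computer"
        )
    return str(addr), port


def log_source_request(console: str, token: str) -> urllib.request.Request:
    """Build the authenticated GET that lists log sources (id, name, enabled only)."""
    query = urllib.parse.urlencode({"fields": "id,name,enabled"})
    url = f"https://{console}{LOG_SOURCES_PATH}?{query}"
    # QRadar authorized-service tokens are sent in the SEC header (assumed).
    return urllib.request.Request(
        url, headers={"SEC": token, "Accept": "application/json"}
    )


def fetch_log_sources(console: str, token: str) -> str:
    """Perform the request. TLS verification stays on: trust the Console CA first."""
    with urllib.request.urlopen(log_source_request(console, token), timeout=30) as resp:
        return resp.read().decode("utf-8")


def find_log_source(log_sources_json: str, name: str) -> Optional[dict]:
    """Return the log source whose Name matches exactly (case-sensitive), else None."""
    matches = [ls for ls in json.loads(log_sources_json) if ls.get("name") == name]
    return matches[0] if matches else None


# Constructed sample of what the endpoint returns, so the script runs offline.
SAMPLE_LOG_SOURCES = json.dumps([
    {"id": 62, "name": "Kaspersky Feed Service", "enabled": True},
    {"id": 63, "name": "Linux OS @ qradar", "enabled": True},
])


if __name__ == "__main__":
    ip, port = parse_connection_string("192.0.2.10:9999")   # constructed value
    print(f"Feed Service connection string OK: {ip}:{port}")
    # Replace SAMPLE_LOG_SOURCES with fetch_log_sources("qradar.example.com", token)
    # to check against a live Console.
    found = find_log_source(SAMPLE_LOG_SOURCES, "Kaspersky Feed Service")
    print("log source found" if found else "log source NOT registered in QRadar")
```

Run it once with the live call substituted for the sample and the token you intend to paste into the form: a 401 from the API means the token (or its expiry) is the problem rather than the app, and a `None` from `find_log_source` means the name you typed is not what QRadar shows in the Name column.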
