Adding a custom or third-party feed

This section explains how to add a custom or third-party feed and change its settings.

The form for adding a custom or third-party feed can be disabled due to restrictions imposed by the license key or licensing level.

All custom or third-party feeds that you add to Kaspersky CyberTrace must be in UTF-8 encoding. If your custom or third-party feeds have a different encoding, make sure to convert them to UTF-8.

You can add custom feeds that contain subnet masks of Class C networks. These feeds can be used in the matching process: you can mark the feed field as IP.

Currently, you can add feeds through only one field of the URL or DOMAIN type. That is, if you mark one field in a feed as URL or DOMAIN, do not mark another field in the feed as URL or DOMAIN. The URL and DOMAIN types are counted as the same field type.

No KL_ALERT_OutdatedFeed events are generated for the added feeds.

Adding a custom feed

To add a custom or third-party feed:

  1. Add a new feed.
  2. Choose feed fields to be used for matching.

To add a new feed:

  1. In the Filtering rules for feeds section, click Add custom feed.

    The Custom feed window opens:

    Custom feed window

    Adding a custom or third-party feed

  2. For any custom or third-party feed, specify the following information:
    • Feed name

      In the feed name, you can use Latin letters, digits, underscores, and hyphens. The name must differ from other feed names that are already used.

    • Path to the feed

      You can specify the path in one of the following forms:

      • Full path on the computer where Kaspersky CyberTrace is installed
      • Network path

        The specified network path is available for the active user account, while Feed Service and Feed Utility run under the LocalService account. Therefore, if you need to download custom and third-party feeds from a network directory, give the LocalService user account access to this network directory.

        The network directory must be mapped.

        You can only specify the network path in Windows.

      • HTTP(S) address
      • FTP address
    • Certificate

      Path to the certificate that gives access to the feed. The full path must be specified.

      You can only specify the certificate path if the feed will be downloaded over an HTTPS connection.

    • Feed type

      This type can be one of the following:

      • json

        If a feed in JSON format contains a field with a subnet mask value, Kaspersky CyberTrace discloses data only if it is a first-level field. If this field is nested, Kaspersky CyberTrace cannot disclose data.

      • stix

        Kaspersky CyberTrace supports STIX versions 1 and 1.1.

      • csv
      • xml
  3. For a CSV feed, also specify a delimiter. By default, a semicolon (;) is used as a delimiter.
  4. For an XML feed, also specify the root element. This allows you to use the names of feed elements relative to the root element. Which element to specify as the root depends on the level of nesting in a given feed.

    In the following example, the root element is root:

    <root>

    <url>http</url>

    <ip>1</ip>

    </root>

    <root>

    <url>https</url>

    <ip>2</ip>

    </root>

    In the following example, the root element is root/element*:

    <root>

    <element1>

    <url>http</url>

    <ip>1</ip>

    </element1>

    </root>

    <root>

    <element2>

    <url>https</url>

    <ip>2</ip>

    </element2>

    </root>

    Note the use of a wildcard character (*). For more information on the proper use of wildcards for an XML feed, see instructions for choosing feed fields to be used for matching.

  5. For a STIX feed, also specify the following information:
    • Upload from TAXII-server

      If this check box is selected, the STIX feed must be downloaded from the TAXII server.

    • Collection name

      The name of the collection that must be downloaded from the TAXII server. Note that you can specify only one collection name at a time.

      Kaspersky CyberTrace does not support TAXII feeds that have information about the reputation of one object. IBM feeds like xfe.ipr and xfe.url are not supported.

    • Authentication type (Basic or None)

      If basic authentication is used, specify the user name and password to the TAXII server.

After you specify a custom or third-party feed and the settings for it, the feed is fully loaded and a part of it is displayed so that you can choose the fields of the feed to be used in the matching process.

Selecting feed fields for matching

Selecting feed fields for matching

This is relevant for feeds in the following formats: CSV, JSON, or XML.

To choose feed fields to be used for matching,

For every field, specify the following information:

After a STIX feed is added, Kaspersky CyberTrace fully loads it for use.

In some cases (when a STIX feed is too large or the TAXII server used for downloading the feed is too slow, or both), it may take Kaspersky CyberTrace up to an hour to load a STIX feed.

When adding a custom or third-party feed, feeds updating can be performed. In this case, you will see a notification about it, and a new feed will not be added. We recommend that you wait awhile and then try again to add a feed.

Changing the settings of a custom or third-party feed

To change the settings of a custom or third-party feed, in the Filtering rules for feeds section, click the name of the feed that you want to modify and then click Edit.

Editing a custom or third-party feed

Editing a custom or third-party feed

In the Edit custom feed window that opens, make any necessary changes and click Save.

You can change all the settings of a custom or third-party feed, except the feed type. For example, you cannot change a CSV feed to JSON.

Adding new fields to a custom or third-party feed

If a new field or fields have been added to your custom or third-party feed being used, and you want Kaspersky CyberTrace to start using these new fields, do the following:

Page top