This section explains how to add a custom or third-party feed and change its settings. Make sure that the General tenant is selected from the drop-down list that has all available tenants, in the upper-left area of the window.
You can add feeds through only one field of the URL or DOMAIN type. That is, if you mark one field in a feed as URL or DOMAIN, do not mark another field in the feed as URL or DOMAIN. The URL and DOMAIN types are counted as the same field type.
When you add a feed, it is automatically added and enabled in all settings tenants.
Adding a custom feed
To add a feed:
The Custom feed window opens:
Adding a custom or third-party feed
In the feed name, you can use Latin letters, numbers, underscores, and hyphens. The name must differ from other feed names that are already used.
Do not use FalsePositive or InternalTI as the feed name, since they are reserved for the built-in supplier names of Kaspersky CyberTrace.
Do not use the @
character in the feed name if basic authentication is used, and the user name or password contains @
.
From the drop-down list, select the name of the feed vendor or add a new one.
You can specify the path in one of the following forms:
The specified network path is available for the active user account, while Feed Service and Feed Utility run under the LocalService account. Therefore, if you need to download custom and third-party feeds from a network directory, give the LocalService user account access to this network directory.
The network directory must be mapped.
You can only specify the network path in Windows.
Starting from Kaspersky CyberTrace version 4.0, you can download Kaspersky Threat Data Feeds and diff feeds, which were not added at the moment of the product release, from https://wlinfo.kaspersky.com. For information about diff feeds see subsection "Downloading diff feeds" from section "Working with feeds".
You can use an IPv4 or an IPv6 address. An IPv6 address must be enclosed in square brackets (see RFC 2732 for more information).
Path to the certificate that gives access to the feed. The full path must be specified.
You can only specify the certificate path if the feed will be downloaded over an HTTPS connection.
If you download Kaspersky Threat Data Feeds from https://wlinfo.kaspersky.com, the field contains the preset value Kaspersky Lab certificate
. You cannot change this value.
This type can be one of the following:
If a feed in JSON format contains a field with a subnet mask value, Kaspersky CyberTrace discloses data only if it is a first-level field. If this field is nested, Kaspersky CyberTrace cannot disclose data.
If you download Kaspersky Threat Data Feeds from https://wlinfo.kaspersky.com, JSON format is used. You cannot change this value.
Kaspersky CyberTrace currently supports STIX versions 1.0 and 1.1.
The level of confidence of the feed. This field cannot be empty. The range of possible values is from 1 to 100.
The preset values are 100
for feeds from Kaspersky, 50
for OSINT feeds, 50
for third-party feeds. You can change these values.
Level of confidence is provided in the Feeds > Feed > confidence
attribute of the Feed Service configuration file.
The authentication type can be Basic or None.
The basic authentication scheme is available if the path to the feed is an HTTP(S) or FTP address. For this type of authentication, enter the following settings:
This field cannot be empty.
Authentication type is provided in the Settings > Feeds > Feed
parameter of the Feed Utility configuration file.
If this check box is selected, the STIX feed must be downloaded from the TAXII server.
When a STIX feed is downloaded from the TAXII server, Kaspersky CyberTrace parses this feed and counts the number of indicators.
The name of the collection that must be downloaded from the TAXII server. Note that you can specify only one collection name at a time.
Kaspersky CyberTrace does not support TAXII feeds that have information about the reputation of one object. IBM feeds like xfe.ipr and xfe.url are not supported.
In the following example, the root element is root
:
|
In the following example, the root element is root/element*
:
|
You cannot use wildcard characters (the asterisk (*
) or question mark (?
)) to specify the path, only the root element.
After you specify a custom or third-party feed and the settings for it, the feed is fully loaded and a part of it is displayed so that you can choose the fields of the feed to be used in the matching process (see subsection "Configuring feed fields to be used for matching (CSV, JSON, XML feeds)" below).
Selecting feed fields for matching
This is relevant for feeds in the following formats: CSV, JSON, XML. After a STIX or MISP feed is added, Kaspersky CyberTrace fully loads it for use.
In some cases (when a STIX feed is too large or the TAXII server used for downloading the feed is too slow, or both), it may take Kaspersky CyberTrace up to an hour to load a STIX feed.
Configuring feed fields to be used for matching (CSV, JSON, XML feeds)
When choosing fields for matching from diff feeds, ignore all fields inside the metadata
element.
To choose feed fields to be used for matching, specify the following information for each field:
One of the following values can be used as the field type:
Note that there must be at least one field with a type other than CONTEXT. Such fields are used for matching. When such a field is involved in the detection process, a detection event is generated with the %FEEDNAME%_%FIELDTYPE%
category, where %FEEDNAME%
is the feed name and %FIELDTYPE%
is the field type.
A feed can have one field of the CONTEXT type, at most one field of the URL or DOMAIN type, and several fields of other types. The URL and DOMAIN types are considered the same field type.
This name will be referred to in the matching process.
In the field name, you can use Latin letters, numbers, underscores, and hyphens. The name must contain at least one Latin letter.
For JSON feeds, the name of the property is case-sensitive. Specify property names in the same case as they are in a JSON feed.
To specify a nested field, use a slash (/
): for example, mainField/subField
.
Specify the full path to the element relative to the root element. You cannot use wildcard characters (the asterisk (*
) or question mark (?
)) to specify the path, only the root element. The path is case sensitive.
In the following example, if you specified root/element*
as the root element, then the full path to the elements relative to the root element is url
and ip
, not root/element1/url
or root/element2/ip
:
<root> <element1> <url>http</url> <ip>1</ip> </element1> <element2> <url>https</url> <ip>2</ip> </element2> </root> |
When adding a custom or third-party feed, feeds updating can be performed. In this case, you will see a notification about it, and a new feed will not be added. We recommend that you wait awhile and then try again to add a feed.
Page top