Step 11 (optional). Configuring Kaspersky Threat Feed App

You can configure Kaspersky Threat Feed App by selecting the Settings link in QRadar Console.

Settings link in QRadar.

Settings link

You specify the settings in a form that appears after you select the Settings link.

Settings window in QRadar.

Settings form

The following settings fields are available:

QRadar authentication token
The authentication token to access QRadar RestApi.

You can specify an existing token or create a new token.
Kaspersky CyberTrace Service connection string
The IP address and port that Kaspersky CyberTrace Service listens on for incoming events.

If you have installed Kaspersky CyberTrace on the same computer on which QRadar is installed, Kaspersky Threat Feed App will not be able to connect to QRadar because the iptables rules forbid the communication of a Docker container, in which Kaspersky Threat Feed App is running, and the QRadar computer.

To make Kaspersky Threat Feed App work on the QRadar computer, connect to the QRadar computer using the SSH protocol and run the following command:

iptables -I INPUT -i <D_interface> -p tcp --destination-port <FS_port> -j ACCEPT

This command includes:
- <D_interface>—Interface of the Docker container that contains Kaspersky Threat Feed App for QRadar.
  To find the <D_interface> name, perform the following:
  1. Find the identifier of Kaspersky Threat Feed App by running the following command:
    psql -U qradar -c "select id, name from installed_application;"
    
    A table appears. Find the value for the identifier of Kaspersky Threat Feed App (hereinafter <app_id>) from the id column.
  2. Find the identifier of the Docker container in which Kaspersky Threat Feed App is contained by running the following command:
    docker ps
    
    In the output result, find the image with the .../qapp/<app_id>:x.x.x name, where x.x.x is the installed version of Kaspersky Threat Feed App, and find its CONTAINER ID value (hereinafter <container_id>).
  3. Find the interface name for the Docker image that contains Kaspersky Threat Feed App, by running the following command:
    docker inspect <container_id> | grep NetworkMode
    
    The output result appears, in the format "NetworkMode": "<D_interface>". Substitute this result for <D_interface> in the command above.
- <FS_port>—Port that Kaspersky CyberTrace Service listens on for incoming events.
If you run the above command, the added rule will be present in iptables only until iptables is restarted, or the QRadar computer is restarted. To add this rule permanently, add it to the /etc/sysconfig/iptables file (the path to the iptables file depends on the environment configuration).

Also note that you cannot specify the 127.0.0.1 IP address even if Kaspersky Threat Feed App is installed on the QRadar computer. Specify the external IP address of the QRadar computer instead.
Kaspersky CyberTrace Service log source name
The log source name of Kaspersky CyberTrace Service as it is registered in QRadar. This name is displayed in the Name column of the window that opens after Admin > Log Sources is selected in QRadar Console.

If the Kaspersky CyberTrace Service log source was added automatically when you sent the initial set of Kaspersky CyberTrace Service events to QRadar, the log source name is Kaspersky Threat Feed Service @ [id], where [id] is the identifier of Kaspersky CyberTrace Service events. (By default, [id] is KL_Threat_Feed_Service_v2). If you had to add Kaspersky CyberTrace Service to QRadar as a log source manually because you did not have the latest QRadar updates, the log source name is [id]; that is, KL_Threat_Feed_Service_v2 by default.

It takes some time to visualize the requested data after you have changed the log source name or the installed Kaspersky Threat Feed App. While the data is being loaded, a progress bar is displayed. The time required for getting all the data depends on the selected period over which the data is visualized.

After you configure Kaspersky Threat Feed App, you can run the verification test by clicking the Run self-test button.

Settings window in QRadar. Self-test results.

Self-test results

A test result of Failed for any feed means that a tested object is assigned to an incorrect category. The error can originate, for example, in an incorrect configuration file.

Page top