This section provides basic information about Kaspersky Threat Feed App and the components required for its use.
About the product
Kaspersky Threat Feed App for Splunk integrates Kaspersky Threat Intelligence Data Feeds into the Splunk environment to highlight risks and implications associated with security breaches, aid in mitigating cyberthreats more effectively and defend against attacks even before they are launched.
Kaspersky Threat Feed App basics
Kaspersky Threat Feed App is a Splunk app. It does the following:
Additionally, Kaspersky Threat Feed App comes with alert templates that demonstrate the basic trigger conditions that can be used with Kaspersky Threat Feed App for Splunk.
About the dependencies
Kaspersky Threat Feed App will not work on its own. It requires two other components provided by Kaspersky Lab.
To use Kaspersky Threat Feed App, you need to get the following from Kaspersky Lab:
Threat Data Feeds contain information about a wide range of cyberthreats; this information includes indicators of compromise (IOC) for these cyberthreats. Threat Data Feeds are used by Kaspersky Threat Feed App and Kaspersky Threat Feed Service. For a full list of available Threat Data Feeds, see Data feeds from Kaspersky Lab.
Threat Feed Service analyzes events that are collected by Splunk from event sources and matches URLs, IP addresses, and hashes to Threat Data Feeds.
Indicators of compromise (IOCs) from Threat Data Feeds are not loaded into Splunk; instead, they are processed by Kaspersky Threat Feed Service. This reduces the load on Splunk that would otherwise come from matching events against large numbers of IOCs. When a match is found, rich contextual information about the incident is passed to Splunk and is displayed by Kaspersky Threat Feed App in the Kaspersky Threat Feed Matches dashboard.
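The following sketch is an added illustration of the matching step described above; it is not Kaspersky's code and not the actual Threat Feed Service. A small constructed feed of indicators is indexed outside Splunk, constructed events carrying URLs, IP addresses and hashes are checked against it, and only the matches, enriched with the feed's context, are returned in a shape a dashboard could consume. The feed records, event field names (url, dest_ip, file_hash) and context fields are all assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample feed records, loosely modelled on a threat data feed:
# each indicator carries the context that is forwarded to Splunk on a match.
SAMPLE_FEED = [
    {"type": "url", "value": "http://bad.example.test/login", "threat": "Phishing", "popularity": 5},
    {"type": "ip", "value": "192.0.2.10", "threat": "Botnet C&C", "popularity": 3},
    {"type": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E", "threat": "Malware", "popularity": 4},
]

# Constructed sample events as Splunk might collect them from log sources.
SAMPLE_EVENTS = [
    {"src": "10.0.0.5", "url": "HTTP://bad.example.test/login", "sourcetype": "proxy"},
    {"src": "10.0.0.6", "dest_ip": "192.0.2.10", "sourcetype": "firewall"},
    {"src": "10.0.0.7", "file_hash": "d41d8cd98f00b204e9800998ecf8427e", "sourcetype": "edr"},
    {"src": "10.0.0.8", "url": "https://good.example.test/", "sourcetype": "proxy"},
]

# Event field -> indicator type; these field names are an assumption for this sketch.
FIELD_TYPES = {"url": "url", "dest_ip": "ip", "file_hash": "hash"}

def normalize(kind, value):
    """Bring an observable into canonical form so feed lookups are exact-match."""
    value = value.strip()
    if kind == "url":
        parts = urlsplit(value.lower())
        return parts.netloc + (parts.path or "/")  # drop the scheme, keep host and path
    return value.lower()  # hashes compare case-insensitively; IPs are unaffected

def build_index(feed):
    """Index the feed by (type, normalized value). This index lives outside Splunk."""
    return {(r["type"], normalize(r["type"], r["value"])): r for r in feed}

def match_events(events, index):
    """Return only the events that hit the feed, enriched with the feed's context."""
    matches = []
    for event in events:
        for field, kind in FIELD_TYPES.items():
            if field in event:
                record = index.get((kind, normalize(kind, event[field])))
                if record:
                    matches.append({**event, "matched_type": kind, "matched_value": record["value"],
                                    "threat": record["threat"], "popularity": record["popularity"]})
    return matches
```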
To get Threat Data Feeds and Kaspersky Threat Feed Service, please contact Kaspersky Lab. For more information, see http://www.kaspersky.com/enterprise-security/intelligence-services.