Kaspersky Threat Intelligence Portal for ArcSight

You can use ArcSight to look up IP addresses, URLs, and hashes in Kaspersky Threat Intelligence Portal. To do this, you must perform several preliminary actions:

  1. Import the certificate for Kaspersky Threat Intelligence Portal to the browser that is used by default in ArcSight.
  2. Import the KL_TIP_Lookup.arb package to ArcSight.

To import the KL_TIP_Lookup.arb package to ArcSight:

  1. In ArcSight Console, select the Packages tab.
  2. Click the Import button.

    [Figure: Importing a package]

  3. In the Open dialog box, select the KL_TIP_Lookup.arb package.
  4. In the Packages for Installation dialog box, select the Install check box for this package and click Next.

    [Figure: Selecting packages to install]

  5. In the Importing Packages dialog box, click OK.

After the package is installed, it is added to the Packages > Shared > All Packages > Public folder.

[Figure: Imported package]

To look up a value in Kaspersky Threat Intelligence Portal:

  1. In ArcSight, open an active channel that contains events from any event source.

    [Figure: A form with events]

    Looking up a value by using the context menu is implemented for active channels only.

  2. Right-click the value that you want to look up in Kaspersky Threat Intelligence Portal.
  3. In the context menu, select Integration Commands > KL TIP Lookup.

    [Figure: Context menu for an event]

    The browser opens a Kaspersky Threat Intelligence Portal web page with the information about the selected indicator.

    [Figure: Kaspersky Threat Intelligence Portal page]

    For more information about Kaspersky Threat Intelligence Portal, refer to the documentation displayed after you click the HELP link in the upper right area of the Kaspersky Threat Intelligence Portal window.

You can also perform a lookup in ArcSight Command Center by using the context menu for an indicator.

[Figure: Performing a lookup in ArcSight Command Center]
