How to integrate Kaspersky Threat Data Feeds with ArcSight
To integrate threat data feeds with ArcSight, you can use Kaspersky CyberTrace or Kaspersky Threat Feed App for ArcSight ESM.
Kaspersky CyberTrace
Kaspersky CyberTrace allows you to check URLs, file hashes, and IP addresses contained in events arriving in ArcSight ESM. The URLs, file hashes, and IP addresses are checked against Kaspersky Threat Data Feeds, or against feeds from other vendors and sources uploaded to Kaspersky CyberTrace. During the matching process, Kaspersky CyberTrace determines the indicator category and generates an event with information on the actions to take.
To install the SIEM application for ArcSight ESM:
- Download the installation file for Kaspersky CyberTrace from this article.
- Install the application using these guides.
Please note that the SIEM application for ArcSight has been tested with ArcSight ESM version 6.5 and higher.
Kaspersky Threat Feed App for ArcSight ESM
Kaspersky Threat Feed App for ArcSight ESM is an application used for matching events received by ArcSight ESM against Kaspersky Threat Data Feeds using built-in SIEM capabilities (without Kaspersky CyberTrace).
Threat data feeds are imported using Kaspersky Feed Utility and the kl_feed_for_arcsight.py script. The feeds are downloaded and converted to a format that can be imported into ArcSight ESM. The kl_feed_for_arcsight.py script generates events in the CEF format and sends them to ArcSight SmartConnector, which forwards them to ArcSight ESM. ArcSight ESM receives the events from SmartConnector and populates its active lists with the indicators from the threat data feeds according to the rules contained in Kaspersky_Threat_Data_Feeds.arb. After the threat data feeds have been imported into ArcSight ESM, the fields of events arriving in ArcSight ESM are matched against the indicators from the feeds according to the rules from Kaspersky_Threat_Data_Feeds.arb. If a field matches an indicator from a data feed, ArcSight ESM adds the detected event to the active list.
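The two stages described above (feed records rendered as CEF events for a SmartConnector, and event fields matched against the indicator lists those events populate) are illustrated by the following added example. It is not Kaspersky's kl_feed_for_arcsight.py and does not use the real feed schema, CEF key mapping or ESM active-list format; the feed record shape, the `CEF_KEY` and `EVENT_FIELDS` mappings and the sample values are assumptions constructed for the example. It does show what the real pipeline has to get right: CEF header and extension escaping, case-insensitive hash comparison, and an indicator index that the matcher consults.

```python
import socket
from typing import Dict, Iterable, List, Tuple

# Constructed sample feed records (assumed shape, not the real Kaspersky feed schema).
SAMPLE_FEED = [
    {"type": "ip", "value": "203.0.113.7", "category": "botnet_cnc",
     "threat": "Trojan.Example", "severity": 8},
    {"type": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E", "category": "malicious_hash",
     "threat": "HEUR:Example", "severity": 9},
    {"type": "url", "value": "http://bad.example.test/login?x=1", "category": "phishing",
     "threat": "Phish.Example", "severity": 6},
]

# CEF extension key used to carry each indicator type (assumed mapping).
CEF_KEY = {"ip": "dst", "hash": "fileHash", "url": "request"}

# Which event fields are checked against which indicator type (assumed field names).
EVENT_FIELDS = {
    "sourceAddress": "ip", "destinationAddress": "ip",
    "fileHash": "hash", "requestUrl": "url",
}


def _escape_header(s: str) -> str:
    # CEF header fields: backslash and pipe must be escaped.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(s: str) -> str:
    # CEF extension values: backslash and equals sign must be escaped;
    # line breaks are neutralised so one event stays on one syslog line.
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "").replace("\n", "\\n"))


def normalize(kind: str, value: str) -> str:
    # Hashes are compared case-insensitively; IPs and URLs are compared as given.
    return value.lower() if kind == "hash" else value.strip()


def feed_record_to_cef(rec: dict, vendor: str = "ExampleVendor",
                       product: str = "ThreatFeed", version: str = "1.0") -> str:
    """Render one feed record as a single CEF:0 event line."""
    kind = rec["type"]
    header = "|".join(_escape_header(x) for x in (
        vendor, product, version,
        f"feed_{kind}",          # signature id (assumed naming scheme)
        rec["category"],         # event name
        str(rec["severity"]),
    ))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in (
        (CEF_KEY[kind], normalize(kind, rec["value"])),
        ("cat", rec["category"]),
        ("cs1", rec["threat"]),
        ("cs1Label", "threat"),
    ))
    return f"CEF:0|{header}|{ext}"


def send_cef_syslog(lines: Iterable[str], host: str, port: int = 514) -> int:
    """Push CEF lines to a TCP syslog receiver (e.g. a SmartConnector); returns the count sent."""
    sent = 0
    with socket.create_connection((host, port), timeout=5) as sock:
        for line in lines:
            sock.sendall((line + "\n").encode("utf-8"))
            sent += 1
    return sent


def build_indicator_sets(feed: Iterable[dict]) -> Dict[str, Dict[str, dict]]:
    """Index feed records by type and normalized value (the role of an ESM active list)."""
    sets: Dict[str, Dict[str, dict]] = {}
    for rec in feed:
        sets.setdefault(rec["type"], {})[normalize(rec["type"], rec["value"])] = rec
    return sets


def match_event(event: Dict[str, str],
                sets: Dict[str, Dict[str, dict]]) -> List[Tuple[str, dict]]:
    """Return (event_field, feed_record) pairs for every event field that hits an indicator."""
    hits: List[Tuple[str, dict]] = []
    for field, kind in EVENT_FIELDS.items():
        value = event.get(field)
        if value and normalize(kind, value) in sets.get(kind, {}):
            hits.append((field, sets[kind][normalize(kind, value)]))
    return hits


if __name__ == "__main__":
    for line in map(feed_record_to_cef, SAMPLE_FEED):
        print(line)
    index = build_indicator_sets(SAMPLE_FEED)
    # Constructed sample event: one clean source, one listed destination and one listed hash.
    event = {"sourceAddress": "10.0.0.5", "destinationAddress": "203.0.113.7",
             "fileHash": "d41d8cd98f00b204e9800998ecf8427e"}
    for field, rec in match_event(event, index):
        print(f"{field} matched {rec['category']} ({rec['threat']})")
```

Running the module prints three CEF lines and two matches for the sample event. `send_cef_syslog` is the only part that touches the network; point it at a SmartConnector listening for CEF over TCP syslog once the generated lines look right. The escaping helpers matter in practice: an unescaped `=` inside a URL indicator would split the extension into a bogus key/value pair, and an unescaped `|` in a feed category would shift every header field after it.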
To install Kaspersky Threat Feed App for ArcSight ESM:
- Download the installation file in the TGZ format for Linux: Kaspersky_ThreatDataFeed_for_ArcSight-1.1.tar.xz.
- Install the application using these guides.