How to integrate Kaspersky Threat Data Feeds with Malware Information Sharing Platform (MISP) for Linux

Latest update: November 30, 2022 ID: 14787

Malware Information Sharing Platform (MISP) is an open-source platform for analyzing threats and sharing threat information. Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with MISP: Kaspersky Threat Feed App for MISP version 1.x and version 2.x.

Both applications allow you to import and update Kaspersky Threat Data Feeds in a MISP instance.


Kaspersky Threat Feed App for MISP v1

With Kaspersky Threat Feed App for MISP v1, every feed is imported as a single MISP event. The indicators from that feed are added to the event as attributes.

This version is suited to large sets of indicators and performs better, but because a whole feed is one event, correlating events based on the context of individual records is limited.

To integrate with MISP:

  1. Download Kaspersky Threat Feed App for MISP. The .tar.gz file for Linux can be downloaded here.
  2. Follow the instructions in the documentation to install the package.

Kaspersky Threat Feed App for MISP v2

Kaspersky Threat Feed App for MISP v2 differs from Kaspersky Threat Feed App for MISP v1 in the following ways:

  • The application imports Kaspersky Threat Data Feeds through the Feeds feature of MISP by converting them to the MISP JSON format (Kaspersky Threat Feed App for MISP version 1.x instead pushes the feeds through the MISP API). Every record from a Kaspersky Threat Data Feed becomes a separate MISP event.
  • Because each record is its own event, users can correlate records based on their context (in Kaspersky Threat Feed App for MISP version 1.x, a single MISP event holds all records of a feed).

Kaspersky Threat Feed App for MISP v2 is well suited to small feeds (such as the APT feeds) and lets analysts spend more of their effort on analysis, such as looking for relations between different indicators.

Because each record becomes an event, MISP performance limits how much application v2 can load: we do not recommend importing more than one feed into one MISP instance (the APT and Demo feeds are the exception). Loading all Kaspersky Threat Data Feeds into a single MISP instance is not supported in this version.
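The following Python script is an added illustration of the two import models described for v1 (one event per feed, records as attributes) and v2 (one event per record, laid out in MISP's feed format for the Feeds feature). It is not part of the Kaspersky application and does not use its code: the sample feed records, their field names (mask, type, threat, first_seen, popularity), the organisation UUID and the attribute categories chosen are assumptions made for the example. The correlations() helper is a simplified model of MISP's attribute-value correlation, included only to show why the v1 layout cannot correlate on record context.

```python
import json
import time
import uuid
from collections import defaultdict
from datetime import date

# Constructed sample feed. The record fields below are an ASSUMPTION made for
# this illustration, not Kaspersky's published record schema.
SAMPLE_FEED = {
    "name": "Malicious_URL_Data_Feed",
    "records": [
        {"mask": "evil.example/payload.exe", "type": "url",
         "threat": "Trojan.Win32.Generic", "first_seen": "2022-01-10", "popularity": 3},
        {"mask": "bad.example", "type": "domain",
         "threat": "Trojan.Win32.Generic", "first_seen": "2022-02-03", "popularity": 2},
        {"mask": "198.51.100.23", "type": "ip",
         "threat": "Backdoor.Linux.Mirai", "first_seen": "2022-05-19", "popularity": 5},
    ],
}

# Placeholder creator-organisation UUID for the feed manifest (assumed value).
ORGC_UUID = str(uuid.uuid5(uuid.NAMESPACE_DNS, "feed.example.invalid"))

# Indicator kind in the sample feed -> (MISP attribute category, MISP attribute type).
MISP_TYPE = {
    "url": ("Network activity", "url"),
    "domain": ("Network activity", "domain"),
    "ip": ("Network activity", "ip-dst"),
    "md5": ("Payload delivery", "md5"),
}


def indicator_attribute(rec):
    """The indicator itself; to_ids=True so it reaches IDS/NIDS exports."""
    category, misp_type = MISP_TYPE[rec["type"]]
    return {"category": category, "type": misp_type, "value": rec["mask"],
            "to_ids": True,
            "comment": f"threat={rec['threat']} first_seen={rec['first_seen']} "
                       f"popularity={rec['popularity']}"}


def context_attribute(rec):
    """Record context (threat name) as a separate attribute. Only as an
    attribute value can MISP correlate events that share this context; in the
    v1 layout it survives only inside the indicator's comment."""
    return {"category": "Payload type", "type": "text",
            "value": rec["threat"], "to_ids": False}


def new_event(info, attributes):
    """Minimal MISP event envelope in the shape of a MISP JSON export."""
    return {"Event": {"uuid": str(uuid.uuid4()), "info": info,
                      "date": date.today().isoformat(),
                      "threat_level_id": "2",  # medium
                      "analysis": "2",         # completed
                      "distribution": "0",     # this organisation only
                      "Attribute": attributes}}


def build_v1_events(feed):
    """App v1 model: the whole feed is ONE event, every record an attribute."""
    attrs = [indicator_attribute(r) for r in feed["records"]]
    return [new_event(f"Kaspersky {feed['name']}", attrs)]


def build_v2_events(feed):
    """App v2 model: EVERY record is its own event carrying indicator + context."""
    return [new_event(f"Kaspersky {feed['name']}: {r['mask']}",
                      [indicator_attribute(r), context_attribute(r)])
            for r in feed["records"]]


def correlations(events):
    """Simplified MISP correlation: attribute values seen in two or more
    distinct events. Returns {value: number_of_events_sharing_it}."""
    events_by_value = defaultdict(set)
    for ev in events:
        for attr in ev["Event"]["Attribute"]:
            events_by_value[attr["value"]].add(ev["Event"]["uuid"])
    return {v: len(u) for v, u in events_by_value.items() if len(u) > 1}


def misp_feed_files(events):
    """Lay events out in MISP's native feed format (manifest.json plus one
    <uuid>.json per event), which the MISP Feeds feature can fetch over HTTP
    or from a local directory. Returns {filename: json_text}."""
    files, manifest = {}, {}
    for ev in events:
        e = ev["Event"]
        manifest[e["uuid"]] = {"info": e["info"], "date": e["date"],
                               "analysis": e["analysis"], "Tag": [],
                               "threat_level_id": e["threat_level_id"],
                               "timestamp": int(time.time()),
                               "Orgc": {"name": "Kaspersky", "uuid": ORGC_UUID}}
        files[f"{e['uuid']}.json"] = json.dumps(ev, indent=2)
    files["manifest.json"] = json.dumps(manifest, indent=2)
    return files


if __name__ == "__main__":
    v1, v2 = build_v1_events(SAMPLE_FEED), build_v2_events(SAMPLE_FEED)
    print("v1 events:", len(v1), "correlations:", correlations(v1))
    print("v2 events:", len(v2), "correlations:", correlations(v2))
    print("v2 feed files:", sorted(misp_feed_files(v2)))
```

Running the script shows the trade-off the article describes: the v1 layout yields one event and no cross-event correlations, while the v2 layout yields one event per record and lets MISP correlate the two records that share the threat name, at the cost of an event count equal to the record count, which is why loading a large feed this way is discouraged.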

To integrate with MISP:

  1. Download Kaspersky Threat Feed App for MISP. The .tar.gz file for Linux can be downloaded here.
  2. Follow the instructions in the documentation to install the package.