How to integrate Kaspersky Threat Data Feeds with Micro Focus ArcSight
The recommended way to integrate is to use Kaspersky CyberTrace. It checks the URLs, file hashes, and IP addresses contained in events that arrive in Micro Focus ArcSight ESM against threat data feeds from Kaspersky, or from other vendors or sources, that have been loaded into CyberTrace. When an indicator matches, Kaspersky CyberTrace determines the indicator category and generates an event supplemented with actionable context.
To install the SIEM connector for Micro Focus ArcSight ESM:
- Download Kaspersky CyberTrace.
- Follow the documentation to install the package.
Find the download files for Kaspersky CyberTrace in this article.
Please note that the SIEM connector for ArcSight has been tested with ArcSight ESM 6.5 and later.
Kaspersky Threat Feed App for ArcSight ESM
Kaspersky Threat Feed App for ArcSight ESM is an application that allows you to match observables from events received by ArcSight ESM against Kaspersky Threat Data Feeds using the SIEM's built-in capabilities (without CyberTrace).
Kaspersky Threat Data Feeds are imported using Kaspersky Feed Utility and the kl_feed_for_arcsight.py script. The feeds are downloaded and converted to a format that can be imported into ArcSight ESM: the kl_feed_for_arcsight.py script generates events in CEF format and sends them to an ArcSight SmartConnector, which forwards them to ArcSight ESM. ArcSight ESM receives the events from the SmartConnector and fills its lists with the indicators from Kaspersky Threat Data Feeds according to the rules contained in the Kaspersky_Threat_Data_Feeds.arb package. Once the feeds are imported, the fields of events that arrive in ArcSight ESM are matched against the indicators from the feeds, again in accordance with the rules contained in Kaspersky_Threat_Data_Feeds.arb. If a field matches a feed record, ArcSight ESM adds a detection event to the Active List.
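As an added illustration of the conversion step described above (example code written for this page, not Kaspersky's kl_feed_for_arcsight.py), the following Python builds CEF:0 events from constructed feed-style records and applies the CEF escaping rules for header fields and extension values. The feed names, extension keys, severity, and the UDP syslog transport to the SmartConnector are assumptions; the real script's field mapping is not shown on this page.

```python
import socket

# Constructed sample records in the style of Kaspersky Threat Data Feeds;
# the values are illustrative, not real indicators or real feed records.
SAMPLE_FEED = [
    {"type": "hash", "MD5": "d41d8cd98f00b204e9800998ecf8427e",
     "threat": "HEUR:Trojan.Win32.Generic", "popularity": 3},
    {"type": "ip", "ip": "192.0.2.10", "category": "botnet_cnc", "popularity": 5},
    {"type": "url", "mask": "example.com/a=b|c", "threat": "Phish", "popularity": 1},
]

# Assumed mapping: indicator type -> (feed name, CEF extension key, record field).
# The real kl_feed_for_arcsight.py field mapping is not shown on the page.
TYPE_MAP = {
    "hash": ("Malicious_Hash", "fileHash", "MD5"),
    "ip": ("IP_Reputation", "dst", "ip"),
    "url": ("Malicious_URL", "request", "mask"),
}

def cef_escape_header(value):
    """Escape a CEF header field: backslash first, then the pipe separator."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def cef_escape_ext(value):
    """Escape a CEF extension value: backslash, '=', and line breaks (pipes stay)."""
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))

def record_to_cef(record, vendor="Kaspersky", product="Threat Data Feeds", version="1.0"):
    """Turn one feed record into a single CEF:0 line for a SmartConnector."""
    feed, key, field = TYPE_MAP[record["type"]]
    header = "|".join(cef_escape_header(f) for f in
                      (vendor, product, version, feed, "Feed record imported", "5"))
    ext = [(key, record[field]),
           ("cs1Label", "feed"), ("cs1", feed),
           ("cs2Label", "threat"), ("cs2", record.get("threat") or record.get("category", "")),
           ("cn1Label", "popularity"), ("cn1", record["popularity"])]
    return "CEF:0|" + header + "|" + " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext)

def feed_to_cef(records):
    """Convert a whole feed; records of an unknown type are skipped, not sent."""
    return [record_to_cef(r) for r in records if r.get("type") in TYPE_MAP]

def send_to_smartconnector(lines, host, port=514):
    """Push CEF lines to a syslog (UDP) SmartConnector; the transport is assumed."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for line in lines:
            sock.sendto(line.encode("utf-8"), (host, port))
```

Running `feed_to_cef(SAMPLE_FEED)` yields three CEF lines; note that the `=` inside the URL mask is escaped while the `|` in the extension is left alone, which is what a SmartConnector's CEF parser expects.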
You can download Kaspersky Threat Feed App for ArcSight ESM: