Settings for Kaspersky Threat Feed App for MISP are specified in the settings.py file.
The settings.py file contains the following parameters:
RECORDS_COUNT
Defines the maximum number of records imported from Kaspersky Threat Data Feeds.
It is not recommended to change this value.
If this value is 0, all records are imported.
The default value for this parameter is 200000.
FEEDS
A dictionary that contains the identifiers and names of feeds. Also, the dictionary can contain the filters applied to the feed records that will be re-used by Feed Utility without modification. Uncomment those feeds that must be converted to MISP format. Do not change feed names or identifiers.
By default, the following filter is set for the records of IP Reputation Data Feed and Demo IP Reputation Data Feed:
'Demo_IP_Reputation_Data_Feed': {'id': '87', 'filters': {'threat_score': '[75;*]'}},
'IP_Reputation_Data_Feed': {'id': '68', 'filters': {'threat_score': '[75;*]'}},
The default filter imports only those feed records that contain IP addresses considered dangerous (that is, records whose threat_score field is equal to or greater than 75).
LOG_LEVEL
Defines the logging level for a converter.
Two logging levels are available: DEBUG and INFO. The DEBUG level is used by default.
When the INFO logging level is enabled, the converter writes less information to the log files than when the DEBUG level is enabled. Before enabling the INFO logging level, make sure that the converter works without errors. Otherwise, information about errors may not be logged, or may be logged only partially, at the INFO logging level.
LOG_OUTPUT
Defines the output format for logs. Logs can be written to a file or to the stdout stream.
Feed Utility logging settings are not affected by this parameter and can be configured by changing the LogSettings parameter in the %service_dir%/feed_util/template.conf file. For more information about Feed Utility logging, see the online documentation for Kaspersky CyberTrace.
This parameter can have the following values: STDOUT, FILE.
The default value for this parameter is STDOUT.
LOG_FILENAME
Defines a path and file name for the log file.
If a path is not specified, the log file is created in the %service_dir% directory. Make sure that the user that runs the converter has sufficient rights to write to this file.
PROCESS_TIMEOUT
Internal parameter.
It is not recommended to change this value.
The default value for this parameter is 2.
QUEUE_SIZE
Internal parameter.
It is not recommended to change this value.
The default value for this parameter is 10000.
WORKERS_COUNT
The number of processes that are created when feeds are processed.
The recommended number of processes is (CPU_CORES * 2) - 2, where CPU_CORES is the number of CPU cores.
If the target computer has two cores, set this value to 1.
VULN_FILES_COUNT
Defines the maximum number of vulnerable files added to a MISP event from a feed.
If this value is 0, no vulnerable files are added.
You can set this parameter only for Vulnerability Data Feed.
EXPLOITS_FILES_COUNT
Defines the maximum number of exploits added to a MISP event from a feed.
If this value is 0, no exploits are added.
You can set this parameter only for Vulnerability Data Feed.
ADD_HAS_EXPLOITS_FIELD
Flag indicating that the has_exploits field is added to a MISP event. This field takes the value 1 if a feed record for vulnerable files contains exploits. If the feed record does not contain exploits, the value is 0.
If the value of ADD_HAS_EXPLOITS_FIELD is True, the has_exploits field is added.
You can set this parameter only for Vulnerability Data Feed.
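The constraints described above can be checked before the converter is started. The following is an added example, not part of Kaspersky Threat Feed App for MISP: check_settings and recommended_workers are hypothetical helper names, and the Python types of the settings values (strings for LOG_LEVEL and LOG_OUTPUT, integers for the counts) are assumptions.

```python
import os

# Values documented on this page; the Python types are assumptions.
ALLOWED = {"LOG_LEVEL": {"DEBUG", "INFO"}, "LOG_OUTPUT": {"STDOUT", "FILE"}}
COUNTS = ("RECORDS_COUNT", "VULN_FILES_COUNT", "EXPLOITS_FILES_COUNT")
IP_FEED_IDS = {"Demo_IP_Reputation_Data_Feed": "87", "IP_Reputation_Data_Feed": "68"}


def recommended_workers(cpu_cores):
    """(CPU_CORES * 2) - 2, with the page's value of 1 for two cores.

    Clamping to at least 1 for a single core is an assumption.
    """
    return 1 if cpu_cores == 2 else max(1, cpu_cores * 2 - 2)


def check_settings(cfg, cpu_cores, service_dir):
    """Return findings for a dict holding the values read from settings.py."""
    findings = []
    for name, allowed in ALLOWED.items():
        if name in cfg and cfg[name] not in allowed:
            findings.append(f"{name}: {cfg[name]!r} not in {sorted(allowed)}")
    for name in COUNTS:
        value = cfg.get(name, 0)
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            findings.append(f"{name}: expected an integer >= 0, got {value!r}")
    workers = cfg.get("WORKERS_COUNT")
    if workers is not None and workers != recommended_workers(cpu_cores):
        findings.append(f"WORKERS_COUNT: {workers}, recommended "
                        f"{recommended_workers(cpu_cores)} for {cpu_cores} cores")
    for feed, feed_id in IP_FEED_IDS.items():
        entry = cfg.get("FEEDS", {}).get(feed)
        if entry is None:
            continue  # feed left commented out, nothing to check
        if entry.get("id") != feed_id:
            findings.append(f"FEEDS[{feed}]: id changed from {feed_id!r}")
        if "threat_score" not in entry.get("filters", {}):
            findings.append(f"FEEDS[{feed}]: threat_score filter missing")
    if cfg.get("LOG_OUTPUT") == "FILE":
        name = cfg.get("LOG_FILENAME", "")
        # Assumption: "path not specified" means no directory component.
        path = name if os.path.dirname(name) else os.path.join(service_dir, name)
        target = path if os.path.isfile(path) else os.path.dirname(path)
        if not name or not os.access(target, os.W_OK):
            findings.append(f"LOG_FILENAME: {path!r} is not writable by this user")
    return findings
```

Run the check as the same user that runs the converter, because os.access tests the permissions of the calling user.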