General workflow

Kaspersky Threat Feed App for MISP works as follows:

1. Feed Utility is used to download feeds.

   Feed Utility is a tool that downloads and filters Kaspersky Threat Data Feeds according to rules defined in its configuration file. For more information, see the Feed Utility guide.

2. For imports other than the first import, the diff of a feed is created.
3. The new records of the feed are converted to MISP-format files and saved to the specified directory.
4. Obsolete records are removed from the MISP instance using its REST API.

Kaspersky Threat Feed App for MISP can create two kinds of updates:

• A full diff update

  This update contains records with changed context fields. It takes a significant amount of time. The converter performs a full diff update only at intervals (in hours) defined by the full_update_interval_h parameter.

• An update with a truncated diff

  This update only adds records with new indicators of compromise (IOC) and deletes records with obsolete IOC. The converter performs this update at intervals defined by the schedule specified for the cron utility.

  

  Kaspersky Threat Feed App for MISP workflow

Page top