This section describes Kaspersky Threat Data Feeds that can be imported to a MISP instance.
Commercial feeds
Commercial feeds are regular Kaspersky Threat Data Feeds.
The following commercial feeds are available:
A set of IP addresses that belong to the infrastructure used in APT campaigns.
A set of domains that belong to the infrastructure used in APT campaigns.
A set of hashes that cover malicious artifacts used by APT actors to conduct APT campaigns.
This feed contains the mitre field. During conversion to MISP format, the techniques indicated in the mitre field are applied.
A set of exact URLs with context that cover desktop botnet C&C servers and related malicious objects.
A set of hashes and extra context that are described in Kaspersky Crimeware Reports and related to objects used to conduct fraudulent campaigns. The feed is used for investigation of cyber incidents.
This feed contains the mitre field. During conversion to MISP format, the techniques indicated in the mitre field are applied.
A set of domains and extra context that are described in Kaspersky Crimeware Reports and belong to the infrastructure used in fraudulent campaigns. The feed is used for investigation of cyber incidents.
A set of file hashes with corresponding context covering malicious objects used to attack Industrial Control Systems (ICS) infrastructure.
A set of security vulnerabilities in both ICS and the commonly used IT systems integrated into ICS networks.
By default, the filtering rule configured in the settings.py file allows downloading only the indicators of compromise that relate to critical infrastructure. This default improves the accuracy of ICS protection.
A set of URLs with context covering malicious links used to download malware that infects Internet of Things (IoT) devices.
A set of IP addresses with context that cover different categories of suspicious and malicious hosts.
By default, the filtering rule configured in the settings.py file cuts off indicators of compromise with a threat_score parameter value less than 75.
A set of file hashes with context that cover the most dangerous, prevalent, or emerging malware.
This feed contains the mitre field. During conversion to MISP format, the techniques indicated in the mitre field are applied.
A set of exact URLs with context that cover malicious websites and web pages.
A set of URLs and masks for detecting C&C servers and web resources that are related to mobile botnets.
A set of file hashes with context for detecting malicious objects that infect mobile Google™ Android™ and Apple® iPhone® devices.
A set of exact URLs with context that cover phishing websites and web pages.
A set of URLs, domains, and hosts with context that cover ransomware links and websites.
A set of file hashes with context that cover vulnerabilities in applications and the exploits that use those vulnerabilities.
Demo feeds
Demo feeds can be used for evaluation purposes. These feeds provide lower detection rates than their corresponding commercial versions.
The following demo feeds are available:
Provides lower detection rates than the Botnet CnC URL Data Feed.
Provides lower detection rates than the IP Reputation Data Feed.
By default, the filtering rule configured in the settings.py file cuts off indicators of compromise with a threat_score parameter value less than 75.
Provides lower detection rates than the Malicious Hash Data Feed.
This feed contains the mitre field. During conversion to MISP format, the techniques indicated in the mitre field are applied.
We recommend that you do not use commercial feeds together with their demo versions. If you plan to switch from demo feeds to commercial feeds, remove the MISP events that correspond to the demo feeds first.
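The two conversion rules described above for the IP Reputation feeds (the default threat_score cut-off of 75 in settings.py) and for the feeds that carry a mitre field (techniques applied during conversion to MISP format) are illustrated in the following added example. It is not Kaspersky's own code: the record layout, the field names and the sample values are assumptions, and the MITRE techniques are emitted as tags in MISP's mitre-attack-pattern galaxy syntax.

```python
# Added example (not Kaspersky's integration code): models the threat_score
# cut-off and the MITRE technique tagging on constructed feed records.
# Record layout and field names are assumptions, not the real feed format.
MIN_THREAT_SCORE = 75  # default cut-off the page describes for settings.py


def technique_tags(mitre_field):
    """Map the assumed mitre field (list of {'id', 'name'} dicts) to MISP galaxy tags.

    The tag syntax follows MISP's mitre-attack-pattern galaxy.
    """
    return [f'misp-galaxy:mitre-attack-pattern="{t["name"]} - {t["id"]}"'
            for t in mitre_field]


def convert_records(records, min_score=MIN_THREAT_SCORE):
    """Return MISP-style attribute dicts for the records that pass the score filter.

    Records with threat_score below min_score are dropped; a score equal to
    min_score is kept, matching "less than 75" on the page.
    """
    attributes = []
    for rec in records:
        if rec.get("threat_score", 0) < min_score:
            continue  # cut off by the filtering rule
        attributes.append({
            "type": rec["type"],
            "value": rec["value"],
            "comment": f"threat_score={rec['threat_score']}",
            "Tag": technique_tags(rec.get("mitre", [])),
        })
    return attributes


# Constructed sample records; the values are illustrative only.
SAMPLE_RECORDS = [
    {"type": "ip-dst", "value": "192.0.2.10", "threat_score": 90, "mitre": []},
    {"type": "ip-dst", "value": "192.0.2.11", "threat_score": 40, "mitre": []},
    {"type": "ip-dst", "value": "192.0.2.12", "threat_score": 75, "mitre": []},
    {"type": "sha256", "value": "0" * 64, "threat_score": 100,
     "mitre": [{"id": "T1059", "name": "Command and Scripting Interpreter"}]},
]

if __name__ == "__main__":
    for attr in convert_records(SAMPLE_RECORDS):
        print(attr["type"], attr["value"], attr["comment"], attr["Tag"])
```

Lowering min_score (or editing the rule in settings.py) admits the weaker indicators again, which is what the page's default is meant to prevent.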