Settings for Kaspersky Threat Feed App for MISP are specified in the settings.py file.
The settings.py file contains the following parameters:
MISP_URL: URL or IP address of the MISP instance.
If your MISP instance uses an SSL certificate to establish secure connections over HTTPS, then the URL must begin with the https:// protocol specifier. Otherwise, the converter will not be able to delete obsolete events from MISP.
The default value is an empty string. If you do not specify a value, Kaspersky Threat Feed App for MISP will not start.
AUTH_KEY: AUTH key of the MISP instance.
The AUTH key is available in the MISP web interface.
The default value is an empty string. If you do not specify a value, Kaspersky Threat Feed App for MISP will not start.
RECORDS_COUNT: The maximum number of records imported from Kaspersky Threat Data Feeds.
We do not recommend changing this value.
If this value is 0, all records are imported.
The default value for this parameter is 200000.
PROCESS_TIMEOUT: Internal parameter.
We do not recommend changing this value.
The default value (in seconds) for this parameter is 2.
QUEUE_SIZE: Internal parameter.
We do not recommend changing this value.
The default value for this parameter is 10000.
WORKERS_COUNT: The number of processes created when feeds are processed.
The recommended number of processes is (CPU_CORES * 2) - 2, where CPU_CORES is the number of CPU cores.
If the target computer has two cores, set this value to 1.
The default value for this parameter is 2.
LOG_LEVEL: The logging level for the converter.
Two logging levels are available: DEBUG and INFO. The DEBUG level is used by default.
When the INFO logging level is enabled, the converter writes less information to the log files than at the DEBUG level. Before enabling the INFO logging level, make sure that the converter works without errors; otherwise, error information may not be logged at all, or may be logged only partially, at the INFO level.
LOG_OUTPUT: The output format for logs. Logs can be written to a file or to the stdout stream.
Feed Utility log settings are not affected by this parameter and can be configured by changing the LogSettings parameter in the %service_dir%/feed_util/template.conf file. For more information about Feed Utility logs, see the online documentation for Kaspersky CyberTrace.
This parameter can have the following values: STDOUT, FILE.
The default value for this parameter is STDOUT.
LOG_FILENAME: A path and file name for the log file.
If a path is not specified, the log file is created in the %service_dir% directory. Make sure that a user that runs the converter has sufficient rights to write to this file.
The default value for this parameter is 'misp_converter.log'.
FEEDS: A dictionary that contains the identifiers and names of feeds. By default, only demo feeds are enabled. The dictionary may also contain filters applied to the feed records; these filters are passed to Feed Utility without modification. Uncomment the feeds that should be converted to MISP format. Do not change feed names or identifiers.
By default, the following filter is set for the records in the IP Reputation Data Feed and Demo IP Reputation Data Feed:
'Demo_IP_Reputation_Data_Feed': {'id': '87', 'filters': {'threat_score': '[75;*]'}}
'IP_Reputation_Data_Feed': {'id': '68', 'filters': {'threat_score': '[75;*]'}}
The default filter imports only those feed records that contain IP addresses considered dangerous (that is, with a threat_score greater than or equal to 75).
By default, the following filter is set for the records of the ICS Vulnerability Data Feed:
'ICS Vulnerability Data Feed': {'id':'151', 'filters': {'kla_id': 'KLCERT'}}
The default filter imports only those feed records whose kla_id field is equal to KLCERT.
Parameters applied only to the Vulnerability Data Feed
ADD_HAS_EXPLOITS_FIELD: Flag indicating that the has_exploits field is added to a MISP event. This field is 1 if a feed record for vulnerable files contains exploits. If a feed record does not contain exploits, the value is 0.
If the value of ADD_HAS_EXPLOITS_FIELD is True, the has_exploits field is added.
The default value for this parameter is True.
VULN_FILES_COUNT: The maximum number of vulnerable files added to a MISP event from a feed.
If this value is 0, no vulnerable files are added.
The default value for this parameter is 5.
EXPLOITS_FILES_COUNT: The maximum number of exploits added to a MISP event from a feed.
If this value is 0, no exploits are added.
The default value for this parameter is 5.
Parameters applied only to the ICS Vulnerability Data Feed
ICS_VULN_FILES_COUNT: The maximum number of vulnerable files added to a MISP event from a feed. If this value is 0, no vulnerable files are added.
The default value for this parameter is 5.
ICS_EXPLOITS_FILES_COUNT: The maximum number of exploits added to a MISP event from a feed. If this value is 0, no exploits are added.
The default value for this parameter is 5.
ICS_ADD_HAS_EXPLOITS_FIELD: Flag indicating that the has_exploits field is added to a MISP event. This field is 1 if a feed record contains an array of exploits. If a feed record does not contain an array of exploits, the value is 0.
If the value of ICS_ADD_HAS_EXPLOITS_FIELD is True, the has_exploits field is added.
The default value for this parameter is True.
Parameters for removing events
TAGS_TO_DELETE: Tags for selecting previously imported events that you want to remove from the MISP instance. For example, you may want to remove previously imported events if Kaspersky Threat Feed App for MISP terminates abnormally.
The default value is 'kaspersky', which means that all events of all feeds will be removed.
If you want to remove only certain events, change the parameter value to a comma-separated list of tags (for example, 'kaspersky:phishing-url', 'kaspersky:apt-hash'). In this case, only those events that contain at least one of the specified tags will be removed.