General workflow

Kaspersky Threat Feed App for MISP works as follows:

  1. The user runs the converter (main.py) with the parameters specified in the "Command-line parameters" section.
  2. The converter (main.py) generates a configuration file for Feed Utility based on the template.conf file.
  3. Feed Utility is used to download feeds.

    Feed Utility is a tool designed to simplify the process of downloading and filtering data feeds. Able to compare feed versions and apply rules from a configuration file, this tool is a core component of integration with the Kaspersky Data Feeds API. For more information, see the Feed Utility guide.

    For information about filtering data feeds, see the "Filtering rules" section. The filtering rules can be configured in the FEEDS parameter of the settings.py file.

  4. Once the converter has been initialized, the user uses the MISP UI to specify the path to the feed storage folder (see the "Loading converted feeds to MISP" section).
  5. To run the converter on a regular basis, the user can set up cron jobs via the command line (see the "Scheduling feeds conversion" section).
  6. The feed's new records are converted to MISP-format files and saved to the "workdir/%feed_name%" directory inside the converter's parent folder.
  7. For each subsequent import, the difference between the versions is determined.
  8. During the update, revoked records are removed from the MISP instance via the REST API. Kaspersky Threat Feed App for MISP can perform two types of updates: