Kaspersky Threat Intelligence Portal for Resilient

Installing Kaspersky Threat Intelligence Portal for Resilient

March 6, 2019

ID 178177

To install Kaspersky Threat Intelligence Portal for Resilient:

  1. Download the kaspersky_tip_enrichment-%version%.zip package from the IBM Security App Exchange portal to a computer that has the IBM Resilient Incident Response Platform installed or to any other computer with Python and resilient-circuits installed. (In kaspersky_tip_enrichment-%version%.zip, %version% is the application version.)

    To install resilient-circuits, run pip install resilient-circuits from the command line.

    The package includes the LICENSE file containing the End User License Agreement (EULA).

    To install and use the application, you must unconditionally accept the EULA that comes with the application package.

  2. Install the application with the following command:

    pip install kaspersky_tip_enrichment-%version%.zip

    where %version% is the application version.

  3. Make sure that the application has been installed successfully:
    • For Linux, enter:

      resilient-circuits list

    • For Windows, enter:

      resilient-circuits.exe list

    The following message appears:

    The following packages and components are installed:

    kaspersky-tip-enrichment==%version%:

    KasperskyTipEnrichmentFunctionComponent

    where %version% is the application version.

  4. Apply pre-configured customizations from the Kaspersky Lab package to the IBM Resilient Incident Response Platform:
    • In Linux, enter:

      resilient-circuits customize

    • In Windows, enter:

      resilient-circuits.exe customize

  5. In the web user interface of the IBM Resilient Incident Response Platform, in the drop-down list in the upper-right corner, select Customization Settings and make sure that the following is true:
    • The tabs below contain items prefixed with [KL]:
      • Rules
      • Workflows
      • Functions
    • The Message Destinations tab contains an item named Kaspersky TIP.
  6. Update the Resilient configuration file so that it includes the application settings:
    • In Linux, enter:

      resilient-circuits config -u

    • In Windows, enter:

      resilient-circuits.exe config -u

  7. Edit the app.config file. By default, on Linux systems, it is located at ~/.resilient/app.config, where ~ is your home directory. On Windows systems, app.config is located at C:\Users\%username%\.resilient\app.config, where %username% is your Windows user name. Specify the following settings in app.config:
    • pem_cert_path

      The absolute path to the PEM certificate file that grants access to Kaspersky Threat Intelligence Portal.

      Make sure that the account under which resilient-circuits runs has read permission for the PEM certificate file and for the directory where it is located. Because this file grants access to the portal, do not make it readable by other users of the computer.

    • Credentials for the Kaspersky Threat Intelligence Portal account:
      • username

        User name for the Kaspersky Threat Intelligence Portal account.

      • password

        Password for the Kaspersky Threat Intelligence Portal account.

      If you suspect that your credentials for the Kaspersky Threat Intelligence Portal account have been compromised, please contact your technical account manager (TAM).

    • proxy

      Settings of the proxy server that is used for querying Kaspersky Threat Intelligence Portal. Leave this setting blank or delete it from the configuration file if you do not use a proxy server when accessing Kaspersky Threat Intelligence Portal. If you want to use a proxy server, specify it in one of the following forms:

      • If the proxy server requires authentication:

        %user%:%pass%@%host%:%port%, where you must substitute %user% and %pass% with the user name and password for the proxy server, and substitute %host% and %port% with the host and port of the proxy server.

      • If the proxy server does not require authentication:

        %host%:%port%, where you must substitute %host% and %port% with the host and port of the proxy server.

      If possible, grant the application access to the proxy server without authentication. This type of access reduces the risk of compromising your proxy server credentials.

    • records_count

      The maximum number of records per section returned by Kaspersky Threat Intelligence Portal for Resilient at a time. By default, 10 records per section are returned.

    • output

      The location where the information received from Kaspersky Threat Intelligence Portal is displayed.

      Possible values:

      • notes

        The information is added to incidents as notes.

      • description

        The information is added to the artifact descriptions.

    • Optionally, set up logging as follows:
      • logdir=/tmp

        Destination for storing log files. The value /tmp is only an example: because the log can include the data that the application sends to and receives from the portal, store it in a directory that only the account running resilient-circuits can read, rather than in a shared location such as /tmp.

      • logfile=resilient.log

        Name of the log file.

      • loglevel=DEBUG

        Logging level, which defines the number and type of messages saved to the log file. You can specify any of the following values, listed in decreasing order of severity: CRITICAL, ERROR, WARN, INFO (default), DEBUG. For more information, see section "Edit the Configuration File" in the IBM Resilient Incident Response Platform Function Developer's Guide. We recommend specifying DEBUG: in this case, the log file will contain diagnostically helpful information.

      Although setting up logging is optional, we recommend that you not skip this step, because it is easier to find and solve potential problems when information has been saved.

      For more information on using log files for troubleshooting, see section "Troubleshooting", subsection "Using log files to find and resolve issues with Kaspersky Threat Intelligence Portal for Resilient".

    The app.config file stores your credentials for Kaspersky Threat Intelligence Portal and for the proxy server. We recommend using the res-keyring utility to add this sensitive information to your system keyring instead of storing credentials in app.config in plain text, which is the default behavior. For details, see the README for Resilient Python APIs. If you cannot use the res-keyring utility, we strongly recommend that you take extra precautions to secure the app.config file, for example by making it readable only by the account that runs resilient-circuits.

  8. Run the application by using the following command:
    • In Linux, enter:

      resilient-circuits run

    • In Windows, enter:

      resilient-circuits.exe run
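Before running the application (step 8), it is worth checking that the settings entered in step 7 are complete and that the secrets they contain are protected. The following script is an added example and is not part of the Kaspersky Lab package or of resilient-circuits. It assumes the application's settings live in a section named [kaspersky_tip_enrichment] (the section name is not stated on this page), that values beginning with ^ are res-keyring references rather than literal secrets, and it uses a constructed sample app.config so that it runs offline; pass a real path on the command line to audit an installed file.

```python
#!/usr/bin/env python3
"""Pre-flight audit of the Kaspersky TIP settings in app.config.

Added example, not Kaspersky Lab's or IBM's code. Assumptions: the section
name below, and the ^ prefix marking values that res-keyring supplies.
"""
import configparser
import os
import re
import stat
import sys

SECTION = "kaspersky_tip_enrichment"  # assumed section name
REQUIRED = ("pem_cert_path", "username", "password", "output")
LOG_LEVELS = {"CRITICAL", "ERROR", "WARN", "WARNING", "INFO", "DEBUG"}

# The two documented proxy forms: user:pass@host:port and host:port
PROXY_RE = re.compile(
    r"^(?:(?P<user>[^:@\s]+):(?P<password>[^@\s]*)@)?(?P<host>[^:@/\s]+):(?P<port>\d{1,5})$"
)

# Constructed sample of a freshly edited section, deliberately insecure.
SAMPLE_CONFIG = """\
[kaspersky_tip_enrichment]
pem_cert_path=/etc/resilient/kaspersky.pem
username=analyst
password=hunter2
proxy=svc:s3cret@proxy.example.internal:3128
records_count=10
output=notes
logdir=/tmp
logfile=resilient.log
loglevel=DEBUG
"""


def parse_proxy(value):
    """None for an empty setting, a dict for a valid one, ValueError otherwise."""
    value = (value or "").strip()
    if not value:
        return None
    m = PROXY_RE.match(value)
    if not m:
        raise ValueError("proxy must be host:port or user:pass@host:port")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError("proxy port %d is out of range" % port)
    return {"host": m.group("host"), "port": port, "user": m.group("user"),
            "password": m.group("password"),
            "authenticated": m.group("user") is not None}


def audit_section(settings, config_mode=None):
    """Return a list of findings; config_mode is app.config's st_mode (or None)."""
    findings = []
    for key in REQUIRED:
        if not settings.get(key, "").strip():
            findings.append("missing required setting: %s" % key)
    cert = settings.get("pem_cert_path", "").strip()
    if cert and not os.path.isabs(cert):
        findings.append("pem_cert_path must be an absolute path: %s" % cert)
    pw = settings.get("password", "").strip()
    if pw and not pw.startswith("^"):  # literal value, i.e. not a keyring reference
        findings.append("password is stored in plain text; consider res-keyring")
    proxy_raw = settings.get("proxy", "").strip()
    if not proxy_raw.startswith("^"):
        try:
            proxy = parse_proxy(proxy_raw)
        except ValueError as exc:
            findings.append("proxy: %s" % exc)
        else:
            if proxy and proxy["authenticated"]:
                findings.append("proxy credentials are stored in plain text; "
                                "prefer an unauthenticated proxy or res-keyring")
    count = settings.get("records_count", "10").strip()
    if not count.isdigit() or int(count) < 1:
        findings.append("records_count must be a positive integer: %r" % count)
    output = settings.get("output", "").strip()
    if output and output not in ("notes", "description"):
        findings.append("output must be 'notes' or 'description': %r" % output)
    level = settings.get("loglevel", "INFO").strip().upper()
    if level not in LOG_LEVELS:
        findings.append("unknown loglevel: %r" % level)
    logdir = settings.get("logdir", "").strip().rstrip("/")
    if logdir in ("/tmp", "/var/tmp"):
        findings.append("logdir %s is shared; DEBUG logs there may expose query data" % logdir)
    if config_mode is not None and config_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("app.config is readable by group/others; chmod 600 it")
    return findings


def audit_text(text, config_mode=None):
    """Parse app.config contents and audit the Kaspersky section."""
    cfg = configparser.ConfigParser(interpolation=None)  # keep % in secrets literal
    cfg.read_string(text)
    if not cfg.has_section(SECTION):
        return ["section [%s] not found; run 'resilient-circuits config -u'" % SECTION]
    return audit_section(dict(cfg.items(SECTION)), config_mode)


def audit_file(path):
    with open(path) as fh:
        return audit_text(fh.read(), os.stat(path).st_mode)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        problems = audit_file(sys.argv[1])
    else:
        problems = audit_text(SAMPLE_CONFIG, config_mode=0o644)  # constructed sample
    print("\n".join(problems) if problems else "no findings")
    sys.exit(1 if problems else 0)
```

On the constructed sample the script reports the plain-text portal password, the authenticated proxy, the shared /tmp log directory and a world-readable app.config; a section that uses ^keyring references, an unauthenticated proxy, a private log directory and mode 600 produces no findings. Run it as `python3 audit_tip_config.py ~/.resilient/app.config` after step 7 (the file name is an assumption).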
