Kaspersky Threat Intelligence Portal for Resilient

Using Kaspersky Threat Intelligence Portal for Resilient

March 6, 2019

ID 178181

Kaspersky Threat Intelligence Portal for Resilient provides additional information about the following types of artifacts (indicators, in Resilient terms): URLs, file hashes (MD5, SHA-1, SHA-256), domains, and IP addresses. An artifact is data that supports or relates to an incident.

You can get more details about an artifact by using the web interface of the IBM Resilient Incident Response Platform, as explained in the procedure below.

To get additional information about an artifact from Kaspersky Threat Intelligence Portal:

  1. On the menu bar, click List Incidents.

    The Incidents page opens with the All Open Incidents filter selected.

    All Open Incidents table

  2. In the All Open Incidents table, select an incident and click its ID or name.

    A page for the selected incident opens.

  3. Select the Artifacts tab.

    The Artifacts table appears, listing all artifacts associated with the selected incident.

    Artifacts table

  4. Locate the artifact for which you want additional information and, in the Actions column, click the browse button.
  5. From the drop-down list, select the type of information (each available type is prefixed with [KL]) to be requested from Kaspersky Threat Intelligence Portal, as shown in the image below.

    Selecting the type of enrichment information from the drop-down list

    The table below lists all information types available for the corresponding group of artifacts.

    Types of enrichment information available for artifacts

    Artifact type: DNS Name, URI Path, URL, URL Referrer
      Enrichment information - Description
      Category - Provides general information about the selected artifact, and the zone.
      DNS Resolutions - Provides DNS resolutions for the selected artifact.
      Related Files - Provides the list of files related to the selected artifact.
      Related URLs - Provides the list of URLs related to the selected artifact.
      Subdomains - Provides the list of subdomains. This type of information is only available for the DNS Name artifact.

    Artifact type: IP Address
      Enrichment information - Description
      Category - Provides general information about the specified IP address, and the zone.
      DNS Resolutions - Provides DNS resolutions for the specified IP address.
      Files Downloaded from IP - Provides the list of files downloaded from the specified IP address.
      Hosted URLs - Provides the list of URLs hosted on the specified IP address.

    Artifact type: Malware MD5 Hash, Malware SHA-1 Hash, Malware SHA-256 Hash
      Enrichment information - Description
      Category - Provides general and detection information about the file identified by the selected hash, and the zone.
      Certificates - Provides the list of signatures and certificates of the file identified by the selected hash.
      Paths and Names - Provides the list of paths and names of files related to the file identified by the selected hash.
      Related Files - Provides the list of files related to the file identified by the selected hash.
      Related URLs - Provides the list of URLs related to the file identified by the selected hash.

    After you select the information type, a message pops up in the upper part of the screen, informing you that your request was processed.

    Message that your request was processed

    It usually takes 2–3 seconds, but might take up to 40 seconds, for the application to get the information from Kaspersky Threat Intelligence Portal. You can track the progress of your request by clicking the Actions button in the upper-right corner and selecting Action Status in the drop-down list. The Action Status window that opens lists all the requests in a table. You can filter the table (by request status) by selecting or clearing the corresponding check boxes in the drop-down list, as shown in the image below.

    Action Status window

    If the request to Kaspersky Threat Intelligence Portal is successful, the information is added to the selected incident.

    • If the output setting is set to notes, the information of the specified type is added to the incident as a new note. Besides this information, the note contains a link to the lookup page of the artifact on Kaspersky Threat Intelligence Portal.

    Incident note that contains enriched information from Kaspersky Threat Intelligence Portal

    • If the output setting is set to description, the artifact description is enriched with the information of the specified type. Click the refresh button in your browser to reload the user interface so that the updated description appears in the artifact. The information is preceded by a header that reads == Kaspersky Threat Intelligence Portal Information ==, as shown in the image below.

    Enriched information preview

    Each subsequent request to Kaspersky Threat Intelligence Portal completely overwrites the information under the == Kaspersky Threat Intelligence Portal Information == header returned by a previous request. If you want to add some custom text to the artifact description, make sure to place it before this header to keep the text intact.

  6. If the output setting is set to description, click the artifact description value in the table of the associated artifacts to view the enriched description.

    The Details window opens, as shown in the image below.

    Artifact description enriched with information from Kaspersky Threat Intelligence Portal

    If the enriched artifact description contains HTTP status codes 401, 403, or 404, or an error message stating that the certificate file was not found, see the relevant solution in section "Troubleshooting".
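To make the overwrite rule for the description output setting concrete, the following added Python example (not part of the integration's own code) models the documented behaviour: text placed before the == Kaspersky Threat Intelligence Portal Information == header is kept, everything from the header onward is replaced on each request, and a helper flags the HTTP 401/403/404 and missing-certificate conditions named in the troubleshooting note. The exact wording of the certificate error message and the sample descriptions are assumptions.

```python
import re

# Header the integration writes before the enrichment block (from the docs).
KTIP_HEADER = "== Kaspersky Threat Intelligence Portal Information =="

# Heuristics for the troubleshooting conditions named in the documentation.
# The exact wording of the certificate error message is an assumption.
_HTTP_ERROR = re.compile(r"\b(401|403|404)\b")
_CERT_ERROR = re.compile(r"certificate file\b.*\bnot found", re.IGNORECASE)


def custom_text(description: str) -> str:
    """Analyst-written part of a description: everything before the header."""
    idx = description.find(KTIP_HEADER)
    return (description if idx < 0 else description[:idx]).strip()


def apply_enrichment(description: str, enrichment: str) -> str:
    """Model of the 'description' output setting.

    Text before KTIP_HEADER survives; the header and everything after it are
    replaced by a fresh header plus the new enrichment. Anything an analyst
    typed after the header is therefore lost on the next request.
    """
    custom = custom_text(description)
    block = f"{KTIP_HEADER}\n{enrichment.strip()}"
    return f"{custom}\n\n{block}" if custom else block


def needs_troubleshooting(description: str) -> bool:
    """True if the enriched block shows an HTTP 401/403/404 or a missing
    certificate file. Only the block after the header is inspected, so the
    bare status-code pattern cannot trigger on the analyst's own notes."""
    idx = description.find(KTIP_HEADER)
    if idx < 0:
        return False
    block = description[idx + len(KTIP_HEADER):]
    return bool(_HTTP_ERROR.search(block) or _CERT_ERROR.search(block))


if __name__ == "__main__":
    # Constructed sample: an analyst note, then two successive enrichments.
    first = apply_enrichment("Seen in phishing mail", "Category: Malware\nZone: Red")
    edited = first + "\nanalyst comment typed after the header"
    second = apply_enrichment(edited, "Zone: Red\nDNS Resolutions: 203.0.113.10")
    print(second)                      # the comment after the header is gone
    print(needs_troubleshooting(apply_enrichment("x", "HTTP 403 Forbidden")))
```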
