How to integrate Kaspersky Threat Data Feeds with Micro Focus ArcSight

Latest update: March 27, 2023 ID: 13852
Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with Micro Focus ArcSight: Kaspersky CyberTrace or Kaspersky Threat Feed App for ArcSight ESM.

Kaspersky CyberTrace

The recommended integration method is Kaspersky CyberTrace. It checks the URLs, file hashes, and IP addresses contained in events that arrive in Micro Focus ArcSight ESM against threat data feeds from Kaspersky, or from other vendors and sources loaded into CyberTrace. When an indicator matches, Kaspersky CyberTrace determines its category and generates an event supplemented with actionable context.

To install the SIEM connector for Micro Focus ArcSight ESM:

  1. Download Kaspersky CyberTrace.
  2. Follow the documentation to install the package.

Find the download files for Kaspersky CyberTrace in this article.

Note that the SIEM connector for ArcSight has been tested with ArcSight ESM 6.5 and later.

Kaspersky Threat Feed App for ArcSight ESM

Kaspersky Threat Feed App for ArcSight ESM is an application that matches observables from events received by ArcSight ESM against Kaspersky Threat Data Feeds using the SIEM's built-in capabilities (without CyberTrace).

Kaspersky Threat Data Feeds are imported using Kaspersky Feed Utility and the kl_feed_for_arcsight.py script. The feeds are downloaded and converted to a format that can be imported into ArcSight ESM. The kl_feed_for_arcsight.py script generates events in CEF format and sends them to ArcSight SmartConnector, which forwards them to ArcSight ESM. ArcSight ESM receives the events from SmartConnector and populates its lists with indicators from Kaspersky Threat Data Feeds according to the rules contained in the Kaspersky_Threat_Data_Feeds.arb package. After the feeds are imported, the fields of events arriving in ArcSight ESM are matched against indicators from the feeds in accordance with the rules in Kaspersky_Threat_Data_Feeds.arb. If a field matches a feed record, ArcSight ESM adds a detection event to the Active List.
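As an added illustration of that pipeline (example code written for this article, not the kl_feed_for_arcsight.py script or any Kaspersky code; the feed record shape, the vendor/product header values and the indicator-to-CEF-key mapping are assumptions), the following Python builds CEF:0 events from constructed feed records with the header and extension escaping CEF requires, then matches event fields against the resulting lookup the way an Active List match would:

```python
# Constructed sample feed records (assumed shape; not the real Kaspersky feed format).
SAMPLE_FEED = [
    {"type": "url", "value": "example.test/path?a=1", "category": "Malicious URL", "popularity": 3},
    {"type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e", "category": "Malicious hash", "popularity": 5},
    {"type": "ip", "value": "203.0.113.7", "category": "Botnet C&C", "popularity": 4},
]

# Assumed mapping from indicator type to the CEF extension key that carries it.
EXT_KEY = {"url": "request", "hash": "fileHash", "ip": "dst"}


def esc_header(s: str) -> str:
    # CEF header fields must escape backslash and the pipe separator.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def esc_ext(s: str) -> str:
    # CEF extension values must escape backslash, '=' and line breaks (pipe is allowed).
    return (s.replace("\\", "\\\\").replace("=", "\\=")
             .replace("\r", "\\r").replace("\n", "\\n"))


def feed_record_to_cef(rec: dict) -> str:
    """Build one CEF:0 line carrying a feed indicator toward the SmartConnector."""
    header = "|".join(esc_header(x) for x in (
        "Kaspersky", "Threat Data Feeds", "1.0",
        f"feed_{rec['type']}", rec["category"], str(rec["popularity"])))
    ext = " ".join(f"{k}={esc_ext(v)}" for k, v in (
        (EXT_KEY[rec["type"]], rec["value"]),
        ("cs1Label", "category"), ("cs1", rec["category"])))
    return f"CEF:0|{header}|{ext}"


def build_active_list(feed: list) -> dict:
    """Mimic the ESM Active List: a lookup from normalised indicator value to feed context."""
    return {rec["value"].lower(): rec for rec in feed}


def match_event(event: dict, active_list: dict) -> list:
    """Return one detection record per event field whose value is on the list."""
    hits = []
    for field in EXT_KEY.values():
        val = event.get(field)
        if val and val.lower() in active_list:
            hits.append({**active_list[val.lower()], "field": field})
    return hits
```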

You can download Kaspersky Threat Feed App for ArcSight ESM:

  • The documentation file can be downloaded here.
  • The .tgz file for Linux can be downloaded here.