Kaspersky Threat Feed Service

The JSA DSM for Kaspersky Threat Feed Service collects events from the Kaspersky Threat Feed Service.

The following table describes the specifications for the Kaspersky Threat Feed Service DSM:

Table 1: Kaspersky Threat Feed Service DSM Specifications

    Specification                 Value
    ----------------------------  ------------------------------------------------------------------
    Manufacturer                  Kaspersky Lab
    DSM name                      KasperskyThreatFeedService
    RPM file name                 DSM-KasperskyThreatFeedService-JSA_version-build_number.noarch.rpm
    Supported versions            2.0
    Protocol                      Syslog
    Event format                  LEEF
    Recorded event types          Detect, Status, Evaluation
    Automatically discovered?     Yes
    Includes identity?            No
    Includes custom properties?   No
    More information              Kaspersky website (http://www.kaspersky.com/)

To integrate Kaspersky Threat Feed Service with JSA, complete the following steps:

  1. If automatic updates are not enabled, download and install the most recent version of the following RPMs on your JSA console, in the order that they are listed:

    • DSMCommon RPM

    • Kaspersky Threat Feed Service DSM RPM

  2. Configure Kaspersky Threat Feed Service to send syslog events to JSA.

  3. If JSA does not automatically detect the log source, add a Kaspersky Threat Feed Service log source on the desired event collector. The following table describes the parameters that require specific values for Kaspersky Threat Feed Service event collection. The Log Source Identifier must match the host field that the Threat Feed Service writes in the syslog header of its events, because that field is what JSA uses to attribute incoming events to the log source.

    Table 2: Kaspersky Threat Feed Service Log Source Parameters

        Parameter                 Value
        ------------------------  -------------------------------
        Log Source type           Kaspersky Threat Feed Service
        Protocol Configuration    Syslog
        Log Source Identifier     KL_Threat_Feed_Service_V2

The following table provides a sample event message for Kaspersky Threat Feed Service.

Table 3: Kaspersky Threat Feed Service Sample Event Message

    Event name:           KL_Mobile_BotnetCnc_URL
    Low level category:   Botnet address
    Sample log message:

    Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|KL_Mobile_BotnetCnc_URL|url=cjfisdckzvou.dhbg/nbcecr5akith94jq/998 md5=- sha1=- sha256=- usrName=TestUser mask=cjfisdckzvou.dhbg type=2 first_seen=04.01.2016 16:40 last_seen=27.01.2016 10:46 popularity=5

The record is a syslog line (timestamp, then the host identifier KL_Threat_Feed_Service_v2) carrying a LEEF 1.0 header (vendor, product, product version, event ID) followed by key=value attributes. Hash attributes that do not apply to the matched indicator are written as "-".
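The following parser is added here as an example; it is not code from the Kaspersky or Juniper documentation. It takes the syslog-framed LEEF record from Table 3 apart the way the DSM has to: syslog timestamp and host identifier, the five LEEF header fields, then the key=value attributes, with "-" mapped to an absent value and type/popularity/first_seen/last_seen converted to typed values. It assumes attribute values never contain an embedded `key=` token and that dates use the `dd.mm.yyyy HH:MM` form shown in the sample; the second sample record (event name KL_Example_Hash and its md5) is constructed for the example and is not a real feed event.

```python
"""Parse Kaspersky Threat Feed Service LEEF events as they arrive over syslog.

Added example (not code from the Kaspersky or Juniper documentation). It follows
the field layout of the Table 3 sample and assumes:
  - attribute values never contain an embedded "key=" token,
  - "-" means the url/hash attribute is absent,
  - first_seen/last_seen use dd.mm.yyyy HH:MM, as in the sample.
"""
import re
from datetime import datetime
from typing import Any, Dict, Optional, Tuple

# syslog prefix (timestamp, host identifier), then the LEEF 1.0 header:
# LEEF:<ver>|<vendor>|<product>|<product version>|<event id>|<attributes>
_HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"
    r"(?P<host>\S+)\s+"
    r"LEEF:(?P<leef_version>[^|]+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<product_version>[^|]*)\|(?P<event_id>[^|]*)\|(?P<attrs>.*)$"
)
# Attributes are key=value pairs separated by a tab (LEEF default) or, as in the
# rendered sample, a space. Split only where the whitespace is followed by a new
# key=, so values with inner spaces ("04.01.2016 16:40") stay whole.
_ATTR_SPLIT = re.compile(r"[ \t]+(?=[A-Za-z_][A-Za-z0-9_]*=)")
_INT_FIELDS = {"type", "popularity"}
_DATE_FIELDS = {"first_seen", "last_seen"}
_DATE_FORMAT = "%d.%m.%Y %H:%M"

# Sample from Table 3 (spacing restored) and a constructed second record whose
# event name and md5 are invented for this example.
SAMPLE_EVENTS = [
    "Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|"
    "KL_Mobile_BotnetCnc_URL|url=cjfisdckzvou.dhbg/nbcecr5akith94jq/998 md5=- sha1=- sha256=- "
    "usrName=TestUser mask=cjfisdckzvou.dhbg type=2 first_seen=04.01.2016 16:40 "
    "last_seen=27.01.2016 10:46 popularity=5",
    "Jul 10 10:11:02 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|"
    "KL_Example_Hash|url=- md5=44d88612fea8a8f36de82e1278abb02f sha1=- sha256=- "
    "usrName=TestUser mask=- type=1 first_seen=01.02.2016 09:00 last_seen=02.02.2016 09:30 "
    "popularity=3",
]


def parse_leef_event(line: str) -> Dict[str, Any]:
    """Return header fields plus a typed 'attrs' dict; raise ValueError on non-LEEF input."""
    match = _HEADER.match(line.strip())
    if not match:
        raise ValueError("not a syslog-framed LEEF record: %r" % line[:60])
    event = {k: v.strip() for k, v in match.groupdict().items() if k != "attrs"}
    attrs: Dict[str, Any] = {}
    for token in _ATTR_SPLIT.split(match.group("attrs").strip()):
        key, sep, value = token.partition("=")
        if not sep:
            continue                      # stray token without '=' (malformed input)
        value = value.strip()
        if value == "-":
            attrs[key] = None             # absent indicator component
        elif key in _INT_FIELDS:
            attrs[key] = int(value)
        elif key in _DATE_FIELDS:
            attrs[key] = datetime.strptime(value, _DATE_FORMAT)
        else:
            attrs[key] = value
    event["attrs"] = attrs
    return event


def indicator(event: Dict[str, Any]) -> Optional[Tuple[str, str]]:
    """The indicator the feed matched: the URL if present, else the strongest hash given."""
    attrs = event["attrs"]
    for kind in ("url", "sha256", "sha1", "md5"):
        if attrs.get(kind):
            return kind, attrs[kind]
    return None


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        ev = parse_leef_event(raw)
        print(ev["event_id"], indicator(ev), ev["attrs"]["popularity"])
```

The split-before-next-key rule is what makes the parser tolerant of the space-delimited rendering above as well as the tab-delimited form LEEF normally uses; a record that does not carry the LEEF header is rejected rather than half-parsed, which is the behaviour you want in front of any downstream matching.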

Configuring Kaspersky Threat Feed Service to Communicate with JSA

Before you install the Threat Feed Service on a device, ensure that your device meets the hardware and software requirements. The requirements are specified in the Kaspersky Threat Feed Service for JSA distribution kit documentation.

  1. Unpack the contents of the installation archive, Kaspersky_Threat_Feed_Service-Linux-x86_64-2.0.x.y-Release_for_Qradar.tar.gz, to any directory on the computer that you want to use for running the service.

    Note

    The installation directory is denoted by the variable <service_dir> in the following configuration steps.

  2. Configure the Threat Feed Service.
    1. Edit <service_dir>/etc/kl_feed_service.conf.

    2. Modify the ConnectionString element nested within the InputSettings element to specify the IP address and port on which the Threat Feed Service listens for events forwarded from JSA. This is the address of the host that runs the Threat Feed Service itself, not the JSA address:

      <InputSettings>
        ...
        <ConnectionString>Server_IP:Port</ConnectionString>
      </InputSettings>

      The following table identifies the Input Settings parameters that need to be modified in the kl_feed_service.conf file.

      Table 4: Input Settings Parameters

          Parameter    Value
          -----------  -------------------------------------------------------------------------------------
          Server_IP    The IP address of the system the Threat Feed Service is running on.
          Port         An available port where the Threat Feed Service listens for events from JSA. The default is 9995.

      JSA delivers the forwarded events to this port over plain TCP (see Table 6), so restrict network access to the port to the JSA event collector address, for example with the host firewall.

    3. Modify the ConnectionString element nested within the OutputSettings element to specify the JSA event collector IP address and port that the Threat Feed Service sends its events to.

      <OutputSettings>
        ...
        <ConnectionString>QRadar_IP:Port</ConnectionString>
      </OutputSettings>

      The following table identifies the Output Settings parameters that need to be modified in the kl_feed_service.conf file.

      Table 5: Output Settings Parameters

          Parameter    Value
          -----------  ---------------------------------------------
          QRadar_IP    The IP address of the JSA Event Collector.
          Port         514 (the syslog port on the event collector)

  3. Save the changes.
  4. Type the following command from the <service_dir> directory to start the Threat Feed Service.

    etc/init.d/kl_feed_service start

    The following message is displayed when the Threat Feed Service starts.

    Starting kl_feed_service: Config file: ../etc/kl_feed_service.conf [ OK ]

    Note

    To stop the Feed Service, type the following command from the <service_dir> directory.

    etc/init.d/kl_feed_service stop

  5. Verify that communication between the Threat Feed Service and JSA is working by sending a set of test events with the following command:

    /usr/bin/python <service_dir>/tools/tcp_client.py -a <QRadar_IP> -p 514 <service_dir>/integration/sample_initiallog.txt

    Note

    The <QRadar_IP> test parameter is the IP address of your JSA Event Collector. The test client sends over TCP, so port 514/TCP on the event collector must be reachable from the Threat Feed Service host. After the test, the events should appear in the JSA Log Activity tab, attributed to a Kaspersky Threat Feed Service log source (auto-discovered, or the one you added in Table 2).
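An offline stand-in for this connectivity test, added here as an example; it is not Kaspersky's tcp_client.py and not JSA code. A local TCP listener plays the JSA event collector (TCP 514 in production, an ephemeral 127.0.0.1 port here), the sender delivers newline-terminated LEEF lines over one TCP connection the way a syslog-over-TCP client does, and the listener checks that each line carries the log source identifier JSA matches on, KL_Threat_Feed_Service_v2. The first sample line is the Table 3 record; the other two are constructed to show the two ways a test can look "sent" yet never be attributed to the Kaspersky log source.

```python
"""Offline stand-in for the connectivity test in step 5.

Added example (not Kaspersky's tcp_client.py and not JSA code): a local TCP
listener plays the JSA event collector (TCP 514 in production, an ephemeral
127.0.0.1 port here), the sender delivers newline-terminated LEEF lines over
one TCP connection the way a syslog-over-TCP client does, and the listener
checks that each line carries the log source identifier JSA will match on,
KL_Threat_Feed_Service_v2. The second and third sample lines are constructed.
"""
import socket
import threading
from typing import List

EXPECTED_IDENTIFIER = "KL_Threat_Feed_Service_v2"
LEEF_PREFIX = "LEEF:1.0|Kaspersky Lab|Threat Feed Service|"

SAMPLE_LINES = [
    # Table 3 sample, spacing restored
    "Jul 10 10:10:14 KL_Threat_Feed_Service_v2 LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|"
    "KL_Mobile_BotnetCnc_URL|url=cjfisdckzvou.dhbg/nbcecr5akith94jq/998 md5=- sha1=- sha256=- "
    "usrName=TestUser mask=cjfisdckzvou.dhbg type=2 first_seen=04.01.2016 16:40 "
    "last_seen=27.01.2016 10:46 popularity=5",
    # constructed: valid LEEF but the wrong host identifier, so JSA would not
    # attribute it to the Kaspersky log source
    "Jul 10 10:10:15 some-other-host LEEF:1.0|Kaspersky Lab|Threat Feed Service|2.0|"
    "KL_Mobile_BotnetCnc_URL|url=example.invalid/x md5=- sha1=- sha256=- usrName=TestUser "
    "mask=example.invalid type=2 first_seen=04.01.2016 16:40 last_seen=27.01.2016 10:46 popularity=1",
    # constructed: right identifier but no LEEF payload
    "Jul 10 10:10:16 KL_Threat_Feed_Service_v2 kl_feed_service: service started",
]


def classify_line(line: str) -> str:
    """'ok', 'bad_identifier' or 'not_leef' for one received syslog line."""
    parts = line.split(None, 4)            # Mon DD HH:MM:SS host payload
    if len(parts) < 5 or not parts[4].startswith(LEEF_PREFIX):
        return "not_leef"
    if parts[3] != EXPECTED_IDENTIFIER:
        return "bad_identifier"
    return "ok"


def send_test_events(host: str, port: int, lines: List[str], timeout: float = 5.0) -> None:
    """Send every line, newline-terminated, over a single TCP connection."""
    payload = "".join(line + "\n" for line in lines).encode("utf-8")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)


def receive_until_close(listener: socket.socket, timeout: float = 5.0) -> List[str]:
    """Accept one sender and return the lines it delivered before closing."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(timeout)
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8").splitlines()


def run_roundtrip(lines: List[str]) -> List[str]:
    """Start a local collector, send `lines` to it, return one verdict per received line."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.settimeout(5.0)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    received: List[str] = []
    worker = threading.Thread(target=lambda: received.extend(receive_until_close(listener)))
    worker.start()
    try:
        send_test_events("127.0.0.1", port, lines)
        worker.join(5.0)
    finally:
        listener.close()
    return [classify_line(line) for line in received]


if __name__ == "__main__":
    print(run_roundtrip(SAMPLE_LINES))    # ['ok', 'bad_identifier', 'not_leef']
```

Against the real collector you run the tcp_client.py command above instead; the point of the verdicts is that a successful TCP send is not the same as a successful integration: a line with the wrong host identifier or without the LEEF header reaches JSA but is not parsed by this DSM.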

Configuring JSA to Forward Events to the Kaspersky Threat Feed Service

To have the Threat Feed Service check events that arrive in JSA, you must configure JSA to forward events to the Threat Feed Service.

  1. Log in to the JSA console UI.
  2. Click the Admin tab, and select System Configuration > Forwarding Destinations.
  3. In the Forwarding Destinations window, click Add.
  4. In the Forwarding Destination Properties pane, configure the Forwarding Destination Properties.

    Table 6: Forwarding Destination Parameters

        Parameter            Value
        -------------------  -----------------------------------------------------------------------------------------
        Name                 An identifier for the destination. For example, KL Threat Feed Service v2
        Destination Address  IP address of the host that runs the Threat Feed Service.
        Event Format         JSON
        Destination Port     The port that is specified in kl_feed_service.conf InputSettings > ConnectionString. The default value is 9995.
        Protocol             TCP
        Profile              Default profile

  5. Click Save.
  6. Click the Admin tab, and then select System Configuration > Routing Rules.
  7. In the Routing Rules window, click Add.
  8. In the Routing Rules window, configure the routing rule parameters.

    Table 7: Routing Rules Parameters

        Parameter                   Value
        --------------------------  ---------------------------------------------------------------------------------
        Name                        An identifier for the rule. For example, KL Threat Feed Service v2 Rule
        Description                 A description of the routing rule.
        Mode                        Online
        Forwarding Event Collector  The event collector that forwards events to the Threat Feed Service.
        Data Source                 Events
        Event Filters               A filter that selects the events to forward to the Threat Feed Service. To achieve maximum performance of the Threat Feed Service, forward only events that contain a URL or a hash; this also keeps unrelated event data off the plain-TCP link to the service.
        Routing Options             Enable Forward, and then select the forwarding destination that you created in step 4.

  9. Click Save.
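The routing rule filter itself is built in the Admin UI, so the following is added here as an example of the criterion, not of JSA's filter syntax and not code from Juniper or Kaspersky. It applies the same "contains a URL or a hash" test in code, so you can run it over an export of your raw events before you build the filter and see which ones would be forwarded to the Threat Feed Service and which would only add load on the service and on the plain-TCP link to it. The sample events and the hex values in them are constructed; the hash pattern is bounded so that a longer hex token (a session ID, for example) is not mistaken for an md5.

```python
"""Pre-filter matching the routing rule's 'only URL or hash' criterion.

Added example (not JSA's routing-rule filter syntax, which is built in the
Admin UI): the same criterion as code, so you can run it over an export of
your raw events and see which ones would be forwarded to the Threat Feed
Service and which would only add load. All sample events are constructed.
"""
import re
from typing import Dict, List

# md5 / sha1 / sha256 as bare hex; the look-arounds stop a longer hex blob
# (a 36-character session id, for example) from matching as a 32-character md5
_HASH = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{40}|[0-9A-Fa-f]{32})(?![0-9A-Fa-f])"
)
# absolute URLs, plus a url= field as the feed itself writes it (host/path, no scheme)
_URL = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+|\burl=(\S+)", re.IGNORECASE)

SAMPLE_EVENTS = [
    # proxy access log with a URL: forward
    "<13>Jul 10 10:20:01 proxy01 squid: 10.0.0.5 TCP_MISS/200 GET "
    "http://cjfisdckzvou.dhbg/nbcecr5akith94jq/998 - DIRECT/203.0.113.9 text/html",
    # endpoint agent event with a file hash: forward
    "<14>Jul 10 10:20:05 edr01 agent: process_start path=C:\\Users\\a\\x.exe "
    "sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    # successful login, nothing the feed can match: keep local
    "<86>Jul 10 10:20:09 bastion sshd[2211]: Accepted password for alice from 10.0.0.7 port 51234 ssh2",
    # 36-character hex token that is not a hash: keep local
    "<14>Jul 10 10:20:12 app01 web: session=0123456789abcdef0123456789abcdef0123 user=bob action=view",
]


def indicators(payload: str) -> Dict[str, List[str]]:
    """Every URL and hash-shaped token found in one raw event."""
    return {
        "hash": [m.group(0).lower() for m in _HASH.finditer(payload)],
        "url": [m.group(1) or m.group(0) for m in _URL.finditer(payload)],
    }


def should_forward(payload: str) -> bool:
    """True when the event carries something the Threat Feed Service can look up."""
    found = indicators(payload)
    return bool(found["hash"] or found["url"])


def triage(events: List[str]) -> Dict[str, int]:
    """How many of `events` the routing rule would forward versus keep local."""
    forwarded = sum(1 for event in events if should_forward(event))
    return {"forwarded": forwarded, "dropped": len(events) - forwarded}


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(should_forward(event), indicators(event))
    print(triage(SAMPLE_EVENTS))   # {'forwarded': 2, 'dropped': 2}
```

Tune the two patterns to the log sources you actually forward (for example, add the scheme-less URL form your proxy writes) and then express the same condition in the routing rule's Event Filters; the point is to measure the forwarded fraction before the service is put on the path.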
