How to download the SIEM connector for IBM QRadar

Latest update: June 03, 2021 ID: 13854

Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with IBM QRadar: by using Kaspersky CyberTrace or by using the Kaspersky Data Feeds for QRadar importing utility.

Kaspersky CyberTrace

Kaspersky CyberTrace for IBM QRadar (SIEM connector) allows you to check URLs, file hashes, and IP addresses contained in events that arrive in IBM QRadar. The URLs, file hashes, and IP addresses are checked against threat data feeds from Kaspersky Lab, or from other vendors or sources loaded to CyberTrace. During the matching process, Kaspersky CyberTrace determines the indicator category and generates an event supplemented with actionable context.

To install the SIEM connector for IBM QRadar:

  1. Download Kaspersky CyberTrace for IBM QRadar.
  2. Install the latest QRadar updates (optional).
  3. Follow the instructions in the product documentation to install the package.

You can also get the Kaspersky Threat Feed App installation package from the IBM Security App Exchange and install it in IBM QRadar. Kaspersky Threat Feed App provides the following features within the IBM QRadar GUI to always keep you informed:

  • The display and prioritization of information about URLs, IP addresses, and file hashes from events that match Kaspersky Threat Data Feeds.
  • The lookup of URLs, IP addresses, and hashes in Kaspersky Threat Data Feeds via the QRadar Search field.
  • Dashboards for at-a-glance overviews as well as more detailed information on matching events.

Download Kaspersky CyberTrace for IBM QRadar:

  • The .exe file for Windows can be downloaded here.
  • The .rpm file for Linux can be downloaded here.
  • The .deb file for Linux can be downloaded here.
  • The .tgz file for Linux can be downloaded here.

To install the Kaspersky Threat Feed App:

  1. Download the Kaspersky Threat Feed App from the IBM App Exchange.
  2. In the QRadar Web Console, select Admin and then Extensions Management.
  3. In the Extensions Management form, click the Add button and select the application file archive.

Kaspersky Data Feeds for QRadar

Kaspersky Data Feeds for QRadar is an application designed to integrate Kaspersky Threat Intelligence Data Feeds into the IBM QRadar environment to highlight risks and implications associated with security breaches, aid in mitigating cyber threats more effectively, and defend against attacks even before they are launched.

The Kaspersky Data Feeds for QRadar importing utility is a utility provided by Kaspersky that imports indicators from Kaspersky Threat Data Feeds to IBM® QRadar reference sets.

After the indicators are imported from the feed to QRadar, you can check incoming events in QRadar against them. The Custom Rules Engine (CRE) module of QRadar can check whether incoming events contain records stored in the reference sets. You can configure QRadar to respond in a specific way when an incoming event contains a record from one of the reference sets that have been created.
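
The import step described above, sketched as an added example (this is not code from Kaspersky's importing utility): it validates and de-duplicates IP and hash indicators, groups them by target reference set, and builds the request for QRadar's reference data bulk-load REST endpoint without sending it. The record fields, reference set names, console host and token are assumptions.

```python
import ipaddress
import json
import re
import urllib.request
from urllib.parse import quote

# Hypothetical reference set names (assumptions, not from the page or the utility).
SETS = {"ip": "Example_Feed_IP", "hash": "Example_Feed_Hash"}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # MD5/SHA-1/SHA-256

def normalize(kind, value):
    """Return a cleaned indicator, or None if it must not enter a reference set."""
    value = str(value).strip()
    if kind == "ip":
        try:
            return str(ipaddress.ip_address(value))
        except ValueError:
            return None
    if kind == "hash":
        value = value.lower()
        return value if HASH_RE.match(value) else None
    return None  # indicator type with no target reference set

def partition(records):
    """Group valid, de-duplicated indicators by target reference set."""
    batches, rejected = {name: [] for name in SETS.values()}, []
    for rec in records:
        clean = normalize(rec.get("type"), rec.get("value", ""))
        if clean is None:
            rejected.append(rec)
        elif clean not in batches[SETS[rec["type"]]]:
            batches[SETS[rec["type"]]].append(clean)
    return batches, rejected

def bulk_load_request(console, token, set_name, values):
    """Build (without sending) the POST that loads values into one reference set."""
    url = f"https://{console}/api/reference_data/sets/bulk_load/{quote(set_name)}"
    return urllib.request.Request(
        url, data=json.dumps(values).encode(), method="POST",
        headers={"SEC": token, "Content-Type": "application/json"})

# Constructed sample records; the field names "type" and "value" are assumptions.
SAMPLE = [
    {"type": "ip", "value": " 192.0.2.10 "},
    {"type": "ip", "value": "192.0.2.10"},        # duplicate after trimming
    {"type": "ip", "value": "192.0.2.999"},       # invalid address, rejected
    {"type": "hash", "value": "D41D8CD98F00B204E9800998ECF8427E"},
    {"type": "domain", "value": "example.test"},  # no target set, rejected
]
```

Rejecting malformed values before the load keeps junk entries out of the reference sets that CRE rules later test events against.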

The Kaspersky Data Feeds for QRadar importing utility is a Python application; it contains no binary files.

You can download the Kaspersky Data Feeds for QRadar importing utility:

  • The documentation file can be downloaded here.
  • The .tgz file for Linux can be downloaded here.