How to integrate Kaspersky Threat Data Feeds with MISP

 

Kaspersky Threat Data Feeds

 
 
 
 

How to integrate Kaspersky Threat Data Feeds with MISP

Back to article list
Latest update: October 20, 2020 ID: 14787
 
 
 
 

Kaspersky offers the two ways of integrating Kaspersky Threat Data Feeds with MISP:

  • by using Kaspersky Threat Feed App for MISP v1
  • by using Kaspersky Threat Feed App for MISP v2

Both applications allow you to import and update Kaspersky Threat Data Feeds in a MISP instance.

Kaspersky Threat Feed App for MISP v1

In case of Kaspersky Threat Feed App for MISP v1, every feed is imported as a MISP event. Indicators from the feeds are added to events as attributes.

This version is suitable for working with large sets of indicators, has better performance, but limits the possibility of correlating events based on their context.

To install the connector for MISP:

  1. Download Kaspersky Threat Feed App for MISP. The .tar.gz file for Linux can be downloaded here.
  2. Follow the instructions in the product documentation to install the package.

Kaspersky Threat Feed App for MISP v2

Kaspersky Threat Feed App for MISP v2 has the following features in comparison with Kaspersky Threat Feed App for MISP v1:

  • The application imports Kaspersky Threat Data Feeds using the Feeds feature of MISP by converting the feeds to MISP JSON format (the previous version of the application used the API for importing feeds). Every record from Kaspersky Threat Data Feeds is imported as a MISP event.
  • This allows the users to correlate records based on their context (in the previous version of the application, MISP events included all records from every data feed).

Kaspersky Threat Feed App for MISP v2 is well suited for working with small feeds (such as APT) and allows analysts to pay more attention to the analysis (looking for the relations between different indicators) of threat intelligence.

Because of MISP performance, we do not recommend that you import more than one feed into one MISP instance (except APT and Demo feeds) using application v2. Loading all Kaspersky Threat Data Feeds into a single MISP instance is not supported in this version.

To install the connector for MISP v2:

  1. Download Kaspersky Threat Feed App for MISP. The .tar.gz file for Linux can be downloaded here.
  2. Follow the instructions in the product documentation to install the package.
 
 
 
 
Was this information helpful?
Yes No
Thank you
 
 
 

Back to article list
 
 

 
 

How can we improve this article?

Your feedback will be used for content improvement purposes only. If you need assistance, please contact technical support.

Submit Submit

Thank you for your feedback!

Your suggestions will help improve this article.

OK