How to integrate Kaspersky Threat Data Feeds with Splunk

Latest update: April 26, 2023 ID: 13853

Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with Splunk:

  • By using Kaspersky CyberTrace. For instructions, follow the steps below.
  • By using Kaspersky Data Feed Apps for Splunk Enterprise and Kaspersky Threat Feed for Splunk Cloud. See the guide below.

Kaspersky CyberTrace

Kaspersky CyberTrace allows you to check URLs, file hashes, and IP addresses contained in events that arrive in Splunk. The URLs, file hashes, and IP addresses are checked against Kaspersky Threat Data Feeds or against feeds from other vendors or sources loaded into CyberTrace. During the matching process, the SIEM connector determines the indicator category and generates an event supplemented with actionable context. The detection events are then sent back to Splunk.

To install Kaspersky CyberTrace and integrate it with Splunk:

  1. Download Kaspersky CyberTrace. Find the download files for Kaspersky CyberTrace in this article.
  2. Install Kaspersky CyberTrace. See the Online Help page for instructions.
  3. Configure the integration with Splunk. See the Online Help page for instructions.

Please note that the SIEM connector for Splunk has been tested with Splunk 9.0 and later.

Kaspersky Threat Feed Apps for Splunk

Kaspersky Threat Feed Apps for Splunk are applications that allow you to match observables from events received by Splunk against Kaspersky Threat Data Feeds using built-in Splunk capabilities. Importing Kaspersky Threat Data Feeds consists of downloading the feeds, converting them to CSV format, and importing the CSV files into Splunk.
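The two steps described above (the CyberTrace-style matching of URLs, hashes and IPs against a feed, and the feed-to-CSV conversion used by the Splunk apps) as an added illustration that is not Kaspersky's code: the feed record layout, the field names and every indicator and event below are constructed for this example and do not reflect the actual Kaspersky Threat Data Feeds format.

```python
import csv
import io
import json
from urllib.parse import urlsplit

# Constructed feed, one JSON record per line; the schema is an assumption.
FEED_JSONL = "\n".join([
    json.dumps({"type": "ip", "value": "203.0.113.10", "threat": "Botnet C&C", "popularity": 4}),
    json.dumps({"type": "md5", "value": "44d88612fea8a8f36de82e1278abb02f", "threat": "Trojan", "popularity": 5}),
    json.dumps({"type": "url", "value": "http://malicious.example/path", "threat": "Phishing", "popularity": 3}),
])
# Constructed events of the kind a forwarder might deliver to Splunk.
EVENTS = [
    {"src_ip": "203.0.113.10", "url": "http://www.malicious.example/path?x=1"},
    {"src_ip": "198.51.100.7", "file_hash": "44D88612FEA8A8F36DE82E1278ABB02F"},
    {"src_ip": "192.0.2.1", "url": "http://benign.example/"},
]

def normalize(kind, value):
    """Canonical form so lookup keys compare reliably: hashes lower-cased,
    URLs reduced to host+path with any leading 'www.' and the query dropped."""
    if kind == "md5":
        return value.strip().lower()
    if kind == "url":
        parts = urlsplit(value.strip())
        host = parts.hostname or ""
        host = host[4:] if host.startswith("www.") else host
        return host + parts.path
    return value.strip()

def feed_to_csv(feed_jsonl):
    """Convert the feed to CSV text with the columns a Splunk lookup table would carry."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["indicator_type", "indicator", "threat", "popularity"])
    writer.writeheader()
    for line in feed_jsonl.splitlines():
        rec = json.loads(line)
        writer.writerow({"indicator_type": rec["type"], "indicator": normalize(rec["type"], rec["value"]),
                         "threat": rec["threat"], "popularity": rec["popularity"]})
    return out.getvalue()

def match_events(events, csv_text):
    """Return one detection per event field that hits the lookup, with feed context attached."""
    lookup = {(r["indicator_type"], r["indicator"]): r for r in csv.DictReader(io.StringIO(csv_text))}
    field_kinds = {"src_ip": "ip", "file_hash": "md5", "url": "url"}  # event field -> indicator type
    detections = []
    for ev in events:
        for field, kind in field_kinds.items():
            hit = lookup.get((kind, normalize(kind, ev[field]))) if field in ev else None
            if hit:
                detections.append({**ev, "matched_field": field, "threat": hit["threat"], "popularity": hit["popularity"]})
    return detections
```

In a real deployment the normalization rules must mirror those of the feed (for example how URL masks and hash case are handled), otherwise true matches are silently missed.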

For details, see the following Online Help pages:

The appropriate .tgz file for Linux can be requested at intelligence@kaspersky.com.
