How to integrate Kaspersky Threat Data Feeds with ArcSight

Latest update: 6 June 2024 ID: 13852

To integrate threat data feeds with ArcSight, you can use Kaspersky CyberTrace or Kaspersky Threat Feed App for ArcSight ESM.

Kaspersky CyberTrace

Kaspersky CyberTrace lets you check URLs, file hashes, and IP addresses contained in events arriving in ArcSight ESM. The URLs, file hashes, and IP addresses are checked against Kaspersky Threat Data Feeds or feeds from other vendors and sources uploaded to Kaspersky CyberTrace. During the matching process, Kaspersky CyberTrace determines the indicator category and generates an event with information on the necessary actions to take.

To install the SIEM application for ArcSight ESM:

  1. Download the installation file for Kaspersky CyberTrace from this article.
  2. Install the application using these guides.

Please note that the SIEM application for ArcSight has been tested with ArcSight ESM version 6.5 and higher.

Kaspersky Threat Feed App for ArcSight ESM

Kaspersky Threat Feed App for ArcSight ESM is an application used for matching events received by ArcSight ESM against Kaspersky Threat Data Feeds using built-in SIEM capabilities (without Kaspersky CyberTrace).

The import of threat data feeds is performed using Kaspersky Feed Utility and the kl_feed_for_arcsight.py script. The feeds are downloaded and converted to a format that can be imported into ArcSight ESM. The kl_feed_for_arcsight.py script generates events in the CEF format and sends them to ArcSight SmartConnector, which forwards them to ArcSight ESM. ArcSight ESM receives the events from SmartConnector and fills in the active lists with the indicators from the threat data feeds according to the rules contained in Kaspersky_Threat_Data_Feeds.arb.

After the threat data feeds have been imported into ArcSight ESM, the fields of events arriving in ArcSight ESM are matched against the indicators from the feeds according to the rules from Kaspersky_Threat_Data_Feeds.arb. If a field matches an indicator from a data feed, ArcSight ESM adds the detected event to the active list.
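As an added illustration (not Kaspersky's own kl_feed_for_arcsight.py and not the rules in Kaspersky_Threat_Data_Feeds.arb), the following Python sketches the two stages described above: rendering feed records as CEF events with correct header and extension escaping, and matching event fields against the resulting indicator lists. The feed field names, CEF extension keys, vendor/product strings and severity mapping are assumptions made for the example.

```python
# Hypothetical sketch of the feed -> CEF -> active-list flow; NOT Kaspersky's script.
from typing import Dict, Iterable, Optional

# Constructed sample feed records (field names are assumed, values are documentation examples).
SAMPLE_FEED_RECORDS = [
    {"type": "ip", "value": "203.0.113.10", "category": "Botnet C&C", "popularity": 5},
    {"type": "url", "value": "http://example.test/p?a=1|b=2", "category": "Malicious URL", "popularity": 3},
    {"type": "hash", "value": "d41d8cd98f00b204e9800998ecf8427e", "category": "Malware", "popularity": 1},
]

# Assumed mapping of indicator type to the CEF extension key that carries it.
CEF_KEY_FOR_TYPE = {"ip": "dst", "url": "request", "hash": "fileHash"}


def escape_header(value: str) -> str:
    """CEF header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")


def escape_extension(value: str) -> str:
    """CEF extension values: backslash and '=' must be escaped; line breaks are encoded."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def feed_record_to_cef(record: Dict) -> str:
    """Render one feed record as a CEF line that a SmartConnector could ingest."""
    severity = min(10, 2 * int(record["popularity"]))  # assumed 1..5 -> 2..10 scale
    header = "|".join([
        "CEF:0", "Kaspersky", "Threat Data Feeds", "1.1",
        escape_header(record["type"]), escape_header(record["category"]), str(severity),
    ])
    key = CEF_KEY_FOR_TYPE[record["type"]]
    ext = f"{key}={escape_extension(record['value'])} cat={escape_extension(record['category'])}"
    return f"{header}|{ext}"


def build_indicator_lists(records: Iterable[Dict]) -> Dict[str, Dict[str, str]]:
    """Mimic the ESM active lists: indicator type -> {indicator value: category}."""
    lists: Dict[str, Dict[str, str]] = {}
    for r in records:
        lists.setdefault(r["type"], {})[r["value"]] = r["category"]
    return lists


def match_event(event: Dict[str, str], lists: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Check the event fields that carry indicators against the lists; return the first category hit."""
    for ind_type, key in CEF_KEY_FOR_TYPE.items():
        value = event.get(key)
        if value is not None and value in lists.get(ind_type, {}):
            return lists[ind_type][value]
    return None
```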

To install Kaspersky Threat Feed App for ArcSight ESM:

  1. Download the installation file in the TGZ format for Linux: Kaspersky_ThreatDataFeed_for_ArcSight-1.1.tar.xz.
  2. Install the application using these guides.