How to integrate Kaspersky Threat Data Feeds with Splunk

Latest update: 7 June 2024 ID: 13853

Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with Splunk:

Kaspersky CyberTrace

Kaspersky CyberTrace allows you to check URLs, file hashes, and IP addresses contained in events that arrive in Splunk. The URLs, file hashes, and IP addresses are checked against Kaspersky Threat Data Feeds or against feeds from other vendors or sources loaded to CyberTrace. During the matching process, the SIEM connector determines the indicator category and generates an event supplemented with actionable context. The detected events are sent back to Splunk.

To install Kaspersky CyberTrace and integrate it with Splunk:

  1. Download the installation file for Kaspersky CyberTrace from this article.
  2. Install Kaspersky CyberTrace.
  3. Configure the integration with Splunk.

Please note that the SIEM connector for Splunk has been tested with Splunk 9.0 and later.

Kaspersky Threat Feed Apps for Splunk

Kaspersky Threat Feed Apps for Splunk are applications that let you match observables from events received by Splunk against Kaspersky Threat Data Feeds using built-in Splunk capabilities. Importing Kaspersky Threat Data Feeds consists of downloading the feeds, converting them to CSV format, and importing them into Splunk.
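As an added illustration of the matching both integration options perform (this is not Kaspersky's code, and the CSV columns `indicator`, `type`, `category` and `popularity` are assumptions, not the real feed schema), the following Python matcher pulls URLs, file hashes and IP addresses out of a raw event, looks them up in a CSV-style feed, and emits a detection record carrying the feed's context:

```python
import csv
import io
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample feed in CSV form. Column names are an assumption for this
# example only; the real Kaspersky feed schema is documented in the Online Help.
FEED_CSV = """indicator,type,category,popularity
198.51.100.23,ip,Botnet_CnC,4
e99a18c428cb38d5f260853678922e03,hash,Malicious_Hash,5
http://malicious.example/evil.php,url,Phishing,3
"""

def normalize(value: str, kind: str) -> str:
    """Canonicalize an observable so feed and event values compare equal."""
    value = value.strip()
    if kind == "hash":
        return value.lower()
    if kind == "url":
        return value.lower().rstrip("/")
    return value

def load_feed(csv_text: str) -> Dict[str, dict]:
    """Index feed rows by normalized indicator for constant-time lookups."""
    return {normalize(r["indicator"], r["type"]): r
            for r in csv.DictReader(io.StringIO(csv_text))}

def extract_observables(event: str) -> List[Tuple[str, str]]:
    """Find URLs, MD5/SHA-1/SHA-256 hashes and syntactically valid IPv4 addresses."""
    found = [("url", normalize(u, "url")) for u in re.findall(r"https?://[^\s\"']+", event)]
    hash_re = r"\b[0-9a-fA-F]{32}\b|\b[0-9a-fA-F]{40}\b|\b[0-9a-fA-F]{64}\b"
    found += [("hash", normalize(h, "hash")) for h in re.findall(hash_re, event)]
    for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", event):
        try:
            ipaddress.ip_address(ip)  # drop things like 999.1.1.1
        except ValueError:
            continue
        found.append(("ip", ip))
    return found

def match_event(event: str, feed: Dict[str, dict]) -> List[dict]:
    """Return one enriched detection per observable present in the feed."""
    detections = []
    for kind, value in extract_observables(event):
        row = feed.get(value)
        if row and row["type"] == kind:  # type check avoids cross-type collisions
            detections.append({"observable": value, "type": kind,
                               "category": row["category"],
                               "popularity": int(row["popularity"]), "raw": event})
    return detections
```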

For details, see the following Online Help pages:

To get the TGZ file for Linux, send a request to intelligence@kaspersky.com.
