How to integrate Kaspersky Threat Data Feeds with RSA NetWitness

Latest update: 7 June 2024 ID: 13855

Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with RSA NetWitness: Kaspersky CyberTrace or Kaspersky Threat Feed App for RSA NetWitness.

Kaspersky CyberTrace is the recommended way of integrating.

Kaspersky CyberTrace

Kaspersky CyberTrace allows you to check URLs, file hashes and IP addresses contained in events that arrive in RSA NetWitness. These values are checked against threat data feeds loaded into CyberTrace, whether from Kaspersky or from other vendors or sources. During the matching process, Kaspersky CyberTrace determines the indicator category and generates an event with information on the actions to take.

To install the SIEM connector for RSA NetWitness:

  1. Download the installation file for Kaspersky CyberTrace from this article.
  2. Install the application using the instructions.

Kaspersky Threat Feed App for RSA NetWitness

Kaspersky Threat Feed App for RSA NetWitness allows you to match observables from events received by RSA NetWitness against Kaspersky Threat Data Feeds using the SIEM's built-in capabilities (without CyberTrace).

Kaspersky Threat Data Feeds are downloaded and converted to a format that can be imported into RSA NetWitness. RSA NetWitness can then match fields of the events it receives against the indicators contained in the feeds. If a match is detected, RSA NetWitness adds context from the corresponding feed record to the matched event that contains the indicator of compromise (IoC).
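The convert, match and enrich flow described above, sketched as an added example; it is not Kaspersky's or RSA's code. The feed records, the CSV layout, the event field names and the `feed.*` keys are constructed for illustration and do not reflect the real feed schema or NetWitness import format.

```python
import csv
import io
import json

# Constructed feed records; field names are hypothetical, not the real feed schema.
FEED_JSON = """[
 {"indicator": "198.51.100.23", "type": "ip", "category": "botnet_cnc", "threat_score": 95},
 {"indicator": "malware.example.net", "type": "domain", "category": "malicious_url", "threat_score": 80},
 {"indicator": "0123456789ABCDEF0123456789ABCDEF", "type": "md5", "category": "malicious_hash", "threat_score": 100}
]"""
CONTEXT_FIELDS = ["category", "threat_score"]
# Event field -> indicator type it is compared against (assumed field names).
EVENT_FIELDS = {"ip.dst": "ip", "alias.host": "domain", "checksum": "md5"}

def normalize(value):
    """Trim, lowercase and drop a trailing dot so case or FQDN form does not cause misses."""
    return str(value).strip().lower().rstrip(".")

def feed_to_csv(feed_json):
    """Step 1: flatten the downloaded feed into an importable CSV, one row per indicator."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["indicator", "type"] + CONTEXT_FIELDS)
    writer.writeheader()
    for rec in json.loads(feed_json):
        row = {k: rec.get(k, "") for k in writer.fieldnames}
        row["indicator"] = normalize(row["indicator"])
        writer.writerow(row)
    return out.getvalue()

def load_lookup(csv_text):
    """Step 2: index the imported rows by (type, indicator) for exact matching."""
    return {(r["type"], r["indicator"]): r for r in csv.DictReader(io.StringIO(csv_text))}

def enrich(event, lookup):
    """Step 3: on the first match, copy the feed record's context into the event."""
    enriched = dict(event)
    for field, ioc_type in EVENT_FIELDS.items():
        value = event.get(field)
        hit = lookup.get((ioc_type, normalize(value))) if value else None
        if hit:
            enriched["feed.matched_field"] = field
            enriched.update({"feed." + k: hit[k] for k in CONTEXT_FIELDS})
            break
    return enriched

if __name__ == "__main__":
    lookup = load_lookup(feed_to_csv(FEED_JSON))
    # Constructed events: one matching host (different case, trailing dot), one clean.
    for ev in ({"ip.src": "10.0.0.5", "alias.host": "Malware.Example.NET."},
               {"ip.dst": "203.0.113.9"}):
        print(enrich(ev, lookup))
```

Normalizing both sides before comparison matters in practice: a hash logged in lowercase or a hostname logged with a trailing dot would otherwise miss an indicator that is present in the feed.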

To install Kaspersky Threat Feed App for RSA NetWitness:

  1. Download the TGZ file for Linux.
  2. Install the application.