How to integrate Kaspersky Threat Data Feeds with Malware Information Sharing Platform (MISP) for Linux

Latest update: 7 June 2024 ID: 14787
 
 
 
 

Malware Information Sharing Platform (MISP) is open source software for cyberthreat analysis and information exchange. Kaspersky offers two ways of integrating Kaspersky Threat Data Feeds with MISP: Kaspersky Threat Feed App for MISP version 1.x and Kaspersky Threat Feed App for MISP version 2.x.

Both applications allow you to import and update Kaspersky Threat Data Feeds in an MISP instance.

 
 
 
 

Kaspersky Threat Feed App for MISP version 1.x

With Kaspersky Threat Feed App for MISP version 1.x, every feed is imported as an MISP event. Indicators from the feeds are added to the events as attributes.

To integrate with MISP:

  1. Download Kaspersky Threat Feed for MISP version 1.x (SHA256: 552c5706b5ae0827211d4457002d074cc51caf0c8dce67674a3ba5d2ba0f2f00).
  2. Install the application using these guides.
 
 
 
 

Kaspersky Threat Feed App for MISP version 2.x

The application imports threat data feeds using the Feeds function by converting the data feeds to the MISP JSON format (Kaspersky Threat Feed for MISP version 1.x uses the API for importing data feeds). Each record from the threat data feeds is imported as an MISP event. This makes it possible to match records based on their context (in Kaspersky Threat Feed for MISP version 1.x, each MISP event includes all records from one data feed).

Kaspersky Threat Feed for MISP version 2.x is best for analysing threat information and searching for relationships between different indicators.

To improve the performance of the initial import and subsequent data updates of Kaspersky Threat Data Feeds, configure MISP using these recommendations.

To integrate with MISP:

  1. Download Kaspersky Threat Feed for MISP version 2.x (SHA256: 0e50e394f74f770192b9d4bdf56c956076541b5324e56b208055517b64d57a37).
  2. Install the application using these guides.
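
A check to run between steps 1 and 2 of either procedure, as an added example that is not part of the original article or of Kaspersky's tooling: it compares the downloaded archive with the SHA256 value published above and returns a non-zero status on any mismatch. The function names and the command-line form are assumptions; the archive path is whatever file you downloaded.

```bash
#!/usr/bin/env bash
# Added example (not Kaspersky's code): check a downloaded app archive
# against the SHA256 published in this article before installing it.

# Values copied from step 1 of the version 1.x and 2.x procedures.
SHA256_V1="552c5706b5ae0827211d4457002d074cc51caf0c8dce67674a3ba5d2ba0f2f00"
SHA256_V2="0e50e394f74f770192b9d4bdf56c956076541b5324e56b208055517b64d57a37"

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 on match, 1 on mismatch, 2 on bad input or unreadable file.
verify_sha256() {
    local file=$1 expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mistyped reference value must never "match".
    case "$expected" in
        ''|*[!0-9a-f]*) echo "error: reference hash is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "error: reference hash is not 64 hex characters" >&2; return 2
    fi
    if [ ! -f "$file" ] || [ ! -r "$file" ]; then
        echo "error: cannot read $file" >&2; return 2
    fi
    # Hash via stdin so unusual file names cannot alter sha256sum's output.
    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $file has $actual, expected $expected" >&2
    return 1
}

# verify_app VERSION FILE   (VERSION is 1 or 2; FILE is the downloaded archive)
verify_app() {
    case "$1" in
        1) verify_sha256 "$2" "$SHA256_V1" ;;
        2) verify_sha256 "$2" "$SHA256_V2" ;;
        *) echo "usage: verify_app 1|2 FILE" >&2; return 2 ;;
    esac
}

# Run only when called as: script.sh VERSION FILE
if [ "$#" -eq 2 ]; then
    verify_app "$1" "$2"
fi
```

Install only when the script exits with status 0; status 1 means the file differs from the published one and should be discarded and downloaded again.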
 
 
 
 
 