Integration with Kaspersky Threat Intelligence Portal

You must configure integration with Kaspersky Threat Intelligence Portal (hereinafter also referred to as Kaspersky TIP) to obtain information about the reputation of the observable objects.

Before configuring the settings, you have to create an authorization token for API requests on Kaspersky TIP or Kaspersky OpenTIP.

To configure integration between Kaspersky Next XDR Expert and Kaspersky TIP:

  1. In the main menu, go to SettingsTenants.

    The list of tenants is displayed on the screen.

  2. Click the name of the required tenant.

    The tenant's properties window opens.

  3. Go to the Settings tab, and then select the Kaspersky TIP section.

    You can edit the Kaspersky TIP section if you are assigned one of the following XDR roles: Main administrator, Tenant administrator, or SOC administrator.

  4. If at step 2 you selected the Root tenant, you can turn on the Proxy toggle button to use a proxy server for interaction with Kaspersky TIP.

    The proxy server is configured in the root Administration Server properties.

  5. In the Cache TTL field, specify the period of cache storage and the units: days or hours.

    By default, 7 days is set. If you do not specify any value, the period of cache storage is unlimited.

    You set the period of cache storage for all connections.

  6. Turn on the Integration toggle button for one of the following services:
    • Kaspersky TIP (General access)

      After you add an authorization token, you will be able to obtain information from Kaspersky TIP about the following types of observables listed at the Observables tab in the alert or incident details: domain, URL, IP, MD5, SHA256. The information is updated in the Enrichment column. Quota is consumed when you request data.

    • Kaspersky TIP (Premium access)

      After you add an authorization token, you will be able to do the following:

      • Obtain information from Kaspersky TIP about the following types of observables listed at the Observables tab in the alert or incident details: domain, URL, IP, MD5, SHA256. The information is updated in the Enrichment column. Quota is consumed when you request data.
      • Obtain information from Kaspersky TIP about the following types of observables listed at the Observables tab in the alert or incident details: domain, URL, IP, MD5, SHA256. The information is updated in the Status update column. Quota is not consumed when you request data.
  7. Click the Add token button.
  8. In the window that opens, enter the authorization token, and then click the Add button.

    For details about generating an authorization token for API requests, refer to the Kaspersky TIP or Kaspersky OpenTIP help.

    After you add the token, you can change it by clicking the Replace button, and then entering a new token in the window that opens. This may be necessary if the token is expired.

  9. Click the Save button.
Page top