Kaspersky Threat Data Feeds are now integrated with Microsoft Sentinel. "Threat attacks continue to increase, and to stay protected, organizations need ways to quickly detect these threats," said Rijuta Kapoor, senior program manager at Microsoft. "With the new integration between Microsoft and Kaspersky, customers now have an easy way to import threat data generated by Kaspersky into Microsoft Sentinel."
Kaspersky Threat Data Feeds deliver up-to-the-minute threat intelligence on suspicious and dangerous IPs, URLs and file hashes, ready for integration into existing security systems such as SIEM, SOAR and Threat Intelligence Platforms. Security teams can automate the initial alert triage process while giving their triage specialists enough context to immediately identify alerts that need to be investigated or escalated to incident response teams for further investigation and response.
Microsoft Sentinel is a cloud-native SIEM and SOAR solution that provides users with actionable context for investigating and responding to attacks. Enterprise security teams can use it to extend their detection radius of cyber threats and increase the effectiveness of their initial alert triage, threat hunting, and incident response.
Intelligence-driven defense
The number of security alerts analyzed each day in most cases exceeds the existing capacity of security teams. Amid a million alerts, we need accurate and relevant threat intelligence to find and respond to the most dangerous attacks.
Integrated with Microsoft Sentinel, Kaspersky Threat Data Feeds expand a company's capacity to make timely, informed decisions about adversaries' actions by leveraging globally sourced, context-rich and immediately actionable threat information.
Global visibility into cyberthreats
Threat Data Feeds are aggregated from fused, heterogeneous and highly reliable sources, such as Kaspersky Security Network (collecting anonymized threat data from 100 mln+ users worldwide), our own web crawlers, the Botnet Monitoring service (24/7/365 monitoring of botnets, their targets and activities), spam traps, honeypots, different kinds of sensors, passive DNS, partners and OSINT.
Then, in real time, all the aggregated data is carefully inspected, dissected and interpreted by our in-house threat research teams, with threat research centers established in each region. The data is processed by numerous automated expert systems (such as sandboxes, heuristic engines, similarity tools, etc.), transforming it into finished intelligence to deliver 100% vetted information to our customers.
Actionable context in feeds includes threat names, timestamps, geolocation, resolved IP addresses of infected web resources, hashes, popularity or other search terms. With this data, security teams or SOC analysts can accelerate the initial alert triage by making informed decisions for investigation or escalation to an incident response team.
How it works
Microsoft Sentinel ingests threat intelligence over the TAXII protocol in STIX format, so Kaspersky Threat Data Feeds can be configured as a TAXII Threat Intelligence source directly in the Sentinel interface. Once the indicators are imported, cybersecurity teams can use out-of-the-box analytic rules to match threat indicators from the feeds against their logs.
With the Kaspersky TAXII server, bringing the Threat Data Feeds from Kaspersky into Microsoft Sentinel is straightforward: the built-in TAXII client of Microsoft Sentinel pulls the feed, and the resulting data can then be used by SOC analysts in your organization for further hunting, investigation and analysis of threats.
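The two steps described above (pulling STIX indicators from a TAXII server, then matching them against logs) are shown here as an added stand-alone Python illustration; it is not Kaspersky's or Microsoft's code. Sentinel performs these steps with its built-in TAXII client and analytic rules, and the STIX bundle, indicator values and log records below are constructed placeholders, not real feed data.

```python
import re
from datetime import datetime, timezone
# Constructed STIX 2.1 bundle, as decoded from a TAXII 2.x server's JSON reply;
# every indicator value is a made-up placeholder, not real Kaspersky feed data.
FUTURE, PAST = "2099-01-01T00:00:00Z", "2020-01-01T00:00:00Z"
STIX_BUNDLE = {"type": "bundle", "id": "bundle--constructed-0001", "objects": [
    {"type": "indicator", "id": "indicator--constructed-ip", "valid_until": FUTURE,
     "pattern": "[ipv4-addr:value = '203.0.113.7']"},
    {"type": "indicator", "id": "indicator--constructed-url", "valid_until": FUTURE,
     "pattern": "[url:value = 'http://malicious.example/payload.exe']"},
    {"type": "indicator", "id": "indicator--constructed-expired", "valid_until": PAST,
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
]}
# Only the simple comparison shape  [<object path> = '<value>']  is handled here.
PATTERN_RE = re.compile(r"^\[([^=\s]+)\s*=\s*'([^']*)'\]$")
IOC_TYPES = {"ipv4-addr:value": "ip", "url:value": "url", "file:hashes.'SHA-256'": "sha256"}

def load_indicators(bundle, now=None):
    """Return {ioc_type: {value: indicator_id}}, dropping expired indicators."""
    now = now or datetime.now(timezone.utc)
    active = {t: {} for t in IOC_TYPES.values()}
    for obj in bundle["objects"]:
        if obj.get("type") != "indicator":
            continue
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # stale indicators must not raise alerts
        m = PATTERN_RE.match(obj["pattern"])
        if not m or m.group(1) not in IOC_TYPES:
            continue  # unsupported pattern: skip rather than guess
        active[IOC_TYPES[m.group(1)]][m.group(2).lower()] = obj["id"]
    return active

# Log field -> IOC type; stands in for the joins Sentinel's analytic rules perform.
LOG_FIELDS = {"src_ip": "ip", "dest_ip": "ip", "url": "url", "file_sha256": "sha256"}
def match_logs(indicators, logs):
    """Return (log_index, field, value, indicator_id) for every indicator hit."""
    hits = []
    for i, rec in enumerate(logs):
        for field, ioc_type in LOG_FIELDS.items():
            value = str(rec.get(field, "")).lower()
            if value and value in indicators[ioc_type]:
                hits.append((i, field, value, indicators[ioc_type][value]))
    return hits

# Constructed sample log records: only the second one should produce hits.
SAMPLE_LOGS = [
    {"src_ip": "10.0.0.5", "dest_ip": "198.51.100.2", "url": "http://intranet.example/"},
    {"src_ip": "10.0.0.9", "dest_ip": "203.0.113.7", "url": "http://MALICIOUS.example/payload.exe"},
    {"src_ip": "10.0.0.3", "file_sha256": "ab" * 32},  # matches only the expired IOC
]
```

Run `match_logs(load_indicators(STIX_BUNDLE), SAMPLE_LOGS)` to see the two hits on the second record; the expired hash indicator is dropped at load time, so the third record stays quiet.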