Kaspersky threat data added to Microsoft Sentinel service

Microsoft and Kaspersky have launched a collaboration that will see Kaspersky’s automated, real-time threat data feeds integrated into Microsoft’s cloud-native SIEM/SOAR solution, Sentinel.

The partners said the arrangement will give Sentinel users “actionable context” for incident or attack investigation, extending threat detection capabilities and increasing the effectiveness of alert triage, threat hunting or incident response.

Among the newly available data points will be threat names, timestamps, geolocation, resolved IP addresses of infected web resources, hashes, popularity and other search terms.

With this data to hand, security teams or security operations centre (SOC) analysts can make better-informed decisions for investigation or escalation, accelerating the time taken for an impactful cyber incident to move from alert to incident response.

“We are thrilled to partner with Microsoft and help Microsoft Sentinel users to get access to the trusted and valuable threat intelligence from Kaspersky,” said Ivan Vassunov, corporate products vice-president at Kaspersky. “Expanding integration with third-party security controls makes it even easier for customers to operationalise our threat intelligence [TI], which is one of our key priorities.

“TI from Kaspersky is designed to be tailored to the needs of any organisation since we collect data from a great number of different and diverse sources to cover organisations in specific industries, geolocations and with specific threat landscapes.

“More than two decades of threat research helps us achieve this, while empowering global security teams with the information they require at each step of the incident management cycle.”

Rijuta Kapoor, senior programme manager at Microsoft, added: “Threat attacks are on a continuous rise like never before and to remain protected, organisations need quick ways to detect these threats.

“With the Kaspersky and Microsoft Sentinel integration, customers will now have an easy way to import high-fidelity threat intelligence produced by Kaspersky into Microsoft Sentinel using the industry standard of Structured Threat Information Expression [Stix] and Trusted Authomated eXchange of Intelligence Information [Taxii] for detections, hunting, investigation and automation.”

The use of the Stix and Taxii open standards within Sentinel allows the configuration of Kaspersky’s data feed as a Taxii threat intel source in the interface, which means security teams can use out-of-the-box analytic rules to match threat indicators with logs.

The data feeds themselves are automatically generated in real time, and aggregate data from multiple sources, including Kaspersky’s security network – which compromises millions of voluntary participants; its botnet monitoring service, spam traps, and expertise from Kaspersky’s Global Research and Analysis (GReAT) team; and its research and development ops.