The partners said the system will give Sentinel users “actionable context” to investigate incidents or attacks, expand threat detection capabilities, and enhance the effectiveness of alert triage, threat victimization or incident response.
Newly available data points will include threat names, timestamps, geolocations, resolved IP addresses of infected web resources, hashes, popularity, and other search terms.
With this data in hand, security teams or security operations centre (SOC) analysts can make better-informed decisions on whether to investigate or escalate, shortening the time it takes to go from alert to incident response for an impactful cyber incident.
“We are thrilled to partner with Microsoft and help Microsoft Sentinel users get access to trusted and valuable threat intelligence from Kaspersky,” said Ivan Vasunov, vice-president of corporate products at Kaspersky. “Expanding integration with third-party security controls makes it even easier for customers to manage our threat intelligence [TI], which is one of our main priorities.
“TI from Kaspersky is tailored to the needs of any organization as we collect data from a large number of different and diverse sources to cover organizations with specific industries, geographies and specific threat landscapes.
“More than two decades of threat research help us achieve this, while empowering security teams worldwide with the information they need at every step of the incident management cycle.”
Rizuta Kapur, senior program manager at Microsoft, added: “Threat attacks continue to grow like never before, and to stay secure, organizations need faster ways to detect these threats.
“With Kaspersky and Microsoft Sentinel integration, customers will now have an easy way to import high-fidelity threat intelligence produced by Kaspersky using Microsoft Sentinel’s industry-standard Structured Threat Information Expression [Stix] and Trusted Automated Exchange of Intelligence [Taxii] for detection, hunting, investigation and automation.”
The use of Stix and Taxii open standards within Sentinel allows configuration of Kaspersky’s data feed as a source of Taxii threat intel, meaning security teams can use out-of-the-box analytical rules to match threat indicators to logs.
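To illustrate the matching step that the analytic rules perform, here is an added Python example (not code from the article, from Kaspersky or from Microsoft): it indexes constructed Stix 2.1 indicator objects, shaped like those a Taxii collection returns, and matches their observable values against constructed log lines. All indicator values and log records are sample placeholders, not real Kaspersky data.

```python
import re
from typing import Dict, List, Tuple

# Constructed STIX 2.1 indicator objects, shaped like what a TAXII 2.1
# collection returns (sample values only, not real threat intelligence).
STIX_INDICATORS = [
    {"type": "indicator", "name": "Example C2 host",
     "pattern": "[ipv4-addr:value = '198.51.100.7']", "pattern_type": "stix"},
    {"type": "indicator", "name": "Example malicious domain",
     "pattern": "[domain-name:value = 'malware.example']", "pattern_type": "stix"},
    {"type": "indicator", "name": "Example dropper",
     "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']", "pattern_type": "stix"},
]

# Constructed log records standing in for DNS, firewall and endpoint events.
LOG_LINES = [
    "2024-01-01T10:00:00Z dns client=10.0.0.5 query=malware.example",
    "2024-01-01T10:00:01Z fw src=10.0.0.5 dst=198.51.100.7 action=allow",
    "2024-01-01T10:00:02Z fw src=10.0.0.9 dst=203.0.113.1 action=allow",
    "2024-01-01T10:00:03Z edr host=ws01 sha256=" + "ab" * 32,
]

# Parses the single-comparison STIX patterns used above ([path = 'value']).
PATTERN_RE = re.compile(r"\[\s*(?P<path>[\w:.'-]+)\s*=\s*'(?P<value>[^']+)'\s*\]")
# Splits a log line into candidate observables (IPs, domains, hashes).
TOKEN_RE = re.compile(r"[A-Za-z0-9.\-]+")


def index_indicators(indicators: List[dict]) -> Dict[str, dict]:
    """Map each indicator's observable value (lower-cased) to the indicator."""
    index: Dict[str, dict] = {}
    for ind in indicators:
        if ind.get("pattern_type") != "stix":
            continue  # only STIX patterns are handled here
        m = PATTERN_RE.fullmatch(ind["pattern"])
        if m:
            index[m.group("value").lower()] = ind
    return index


def match_logs(lines: List[str], index: Dict[str, dict]) -> List[Tuple[str, str]]:
    """Return (log line, indicator name) for every token equal to an indicator value."""
    hits = []
    for line in lines:
        for tok in TOKEN_RE.findall(line):
            ind = index.get(tok.lower())
            if ind:
                hits.append((line, ind["name"]))
    return hits
```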
Data feeds are generated automatically in real time, and aggregate data from multiple sources, including Kaspersky’s security network – which comprises millions of volunteer participants; the expertise of its botnet monitoring services, spam traps, and Kaspersky’s Global Research and Analysis Team (GReAT); and its research and development activities.