Microsoft Sentinel is a cloud-native SIEM and SOAR solution that allows you to detect and hunt for actionable threats. Microsoft Sentinel offers several ways to import threat intelligence data and use it across the product, such as in hunting, investigation, analytics, and workbooks.
One of the ways to bring threat intelligence data into Microsoft Sentinel is the Threat Intelligence – TAXII data connector. This data connector uses the TAXII protocol to share data in STIX format, one of the most widely adopted standards for sharing threat intelligence across the industry. The connector supports pulling data from TAXII 2.0 and 2.1 servers. The Threat Intelligence – TAXII data connector is essentially a built-in TAXII client in Microsoft Sentinel that imports threat intelligence from TAXII 2.x servers.
Today we are announcing the availability of the Kaspersky TAXII server which allows you to get threat intelligence data from Kaspersky into Microsoft Sentinel using the TAXII data connector.
Benefits of Kaspersky + Microsoft Sentinel Integration
Integrated with Microsoft Sentinel, Kaspersky Threat Data Feeds expand a company’s capacity to make timely, informed decisions about adversaries’ actions by leveraging globally sourced, context-rich and immediately actionable threat information. Gain insights from a wide range of varied and trustworthy sources, including Kaspersky Security Network (KSN), the Botnet Monitoring system, spam traps, honeypots, and the deep and dark web, together with data about malicious objects that Kaspersky has discovered during 25 years of continuous threat research.
The aggregated data is meticulously inspected and refined in real time using multiple preprocessing techniques – statistical criteria, sandboxes, heuristics engines, similarity tools, behavior profile, analyst validation, allow listing verification, etc. – to deliver 100% vetted information to customers.
The solution ensures that your business remains vigilant against the widest range of cyberthreats, regardless of their origin.
Connecting Kaspersky to Microsoft Sentinel
Step by step process of how to connect Microsoft Sentinel to Kaspersky TI can be found here.
Once you import threat intelligence data from Kaspersky into Microsoft Sentinel, it shows up in the ThreatIntelligenceIndicator table in Log Analytics. The data also appears in the Threat Intelligence menu in the product, where you can search, sort, filter, and tag the indicators.
Put Kaspersky threat intelligence to use in Microsoft Sentinel
Once the threat intelligence from Kaspersky is imported into Microsoft Sentinel, you can use it for matching against log sources. This can be done using the out-of-the-box analytics rules in Microsoft Sentinel. These fully customizable analytics rules, which match threat indicators against your event data, all have names beginning with ‘TI map’.
To learn how to enable and create analytic rules, follow the steps mentioned in this documentation.
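A KQL query in the style of those TI map rules, added here as an illustration and not taken from this post or from Microsoft's rule templates. It assumes that firewall or proxy events land in CommonSecurityLog and that the TAXII connection was given the friendly name Kaspersky (the value Sentinel records in SourceSystem); both are assumptions to adjust for your workspace.

```kql
// Added example: match Kaspersky IP indicators (imported via the TAXII connector)
// against outbound connections in CommonSecurityLog.
let dt_lookBack = 1h;          // how far back to scan event data
let ioc_lookBack = 14d;        // how far back to collect indicators
let ti_source = "Kaspersky";   // assumed TAXII connection name; adjust to yours
// 1. Keep only the latest copy of each active, unexpired IP indicator.
let kasperskyIPs = ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
    | where SourceSystem == ti_source
    | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true
    | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP)
    | where isnotempty(TI_ipEntity);
// 2. Join recent events on the destination IP.
kasperskyIPs
| join kind=innerunique (
    CommonSecurityLog
    | where TimeGenerated >= ago(dt_lookBack)
    | where isnotempty(DestinationIP)
    | project-rename CS_TimeGenerated = TimeGenerated
    | project CS_TimeGenerated, DeviceVendor, DeviceProduct, SourceIP,
              DestinationIP, DestinationPort, DeviceAction
) on $left.TI_ipEntity == $right.DestinationIP
// 3. Count a hit only if the event occurred while the indicator was still valid.
| where CS_TimeGenerated < ExpirationDateTime
| project CS_TimeGenerated, SourceIP, DestinationIP, DestinationPort, DeviceAction,
          DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ConfidenceScore,
          Description, ExpirationDateTime
// Entity mapping fields used when the query is saved as an analytics rule.
| extend timestamp = CS_TimeGenerated, IPCustomEntity = DestinationIP
```

Raise the ConfidenceScore threshold or add a `where ThreatType in (...)` filter if the rule is too noisy for your environment.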
With the release of the Kaspersky TAXII server, it is straightforward to bring the Kaspersky threat intelligence feed into Microsoft Sentinel by leveraging Microsoft Sentinel's built-in TAXII client. SOC analysts in your organization can then use this data for further hunting, investigation and analysis of threats.