Configuration of Kaspersky Threat Data Feeds in Microsoft Sentinel

To import Kaspersky Threat Intelligence Data Feeds into Microsoft Sentinel as a TAXII Threat Intelligence source:

  1. Create a Log Analytics workspace in your Microsoft Azure account.
  2. Add Microsoft Sentinel to your workspace.
  3. Open the Threat Intelligence – TAXII connector:

    Threat intelligence - Taxii connector window.

    Opening the connector

  4. Configure the connector as follows:
    • Friendly name (for server): specify the friendly name of the TAXII server.
    • API Root URL: https://taxii.tip.kaspersky.com/v2/
    • Collection ID: specify the Collection ID for one of the supported collections.

      You can look up the collection ID by sending the following request:

      curl -v -H "Accept: application/taxii+json;version=2.1" -u "taxii:<TOKEN>" https://taxii.tip.kaspersky.com/v2/collections/

    • Username: taxii
    • Password: Specify your token. To obtain a trial or commercial token, please contact intelligence@kaspersky.com.
    • Import indicators: Select an appropriate option (e.g. All available).
    • Polling frequency: Select an appropriate option (e.g. Once an hour).

    Connector configuration window.

    Configuring the connector

  5. Click Add.
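
The collection lookup from step 4, as an added Python example (not Kaspersky's code): it sends the same authenticated request with TLS certificate verification left on and lists only the collections whose `can_read` flag, a field of the TAXII 2.1 collection resource, is true, since those are the IDs the connector can poll. The `TAXII_TOKEN` environment variable name is an assumption, and the sample response is constructed.

```python
import base64
import json
import os
import urllib.request

API_ROOT = "https://taxii.tip.kaspersky.com/v2/"   # API Root URL from step 4
TAXII_JSON = "application/taxii+json;version=2.1"  # Accept header from the curl request
# Constructed sample of a TAXII 2.1 collections response (IDs and titles are made up).
SAMPLE = json.dumps({"collections": [
    {"id": "00000000-0000-4000-8000-000000000001", "title": "Feed A", "can_read": True},
    {"id": "00000000-0000-4000-8000-000000000002", "title": "Feed B", "can_read": False},
]})


def build_request(token, api_root=API_ROOT):
    """Build the GET for <API root>collections/ with basic auth (user name 'taxii')."""
    cred = base64.b64encode(f"taxii:{token}".encode()).decode()
    return urllib.request.Request(
        api_root.rstrip("/") + "/collections/",
        headers={"Accept": TAXII_JSON, "Authorization": "Basic " + cred},
    )


def readable_collections(body):
    """Return (id, title) for every collection the token is allowed to read."""
    result = []
    for coll in json.loads(body).get("collections", []):
        if not isinstance(coll, dict) or "id" not in coll:
            continue  # malformed entry, nothing usable as a Collection ID
        if coll.get("can_read") is True:  # unreadable collections cannot be polled
            result.append((coll["id"], coll.get("title", "")))
    return result


def fetch_collections(token):
    """Query the server; urlopen() verifies the TLS certificate by default."""
    with urllib.request.urlopen(build_request(token), timeout=30) as resp:
        return readable_collections(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # TAXII_TOKEN is a hypothetical variable name; reading the token from the
    # environment keeps it out of shell history. Without it, parse the sample.
    token = os.environ.get("TAXII_TOKEN")
    rows = fetch_collections(token) if token else readable_collections(SAMPLE)
    for coll_id, title in rows:
        print(coll_id, title)
```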

After the indicators are pulled, you can use Kaspersky Threat Intelligence Data Feeds in Microsoft Sentinel:

Overview window.

Threat Intelligence window.