To bolster the productivity and effectiveness of cybersecurity teams, Kaspersky has unveiled a significant update to its Security Information and Event Management (SIEM) solution. The enhanced platform provides a new AI module for faster and more effective alert triage, helps to visualize resource dependencies and enables extended search capabilities.

According to Verified Market Research, the SIEM market was valued at $5.21 billion in 2024 and is expected to reach $10.09 billion by 2031. Among the key factors that contribute to such growth are rising cyber threats, regulatory compliance regulations and demand for rapid threat detection. Businesses are searching for solutions that enable them to collect and analyze data in real time, significantly enhancing their situational awareness. To meet this demand, Kaspersky added new features to its SIEM, allowing cybersecurity professionals to detect threats more efficiently.

Kaspersky SIEM is a security operations center (SOC) platform based on an AI-powered technology stack and reinforced by world-leading Threat Intelligence. The platform collects log data and enriches it with contextual information and actionable threat intelligence to provide all the data needed for incident investigation and response, while enabling automated responses to alerts and threat hunting.

New AI module

Kaspersky SIEM features a new AI module that improves triage alerts and incidents by analyzing historical data, while AI-based risk scoring of assets provides valuable hypotheses for proactive searches.

This module analyzes how the characteristic of a particular activity is related to different assets – workstations, virtual machines, mobile phones, and so on. If an alert detected by the system as a result of event correlation is not typical for the asset on which it is detected, such a detection is marked in the interface with an additional status. Therefore, analysts can quickly see incidents that require immediate attention.

Data collection by the Kaspersky Endpoint Security agent

Previously, to collect data from workstations running Windows and Linux, it was necessary to install a SIEM agent on each station or configure data transmission to an intermediate host and then configure data exchange with the SIEM. Now, if the Kaspersky Endpoint Security agent is installed on the host, it can directly send data to the SIEM system. This data can be used for further event searches, analysis, and correlation. Thus, the additional step of installing and monitoring separate SIEM agents is eliminated for customers who already use Kaspersky products for endpoint security.

Resource dependencies graph and extended search capabilities

The platform also improved its search capabilities and now allows customers to visualize how resources (filters, rules, lists) are connected with each other. A resource dependencies graph featuring a hierarchical folder structure makes it easier to find the correct search query for large teams or multiple stored searches. Analysts can quickly and precisely locate relevant events or create “rolling window” reports by defining the start and finish timeframes for a search query or report. Storing search query history enables the user to access previous inquiries with ease.

Content versioning

Kaspersky SIEM stores the history of resource changes in the form of versions. A resource version is created automatically when an analyst creates a new resource or saves changes to parameters in an existing resource. Version storage simplifies interaction within analyst teams. For example, one team member can see any changes a colleague has made in a correlation rule, and if necessary, undo them.

Unique field mapping

With the updated platform, analysts can now add an array of specified field values from the correlation rule’s unique field section to a correlation event, thus saving time by eliminating the need to search through field values in underlying events.

Kaspersky SIEM also enables the addition of specific field values to an exception if an alert is identified as a false positive. Each correlation rule generates a separate exception list, allowing analysts to focus on critical alerts and quickly reduce correlation rule ‘noise’.

“As SIEM is one of the main tools for SOC teams and IT security departments, we do everything we can to make our platform easier to use. These new features mean businesses can react to events faster and with less effort. Also, we enhanced our Kaspersky SIEM by enriching it with connectors to event sources and correlation rules. Today, our out-of-the-box rules already cover over 400 techniques from the MITRE ATT&CK matrix, and the number of supported sources has reached close to 300. And this number is constantly growing,” comments Ilya Markelov, Head of Unified Platform Product Line at Kaspersky.