About Kaspersky Threat Data Feeds
Cyber threats are constantly growing in frequency and complexity. Criminals use complicated intrusion kill chains, campaigns and customized Tactics, Techniques and Procedures (TTPs) to bypass your security controls and disrupt your business. Kaspersky offers continuously updated Threat Data Feeds to detect malicious activity on your enterprise network.
Threat Intelligence is aggregated from fused, heterogeneous and highly reliable sources such as Kaspersky Security Network (KSN) and our own web crawlers, Botnet Monitoring service (24/7/365 monitoring of botnets, their targets and activities) and spam traps.
We also receive data from research teams, the deep web and partners, as well as historical data about malicious objects collected by Kaspersky over two decades.
All the aggregated data is carefully inspected and refined in real time using multiple preprocessing techniques, such as statistical criteria, Kaspersky Expert Systems (sandboxes, heuristics engines, similarity tools, behavior profiling etc.), analyst validation and allowlisting verification. As a result, Kaspersky Threat Data Feeds contain thoroughly vetted threat indicator data sourced from the real world, in real time.
For more information about Kaspersky Threat Data Feeds, please download the following leaflet or go to this website.
Watch this video explaining how to improve your company's cyber security with Kaspersky Threat Data Feeds.
What feeds does Kaspersky provide?
Demo Data Feeds
- Demo IP Reputation Data Feed
- Demo Botnet C&C URL Data Feed
- Demo Malicious Hash Data Feed
- Demo APT Hash Data Feed
- Demo APT IP Data Feed
- Demo APT URL Data Feed
- Demo Suricata Rules Data Feed
Commercial feeds
- Malicious URL Data Feed — a set of URL masks and extra context that cover malicious web resources. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA) or by making a dynamically updated list of URLs to be blocked.
- Malicious URL Exact Data Feed — a set of exact URLs, hosts, domains and extra context for detecting malicious web resources. The feed is intended for direct integration into security controls (for example, SIEM solutions, firewalls, or secure mail and web gateways) and Threat Intelligence Platforms where the use of masks and Kaspersky CyberTrace matching engine is not possible.
- Ransomware URL Data Feed — a set of URLs, domains, and hosts with context that cover web resources where ransomware is hosted. The feed is intended for integration into security controls (for example, SIEM solutions) directly or using Kaspersky CyberTrace as well as for integration into next generation firewalls, secure mail and web gateways using network traffic analysis (NTA) or by making a dynamically updated list of URLs to be blocked.
- Phishing URL Data Feed — a set of URL masks and extra context covering phishing web resources. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA) or by making a dynamically updated list of URLs to be blocked.
- Phishing URL Exact Data Feed — a set of exact URLs as well as hosts, domains and extra context for detecting phishing web resources. The feed is intended for direct integration into security controls (for example, SIEM solutions, firewalls, or secure mail and web gateways) and Threat Intelligence Platforms where the use of masks and Kaspersky CyberTrace matching engine is not possible.
- Botnet C&C URL Data Feed — a set of URLs and extra context that cover desktop botnet C&C servers and related malicious objects. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA) or by making a dynamically updated list of URLs to be blocked.
- Botnet C&C URL Exact Data Feed — a set of exact URLs, hosts, domains and extra context containing information about desktop botnet C&C servers and related malicious objects. The feed is intended for direct integration into security controls (for example, SIEM solutions, firewalls, or secure mail and web gateways) and Threat Intelligence Platforms where the use of masks and Kaspersky CyberTrace matching engine is not possible.
- Mobile Botnet C&C URL Data Feed — a set of URL masks and extra context for detecting C&C servers and web resources that are related to mobile botnets. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA).
- Malicious Hash Data Feed — a set of file hashes with corresponding context covering the most dangerous, prevalent and emerging malware. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA).
- Mobile Malicious Hash Data Feed — a set of file hashes with corresponding context covering malicious objects that target mobile platforms (Google Android and Apple iPhone devices). The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA).
- IP Reputation Data Feed — a set of IP addresses with context that cover different categories of suspicious and malicious hosts. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through integration with network traffic analysis (NTA) or by making a dynamically updated list of IP addresses to be blocked.
- IoT URL Data Feed — a set of URLs with context covering malware that infects IoT (Internet of Things) devices, such as IP cameras, routers and dishwashers. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA).
- Vulnerability Data Feed — a set of corporate security vulnerabilities with related threat intelligence (hashes of vulnerable apps/exploits, timestamps, CVEs, patches etc.). The feed is intended for integration into Threat Intelligence Platforms and SIEM solutions to find software vulnerabilities by matching incoming events about the software in use (e.g., a list of assets from the SIEM) against the feed.
- ICS Vulnerability Data Feed — a set of security vulnerabilities in both ICS and the commonly used IT systems integrated into Industrial Control Systems (ICS) networks, with related context such as hashes of affected files/exploits, timestamps, CVEs, patches and other data. The feed is designed for integration into Threat Intelligence Platforms and SIEM solutions, for aggregating the vulnerabilities that are known and relevant to the company, and for finding software vulnerabilities by matching incoming events about the software in use (e.g., a list of assets from the SIEM) against the feed.
- ICS Vulnerability Data Feed in OVAL format — a set of rules for searching for ICS security vulnerabilities. The feed is intended for scanning files in the Microsoft Windows OS using popular scanners in order to detect vulnerable ICS infrastructure.
- ICS Hash Data Feed — a set of file hashes with corresponding context covering the malicious files that are used to attack ICS infrastructure. The feed is designed for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace or into next generation firewalls, secure mail and web gateways through network traffic analysis (NTA).
- pDNS Data Feed — a set of records that contain the results of DNS resolutions for domains into corresponding IP addresses over a period of time. The feed is used for investigation of cyber incidents.
- Suricata Rules Data Feed — Suricata IDS rules that cover the detection of various threat categories, such as APT, Botnet C&C, Ransomware, etc. The feed is intended for integration into IDS solutions.
- Sigma Rules Data Feed — a definition of detection logic in the SIGMA rule format. The feed is intended to be used as a set of expert guidelines for creating detection logic for SIEM or EDR.
- Cloud Access Security Broker (CASB) Data Feed — a set of masks covering the domains of a cloud service. The feed is used for configuring CASB solutions, such as policies governing access to cloud services.
- APT Hash Data Feed — a set of hashes that cover malicious artifacts used by Advanced Persistent Threat (APT) actors to conduct APT campaigns. The feed is designed for investigation of cyber incidents and for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace.
- APT IP Data Feed — a set of IP addresses that belong to an infrastructure used in APT campaigns. The feed is designed for investigation of cyber incidents and for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace.
- APT URL Data Feed — a set of domains that are part of an infrastructure used in APT campaigns. The feed is designed for investigation of cyber incidents and for integration into security controls (for example, SIEM solutions) using Kaspersky CyberTrace.
- APT Yara Data Feed — YARA rules describing various malicious files used in APT campaigns. The feed is used for searching indicators of targeted attacks in corporate local networks and for cyber incident investigations.
- Open Source Software Threats Data Feed — a set of open source software packages that contain malicious functionality, vulnerabilities or political compromises of functionality, such as blocking in certain regions, political slogans. The feed is intended for Software Component Analysis (SCA) in terms of DevSecOps to protect software packages against supply chain attacks, to timely detect and resolve vulnerabilities, and to prevent political compromises of functionalities and undeclared capabilities.
- Crimeware Hash Data Feed — a set of hashes and extra context that are described in Kaspersky Crimeware Reports and related to objects used to conduct fraudulent campaigns. The feed is used for investigation of cyber incidents.
- Crimeware URL Data Feed — a set of domains and extra context that are described in Kaspersky Crimeware Reports and belong to the infrastructure used in fraudulent campaigns. The feed is used for investigation of cyber incidents.
- Crimeware Yara Data Feed — a set of YARA rules that indicate objects used to conduct fraudulent campaigns. The rules are described in Kaspersky Crimeware Reports. The feed is used for searching indicators of fraudulent campaigns in corporate local networks and for cyber incident investigations.
What is contained in the feeds?
Kaspersky Threat Data Feeds contain context that allows you to confirm and prioritize threats:
- Threat names
- IP addresses and domains that belong to malicious web resources
- Hashes of malicious files
- Identifiers of vulnerable and compromised objects
- Timestamps
- Geographical location
- Popularity and other attributes
You can use this data to get a general idea about an event that happened or to conduct further investigation. These feeds may help to answer the questions "Who? What? Where? When?" and to identify attack sources, so that you can make timely decisions and provide multi-level cybersecurity that protects your organization's business from present and future cyber threats.
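The feed descriptions above distinguish mask-based feeds (URL masks, matched by an engine such as Kaspersky CyberTrace) from exact feeds (exact URLs, hosts and domains, for controls that cannot match masks), and this section lists the context carried with each indicator. The example below, which is added here and is not Kaspersky's code nor the CyberTrace matching engine, shows how a consumer would run both kinds of indicator over proxy log lines and use the context (threat name, first-seen time, popularity) to rank the hits. The feed records, their field names (mask, host, threat, first_seen, popularity), the log line layout and the wildcard semantics of a mask (a single `*` matching any run of characters) are all assumptions constructed for this illustration, not the real feed schema.

```python
"""Added example (not Kaspersky code): match proxy log lines against mask-style
and exact-style threat-feed indicators and rank hits by the feed's context.

All feed records and log lines are CONSTRUCTED; the field names are an ASSUMED
schema, not the real Kaspersky feed format.
"""
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed mask-style feed: a '*' in a mask is ASSUMED to match any run of characters.
MASK_FEED = json.loads("""[
  {"mask": "*.bad-example.test/download/*", "threat": "Trojan-Downloader.Constructed",
   "first_seen": "2024-01-10T08:00:00Z", "popularity": 4},
  {"mask": "payload.evil-example.test/*", "threat": "Backdoor.Constructed",
   "first_seen": "2024-02-01T12:30:00Z", "popularity": 2}
]""")

# Constructed exact-style feed: hosts only, for controls that cannot evaluate masks.
EXACT_FEED = json.loads("""[
  {"host": "login-verify.phish-example.test", "threat": "Phishing.Constructed",
   "first_seen": "2024-03-05T09:15:00Z", "popularity": 5},
  {"host": "cdn.evil-example.test", "threat": "Backdoor.Constructed",
   "first_seen": "2024-02-01T12:30:00Z", "popularity": 1}
]""")

# Constructed proxy log lines: "<timestamp> <client ip> <requested url>".
LOG_LINES = [
    "2024-03-06T10:00:01Z 10.0.0.5 http://mirror.bad-example.test/download/setup.exe",
    "2024-03-06T10:00:02Z 10.0.0.7 https://login-verify.phish-example.test/account",
    "2024-03-06T10:00:03Z 10.0.0.9 https://www.example.test/index.html",
    "2024-03-06T10:00:04Z 10.0.0.5 http://payload.evil-example.test/x.bin",
]


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    url: str
    indicator: str   # the mask or host that fired
    threat: str
    first_seen: str
    popularity: int


def mask_to_regex(mask: str) -> re.Pattern:
    """Translate a wildcard mask into an anchored regex; every literal part is escaped."""
    return re.compile("^" + ".*".join(re.escape(part) for part in mask.split("*")) + "$")


def normalize_url(url: str) -> str:
    """Drop the scheme and lowercase the host so masks written without a scheme still match."""
    parts = urlsplit(url)
    return parts.netloc.lower() + parts.path


def match_logs(log_lines, mask_feed=MASK_FEED, exact_feed=EXACT_FEED):
    """Return hits for every log line that matches a mask or an exact host, most popular first."""
    compiled = [(rec, mask_to_regex(rec["mask"])) for rec in mask_feed]
    exact_hosts = {rec["host"].lower(): rec for rec in exact_feed}
    hits = []
    for line in log_lines:
        ts, client_ip, url = line.split(" ", 2)
        norm = normalize_url(url)
        host = urlsplit(url).netloc.lower()
        for rec, rx in compiled:
            if rx.match(norm):
                hits.append(Hit(ts, client_ip, url, rec["mask"], rec["threat"],
                                rec["first_seen"], rec["popularity"]))
        if host in exact_hosts:
            rec = exact_hosts[host]
            hits.append(Hit(ts, client_ip, url, rec["host"], rec["threat"],
                            rec["first_seen"], rec["popularity"]))
    # Popularity from the feed context drives triage order; ties keep log order.
    hits.sort(key=lambda h: h.popularity, reverse=True)
    return hits


if __name__ == "__main__":
    for h in match_logs(LOG_LINES):
        print(f"{h.timestamp} {h.client_ip} -> {h.threat} (indicator={h.indicator}, "
              f"first_seen={h.first_seen}, popularity={h.popularity})")
```

The exact-host lookup is a plain dictionary membership test, which is why exact feeds suit firewalls and mail gateways that only accept block lists; the mask path needs a regex per indicator and is the part a dedicated matching engine would handle at scale. Of the four constructed log lines, three produce a hit and the benign `www.example.test` request produces none.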
How often are the feeds updated?
- Malicious URL Data Feed in JSON format — every 20 minutes
- Malicious URL Exact Data Feed in JSON format — every 10 minutes
- Ransomware URL Data Feed in JSON format — every 20 minutes
- Phishing URL Data Feed in JSON format — every 20 minutes
- Phishing URL Exact Data Feed in JSON format — every 30 minutes
- Botnet C&C URL Data Feed in JSON format — every 60 minutes
- Demo Botnet C&C URL Data Feed — every 24 hours
- Botnet C&C URL Exact Data Feed in JSON format — every 60 minutes
- Mobile Botnet C&C URL Data Feed in JSON format — every 60 minutes
- Malicious Hash Data Feed in JSON format — every 20 minutes
- Demo Malicious Hash Data Feed — every 24 hours
- Mobile Malicious Hash Data Feed in JSON format — every 20 minutes
- IP Reputation Data Feed in JSON format — every 20 minutes
- Demo IP Reputation Data Feed — every 24 hours
- IoT URL Data Feed in JSON format — every 60 minutes
- APT Hash Data Feed in JSON format — every 60 minutes
- APT IP Data Feed in JSON format — every 60 minutes
- APT URL Data Feed in JSON format — every 60 minutes
- Crimeware Hash Data Feed in JSON format — every 3 hours, but new data appears only when Crimeware Reports are updated
- Crimeware URL Data Feed — every 3 hours, but new data appears only when Crimeware Reports are updated
- Vulnerability Data Feed in JSON format — every 6 hours
- pDNS Data Feed in JSON format — every 60 minutes
- ICS Hash Data Feed in JSON format — every 60 minutes
- ICS Vulnerability Data Feed in JSON format — every 60 minutes
- Cloud Access Security Broker (CASB) Data Feed — every 6 hours
- Open Source Software Threats Data Feed — every 4 hours
- Malicious URL Differential Data Feed in JSON — every 20 minutes for a diff part, every 24 hours for a snapshot
- Phishing URL Differential Data Feed in JSON — every 20 minutes for a diff part, every 24 hours for a snapshot
- Botnet CnC Differential URL Data Feed in JSON — every 60 minutes for a diff part, every 24 hours for a snapshot
- META Malicious URL Data Feed in JSON — every 60 minutes
- META Phishing URL Data Feed in JSON — every 60 minutes
- META Botnet C&C URL Data Feed in JSON — every 60 minutes
- META Malicious Hash Data Feed in JSON — every 60 minutes
- META Mobile Malicious Hash Data Feed in JSON — every 60 minutes
- Suricata Rules Data Feed — every 24 hours
- Demo Suricata Rules Data Feed — every 24 hours
- APT Yara Data Feed — every 60 minutes
- Crimeware YARA Data Feed — every 3 hours, but new data appears only when Crimeware Reports are updated
How are the feeds delivered?
We make the feeds available for download over the HTTPS protocol. To do so, you need a tool that automatically downloads the feeds and a Kaspersky certificate for client authorization. We can provide you with those resources if you send a request to [email protected].
The most popular feeds are available via the TAXII protocol with token-based authentication. To receive a token and instructions, send a request to [email protected].
If necessary, a different protocol can be used upon request.
What format are the feeds in?
We output our feeds in JSON format (for Enterprise) and plain text (for OEM).
We also provide a tool that converts our JSON feeds to STIX, OpenIOC, Snort, CSV and plain text. It may be possible to provide conversion to other formats upon request.