Kaspersky Adds AI to Its SIEM to Hunt DLL Hijacking and Strengthens Resilience with Raft Architecture

Kaspersky has updated its Kaspersky SIEM platform with a set of capabilities focused on AI-assisted detection, native integration with its Digital Footprint Intelligence (DFI) and Managed Detection and Response (MDR) services, along with significant enhancements in dashboards, reporting, and scalability. The company emphasizes a dual goal: increase detection effectiveness against persistent threats — such as dynamic library hijacking or DLL hijacking — and reduce operational load on cybersecurity teams.

The move follows a year of intense offensive pressure. According to the latest analyst report from Kaspersky MDR, advanced persistent threats (APTs) affected 1 in 4 companies in 2024, representing a 74% increase over 2023. In this context, the company advocates that combining behavior-based detection, enrichment with intelligence, and automation is essential to closing gaps that purely reactive tools can no longer cover.

AI Against DLL Hijacking: From Indication to Investigable Alert

The most notable innovation is an AI subsystem designed to detect signs of malicious DLL replacement. It continuously analyzes the libraries loaded by legitimate processes; when it detects anomalous patterns consistent with DLL hijacking — such as loads from unexpected paths, incongruent versions or signatures, or altered search-order precedence — it automatically annotates the event so it can be escalated as an incident in the SOC.

Activation is straightforward: simply connect the “DLL Hijacking” enrichment rule to the SIEM collector or correlator. The platform then adds actionable context to each relevant telemetry event (process, library, hash, path, user, host, time), making it possible to distinguish legitimate activity from potential covert execution attempts.

Why does it matter?

DLL hijacking remains popular among attackers because it exploits the normal library loading logic in Windows. Instead of dropping noisy binaries, adversaries plant code disguised as harmless DLLs, which are then loaded by trusted applications. For defense teams, identifying this behavior in real time and with low noise is critical to disrupting attack chains before privilege escalation or persistence occurs.

Integration with DFI and MDR: Intelligence and Response on the Same Level

The update also integrates Kaspersky SIEM with Digital Footprint Intelligence (DFI), providing visibility into exposed external digital footprints of the organization: credential leaks, mentions in open sources or dark web spaces, and other external risk indicators. When DFI detects a finding, it generates automatic alerts that are fed directly into the SIEM, where they are correlated with internal events to prioritize signals that pose a real threat.

Similarly, the integration with Kaspersky MDR allows automatic import of managed incidents from the MDR console into the SIEM engine, unifying the detection, analysis, and response cycle. The operational promise is clear: fewer screens, less friction, and more shared context to help analysts and threat hunters reduce MTTR.

UEBA: Behavioral Rules for Windows Accounts and Devices

The set of improvements includes a package of UEBA (User and Entity Behavior Analytics) rules that monitor authentication, network activity, and process execution on Windows workstations and servers. These rules enable the SIEM to detect deviations from normal patterns — from unusual hours and unexpected sources to process graph changes — that often precede APT intrusions, targeted attacks, or even insider threats.

According to Kaspersky, the advantage of UEBA is detecting subtle anomalies: those gradual changes that don’t trigger signatures but don’t align with typical behavior of a user, host, or service.

Reporting and Dashboards: Sharing, Versioning, and Deepening

On the governance side, Kaspersky SIEM now enables sharing and transferring dashboard and report templates across different deployments. This standardizes criteria across distributed teams and speeds up the rollout of official content that the company updates regularly.

Moreover, new visualization widgets have been introduced to show trends, combine multiple charts, and depict relationships. A preconfigured widget supports refined queries and offers drill-down navigation: from a high-level dashboard, analysts can drill down into specific panels for detailed investigation without losing context.

High Availability and Scalability: Distributed Core Based on Raft

To support environments with high loads and continuity requirements, the SIEM core adopts a distributed architecture based on Raft. This approach distributes consensus among nodes, tolerates node failures, and facilitates horizontal scaling as log volumes, use cases, and scenarios grow. In practice, this means less downtime, greater resilience against peaks, and more predictable operation.

Operational Highlights: What SOC Gains from This Version

  • Less noise, more signal. Automatic annotation of DLL hijacking events and correlation with DFI/MDR increase the average value of each alert received by analysts.
  • Context inside, context outside. Cross-referencing internal telemetry with external digital footprints (via DFI) helps prioritize risks and close the investigation loop.
  • Stronger governance. With shareable dashboards, traceability, and versioned reports, CISOs can explain risks and demonstrate control to management or auditors.
  • Continuity and scalability. The Raft-based core ensures that growth does not penalize availability, essential for observability as a critical service.

Challenges and Best Practices: What Teams Still Need to Handle

Technology doesn’t operate in a vacuum. To maximize these capabilities, teams should:

  1. Refine telemetry. Ensure complete and reliable log sources (EDR, endpoints, AD/IdP, network, perimeter, cloud) and standardize formats and timestamps for precise correlation.
  2. Maintain and version rules. UEBA and AI-based detections require regular review to adjust thresholds and prevent drift.
  3. Align with playbooks for response. Ensure each prioritized alert triggers actions: isolation, rollback, account locks, secret rotation, etc.
  4. Provide ongoing training. Analysts need criteria to interpret anomalies and explain decisions—both to risk teams and auditors.

Looking Ahead: Applied AI and Demonstrable Resilience

The guiding theme of this update is applying AI where it is needed: enriching events to separate signal from noise, and automating time-consuming steps that do not require expert judgment. Combined with digital footprint visibility, MDR incident ingestion, UEBA, and a fault-tolerant engine, the platform aims to raise the bar for defense against adversaries that also automate and orchestrate.

For organizations operating in regulated or critical environments, the ability to demonstrate with data and dashboards that deviations are detected, investigated with traceability, and responded to with well-defined plans is increasingly part of business value.


Frequently Asked Questions

What is DLL hijacking, and how does Kaspersky SIEM detect it?
DLL hijacking exploits Windows’ library search order to load a malicious DLL instead of the legitimate one. The SIEM features an AI subsystem that continuously monitors loaded DLLs and tags suspicious events (unusual paths, signatures, versions) for SOC handling as investigable incidents.

What does integration with Digital Footprint Intelligence (DFI) contribute?
DFI monitors external digital footprints—like credential leaks—and sends findings to the SIEM. This information is correlated with internal telemetry to prioritize real risks and accelerate responses.

How does SIEM benefit from integration with Managed Detection and Response (MDR)?
MDR automatically imports incidents into the SIEM, unifying detection, analysis, and response. This helps SOC save time by operating on a single platform with shared context.

What practical advantages do new dashboards and reporting functions offer?
They enable template sharing, version control, and utilize advanced widgets (trends, relationships, drill-down). This enhances communication with business and auditors, and helps measure resilience with consistent indicators.

What role does the Raft architecture play in the SIEM’s core?
Raft provides high availability and resilience through distributed consensus, ensuring continuity under load and facilitating horizontal scaling without compromising operation.


Sources consulted:
Kaspersky — Official statement on new features in Kaspersky SIEM (AI DLL hijacking detection, DFI/MDR integrations, UEBA, dashboard/architecture improvements).